Forem: Akhilesh Mishra The latest articles on Forem by Akhilesh Mishra (@livingdevops). https://forem.com/livingdevops https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1363514%2Faf4b7195-ce89-4c82-a620-387cde875747.jpg Forem: Akhilesh Mishra https://forem.com/livingdevops en Every Kubernetes Concept Has a Story Akhilesh Mishra Sat, 21 Mar 2026 22:26:23 +0000 https://forem.com/livingdevops/every-kubernetes-concept-has-a-story-49g2 https://forem.com/livingdevops/every-kubernetes-concept-has-a-story-49g2 <p>Kubernetes Concepts are not random; each one has a beautiful problem-solving story behind it. </p> <p>Most people learn Kubernetes the wrong way.</p> <p>They see it as a list of concepts. Pods. Deployments. Services. Ingress. ConfigMaps. Secrets. HPA. They memorize them without understanding why they exist.</p> <p>Every concept in Kubernetes exists because something broke. Someone ran it in production, something failed, and a new concept was born to fix it.</p> <p>Let me show you the full story in order.</p> <blockquote> <blockquote> <p>You start with a Pod.</p> </blockquote> </blockquote> <p>A pod runs your container. Simple. Clean. Done.</p> <p>Until it crashes.</p> <p>Nobody restarts it. It is just gone.</p> <p>In production, that is not acceptable.</p> <blockquote> <blockquote> <p>So you use a Deployment.</p> </blockquote> </blockquote> <p>A Deployment watches your pods.</p> <p>One dies and it creates another.</p> <p>You want 3 running, it keeps 3 running.</p> <p>You want to scale to 10, one command does it.</p> <p>Pods were too fragile for production. Deployment fixed that.</p> <blockquote> <blockquote> <p>But now you have a new problem.</p> </blockquote> </blockquote> <p>Every pod gets a new IP when it restarts.</p> <p>You have 3 pods running your app.</p> <p>Another service needs to talk to them.</p> <p>Which IP do you use? They keep changing.</p> <p>You cannot hardcode them. You cannot track them at scale.</p> <blockquote> <blockquote> <p>So you use a Service.</p> </blockquote> </blockquote> <p>A Service gives your app one stable IP address.</p> <p>It finds your pods using labels, not IPs.</p> <p>Pods die and come back with new IPs. The Service does not care.</p> <p>It always finds them. It also load balances.</p> <p>Traffic coming in gets distributed across all healthy pods automatically.</p> <p>Pods had unstable IPs. Service fixed that.</p> <blockquote> <blockquote> <p>But your app still needs to be accessible from the internet.</p> </blockquote> </blockquote> <p>So you use a LoadBalancer Service.</p> <p>This creates a real cloud load balancer. AWS ALB. Azure LB. GCP LB.</p> <p>Your app gets a public endpoint.</p> <p>Works perfectly. Until you have 10 services.</p> <p>Now you have 10 load balancers. Each one costs money every single month.</p> <p>Your cloud bill does not care that 6 of them handle almost no traffic.</p> <p>LoadBalancer Services solved external access. But one per service does not scale.</p> <blockquote> <blockquote> <p>So you use Ingress.</p> </blockquote> </blockquote> <p>One load balancer. All your services behind it.</p> <p>Ingress routes traffic based on rules.</p> <p>Request comes in for /api, goes to the API service.</p> <p>Request comes in for /dashboard, goes to the frontend service.</p> <p>One entry point. Smart routing. One cloud load balancer on your bill.</p> <p>But Ingress is just a set of rules. Something has to execute those rules.</p> <blockquote> <blockquote> <p>So you use an Ingress Controller.</p> </blockquote> </blockquote> <p>Nginx. Traefik. AWS Load Balancer Controller.</p> <p>These are the actual engines that read your Ingress rules and make the routing happen.</p> <p>Ingress without a controller is just a config file nobody reads.</p> <p>Ingress Controller made the rules actually work.</p> <p>If you want to learn Kubernetes the way it works in production, I am starting a 9-week advanced Kubernetes on AWS bootcamp where we build real production projects, troubleshoot live incidents, write RCAs, and implement AIops on Kubernetes. Checkout 👇</p> <p>9-week Advanced Kubernetes Bootcamp on AWS (EKS) + AIops</p> <blockquote> <blockquote> <p>Now your app is running. But it needs configuration.</p> </blockquote> </blockquote> <p>Database URL. API keys. Environment name. Feature flags.</p> <p>So you do what feels natural. You hardcode them inside the container.</p> <p>It works on your laptop.</p> <p>You deploy to staging. Wrong database URL.</p> <p>You deploy to production. Wrong API key.</p> <p>You fix it by rebuilding the image every time config changes.</p> <p>In production, rebuilding an image to change a config value is not acceptable.</p> <blockquote> <blockquote> <p>So you use a ConfigMap.</p> </blockquote> </blockquote> <p>A ConfigMap holds your configuration outside the container.</p> <p>You inject it into your pod at runtime as environment variables or a mounted file.</p> <p>Change the ConfigMap. Redeploy. Your app picks up the new values.</p> <p>The image never changes. The config does.</p> <p>Same image runs in dev, staging and production with different configs.</p> <p>Hardcoded config made your image environment-specific. ConfigMap fixed that.</p> <blockquote> <blockquote> <p>But now you have a new problem.</p> </blockquote> </blockquote> <p>Your database password is sitting in a ConfigMap.</p> <p>ConfigMaps are not encrypted.</p> <p>Anyone with basic kubectl access can read them.</p> <p>You just stored your production database credentials in plain text inside your cluster.</p> <p>That is not a mistake. That is a security incident.</p> <blockquote> <blockquote> <p>So you use a Secret.</p> </blockquote> </blockquote> <p>A Secret holds sensitive data. Passwords. Tokens. Certificates. API keys.</p> <p>Stored separately from ConfigMaps with its own access controls.</p> <p>Your app reads it at runtime. Your image never sees it.</p> <p>You control who in the cluster can access which Secret.</p> <p>ConfigMaps were not safe for sensitive data. Secrets fixed that.</p> <blockquote> <blockquote> <p>Now traffic starts growing. And manual scaling breaks you.</p> </blockquote> </blockquote> <p>Some days 100 users. Some days 10,000.</p> <p>You are running 3 pods. On a busy day all three are maxed out.</p> <p>Users are seeing slow responses. Requests are timing out.</p> <p>You jump on, run a scale command, bump it to 8 pods. Crisis over.</p> <p>Traffic drops at night. 8 pods sitting idle. Wasting money.</p> <p>Next spike you do it all over again.</p> <p>You cannot babysit your cluster every time traffic changes.</p> <blockquote> <blockquote> <p>So you use HPA. Horizontal Pod Autoscaler.</p> </blockquote> </blockquote> <p>HPA watches your pods continuously.</p> <p>CPU goes above 70 percent. It adds more pods automatically.</p> <p>Traffic drops. It scales back down automatically.</p> <p>You define the minimum and maximum. Kubernetes does the rest.</p> <p>Your app handles the spike. You are not woken up at 2am to manually scale.</p> <p>Manual scaling could not keep up with real traffic. HPA fixed that.</p> <blockquote> <blockquote> <p>But scaling pods created a new problem.</p> </blockquote> </blockquote> <p>HPA adds pods during a traffic spike.</p> <p>Your nodes are full.</p> <p>The new pods sit in Pending state.</p> <p>They cannot be scheduled because there is no capacity.</p> <p>HPA did its job. But your cluster had nowhere to put the pods.</p> <p>Scaling pods without scaling nodes is half a solution.</p> <blockquote> <blockquote> <p>So you use Cluster Autoscaler or Karpenter.</p> </blockquote> </blockquote> <p>They watch for pods stuck in Pending state.</p> <p>Not enough capacity. They add a new node automatically.</p> <p>Pending pods get scheduled. Traffic is handled.</p> <p>Load drops. Nodes sit underutilized. They remove them automatically.</p> <p>You only pay for the compute you actually need.</p> <p>On EKS, Karpenter is the better choice. It is faster and more cost efficient. It provisions the exact right node for your workload instead of waiting for a fixed node group to scale.</p> <p>HPA scaled your pods. Karpenter scaled your nodes. Together they make your cluster truly elastic.</p> <blockquote> <blockquote> <p>But one last problem. And it is the one that takes things down silently.</p> </blockquote> </blockquote> <p>Everything is scaling. Pods are coming up. Nodes are being added.</p> <p>One pod starts consuming 4GB of memory. It was never supposed to.</p> <p>But nobody told Kubernetes that. So it keeps consuming.</p> <p>It starves every other pod on that node.</p> <p>Those pods start failing. A cascade begins.</p> <p>One rogue pod. No limits. Your entire node is affected.</p> <p>An unpredictable cluster is an unreliable cluster.</p> <blockquote> <blockquote> <p>So you use Resource Requests and Limits.</p> </blockquote> </blockquote> <p>Requests tell Kubernetes the minimum your pod needs to be scheduled on a node.</p> <p>Limits tell Kubernetes the maximum it is ever allowed to consume.</p> <p>The scheduler places pods intelligently across nodes using requests.</p> <p>Limits make sure one noisy pod cannot take down everything around it.</p> <p>Your cluster runs predictably. Every pod gets what it needs. Nothing more.</p> <p>Uncontrolled resource usage made your cluster unpredictable. Requests and Limits fixed that.</p> <h2> To summarize the full story: </h2> <p>Pod ran your app but had no resilience. Deployment fixed that.</p> <p>Pods had unstable IPs. Service fixed that.</p> <p>One load balancer per service was too expensive. Ingress fixed that.</p> <p>Ingress needed something to execute its rules. Ingress Controller fixed that.</p> <p>Hardcoded config made images inflexible. ConfigMap fixed that.</p> <p>ConfigMaps were not safe for sensitive data. Secrets fixed that.</p> <p>Manual scaling could not keep up with traffic. HPA fixed that.</p> <p>Pod scaling without node scaling left pods pending. Karpenter fixed that.</p> <p>Uncontrolled resource usage made clusters unpredictable. Requests and Limits fixed that.</p> <p>Each concept exists because the previous one was not enough.</p> <p>That is how you stop memorizing Kubernetes and start understanding it.</p> kubernetes Deploy Secure Google Cloud VMs with Terraform and GitHub Actions in 2025 Akhilesh Mishra Wed, 23 Jul 2025 09:57:44 +0000 https://forem.com/livingdevops/deploy-secure-google-cloud-vms-with-terraform-and-github-actions-in-2025-2k1o https://forem.com/livingdevops/deploy-secure-google-cloud-vms-with-terraform-and-github-actions-in-2025-2k1o <h2> Automate VM provisioning, networking, and CI/CD pipelines using Infrastructure as Code best practices </h2> <p><em>Part 2 of our comprehensive Terraform on Google Cloud series - Building on your VPC foundation with compute resources and automation</em></p> <p><strong>Ready to automate your VM deployments like a DevOps pro?</strong> This tutorial builds directly on our Part 1 foundation, adding secure Compute Engine instances with automated GitHub Actions workflows. You'll master firewall rules, Cloud NAT setup, and production-ready CI/CD patterns.</p> <p>By the end of this guide, you'll have a complete automated pipeline that deploys VMs to Google Cloud every time you push code to your GitHub repository.</p> <p><em>Perfect for teams wanting to eliminate manual infrastructure deployments and embrace true DevOps automation.</em></p> <h2> What You'll Learn in This Guide </h2> <ul> <li> <strong>Secure VM provisioning</strong> with proper service accounts and networking</li> <li> <strong>Firewall rule management</strong> for SSH access and internet connectivity </li> <li> <strong>Cloud NAT configuration</strong> for private VM internet access</li> <li> <strong>GitHub Actions automation</strong> with service account authentication</li> <li> <strong>Production CI/CD patterns</strong> for infrastructure deployment</li> </ul> <h2> Prerequisites </h2> <p>Before starting this tutorial, ensure you have:</p> <p>✅ <strong>Completed Part 1</strong> of this series (VPC and storage setup)<br><br> ✅ <strong>GitHub account</strong> with repository access<br><br> ✅ <strong>Git installed</strong> locally with basic knowledge<br><br> ✅ <strong>GitHub personal access token</strong> created<br><br> ✅ <strong>Same GCP project</strong> from Part 1 with billing enabled</p> <h2> Understanding Google Cloud Compute Components </h2> <h3> What are Firewall Rules in GCP? </h3> <p><strong>Firewall rules</strong> in Google Cloud are security policies that control inbound and outbound traffic to your VM instances and other resources within a VPC network. They work at the network level and are stateful - meaning return traffic is automatically allowed.</p> <p><strong>Key concepts:</strong></p> <ul> <li> <strong>Direction</strong>: INGRESS (incoming) or EGRESS (outgoing) traffic</li> <li> <strong>Priority</strong>: Lower numbers = higher priority (0-65534)</li> <li> <strong>Targets</strong>: Which resources the rule applies to (tags, service accounts)</li> <li> <strong>Sources/Destinations</strong>: Where traffic can come from or go to</li> <li> <strong>Protocols and Ports</strong>: What type of traffic is allowed</li> </ul> <h3> What is Cloud NAT? </h3> <p><strong>Cloud NAT (Network Address Translation)</strong> provides outbound internet connectivity for VM instances that only have private IP addresses. This is essential for:</p> <ul> <li> <strong>Security</strong>: VMs don't need public IPs to access the internet</li> <li> <strong>Cost optimization</strong>: Fewer external IP addresses needed</li> <li> <strong>Compliance</strong>: Keeps resources private while allowing necessary internet access</li> </ul> <h3> What is Cloud Router? </h3> <p><strong>Cloud Router</strong> is a networking service that provides dynamic routing capabilities. It's required for Cloud NAT and enables:</p> <ul> <li> <strong>Dynamic routing</strong> between VPCs and on-premises networks</li> <li> <strong>BGP support</strong> for advanced networking scenarios</li> <li> <strong>NAT gateway functionality</strong> when paired with Cloud NAT</li> </ul> <h2> Extending Your Terraform Configuration </h2> <p>Let's add the new variables and resources to your existing Terraform setup from Part 1.</p> <h3> Add VM Variables (<code>variables.tf</code>) </h3> <p>Add these variables to your existing <code>variables.tf</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"zone"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"GCP zone for VM deployment"</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-central1-b"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z]+-[a-z]+[0-9]+-[a-z]$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Zone must be a valid GCP zone format (e.g., us-central1-b)."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vm_machine_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Machine type for the VM instance"</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"e2-standard-2"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span> <span class="s2">"e2-micro"</span><span class="p">,</span> <span class="s2">"e2-small"</span><span class="p">,</span> <span class="s2">"e2-medium"</span><span class="p">,</span> <span class="s2">"e2-standard-2"</span><span class="p">,</span> <span class="s2">"e2-standard-4"</span><span class="p">,</span> <span class="s2">"n1-standard-1"</span><span class="p">,</span> <span class="s2">"n1-standard-2"</span> <span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_machine_type</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Machine type must be a valid GCP machine type."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"prefix"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Prefix for resource naming"</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"main"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^[a-z][a-z0-9-]{1,10}$"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">prefix</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Prefix must start with a letter, contain only lowercase letters, numbers, and hyphens, and be 2-11 characters long."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vm_disk_size"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Boot disk size in GB"</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">50</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_disk_size</span> <span class="err">&gt;</span><span class="p">=</span> <span class="mi">10</span> <span class="err">&amp;&amp;</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_disk_size</span> <span class="err">&lt;</span><span class="p">=</span> <span class="mi">2000</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"VM disk size must be between 10 and 2000 GB."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vm_image"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"VM boot disk image"</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"debian-cloud/debian-12"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span> <span class="s2">"debian-cloud/debian-12"</span><span class="p">,</span> <span class="s2">"ubuntu-os-cloud/ubuntu-2204-lts"</span><span class="p">,</span> <span class="s2">"centos-cloud/centos-7"</span><span class="p">,</span> <span class="s2">"rhel-cloud/rhel-8"</span> <span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_image</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"VM image must be a supported OS image."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Update Variable Values (<code>terraform.tfvars</code>) </h3> <p>Add these values to your existing <code>terraform.tfvars</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Existing variables from Part 1</span> <span class="nx">project_id</span> <span class="err">=</span> <span class="s2">"your-gcp-project-id"</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"us-central1"</span> <span class="nx">vpc_name</span> <span class="err">=</span> <span class="s2">"main-vpc"</span> <span class="nx">subnet_name</span> <span class="err">=</span> <span class="s2">"primary-subnet"</span> <span class="nx">subnet_cidr</span> <span class="err">=</span> <span class="s2">"10.0.1.0/24"</span> <span class="c1"># New VM variables</span> <span class="nx">zone</span> <span class="err">=</span> <span class="s2">"us-central1-b"</span> <span class="nx">vm_machine_type</span> <span class="err">=</span> <span class="s2">"e2-standard-2"</span> <span class="nx">prefix</span> <span class="err">=</span> <span class="s2">"demo"</span> <span class="nx">vm_disk_size</span> <span class="err">=</span> <span class="mi">50</span> <span class="nx">vm_image</span> <span class="err">=</span> <span class="s2">"debian-cloud/debian-12"</span> </code></pre> </div> <h3> Create VM Resources (<code>vm.tf</code>) </h3> <p>Create a new file <code>vm.tf</code> for your compute resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Service account for VM instances</span> <span class="nx">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"vm_service_account"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"${var.prefix}-vm-sa"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"VM Service Account for ${var.environment}"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Service account for VM instances with minimal required permissions"</span> <span class="p">}</span> <span class="c1"># IAM roles for VM service account</span> <span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"vm_sa_logging"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/logging.logWriter"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:${google_service_account.vm_service_account.email}"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"google_project_iam_member"</span> <span class="s2">"vm_sa_monitoring"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/monitoring.metricWriter"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:${google_service_account.vm_service_account.email}"</span> <span class="p">}</span> <span class="c1"># Compute Engine VM instance</span> <span class="nx">resource</span> <span class="s2">"google_compute_instance"</span> <span class="s2">"main_vm"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.prefix}-${var.environment}-vm"</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">machine_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_machine_type</span> <span class="nx">zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ssh-allowed"</span><span class="p">,</span> <span class="s2">"http-server"</span><span class="p">]</span> <span class="nx">allow_stopping_for_update</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Enable deletion protection in production</span> <span class="nx">deletion_protection</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">==</span> <span class="s2">"prod"</span> <span class="err">?</span> <span class="kc">true</span> <span class="err">:</span> <span class="kc">false</span> <span class="c1"># Boot disk configuration</span> <span class="nx">boot_disk</span> <span class="p">{</span> <span class="nx">initialize_params</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_image</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"pd-standard"</span> <span class="nx">size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vm_disk_size</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">auto_delete</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1"># Network configuration - private IP only</span> <span class="nx">network_interface</span> <span class="p">{</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">self_link</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">main_subnet</span><span class="p">.</span><span class="nx">self_link</span> <span class="c1"># No external IP - will use Cloud NAT for internet access</span> <span class="c1"># Uncomment below for external IP:</span> <span class="c1"># access_config {</span> <span class="c1"># nat_ip = google_compute_address.vm_external_ip.address</span> <span class="c1"># }</span> <span class="p">}</span> <span class="c1"># Service account and scopes</span> <span class="nx">service_account</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">vm_service_account</span><span class="p">.</span><span class="nx">email</span> <span class="nx">scopes</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"https://www.googleapis.com/auth/cloud-platform"</span><span class="p">,</span> <span class="s2">"https://www.googleapis.com/auth/logging.write"</span><span class="p">,</span> <span class="s2">"https://www.googleapis.com/auth/monitoring.write"</span> <span class="p">]</span> <span class="p">}</span> <span class="c1"># Metadata for VM configuration</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enable-oslogin</span> <span class="p">=</span> <span class="s2">"TRUE"</span> <span class="nx">startup-script</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash apt-get update apt-get install -y nginx systemctl start nginx systemctl enable nginx echo "&lt;h1&gt;Hello from ${var.prefix}-${var.environment}-vm&lt;/h1&gt;" &gt; /var/www/html/index.html echo "&lt;p&gt;Deployed with Terraform and GitHub Actions&lt;/p&gt;" &gt;&gt; /var/www/html/index.html </span><span class="no"> EOF </span> <span class="p">}</span> <span class="c1"># Labels for resource management</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"devops"</span> <span class="p">}</span> <span class="c1"># Depends on the subnet being ready</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">main_subnet</span> <span class="p">]</span> <span class="p">}</span> <span class="c1"># Optional: Static external IP (commented out for security)</span> <span class="c1"># resource "google_compute_address" "vm_external_ip" {</span> <span class="c1"># name = "${var.prefix}-${var.environment}-vm-ip"</span> <span class="c1"># project = var.project_id</span> <span class="c1"># region = var.region</span> <span class="c1"># }</span> </code></pre> </div> <h3> Create Firewall Rules (<code>firewall.tf</code>) </h3> <p>Create a new file <code>firewall.tf</code> for network security:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Ingress firewall rule for SSH access</span> <span class="nx">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"allow_ssh"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-allow-ssh"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow SSH access to instances with ssh-allowed tag"</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"INGRESS"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">allow</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"22"</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Restrict source ranges for better security</span> <span class="c1"># For production, use your specific IP ranges</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="c1"># Change this in production!</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ssh-allowed"</span><span class="p">]</span> <span class="c1"># Log firewall activity</span> <span class="nx">log_config</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="s2">"INCLUDE_ALL_METADATA"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Ingress firewall rule for HTTP traffic</span> <span class="nx">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"allow_http"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-allow-http"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow HTTP access to web servers"</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"INGRESS"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">allow</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"80"</span><span class="p">,</span> <span class="s2">"8080"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"http-server"</span><span class="p">]</span> <span class="nx">log_config</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="s2">"INCLUDE_ALL_METADATA"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Egress firewall rule for internet access</span> <span class="nx">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"allow_egress"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-allow-egress"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow outbound internet access"</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"EGRESS"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">allow</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"80"</span><span class="p">,</span> <span class="s2">"443"</span><span class="p">,</span> <span class="s2">"53"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">allow</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"53"</span><span class="p">,</span> <span class="s2">"123"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">destination_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">target_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ssh-allowed"</span><span class="p">,</span> <span class="s2">"http-server"</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Internal communication firewall rule</span> <span class="nx">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"allow_internal"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-allow-internal"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">name</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow internal communication within VPC"</span> <span class="nx">direction</span> <span class="p">=</span> <span class="s2">"INGRESS"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">allow</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">allow</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0-65535"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">allow</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"icmp"</span> <span class="p">}</span> <span class="c1"># Allow traffic from the VPC CIDR</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr</span><span class="p">,</span> <span class="s2">"10.1.0.0/16"</span><span class="p">,</span> <span class="s2">"10.2.0.0/16"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Update Networking with Cloud NAT (<code>networking.tf</code>) </h3> <p>Add these resources to your existing <code>networking.tf</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Cloud NAT for private VM internet access</span> <span class="nx">resource</span> <span class="s2">"google_compute_router_nat"</span> <span class="s2">"main_nat"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-nat-gateway"</span> <span class="nx">router</span> <span class="p">=</span> <span class="nx">google_compute_router</span><span class="p">.</span><span class="nx">main_router</span><span class="p">.</span><span class="nx">name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="c1"># NAT IP allocation</span> <span class="nx">nat_ip_allocate_option</span> <span class="p">=</span> <span class="s2">"AUTO_ONLY"</span> <span class="c1"># Which subnets to provide NAT for</span> <span class="nx">source_subnetwork_ip_ranges_to_nat</span> <span class="p">=</span> <span class="s2">"LIST_OF_SUBNETWORKS"</span> <span class="nx">subnetwork</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">main_subnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">source_ip_ranges_to_nat</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ALL_IP_RANGES"</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Logging for monitoring</span> <span class="nx">log_config</span> <span class="p">{</span> <span class="nx">enable</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">filter</span> <span class="p">=</span> <span class="s2">"ERRORS_ONLY"</span> <span class="p">}</span> <span class="c1"># Timeout settings</span> <span class="nx">min_ports_per_vm</span> <span class="p">=</span> <span class="mi">64</span> <span class="nx">udp_idle_timeout_sec</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">icmp_idle_timeout_sec</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">tcp_established_idle_timeout_sec</span> <span class="p">=</span> <span class="mi">1200</span> <span class="nx">tcp_transitory_idle_timeout_sec</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> </code></pre> </div> <h3> Update Outputs (<code>outputs.tf</code>) </h3> <p>Add these VM-related outputs to your existing <code>outputs.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Existing outputs from Part 1...</span> <span class="c1"># VM outputs</span> <span class="nx">output</span> <span class="s2">"vm_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">main_vm</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the created VM instance"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vm_internal_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">main_vm</span><span class="p">.</span><span class="nx">network_interface</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">network_ip</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Internal IP address of the VM"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vm_zone"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_instance</span><span class="p">.</span><span class="nx">main_vm</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Zone where the VM is deployed"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vm_service_account"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_service_account</span><span class="p">.</span><span class="nx">vm_service_account</span><span class="p">.</span><span class="nx">email</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Service account email used by the VM"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ssh_command"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"gcloud compute ssh ${google_compute_instance.main_vm.name} --zone=${var.zone} --project=${var.project_id}"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Command to SSH into the VM instance"</span> <span class="p">}</span> <span class="c1"># NAT gateway output</span> <span class="nx">output</span> <span class="s2">"nat_gateway_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_router_nat</span><span class="p">.</span><span class="nx">main_nat</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the Cloud NAT gateway"</span> <span class="p">}</span> </code></pre> </div> <h2> Setting Up GitHub Actions Automation </h2> <p>Now let's create an automated CI/CD pipeline that will deploy your infrastructure whenever you push code to GitHub.</p> <h3> Create GitHub Secrets </h3> <p>First, you need to store your service account credentials in GitHub secrets:</p> <ol> <li> <strong>Get your service account key content:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>terraform-sa-key.json </code></pre> </div> <ol> <li> <strong>In your GitHub repository:</strong> <ul> <li>Go to <strong>Settings</strong> &gt; <strong>Secrets and variables</strong> &gt; <strong>Actions</strong> </li> <li>Click <strong>New repository secret</strong> </li> <li>Name: <code>GCLOUD_SERVICE_ACCOUNT_KEY</code> </li> <li>Value: Paste the entire contents of your service account key file</li> </ul> </li> </ol> <p><strong>Security Note</strong>: This approach using service account keys is for learning purposes. In Part 3, we'll upgrade to Workload Identity Federation for keyless authentication, which is the production-recommended approach.</p> <h3> Create GitHub Actions Workflow </h3> <p>Create the workflow directory and file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> .github/workflows <span class="nb">touch</span> .github/workflows/deploy.yml </code></pre> </div> <p>Add this workflow configuration to <code>deploy.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Infrastructure Deployment</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="pi">-</span> <span class="s">develop</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">env</span><span class="pi">:</span> <span class="na">PROJECT_ID</span><span class="pi">:</span> <span class="s">your-gcp-project-id</span> <span class="c1"># Replace with your project ID</span> <span class="na">TF_VERSION</span><span class="pi">:</span> <span class="s">1.6.0</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan and Apply</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Google Cloud SDK</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">google-github-actions/setup-gcloud@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">latest'</span> <span class="na">service_account_key</span><span class="pi">:</span> <span class="s">${{ secrets.GCLOUD_SERVICE_ACCOUNT_KEY }}</span> <span class="na">project_id</span><span class="pi">:</span> <span class="s">${{ env.PROJECT_ID }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure Terraform authentication</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo '${{ secrets.GCLOUD_SERVICE_ACCOUNT_KEY }}' &gt; /tmp/gcp-key.json</span> <span class="s">gcloud auth activate-service-account --key-file=/tmp/gcp-key.json</span> <span class="s">gcloud config set project ${{ env.PROJECT_ID }}</span> <span class="s">gcloud config set compute/region us-central1</span> <span class="s">export GOOGLE_APPLICATION_CREDENTIALS=/tmp/gcp-key.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">${{ env.TF_VERSION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Format Check</span> <span class="na">id</span><span class="pi">:</span> <span class="s">fmt</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform fmt -check -diff -recursive</span> <span class="na">continue-on-error</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Initialize</span> <span class="na">id</span><span class="pi">:</span> <span class="s">init</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform init</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Validation</span> <span class="na">id</span><span class="pi">:</span> <span class="s">validate</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform validate</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan</span> <span class="na">id</span><span class="pi">:</span> <span class="s">plan</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform plan -input=false -out=tfplan -detailed-exitcode</span> <span class="na">continue-on-error</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Comment PR with Plan</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.event_name == 'pull_request'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/github-script@v7</span> <span class="na">with</span><span class="pi">:</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`</span> <span class="s">#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`</span> <span class="s">#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`</span> <span class="s">#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`</span> <span class="s">&lt;details&gt;&lt;summary&gt;Show Plan&lt;/summary&gt;</span> <span class="s">\`\`\`terraform</span> <span class="s">${{ steps.plan.outputs.stdout }}</span> <span class="s">\`\`\`</span> <span class="s">&lt;/details&gt;</span> <span class="s">*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;</span> <span class="s">github.rest.issues.createComment({</span> <span class="s">issue_number: context.issue.number,</span> <span class="s">owner: context.repo.owner,</span> <span class="s">repo: context.repo.repo,</span> <span class="s">body: output</span> <span class="s">})</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main' &amp;&amp; github.event_name == 'push'</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform apply -input=false tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Clean up credentials</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">rm -f /tmp/gcp-key.json</span> <span class="s">rm -f tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Output VM Information</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main' &amp;&amp; github.event_name == 'push'</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "## 🚀 Deployment Complete!" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "| Resource | Value |" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "|----------|-------|" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "| VM Name | $(terraform output -raw vm_name) |" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "| Internal IP | $(terraform output -raw vm_internal_ip) |" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "| SSH Command | \`$(terraform output -raw ssh_command)\` |" &gt;&gt; $GITHUB_STEP_SUMMARY</span> </code></pre> </div> <h2> Deploying Your Infrastructure </h2> <h3> Local Deployment First </h3> <p>Before pushing to GitHub, test your configuration locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Format and validate</span> terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> terraform validate <span class="c"># Plan and apply</span> terraform plan <span class="nt">-out</span><span class="o">=</span>tfplan terraform apply tfplan <span class="c"># Verify deployment</span> terraform output </code></pre> </div> <h3> Expected Output </h3> <p>You should see output similar to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>vm_internal_ip = "10.0.1.2" vm_name = "demo-dev-vm" vm_zone = "us-central1-b" ssh_command = "gcloud compute ssh demo-dev-vm --zone=us-central1-b --project=your-project-id" </code></pre> </div> <h3> Test VM Connectivity </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># SSH into your VM (if you have gcloud configured)</span> gcloud compute ssh demo-dev-vm <span class="nt">--zone</span><span class="o">=</span>us-central1-b <span class="nt">--project</span><span class="o">=</span>your-project-id <span class="c"># Test internet connectivity from VM</span> curl <span class="nt">-I</span> http://google.com <span class="c"># Check nginx is running</span> curl localhost </code></pre> </div> <h3> Push to GitHub for Automated Deployment </h3> <p>Once local testing works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git add <span class="nb">.</span> git commit <span class="nt">-m</span> <span class="s2">"Add VM deployment with GitHub Actions automation"</span> git push origin main </code></pre> </div> <p><strong>GitHub Actions will:</strong></p> <ol> <li> <strong>Validate</strong> your Terraform code</li> <li> <strong>Plan</strong> the infrastructure changes</li> <li> <strong>Apply</strong> changes automatically on main branch</li> <li> <strong>Comment</strong> on pull requests with plan details</li> </ol> <h2> Monitoring Your Deployment </h2> <h3> Check GitHub Actions </h3> <ol> <li>Go to your repository on GitHub</li> <li>Click the <strong>Actions</strong> tab</li> <li>Watch your workflow run in real-time</li> <li>Check the job summary for deployment details</li> </ol> <h3> Verify in GCP Console </h3> <ol> <li> <strong>Compute Engine</strong> &gt; <strong>VM instances</strong> - see your VM</li> <li> <strong>VPC network</strong> &gt; <strong>Firewall</strong> - check your firewall rules</li> <li> <strong>Network services</strong> &gt; <strong>Cloud NAT</strong> - verify NAT configuration</li> <li> <strong>Logging</strong> &gt; <strong>Logs Explorer</strong> - monitor VM and firewall logs</li> </ol> <h3> Test Your VM </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List your VMs</span> gcloud compute instances list <span class="c"># SSH into the VM</span> gcloud compute ssh demo-dev-vm <span class="nt">--zone</span><span class="o">=</span>us-central1-b <span class="c"># Inside the VM, test internet access</span> curl <span class="nt">-I</span> https://www.google.com <span class="c"># Check nginx status</span> <span class="nb">sudo </span>systemctl status nginx curl localhost </code></pre> </div> <h2> Production Considerations </h2> <h3> Security Enhancements </h3> <p><strong>Firewall Rules:</strong></p> <ul> <li>Restrict SSH access to specific IP ranges</li> <li>Use IAP (Identity-Aware Proxy) for SSH access</li> <li>Implement network tags consistently</li> </ul> <p><strong>Service Accounts:</strong></p> <ul> <li>Follow principle of least privilege</li> <li>Use separate service accounts for different workloads</li> <li>Regularly rotate service account keys</li> </ul> <h3> Monitoring and Logging </h3> <p><strong>Enable Monitoring:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Add to vm.tf</span> <span class="nx">metadata</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">enable-oslogin</span> <span class="p">=</span> <span class="s2">"TRUE"</span> <span class="nx">google-monitoring-enabled</span> <span class="p">=</span> <span class="s2">"TRUE"</span> <span class="nx">google-logging-enabled</span> <span class="p">=</span> <span class="s2">"TRUE"</span> <span class="p">}</span> </code></pre> </div> <p><strong>Set up Alerts:</strong></p> <ul> <li>VM instance health checks</li> <li>High CPU or memory usage</li> <li>Network connectivity issues</li> <li>Unusual SSH access patterns</li> </ul> <h3> Cost Optimization </h3> <p><strong>Right-sizing:</strong></p> <ul> <li>Monitor VM performance and adjust machine types</li> <li>Use preemptible instances for non-critical workloads</li> <li>Implement auto-shutdown for development VMs</li> </ul> <p><strong>Storage Optimization:</strong></p> <ul> <li>Use appropriate disk types (pd-standard vs pd-ssd)</li> <li>Enable disk auto-deletion with VMs</li> <li>Implement disk snapshots for backups</li> </ul> <h2> Troubleshooting Common Issues </h2> <h3> Authentication Failures </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Re-authenticate gcloud</span> gcloud auth application-default login <span class="c"># Verify project setting</span> gcloud config get-value project <span class="c"># Check service account permissions</span> gcloud projects get-iam-policy YOUR_PROJECT_ID </code></pre> </div> <h3> VM Won't Start </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check VM status</span> gcloud compute instances describe VM_NAME <span class="nt">--zone</span><span class="o">=</span>ZONE <span class="c"># View serial console output</span> gcloud compute instances get-serial-port-output VM_NAME <span class="nt">--zone</span><span class="o">=</span>ZONE <span class="c"># Check quotas</span> gcloud compute project-info describe <span class="nt">--project</span><span class="o">=</span>PROJECT_ID </code></pre> </div> <h3> Network Connectivity Issues </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test firewall rules</span> gcloud compute firewall-rules list <span class="c"># Check routes</span> gcloud compute routes list <span class="c"># Verify NAT configuration</span> gcloud compute routers get-nat-mappings ROUTER_NAME <span class="nt">--region</span><span class="o">=</span>REGION </code></pre> </div> <h2> What's Next in Part 3 </h2> <p>In our next tutorial, we'll enhance this setup with:</p> <p>🔜 <strong>Secure PostgreSQL deployment</strong> with Cloud SQL<br><br> 🔜 <strong>Workload Identity Federation</strong> for keyless GitHub Actions<br><br> 🔜 <strong>Private service connections</strong> for database security<br><br> 🔜 <strong>Advanced networking</strong> with VPC peering</p> <h2> Key Takeaways </h2> <p>✅ <strong>Automated infrastructure</strong> reduces human error and increases deployment speed<br><br> ✅ <strong>GitHub Actions integration</strong> enables true Infrastructure as Code workflows<br><br> ✅ <strong>Proper firewall rules</strong> are essential for both security and functionality<br><br> ✅ <strong>Cloud NAT</strong> provides secure internet access without public IPs<br><br> ✅ <strong>Service account best practices</strong> improve security posture from the start</p> <p>Ready to level up your infrastructure automation? This foundation of automated VM deployment sets you up perfectly for the advanced database and security patterns we'll cover in Part 3!</p> <p><strong>Connect with me:</strong></p> <ul> <li> <a href="https://linkedin.com/in/akhilesh-mishra-0ab886124" rel="noopener noreferrer">LinkedIn</a> for more Google Cloud and DevOps content</li> </ul> <p><strong>Tags:</strong> #Terraform #GoogleCloud #GCP #GitHubActions #DevOps #InfrastructureAsCode #ComputeEngine #Automation</p> googlecloud Build Production-Ready Google Cloud Infrastructure with Terraform in 2025 Akhilesh Mishra Wed, 23 Jul 2025 09:39:26 +0000 https://forem.com/livingdevops/build-production-ready-google-cloud-infrastructure-with-terraform-in-2025-1jj7 https://forem.com/livingdevops/build-production-ready-google-cloud-infrastructure-with-terraform-in-2025-1jj7 <h2> Complete step-by-step guide to creating VPC networks, subnets, and storage buckets using Infrastructure as Code </h2> <p><em>Part 1 of our comprehensive 6-part Terraform on Google Cloud series - from beginner setup to advanced DevOps automation</em></p> <p><strong>Ready to transform your Google Cloud infrastructure management?</strong> This comprehensive guide kicks off our <strong>Terraform on Google Cloud</strong> series, where you'll master professional-level cloud automation, GitHub Actions CI/CD, advanced security patterns, and production-ready DevOps practices.</p> <p>By the end of this tutorial series, you'll have hands-on experience with:</p> <ul> <li> <strong>Infrastructure as Code</strong> fundamentals and best practices</li> <li> <strong>Automated CI/CD pipelines</strong> with GitHub Actions and Workload Identity Federation</li> <li> <strong>Production security</strong> with Secret Manager and key rotation</li> <li> <strong>Serverless computing</strong> with Cloud Functions and Cloud Run</li> <li> <strong>Big data processing</strong> with Cloud SQL and Dataproc</li> </ul> <p><em>🚀 Perfect for cloud engineers, DevOps practitioners, and developers ready to level up their infrastructure automation game.</em></p> <h2> What You'll Build in This Series </h2> <p><strong>Part 1 (This Post)</strong>: Foundation - VPC, Subnets, and Storage<br><br> <strong>Part 2</strong>: Compute Engine VMs with GitHub Actions CI/CD<br><br> <strong>Part 3</strong>: Secure PostgreSQL with Workload Identity Federation<br><br> <strong>Part 4</strong>: Secret Management and Automated Key Rotation<br><br> <strong>Part 5</strong>: Serverless FastAPI with Cloud Run<br><br> <strong>Part 6</strong>: Big Data Processing with Dataproc (Advanced)</p> <h2> Understanding Google Cloud Networking Fundamentals </h2> <h3> What is a VPC in Google Cloud? </h3> <p>A <strong>Virtual Private Cloud (VPC)</strong> serves as your isolated network environment within Google Cloud:</p> <ul> <li> <strong>🔒 Network Isolation</strong>: Complete separation from other projects and tenants</li> <li> <strong>🛡️ Security Control</strong>: Fine-grained access control and firewall rules </li> <li> <strong>🌍 Global Resource</strong>: Automatically spans multiple regions worldwide</li> <li> <strong>📍 IP Management</strong>: Custom IP addressing, subnets, and routing control</li> <li> <strong>🔗 Connectivity</strong>: VPN, interconnect, and peering capabilities</li> </ul> <h3> What is a Subnet in Google Cloud? </h3> <p><strong>Subnets</strong> are regional network segments within your VPC that:</p> <ul> <li>Define IP address ranges (CIDR blocks) for your resources</li> <li>Enable regional resource deployment and isolation</li> <li>Provide traffic segmentation and security boundaries</li> <li>Support private Google API access for enhanced security</li> <li>Allow custom routing and firewall rule application</li> </ul> <p><strong>Pro Tip</strong>: Unlike AWS, Google Cloud subnets are regional (not zonal), giving you automatic high availability across zones within a region.</p> <h2> Prerequisites: Setting Up Your Environment </h2> <p>Before diving into Terraform automation, ensure you have:</p> <p>✅ <strong>Google Cloud Platform account</strong> (<a href="https://cloud.google.com" rel="noopener noreferrer">Sign up here</a>)<br><br> ✅ <strong>Active GCP project</strong> with billing enabled<br><br> ✅ <strong>Terraform installed</strong> (<a href="https://terraform.io" rel="noopener noreferrer">Installation guide</a>) - Version 1.0+ recommended<br><br> ✅ <strong>Google Cloud SDK</strong> (<a href="https://cloud.google.com/sdk" rel="noopener noreferrer">Download here</a>)<br> ✅ <strong>Basic understanding</strong> of cloud networking concepts</p> <h3> Verify Your Installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check Google Cloud SDK</span> gcloud <span class="nt">--version</span> gcloud init <span class="c"># Verify Terraform</span> terraform <span class="nt">--version</span> <span class="c"># Check your active project</span> gcloud config get-value project </code></pre> </div> <h2> Google Cloud Authentication Setup </h2> <h3> Creating a Service Account (Development Setup) </h3> <p>For this tutorial series, we'll create a service account with owner permissions. <strong>Important</strong>: In production environments, always follow the <strong>principle of least privilege</strong> and use keyless authentication with Workload Identity Federation (covered in Part 3).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set your project ID (replace with your actual project ID)</span> <span class="nb">export </span><span class="nv">PROJECT_ID</span><span class="o">=</span><span class="s2">"your-gcp-project-id"</span> gcloud config <span class="nb">set </span>project <span class="nv">$PROJECT_ID</span> <span class="c"># Create service account for Terraform</span> gcloud iam service-accounts create terraform-automation <span class="se">\</span> <span class="nt">--description</span><span class="o">=</span><span class="s2">"Service account for Terraform infrastructure automation"</span> <span class="se">\</span> <span class="nt">--display-name</span><span class="o">=</span><span class="s2">"Terraform Automation SA"</span> <span class="c"># Grant owner role (development only - we'll improve this in later parts)</span> gcloud projects add-iam-policy-binding <span class="nv">$PROJECT_ID</span> <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"serviceAccount:terraform-automation@</span><span class="k">${</span><span class="nv">PROJECT_ID</span><span class="k">}</span><span class="s2">.iam.gserviceaccount.com"</span> <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"roles/owner"</span> <span class="c"># Generate service account key</span> gcloud iam service-accounts keys create terraform-sa-key.json <span class="se">\</span> <span class="nt">--iam-account</span> terraform-automation@<span class="k">${</span><span class="nv">PROJECT_ID</span><span class="k">}</span>.iam.gserviceaccount.com </code></pre> </div> <h3> Set Environment Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set credentials for Terraform</span> <span class="nb">export </span><span class="nv">GOOGLE_APPLICATION_CREDENTIALS</span><span class="o">=</span><span class="s2">"terraform-sa-key.json"</span> <span class="c"># Verify authentication</span> gcloud auth application-default print-access-token </code></pre> </div> <h2> Project Structure: Organizing Your Terraform Code </h2> <p>Create a clean, maintainable project structure that will scale throughout our series:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>terraform-gcp-foundation <span class="o">&amp;&amp;</span> <span class="nb">cd </span>terraform-gcp-foundation <span class="c"># Create core Terraform files</span> <span class="nb">touch </span>main.tf variables.tf outputs.tf providers.tf terraform.tfvars <span class="c"># Create resource-specific files</span> <span class="nb">touch </span>networking.tf storage.tf <span class="c"># Create backend configuration</span> <span class="nb">touch </span>backend.tf <span class="c"># Initialize git for version control</span> git init <span class="nb">echo</span> <span class="s2">"*.tfvars"</span> <span class="o">&gt;&gt;</span> .gitignore <span class="nb">echo</span> <span class="s2">"terraform-sa-key.json"</span> <span class="o">&gt;&gt;</span> .gitignore <span class="nb">echo</span> <span class="s2">".terraform/"</span> <span class="o">&gt;&gt;</span> .gitignore <span class="nb">echo</span> <span class="s2">"*.tfstate*"</span> <span class="o">&gt;&gt;</span> .gitignore </code></pre> </div> <p><strong>Why this structure?</strong> </p> <ul> <li> <strong>Separation of concerns</strong>: Each file has a specific purpose</li> <li> <strong>Scalability</strong>: Easy to add new resources in dedicated files</li> <li> <strong>Team collaboration</strong>: Clear organization for multiple developers</li> <li> <strong>Version control ready</strong>: Proper .gitignore for sensitive files</li> </ul> <h2> Terraform Configuration Files Explained </h2> <h3> 1. Provider Configuration (<code>providers.tf</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="nx">google-beta</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google-beta"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"google-beta"</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Input Variables (<code>variables.tf</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"project_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Google Cloud Project ID"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span><span class="p">)</span> <span class="err">&gt;</span> <span class="mi">6</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Project ID must be more than 6 characters."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"GCP region for resources"</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-central1"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span> <span class="s2">"us-central1"</span><span class="p">,</span> <span class="s2">"us-east1"</span><span class="p">,</span> <span class="s2">"us-west1"</span><span class="p">,</span> <span class="s2">"us-west2"</span><span class="p">,</span> <span class="s2">"europe-west1"</span><span class="p">,</span> <span class="s2">"europe-west2"</span><span class="p">,</span> <span class="s2">"asia-east1"</span> <span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Region must be a valid GCP region."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name (dev, staging, prod)"</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"staging"</span><span class="p">,</span> <span class="s2">"prod"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Environment must be dev, staging, or prod."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name for the VPC network"</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"main-vpc"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name for the subnet"</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"main-subnet"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_cidr"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR range for the subnet"</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.0.1.0/24"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrhost</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Subnet CIDR must be a valid IPv4 CIDR block."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 3. Networking Resources (<code>networking.tf</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># VPC Network</span> <span class="nx">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"main_vpc"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.vpc_name}"</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">routing_mode</span> <span class="p">=</span> <span class="s2">"REGIONAL"</span> <span class="nx">mtu</span> <span class="p">=</span> <span class="mi">1460</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Main VPC network for ${var.environment} environment"</span> <span class="c1"># Enable deletion protection in production</span> <span class="nx">delete_default_routes_on_create</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1"># Subnet</span> <span class="nx">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"main_subnet"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-${var.subnet_name}"</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">name</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_cidr</span> <span class="nx">private_ip_google_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Primary subnet in ${var.region} for ${var.environment}"</span> <span class="c1"># Enable flow logs for security monitoring</span> <span class="nx">log_config</span> <span class="p">{</span> <span class="nx">aggregation_interval</span> <span class="p">=</span> <span class="s2">"INTERVAL_10_MIN"</span> <span class="nx">flow_sampling</span> <span class="p">=</span> <span class="mf">0.5</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="s2">"INCLUDE_ALL_METADATA"</span> <span class="p">}</span> <span class="c1"># Secondary IP ranges for future use (GKE, etc.)</span> <span class="nx">secondary_ip_range</span> <span class="p">{</span> <span class="nx">range_name</span> <span class="p">=</span> <span class="s2">"pods"</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="s2">"10.1.0.0/16"</span> <span class="p">}</span> <span class="nx">secondary_ip_range</span> <span class="p">{</span> <span class="nx">range_name</span> <span class="p">=</span> <span class="s2">"services"</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="s2">"10.2.0.0/16"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Cloud Router for Cloud NAT (we'll use this in Part 2)</span> <span class="nx">resource</span> <span class="s2">"google_compute_router"</span> <span class="s2">"main_router"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-cloud-router"</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Cloud Router for NAT gateway"</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Storage Resources (<code>storage.tf</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Storage bucket for Terraform state (remote backend)</span> <span class="nx">resource</span> <span class="s2">"google_storage_bucket"</span> <span class="s2">"terraform_state"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_id}-${var.environment}-terraform-state"</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="c1"># Force destroy for development (disable in production)</span> <span class="nx">force_destroy</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">==</span> <span class="s2">"dev"</span> <span class="err">?</span> <span class="kc">true</span> <span class="err">:</span> <span class="kc">false</span> <span class="c1"># Enable versioning for state file safety</span> <span class="nx">versioning</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1"># Uniform bucket-level access for better security</span> <span class="nx">uniform_bucket_level_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Encryption at rest</span> <span class="nx">encryption</span> <span class="p">{</span> <span class="nx">default_kms_key_name</span> <span class="p">=</span> <span class="kc">null</span> <span class="c1"># We'll add KMS in Part 4</span> <span class="p">}</span> <span class="c1"># Lifecycle management to control costs</span> <span class="nx">lifecycle_rule</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">age</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Delete"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">lifecycle_rule</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">age</span> <span class="p">=</span> <span class="mi">7</span> <span class="nx">with_state</span> <span class="p">=</span> <span class="s2">"ARCHIVED"</span> <span class="p">}</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Delete"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Labels for resource management</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">purpose</span> <span class="p">=</span> <span class="s2">"terraform-state"</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># General purpose storage bucket</span> <span class="nx">resource</span> <span class="s2">"google_storage_bucket"</span> <span class="s2">"app_storage"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_id}-${var.environment}-app-storage"</span> <span class="nx">project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="nx">location</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="c1"># Storage class optimization</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="nx">uniform_bucket_level_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># CORS configuration for web applications</span> <span class="nx">cors</span> <span class="p">{</span> <span class="nx">origin</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">method</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">,</span> <span class="s2">"PUT"</span><span class="p">,</span> <span class="s2">"POST"</span><span class="p">,</span> <span class="s2">"DELETE"</span><span class="p">]</span> <span class="nx">response_header</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="nx">max_age_seconds</span> <span class="p">=</span> <span class="mi">3600</span> <span class="p">}</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">purpose</span> <span class="p">=</span> <span class="s2">"application-storage"</span> <span class="nx">managed-by</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># IAM binding for service account access to state bucket</span> <span class="nx">resource</span> <span class="s2">"google_storage_bucket_iam_member"</span> <span class="s2">"terraform_state_access"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">terraform_state</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/storage.admin"</span> <span class="nx">member</span> <span class="p">=</span> <span class="s2">"serviceAccount:terraform-automation@${var.project_id}.iam.gserviceaccount.com"</span> <span class="p">}</span> </code></pre> </div> <h3> 5. Outputs (<code>outputs.tf</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"vpc_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the created VPC"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ID of the created VPC"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_self_link"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">self_link</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Self-link of the VPC (useful for other resources)"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">main_subnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the created subnet"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_cidr"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">main_subnet</span><span class="p">.</span><span class="nx">ip_cidr_range</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR range of the subnet"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"subnet_gateway_address"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">main_subnet</span><span class="p">.</span><span class="nx">gateway_address</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Gateway IP address of the subnet"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"terraform_state_bucket"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">terraform_state</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the Terraform state storage bucket"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"app_storage_bucket"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_storage_bucket</span><span class="p">.</span><span class="nx">app_storage</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the application storage bucket"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"cloud_router_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_compute_router</span><span class="p">.</span><span class="nx">main_router</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the Cloud Router (for NAT in Part 2)"</span> <span class="p">}</span> <span class="c1"># Network details for use in subsequent parts</span> <span class="nx">output</span> <span class="s2">"network_details"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vpc_name</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">main_vpc</span><span class="p">.</span><span class="nx">name</span> <span class="nx">subnet_name</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">main_subnet</span><span class="p">.</span><span class="nx">name</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">project_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_id</span> <span class="p">}</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Network configuration details for other Terraform configurations"</span> <span class="p">}</span> </code></pre> </div> <h3> 6. Variable Values (<code>terraform.tfvars</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Project Configuration</span> <span class="nx">project_id</span> <span class="err">=</span> <span class="s2">"your-gcp-project-id"</span> <span class="c1"># Replace with your actual project ID</span> <span class="nx">environment</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="c1"># Network Configuration</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"us-central1"</span> <span class="nx">vpc_name</span> <span class="err">=</span> <span class="s2">"main-vpc"</span> <span class="nx">subnet_name</span> <span class="err">=</span> <span class="s2">"primary-subnet"</span> <span class="nx">subnet_cidr</span> <span class="err">=</span> <span class="s2">"10.0.1.0/24"</span> </code></pre> </div> <h3> 7. Backend Configuration (<code>backend.tf</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Local backend for initial setup</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"local"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"terraform.tfstate"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># After creating the storage bucket, uncomment below and migrate:</span> <span class="c1"># terraform {</span> <span class="c1"># backend "gcs" {</span> <span class="c1"># bucket = "your-project-id-dev-terraform-state"</span> <span class="c1"># prefix = "foundation/state"</span> <span class="c1"># }</span> <span class="c1"># }</span> </code></pre> </div> <h2> Understanding Terraform State Management </h2> <p><strong>Terraform state</strong> is the crucial component that tracks your infrastructure:</p> <ul> <li>📊 <strong>Resource Metadata</strong>: Current state, IDs, and configurations</li> <li>🔗 <strong>Dependencies</strong>: Relationships and creation order between resources </li> <li>📝 <strong>Performance</strong>: Caches resource attributes for faster operations</li> <li>🎯 <strong>Drift Detection</strong>: Identifies manual changes made outside Terraform</li> </ul> <h3> State Storage Options </h3> <p><strong>Local State (Development)</strong>:</p> <ul> <li>Stored on your local machine</li> <li>Simple for learning and testing</li> <li>Not suitable for team collaboration</li> </ul> <p><strong>Remote State (Production)</strong>:</p> <ul> <li> <strong>Google Cloud Storage</strong> (recommended for GCP)</li> <li> <strong>Terraform Cloud</strong> (HashiCorp's managed solution)</li> <li> <strong>Amazon S3</strong> (for multi-cloud scenarios)</li> </ul> <h3> Migrating to Remote State </h3> <p>After your first deployment, migrate to remote state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Update backend.tf with your bucket name</span> <span class="c"># 2. Run migration command</span> terraform init <span class="nt">-migrate-state</span> </code></pre> </div> <h2> Deploying Your Infrastructure </h2> <h3> Step 1: Initialize Terraform </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init </code></pre> </div> <p><em>Downloads provider plugins and initializes the working directory</em></p> <h3> Step 2: Format and Validate </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Format code for consistency</span> terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> <span class="c"># Validate configuration</span> terraform validate </code></pre> </div> <h3> Step 3: Plan Your Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan <span class="nt">-out</span><span class="o">=</span>tfplan </code></pre> </div> <p><em>Creates an execution plan and saves it to a file</em></p> <p><strong>Understanding the Plan Output:</strong></p> <ul> <li> <code>+</code> Resources to be <strong>created</strong> </li> <li> <code>-</code> Resources to be <strong>destroyed</strong> </li> <li> <code>~</code> Resources to be <strong>modified</strong> </li> <li> <code>&lt;=</code> Resources to be <strong>read</strong> (data sources)</li> </ul> <h3> Step 4: Apply Changes </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply tfplan </code></pre> </div> <p><em>Executes the plan - no additional confirmation needed since plan was saved</em></p> <h3> Step 5: Verify Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check outputs</span> terraform output <span class="c"># Verify in GCP Console</span> gcloud compute networks list gcloud compute networks subnets list <span class="nt">--network</span><span class="o">=</span>dev-main-vpc gsutil <span class="nb">ls </span>gs://your-project-id-dev-terraform-state </code></pre> </div> <h3> Step 6: Clean Up (When Needed) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p><em>⚠️ Removes all managed infrastructure - be extremely careful in production!</em></p> <h2> Production-Ready Best Practices </h2> <h3> 🔧 Code Organization &amp; Standards </h3> <ul> <li> <strong>Modularize</strong> configurations for reusability across environments</li> <li>Use <strong>consistent naming conventions</strong> with environment prefixes</li> <li>Implement <strong>proper file structure</strong> with clear separation of concerns</li> <li> <strong>Version pin</strong> providers and modules to avoid breaking changes</li> </ul> <h3> 🔒 Security &amp; Access Management </h3> <ul> <li> <strong>Never commit</strong> sensitive data or credentials to version control</li> <li>Use <strong>remote state backend</strong> with proper access controls and encryption</li> <li>Implement <strong>state locking</strong> to prevent concurrent modifications</li> <li>Follow <strong>least privilege principle</strong> for service account permissions</li> </ul> <h3> 📚 Documentation &amp; Team Collaboration </h3> <ul> <li>Add <strong>meaningful descriptions</strong> to all resources and variables</li> <li>Use <strong>version control</strong> (Git) with proper branching strategies</li> <li>Implement <strong>peer reviews</strong> for all infrastructure changes</li> <li>Document <strong>runbooks</strong> for common operations and troubleshooting</li> </ul> <h3> 🚀 Automation &amp; CI/CD (Coming in Part 2) </h3> <ul> <li>Integrate with <strong>GitHub Actions</strong> for automated deployments</li> <li>Use <strong>environment-specific</strong> variable files and workspaces</li> <li>Implement <strong>automated testing</strong> for infrastructure code</li> <li>Set up <strong>monitoring and alerting</strong> for infrastructure changes</li> </ul> <h3> 💰 Cost Optimization </h3> <ul> <li>Use <strong>labels and tags</strong> for resource tracking and cost allocation</li> <li>Implement <strong>lifecycle policies</strong> for storage resources</li> <li>Choose <strong>appropriate machine types</strong> and disk sizes</li> <li>Monitor and set up <strong>budget alerts</strong> for cost control</li> </ul> <h2> What's Coming Next in This Series </h2> <h3> 🔜 <strong>Part 2: Compute Engine VMs with GitHub Actions</strong> </h3> <ul> <li>Deploy secure VM instances with proper networking</li> <li>Set up automated CI/CD pipelines with GitHub Actions</li> <li>Implement firewall rules and Cloud NAT for secure internet access</li> <li>Master service account management and authentication</li> </ul> <h3> 🔜 <strong>Part 3: PostgreSQL with Workload Identity Federation</strong> </h3> <ul> <li>Deploy Cloud SQL PostgreSQL in private networks</li> <li>Implement keyless authentication with Workload Identity Federation</li> <li>Set up VPC peering and private service connections</li> <li>Database security and backup configuration</li> </ul> <h3> 🔜 <strong>Part 4: Secret Management and Key Rotation</strong> </h3> <ul> <li>Secure credential storage with Secret Manager</li> <li>Automated service account key rotation with Cloud Functions</li> <li>Production-grade security patterns</li> <li>Integration with existing infrastructure</li> </ul> <h3> 🔜 <strong>Part 5: Serverless FastAPI with Cloud Run</strong> </h3> <ul> <li>Containerize and deploy Python applications</li> <li>Implement proper artifact registry workflows</li> <li>Configure custom domains and SSL certificates</li> <li>Performance optimization and scaling strategies</li> </ul> <h3> 🔜 <strong>Part 6: Big Data with Dataproc (Advanced)</strong> </h3> <ul> <li>Set up managed Hadoop and Spark clusters</li> <li>Configure preemptible instances for cost optimization</li> <li>Data processing pipelines and job orchestration</li> <li>Integration with Cloud Storage and BigQuery</li> </ul> <h2> Key Takeaways </h2> <p>✅ <strong>Infrastructure as Code</strong> provides consistency, repeatability, and version control<br><br> ✅ <strong>Proper project structure</strong> makes maintenance and collaboration easier<br><br> ✅ <strong>Variable validation</strong> catches errors early in the development cycle<br><br> ✅ <strong>Remote state management</strong> is essential for team collaboration and production use<br><br> ✅ <strong>Security best practices</strong> should be implemented from day one, not as an afterthought</p> <p><strong>Ready to continue?</strong> This foundation sets you up for success in the remaining parts of our series. Each subsequent tutorial builds upon this infrastructure, adding more sophisticated patterns and production-ready features.</p> <h2> Troubleshooting Common Issues </h2> <h3> Authentication Problems </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Re-authenticate if needed</span> gcloud auth application-default login gcloud config <span class="nb">set </span>project YOUR_PROJECT_ID </code></pre> </div> <h3> API Enablement </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable required APIs</span> gcloud services <span class="nb">enable </span>compute.googleapis.com gcloud services <span class="nb">enable </span>storage-api.googleapis.com </code></pre> </div> <h3> Permission Issues </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify service account permissions</span> gcloud projects get-iam-policy YOUR_PROJECT_ID <span class="se">\</span> <span class="nt">--flatten</span><span class="o">=</span><span class="s2">"bindings[].members"</span> <span class="se">\</span> <span class="nt">--filter</span><span class="o">=</span><span class="s2">"bindings.members:serviceAccount:terraform-automation@YOUR_PROJECT_ID.iam.gserviceaccount.com"</span> </code></pre> </div> <p><strong>Connect with me:</strong></p> <ul> <li> <a href="https://linkedin.com/in/akhilesh-mishra-0ab886124" rel="noopener noreferrer">LinkedIn</a> </li> </ul> <p><strong>Tags:</strong> #Terraform #GoogleCloud #GCP #DevOps #InfrastructureAsCode #CloudAutomation #NetworkingSeries</p> gcp terraform Managing AWS Lambda Layers Was a Nightmare Until I Did This Akhilesh Mishra Fri, 27 Jun 2025 12:17:15 +0000 https://forem.com/aws-builders/managing-aws-lambda-layers-was-a-nightmare-until-i-did-this-4830 https://forem.com/aws-builders/managing-aws-lambda-layers-was-a-nightmare-until-i-did-this-4830 <h2> Automation That Saved My Team Months of Toil </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimages.unsplash.com%2Fphoto-1518432031352-d6fc5c10da5a%3Fixlib%3Drb-4.0.3%26ixid%3DM3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%253D%253D%26auto%3Dformat%26fit%3Dcrop%26w%3D2074%26q%3D80" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimages.unsplash.com%2Fphoto-1518432031352-d6fc5c10da5a%3Fixlib%3Drb-4.0.3%26ixid%3DM3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%253D%253D%26auto%3Dformat%26fit%3Dcrop%26w%3D2074%26q%3D80" alt="AWS Lambda automation with Terraform" width="2074" height="1556"></a></p> <p><em>Automate Lambda Layer management with Terraform and GitHub Actions - A complete guide from pain to automation</em></p> <p>I started my DevOps career with the Google Cloud platform and used Cloud Functions for event-driven serverless workloads. It was pretty straightforward — package the Python code with its dependencies, i.e. <code>requirements.txt</code> and everything else will be taken care of by Cloud Function (i.e. GCP).</p> <p>Then I moved to AWS and discovered Lambda, their popular serverless offering. It was great, except for one headache: <strong>managing code dependencies</strong>.</p> <p>I was used to just using a <code>requirements.txt</code> file, but that doesn't work with Lambda. Instead, you have two options. You can either bundle all your libraries with your code in a big zip file (which is a pain to manage) or use something called <strong>Lambda Layers</strong>.</p> <p>Before I explain Layers and how to use them effectively, let me give you a quick rundown on Lambda and serverless computing in general.</p> <h2> Table of Contents </h2> <ul> <li>What is Serverless?</li> <li>What is AWS Lambda?</li> <li>What are Lambda Layers?</li> <li>How to Build Lambda Layers</li> <li>The Automation Solution</li> <li>Implementation Guide</li> <li>Running the Automation</li> </ul> <h2> What is Serverless? </h2> <p>Don't let the term "serverless" fool you — it doesn't mean servers have vanished into thin air. Instead, think of it as <strong>"servers you don't see."</strong> In this model, your cloud provider manages the resources for you, handling all the nitty-gritty of server maintenance.</p> <p>At its core, serverless computing is about simplifying your life as a developer or business owner. It's a world where you can focus on what truly matters — your code and business logic — without getting bogged down in the complexities of managing the machines that run it.</p> <p>That's the promise of serverless computing — it's about freeing you to innovate, while your cloud provider handles the heavy lifting of infrastructure management.</p> <h2> What is AWS Lambda? </h2> <p>Lambda is the Function as a Service (serverless) offering by AWS. It uses an <strong>event-driven architecture</strong>, meaning it runs a piece of code when some event occurs. It integrates well with other AWS services such as DynamoDB, S3, SQS, API Gateway, etc.</p> <p>Your code may be just a couple of lines, or spread across 2 files but if it requires 15 different packages to tie everything together, it's referred to as a <strong>"deployment package."</strong></p> <p>It is best practice to manage the code dependencies separately and this is where Lambda Layers come in handy.</p> <h2> What are Lambda Layers? </h2> <p>To quote AWS documentation:</p> <blockquote> <p>A Lambda layer is a .zip file archive that contains supplementary code or data. Layers usually contain library dependencies, a custom runtime, or configuration files.</p> </blockquote> <p>In simple words, if your Python code requires 5, 10, 15 libraries to run the code, you build them separately and enable Lambda to use them on runtime.</p> <p><strong>Key benefits of Lambda Layers:</strong></p> <ul> <li>📦 Separate dependencies from your application code</li> <li>🔄 Share layers across multiple Lambda functions</li> <li>🌐 Share layers across multiple AWS accounts</li> <li>💾 Reduce deployment package size</li> <li>⚡ Faster deployments and cold starts</li> </ul> <h2> How to Build Lambda Layers </h2> <h3> Manual Method (The Old Way) </h3> <p>The simplest way of building Layers is to install the Python dependencies in your local machine inside a Python directory, zip it, and upload it to AWS layers. Your Lambda function can use the layer.</p> <p><strong>⚠️ Important Note:</strong> Creating a zip package from a non-Linux environment (even Mac) will NOT WORK with Lambda.</p> <h3> Docker Method </h3> <p>Alternatively, you can use Docker with <code>--platform linux/amd64</code> flag to build the layer with the help of sam/build-python Docker images.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">--platform</span> linux/amd64 <span class="nt">-v</span> <span class="se">\</span> <span class="s2">"</span><span class="nv">$PWD</span><span class="s2">"</span>:/var/task <span class="s2">"public.ecr.aws/sam/build-python3.10"</span> /bin/sh <span class="se">\</span> <span class="nt">-c</span> <span class="s2">"pip install -r requirements.txt -t python/; exit"</span> </code></pre> </div> <h3> Cross-Account Sharing </h3> <p>If you want to share your Layer in a different AWS account, add permissions by running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws lambda add-layer-version-permission <span class="se">\</span> <span class="nt">--layer-name</span> &lt;Layer_name&gt; <span class="se">\ </span> <span class="nt">--statement-id</span> xaccount <span class="se">\</span> <span class="nt">--action</span> lambda:GetLayerVersion <span class="se">\</span> <span class="nt">--principal</span> &lt;AWS_ACCOUNT_ID&gt; <span class="se">\</span> <span class="nt">--version-number</span> &lt;Layer_Version&gt; </code></pre> </div> <p><strong>The Problem:</strong> Managing Lambda Layers manually can be a lot of pain when every other month you need to update the libraries to use new versions of libraries to take your security team off your back.</p> <h2> The Automation Solution </h2> <h3> Automating Layer Build with Terraform and GitHub Actions </h3> <p>Before we start writing Terraform, create the file structure in your VSCode as shown below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lambda-python-layers/ ├── .github/ │ └── workflows/ │ └── build-lambda-layers.yml ├── layers/ │ ├── layer1/ │ │ └── requirements.txt │ ├── layer2/ │ │ └── requirements.txt │ └── common-scripts/ │ ├── logger.py │ └── db_connection.py ├── providers.tf ├── variables.tf ├── config.tf ├── s3.tf └── main.tf </code></pre> </div> <h3> Defining Python Dependencies for Layers </h3> <p><strong>layers/layer1/requirements.txt</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws-psycopg2 requests==2.32.3 urllib3==2.2.2 </code></pre> </div> <p><strong>layers/layer2/requirements.txt</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pyzipper==0.3.6 pycryptodome==3.20.0 cryptography==41.0.7 PyPDF2==3.0.1 </code></pre> </div> <p>Sometimes we also need to use common scripts such as logger, and db-connection scripts used by Lambda functions. We can package them with the dependencies to avoid packaging them with Lambda code or building separate layers for these scripts.</p> <p>Place those Python scripts in <code>layers/common-scripts/</code> path.</p> <h2> Implementation Guide </h2> <h3> Writing Terraform Configuration </h3> <blockquote> <p>💡 <strong>Note:</strong> You can find the complete code for this blog in my <a href="https://github.com/akhileshmishrabiz/Devops-zero-to-hero" rel="noopener noreferrer">public GitHub repo</a>.</p> </blockquote> <p><strong>providers.tf</strong></p> <p>Setting up Terraform providers and remote backend using S3 bucket I have already created to store the Terraform state files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.6"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"your-terraform-state-bucket"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"lambda-layers/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-south-1"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_region</span> <span class="p">}</span> </code></pre> </div> <p><strong>variables.tf</strong></p> <p>We will store default values for Python layers such as runtime, and compatible runtimes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS region"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"ap-south-1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"python_runtime"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Python runtime version"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"python3.10"</span> <span class="p">}</span> </code></pre> </div> <p><strong>config.tf</strong></p> <p>We will create local variables to store the layer details such as layer name and path to the dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">layer_definitions</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"layer1"</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"${path.module}/layers/layer1"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"layer2"</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"${path.module}/layers/layer2"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>s3.tf</strong></p> <p>Use the data source to get the AWS account ID and use it as a prefix to ensure the unique name of the S3 bucket, and use it to store the layers packages in .zip format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"lambda_layers"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"${data.aws_caller_identity.current.account_id}-lambda-layers-bucket"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_versioning"</span> <span class="s2">"lambda_layers"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">lambda_layers</span><span class="p">.</span><span class="nx">id</span> <span class="nx">versioning_configuration</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>main.tf</strong></p> <p>It will use the Terraform module (terraform-aws-modules/lambda/aws) for Lambda to build Python layers. I will package the custom scripts along with the layers for usability:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"layers"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/lambda/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 6.0"</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">i</span> <span class="nx">in</span> <span class="nx">local</span><span class="p">.</span><span class="nx">layer_definitions</span> <span class="err">:</span> <span class="nx">i</span><span class="p">.</span><span class="nx">identifier</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">i</span> <span class="p">}</span> <span class="nx">create_layer</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">layer_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">identifier</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Lambda layer for ${each.value.identifier}"</span> <span class="nx">compatible_runtimes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">python_runtime</span><span class="p">]</span> <span class="nx">source_path</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">path</span> <span class="nx">pip_requirements</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">prefix_in_zip</span> <span class="p">=</span> <span class="s2">"python"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"${path.module}/layers/common-scripts"</span> <span class="nx">prefix_in_zip</span> <span class="p">=</span> <span class="s2">"python"</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">store_on_s3</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">s3_bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">lambda_layers</span><span class="p">.</span><span class="nx">bucket</span> <span class="p">}</span> </code></pre> </div> <h3> Cross-Account Layer Sharing (Optional) </h3> <p>If you want to share the layers across multiple accounts, add these configurations:</p> <p><strong>Append to config.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="c1"># List of layer names</span> <span class="nx">layer_names</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">i</span> <span class="nx">in</span> <span class="nx">local</span><span class="p">.</span><span class="nx">layer_definitions</span> <span class="err">:</span> <span class="nx">i</span><span class="p">.</span><span class="nx">identifier</span><span class="p">]</span> <span class="c1"># Accounts that should have permission on layer version</span> <span class="nx">allowed_accounts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"AWS_ACCOUNT_ID_1"</span><span class="p">,</span> <span class="s2">"AWS_ACCOUNT_ID_2"</span><span class="p">]</span> <span class="c1"># Mapping layers -&gt; aws accounts for permission on layer version</span> <span class="nx">layers_to_accounts</span> <span class="p">=</span> <span class="nx">flatten</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">layer</span> <span class="nx">in</span> <span class="nx">local</span><span class="p">.</span><span class="nx">layer_names</span> <span class="err">:</span> <span class="p">[</span> <span class="nx">for</span> <span class="nx">account</span> <span class="nx">in</span> <span class="nx">local</span><span class="p">.</span><span class="nx">allowed_accounts</span> <span class="err">:</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"${layer}-${account}"</span> <span class="nx">layer</span> <span class="p">=</span> <span class="nx">layer</span> <span class="nx">account</span> <span class="p">=</span> <span class="nx">account</span> <span class="p">}</span> <span class="p">]</span> <span class="p">])</span> <span class="c1"># Map to be used by for_each loop for resource</span> <span class="nx">layers_to_accounts_map</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">item</span> <span class="nx">in</span> <span class="nx">local</span><span class="p">.</span><span class="nx">layers_to_accounts</span> <span class="err">:</span> <span class="nx">item</span><span class="p">.</span><span class="nx">id</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">item</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Append to main.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lambda_layer_version_permission"</span> <span class="s2">"lambda_layer_permission"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">layers_to_accounts_map</span> <span class="nx">layer_name</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">layers</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">layer</span><span class="p">].</span><span class="nx">lambda_layer_layer_arn</span> <span class="nx">version_number</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">layers</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">layer</span><span class="p">].</span><span class="nx">lambda_layer_version</span> <span class="nx">principal</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">account</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"lambda:GetLayerVersion"</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"${each.value.layer}-${each.value.account}-${random_integer.random.result}"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"random_integer"</span> <span class="s2">"random"</span> <span class="p">{</span> <span class="nx">min</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max</span> <span class="p">=</span> <span class="mi">1000</span> <span class="p">}</span> </code></pre> </div> <h3> GitHub Actions Workflow </h3> <p>Here is the GitHub Action workflow that will build the layers:</p> <p><strong>.github/workflows/build-lambda-layers.yml</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Build Lambda Layers with Terraform</span> <span class="na">on</span><span class="pi">:</span> <span class="c1"># On push to main branch when there is a change in dependencies</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">lambda-python-layers/layers/</span> <span class="c1"># Run manually</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">env</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">AWS_REGION</span><span class="pi">:</span> <span class="s">ap-south-1</span> <span class="na">TERRAFORM_VER</span><span class="pi">:</span> <span class="s">1.6.6</span> <span class="na">TERRAFORM_PATH</span><span class="pi">:</span> <span class="s">lambda-python-layers/</span> <span class="na">PYTHON_VERSION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.10'</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout Repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">${{ env.TERRAFORM_VER }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Python</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="s">${{ env.PYTHON_VERSION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">${{ env.TERRAFORM_PATH }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform init</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">${{ env.TERRAFORM_PATH }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform plan -out=tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">${{ env.TERRAFORM_PATH }}</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform apply -auto-approve tfplan</span> </code></pre> </div> <h3> Workflow Explanation </h3> <p>This GitHub Action workflow is designed to deploy Terraform to build the layers for a specific path (<code>layers/</code>) within a repository.</p> <p><strong>Triggers:</strong></p> <ul> <li>On push to the main branch, specifically if files within the <code>lambda-python-layers/layers/</code> directory are updated</li> <li>Can be triggered manually via <code>workflow_dispatch</code> </li> </ul> <p><strong>Job Configuration:</strong></p> <ul> <li>Job runs on the <code>ubuntu-latest</code> runner</li> <li>AWS credentials and region are sourced from GitHub Secrets</li> <li>Terraform version (<code>1.6.6</code>) and Python version (<code>3.10</code>) are specified</li> </ul> <p><strong>Steps:</strong></p> <ol> <li>Checkout repository using <code>actions/checkout@v4</code> </li> <li>Install Terraform using <code>hashicorp/setup-terraform@v3</code> </li> <li>Install Python 3.10 using <code>actions/setup-python@v5</code> </li> <li>Run Terraform commands to deploy the layers</li> </ol> <h2> Running the Automation </h2> <h3> Step-by-Step Setup </h3> <p>You can clone the code from my <a href="https://github.com/akhileshmishrabiz/Devops-zero-to-hero" rel="noopener noreferrer">Public GitHub Repo</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone my GitHub repo</span> git clone https://github.com/akhileshmishrabiz/Devops-zero-to-hero.git <span class="c"># Create a folder/directory </span> <span class="nb">mkdir </span>lambda-layer-example <span class="nb">cd </span>lambda-layer-example <span class="c"># Copy the terraform from Devops-zero-to-hero/lambda-python-layers</span> <span class="nb">cp</span> <span class="nt">-r</span> Devops-zero-to-hero/lambda-python-layers <span class="nb">.</span> <span class="c"># Create a .github/workflows folder to store the GitHub Action workflow</span> <span class="nb">mkdir</span> <span class="nt">-p</span> .github/workflows <span class="c"># Create a .yml file </span> <span class="nb">touch</span> .github/workflows/layer-build.yml <span class="c"># Copy the workflow code from the cloned repo</span> <span class="nb">cp </span>Devops-zero-to-hero/.github/workflows/build-lambda-layer.yml .github/workflows/layer-build.yml <span class="c"># Create a github repository and push the code from lambda-layer-example to your repo</span> </code></pre> </div> <h3> Configure GitHub Secrets </h3> <p>Create access and secret keys and store them as secrets in your GitHub repo:</p> <ol> <li>Go to your repo → <strong>Settings</strong> → <strong>Secrets and variables</strong> → <strong>Actions</strong> </li> <li>Create two secrets: <ul> <li> <code>AWS_ACCESS_KEY_ID</code> = Your AWS Access Key</li> <li> <code>AWS_SECRET_ACCESS_KEY</code> = Your AWS Secret Key</li> </ul> </li> </ol> <h3> Deploy the Automation </h3> <p>Push the code to trigger the workflow, or run it manually from the Actions tab.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9qtweyu76rxk8ukxpo4n.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9qtweyu76rxk8ukxpo4n.webp" alt="Image description" width="800" height="201"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4m9zd1co1nq89vk3kfqi.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4m9zd1co1nq89vk3kfqi.webp" alt="Image description" width="800" height="433"></a><br> You can see the layers in your AWS account: <strong>Lambda</strong> → <strong>Layers</strong></p> <h3> AWS Lambda Layers in Console </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbv3zhkik251y3qaja6ur.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbv3zhkik251y3qaja6ur.webp" alt="Image description" width="800" height="201"></a></p> <h2> Benefits of This Automation </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Before Automation</th> <th>After Automation</th> </tr> </thead> <tbody> <tr> <td>❌ Manual zip creation</td> <td>✅ Automated builds</td> </tr> <tr> <td>❌ Platform compatibility issues</td> <td>✅ Consistent Linux builds</td> </tr> <tr> <td>❌ Version management pain</td> <td>✅ Automated versioning</td> </tr> <tr> <td>❌ Manual uploads</td> <td>✅ Automatic deployment</td> </tr> <tr> <td>❌ Cross-account sharing complexity</td> <td>✅ Terraform-managed permissions</td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>This automation solution has saved my team countless hours of manual Lambda Layer management. Instead of spending time on repetitive packaging and uploading tasks, we can focus on writing better Lambda functions.</p> <p>The combination of Terraform and GitHub Actions provides:</p> <ul> <li> <strong>Consistency</strong> across environments</li> <li> <strong>Reproducibility</strong> of builds</li> <li> <strong>Version control</strong> for dependencies</li> <li><strong>Automated security updates</strong></li> </ul> <p>The Terraform code for this is available <a href="https://github.com/akhileshmishrabiz/Devops-zero-to-hero/tree/main/lambda-python-layers" rel="noopener noreferrer">here</a>, and the GitHub Action workflow is <a href="https://github.com/akhileshmishrabiz/Devops-zero-to-hero/blob/main/.github/workflows/build-lambda-layer.yml" rel="noopener noreferrer">here</a>.</p> <h2> About Me </h2> <p>I am Akhilesh Mishra, a self-taught DevOps engineer with 11+ years working on private and public cloud (GCP &amp; AWS) technologies.</p> <p><strong>Connect with me:</strong></p> <ul> <li><a href="https://www.linkedin.com/in/akhilesh-mishra-0ab886124/" rel="noopener noreferrer">LinkedIn</a></li> <li><a href="https://github.com/akhileshmishrabiz" rel="noopener noreferrer">GitHub</a></li> </ul> <h2> Tags </h2> <p><code>#aws</code> <code>#lambda</code> <code>#terraform</code> <code>#automation</code> <code>#devops</code> <code>#serverless</code> <code>#githubactions</code> <code>#infrastructure</code> <code>#iac</code> <code>#cicd</code></p> <p><em>Found this automation helpful? Follow for more AWS and DevOps content!</em></p> aws lambda automation tutorial You Are Making A Big Mistake By Not Scanning Your Terraform Code Akhilesh Mishra Fri, 27 Jun 2025 09:55:32 +0000 https://forem.com/livingdevops/you-are-making-a-big-mistake-by-not-scanning-your-terraform-code-350k https://forem.com/livingdevops/you-are-making-a-big-mistake-by-not-scanning-your-terraform-code-350k <p><em>Stop infrastructure misconfigurations before they become security nightmares - Master Terrascan for bulletproof IaC security</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimages.unsplash.com%2Fphoto-1558494949-ef010cbdcc31%3Fixlib%3Drb-4.0.3%26ixid%3DM3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%253D%253D%26auto%3Dformat%26fit%3Dcrop%26w%3D2089%26q%3D80" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimages.unsplash.com%2Fphoto-1558494949-ef010cbdcc31%3Fixlib%3Drb-4.0.3%26ixid%3DM3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%253D%253D%26auto%3Dformat%26fit%3Dcrop%26w%3D2089%26q%3D80" alt="Infrastructure security scanning with Terrascan" width="2089" height="1172"></a></p> <h2> Complete DevSecOps Guide to Terrascan for Infrastructure as Code Security </h2> <p>Last year, someone I know deployed a Kubernetes cluster that accidentally exposed internal APIs to the internet because of a misconfigured network policy. They caught it during a routine scan, but it could have been much worse.</p> <p><strong>Infrastructure misconfigurations aren't just embarrassing — they're potentially catastrophic.</strong></p> <p>Infrastructure misconfigurations have been behind some of the most notorious security incidents in recent years. From the Capital One breach caused by a misconfigured WAF to the thousands of Elasticsearch instances leaking sensitive data, the pattern is clear: <strong>the security of your cloud depends heavily on your configuration, not just your code.</strong></p> <p>Security in infrastructure code often feels like an afterthought. We're so focused on making things work that we forget to make them secure.</p> <p>At my company, we already use Checkov for basic security scanning, but we've found limitations in its policy coverage and customization options. That's why we're adding <strong>Terrascan</strong> to our security toolkit — it offers deeper analysis, better policy flexibility, and more comprehensive coverage across different cloud providers.</p> <h2> Table of Contents </h2> <ul> <li>Why Infrastructure Security Scanning Matters</li> <li>What is Terrascan?</li> <li>Installation and Setup</li> <li>Basic Usage and Commands</li> <li>Advanced Scanning Techniques</li> <li>Docker Integration</li> <li>CI/CD Pipeline Integration</li> <li>Custom Security Policies</li> <li>Best Practices and Recommendations</li> <li>Troubleshooting Common Issues</li> </ul> <h2> Why Infrastructure Security Scanning Matters </h2> <h3> The Hidden Cost of Misconfigurations </h3> <p><strong>Real-world impact of IaC security failures:</strong></p> <ul> <li>🏦 <strong>Capital One (2019)</strong>: Misconfigured WAF led to 100+ million customer records exposed</li> <li>📊 <strong>Elasticsearch incidents</strong>: Thousands of instances leaked sensitive data due to default configurations</li> <li>☁️ <strong>AWS S3 breaches</strong>: Countless incidents from misconfigured bucket permissions</li> <li>🔐 <strong>Kubernetes exposures</strong>: APIs accidentally exposed to the internet via network policies</li> </ul> <h3> Common Infrastructure Security Risks </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Risk Category</th> <th>Examples</th> <th>Impact Level</th> </tr> </thead> <tbody> <tr> <td><strong>Network Security</strong></td> <td>Open security groups, exposed databases</td> <td>🔴 Critical</td> </tr> <tr> <td><strong>Access Control</strong></td> <td>Overprivileged IAM roles, public buckets</td> <td>🔴 Critical</td> </tr> <tr> <td><strong>Encryption</strong></td> <td>Unencrypted storage, data in transit</td> <td>🟠 High</td> </tr> <tr> <td><strong>Compliance</strong></td> <td>Missing logging, audit trails</td> <td>🟡 Medium</td> </tr> <tr> <td><strong>Resource Management</strong></td> <td>Untagged resources, cost overruns</td> <td>🟡 Medium</td> </tr> </tbody> </table></div> <h2> What is Terrascan? </h2> <p><strong>Terrascan</strong> is an open-source static code analyzer created by Tenable, specially designed for Infrastructure as Code security. It's your first line of defense against configuration vulnerabilities.</p> <h3> Key Features That Set Terrascan Apart </h3> <p>✅ <strong>Multi-Cloud Support</strong>: AWS, Azure, GCP, Kubernetes<br><br> ✅ <strong>Multiple IaC Tools</strong>: Terraform, Helm, Kubernetes, Docker<br><br> ✅ <strong>Custom Policies</strong>: Write organization-specific security rules<br><br> ✅ <strong>CI/CD Integration</strong>: Seamless DevOps workflow integration<br><br> ✅ <strong>Compliance Frameworks</strong>: SOC 2, PCI DSS, GDPR, HIPAA<br><br> ✅ <strong>Active Community</strong>: Regular updates and policy additions </p> <h3> Terrascan vs Competitors </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Terrascan</th> <th>Checkov</th> <th>tfsec</th> <th>Bridgecrew</th> </tr> </thead> <tbody> <tr> <td><strong>Open Source</strong></td> <td>✅ Free</td> <td>✅ Free</td> <td>✅ Free</td> <td>❌ Paid</td> </tr> <tr> <td><strong>Custom Policies</strong></td> <td>✅ Rego</td> <td>✅ Python</td> <td>❌ Limited</td> <td>✅ Advanced</td> </tr> <tr> <td><strong>Multi-Cloud</strong></td> <td>✅ Excellent</td> <td>✅ Good</td> <td>✅ Good</td> <td>✅ Excellent</td> </tr> <tr> <td><strong>Docker Scanning</strong></td> <td>✅ Yes</td> <td>✅ Yes</td> <td>❌ No</td> <td>✅ Yes</td> </tr> <tr> <td><strong>Learning Curve</strong></td> <td>🟡 Moderate</td> <td>🟢 Easy</td> <td>🟢 Easy</td> <td>🔴 Steep</td> </tr> </tbody> </table></div> <h2> Installation and Setup </h2> <h3> Method 1: Homebrew (Mac/Linux) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install via Homebrew (recommended for Mac)</span> brew <span class="nb">install </span>terrascan <span class="c"># Verify installation</span> terrascan version </code></pre> </div> <h3> Method 2: Manual Installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Download latest release</span> curl <span class="nt">-L</span> <span class="s2">"</span><span class="si">$(</span>curl <span class="nt">-s</span> https://api.github.com/repos/tenable/terrascan/releases/latest | <span class="nb">grep</span> <span class="nt">-o</span> <span class="nt">-E</span> <span class="s2">"https://.+?_Darwin_x86_64.tar.gz"</span><span class="si">)</span><span class="s2">"</span> <span class="o">&gt;</span> terrascan.tar.gz <span class="c"># Extract and install</span> <span class="nb">tar</span> <span class="nt">-xf</span> terrascan.tar.gz terrascan <span class="o">&amp;&amp;</span> <span class="nb">rm </span>terrascan.tar.gz <span class="nb">sudo install </span>terrascan /usr/local/bin <span class="o">&amp;&amp;</span> <span class="nb">rm </span>terrascan <span class="c"># Verify installation</span> terrascan version </code></pre> </div> <h3> Method 3: Docker </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run as Docker container</span> docker run <span class="nt">--rm</span> tenable/terrascan version <span class="c"># Scan current directory</span> docker run <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">-v</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">:/iac"</span> <span class="nt">-w</span> /iac tenable/terrascan scan </code></pre> </div> <h2> Basic Usage and Commands </h2> <h3> Your First Scan </h3> <p>Navigate to any directory containing Infrastructure as Code files and run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Basic scan - scans all supported files in current directory</span> terrascan scan </code></pre> </div> <p><strong>Example output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Violated Policies (7): LOW | Ensure S3 bucket has versioning enabled MEDIUM | Ensure S3 bucket has access logging enabled HIGH | Ensure S3 bucket is not publicly readable HIGH | Security group allows ingress from 0.0.0.0/0 to port 22 </code></pre> </div> <p>I ran this command with my code and this is how the results look like</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb60vmldi2eso2ycb34ej.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb60vmldi2eso2ycb34ej.webp" alt="Image description" width="800" height="918"></a></p> <h3> Essential Command Flags </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get comprehensive help</span> terrascan-help </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhq0ycjqbbdb09u8sd2lw.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhq0ycjqbbdb09u8sd2lw.webp" alt="Image description" width="800" height="193"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terrascan scan --help </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Flags: --config-only will output resource config (should only be used for debugging purposes) --config-with-error will output resource config and errors (if any) --find-vuln fetches vulnerabilities identified in Docker images -h, --help help for scan -d, --iac-dir string path to a directory containing one or more IaC files (default ".") -f, --iac-file string path to a single IaC file -i, --iac-type string iac type (arm, cft, docker, helm, k8s, kustomize, terraform, tfplan) --iac-version string iac version (arm: v1, cft: v1, docker: v1, helm: v3, k8s: v1, kustomize: v2, v3, v4, terraform: v12, v13, v14, v15, tfplan: v1) --non-recursive do not scan directories and modules recursively -p, --policy-path stringArray policy path directory -t, --policy-type strings policy type (all, aws, azure, docker, gcp, github, k8s) (default [all]) -r, --remote-type string type of remote backend (git, s3, gcs, http, terraform-registry) -u, --remote-url string url pointing to remote IaC repository --repo-ref string branch of the repo being scanned --repo-url string URL of the repo being scanned, will be reflected in scan summary --scan-rules strings one or more rules to scan (example: --scan-rules="ruleID1,ruleID2") --severity string minimum severity level of the policy violations to be reported by terrascan --show-passed display passed rules, along with violations --skip-rules strings one or more rules to skip while scanning (example: --skip-rules="ruleID1,ruleID2") --use-colors string color output (auto, t, f) (default "auto") --use-terraform-cache use terraform init cache for remote modules (when used directory scan will be non recursive, flag applicable only with terraform IaC provider) --values-files strings one or more values files to scan(applicable for iactype=helm) (example: --values-files="file1-values.yaml,file2-values.yaml") -v, --verbose will show violations with details (applicable for default output) --webhook-token string optional token used when sending authenticated requests to the notification webhook --webhook-url string webhook URL where Terrascan will send JSON scan report and normalized IaC JSON Global Flags: -c, --config-path string config file path -l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info") --log-output-dir string directory path to write the log and output files -x, --log-type string log output type (console, json) (default "console") -o, --output string output type (human, json, yaml, xml, junit-xml, sarif, github-sarif) (default "human") --temp-dir string temporary directory path to download remote repository,module and templates </code></pre> </div> <h3> Target-Specific Scanning </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan specific cloud provider</span> terrascan scan <span class="nt">-t</span> aws <span class="c"># AWS only</span> terrascan scan <span class="nt">-t</span> azure <span class="c"># Azure only </span> terrascan scan <span class="nt">-t</span> gcp <span class="c"># GCP only</span> terrascan scan <span class="nt">-t</span> k8s <span class="c"># Kubernetes only</span> <span class="c"># Scan specific IaC type</span> terrascan scan <span class="nt">-i</span> terraform <span class="c"># Terraform files</span> terrascan scan <span class="nt">-i</span> helm <span class="c"># Helm charts</span> terrascan scan <span class="nt">-i</span> docker <span class="c"># Dockerfiles</span> terrascan scan <span class="nt">-i</span> k8s <span class="c"># Kubernetes manifests</span> </code></pre> </div> <h3> Output Format Options </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># JSON output for automation</span> terrascan scan <span class="nt">-o</span> json <span class="c"># YAML output</span> terrascan scan <span class="nt">-o</span> yaml <span class="c"># SARIF format for GitHub integration</span> terrascan scan <span class="nt">-o</span> sarif <span class="c"># JUnit XML for CI reporting</span> terrascan scan <span class="nt">-o</span> junit-xml </code></pre> </div> <h2> Try out different flags with the command </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terrascan scan -t gcp -i terraform -o json --severity "High" </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc09p8sg8cf9codlsf9i4.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc09p8sg8cf9codlsf9i4.webp" alt="Image description" width="800" height="272"></a></p> <h2> Advanced Scanning Techniques </h2> <h3> Severity-Based Filtering </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Only show high severity issues</span> terrascan scan <span class="nt">--severity</span> <span class="s2">"High"</span> <span class="c"># Show medium and high severity</span> terrascan scan <span class="nt">--severity</span> <span class="s2">"Medium"</span> <span class="c"># Verbose output with details</span> terrascan scan <span class="nt">-v</span> </code></pre> </div> <h3> File and Directory Targeting </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan specific file</span> terrascan scan <span class="nt">-f</span> main.tf <span class="c"># Scan specific directory</span> terrascan scan <span class="nt">-d</span> /path/to/terraform/modules <span class="c"># Non-recursive scan (current directory only)</span> terrascan scan <span class="nt">--non-recursive</span> </code></pre> </div> <h3> Rule Management </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Skip specific rules</span> terrascan scan <span class="nt">--skip-rules</span><span class="o">=</span><span class="s2">"AWS.S3.DS.High.1041,AWS.EC2.NetworkACL.Medium.0506"</span> <span class="c"># Scan only specific rules</span> terrascan scan <span class="nt">--scan-rules</span><span class="o">=</span><span class="s2">"AWS.S3.DS.High.1041,AWS.RDS.DS.High.1025"</span> <span class="c"># Show passed rules along with violations</span> terrascan scan <span class="nt">--show-passed</span> </code></pre> </div> <h3> Remote Repository Scanning </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan remote Git repository</span> terrascan scan <span class="nt">-r</span> git <span class="nt">-u</span> https://github.com/user/repo.git <span class="c"># Scan specific branch</span> terrascan scan <span class="nt">-r</span> git <span class="nt">-u</span> https://github.com/user/repo.git <span class="nt">--repo-ref</span> develop <span class="c"># Scan Terraform modules from registry</span> terrascan scan <span class="nt">-r</span> terraform-registry <span class="nt">-u</span> terraform-aws-modules/vpc/aws </code></pre> </div> <h3> Configuration Debugging </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Output resource configuration for debugging</span> terrascan scan <span class="nt">--config-only</span> <span class="nt">-o</span> json <span class="c"># Show configuration with errors</span> terrascan scan <span class="nt">--config-with-error</span> <span class="c"># Enable debug logging</span> terrascan scan <span class="nt">-l</span> debug </code></pre> </div> <h2> Docker Integration </h2> <h3> Scanning Dockerfiles </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan Dockerfiles for vulnerabilities</span> terrascan scan <span class="nt">-i</span> docker <span class="o">![</span>Image description]<span class="o">(</span>https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wn8vko9mi99c9mc18sxd.webp<span class="o">)</span> <span class="c"># Find vulnerabilities in container images</span> terrascan scan <span class="nt">-i</span> docker <span class="nt">--find-vuln</span> </code></pre> </div> <h3> Running Terrascan in Docker </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Basic Docker usage</span> docker run <span class="nt">--rm</span> <span class="nt">-v</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">:/iac"</span> <span class="nt">-w</span> /iac tenable/terrascan scan <span class="c"># With specific parameters</span> docker run <span class="nt">--rm</span> <span class="nt">-v</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">:/iac"</span> <span class="nt">-w</span> /iac tenable/terrascan scan <span class="nt">-i</span> terraform <span class="nt">-t</span> aws <span class="nt">-o</span> json </code></pre> </div> <h2> CI/CD Pipeline Integration </h2> <h3> GitHub Actions Integration </h3> <p>Create <code>.github/workflows/terrascan.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Terrascan Security Scan</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">main</span><span class="pi">,</span> <span class="nv">develop</span> <span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">main</span> <span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terrascan_job</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terrascan Security Analysis</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Terrascan</span> <span class="na">id</span><span class="pi">:</span> <span class="s">terrascan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">tenable/terrascan-action@main</span> <span class="na">with</span><span class="pi">:</span> <span class="na">iac_type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">terraform'</span> <span class="na">iac_version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">v15'</span> <span class="na">policy_type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">aws'</span> <span class="na">only_warn</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">sarif_upload</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload SARIF file</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/upload-sarif@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">sarif_file</span><span class="pi">:</span> <span class="s">terrascan.sarif</span> </code></pre> </div> <h3> GitLab CI Integration </h3> <p>Add to <code>.gitlab-ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">terrascan_security</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">security</span> <span class="na">image</span><span class="pi">:</span> <span class="s">tenable/terrascan:latest</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">terrascan scan -i terraform -t aws -o json --config-path terrascan-config.toml</span> <span class="na">artifacts</span><span class="pi">:</span> <span class="na">reports</span><span class="pi">:</span> <span class="na">sast</span><span class="pi">:</span> <span class="s">terrascan-results.json</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">merge_requests</span> <span class="pi">-</span> <span class="s">main</span> </code></pre> </div> <h3> Jenkins Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight groovy"><code><span class="n">pipeline</span> <span class="o">{</span> <span class="n">agent</span> <span class="n">any</span> <span class="n">stages</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Terrascan Security Scan'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">script</span> <span class="o">{</span> <span class="n">docker</span><span class="o">.</span><span class="na">image</span><span class="o">(</span><span class="s1">'tenable/terrascan:latest'</span><span class="o">).</span><span class="na">inside</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'terrascan scan -i terraform -o junit-xml &gt; terrascan-results.xml'</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">post</span> <span class="o">{</span> <span class="n">always</span> <span class="o">{</span> <span class="n">publishTestResults</span> <span class="nl">testResultsPattern:</span> <span class="s1">'terrascan-results.xml'</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Pre-commit Hooks </h3> <p>Create <code>.pre-commit-config.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">repos</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/tenable/terrascan</span> <span class="na">rev</span><span class="pi">:</span> <span class="s">v1.18.0</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">terrascan</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">scan'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">-i'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">terraform'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">--severity'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">High'</span><span class="pi">]</span> <span class="na">verbose</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Install and use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install pre-commit</span> pip <span class="nb">install </span>pre-commit <span class="c"># Install hooks</span> pre-commit <span class="nb">install</span> <span class="c"># Run manually</span> pre-commit run terrascan <span class="nt">--all-files</span> </code></pre> </div> <h2> Custom Security Policies </h2> <h3> Understanding Rego Policy Language </h3> <p>Terrascan uses <strong>Rego</strong> (from Open Policy Agent) for custom policies. This allows you to create organization-specific security rules.</p> <h3> Example: Prevent Public SSH Access </h3> <p>Create <code>custom-policies/terraform/no_public_ssh/rule.rego</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">accurics</span> <span class="c1"># Rule to deny SSH access from 0.0.0.0/0</span> <span class="n">deny_public_ssh</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="p">{</span> <span class="n">resource</span> <span class="o">:=</span> <span class="n">input</span><span class="p">.</span><span class="n">aws_security_group</span><span class="p">[</span><span class="n">_</span><span class="p">]</span> <span class="n">rule</span> <span class="o">:=</span> <span class="n">resource</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">ingress</span><span class="p">[</span><span class="n">_</span><span class="p">]</span> <span class="n">rule</span><span class="p">.</span><span class="n">from_port</span> <span class="o">&lt;=</span> <span class="m">22</span> <span class="n">rule</span><span class="p">.</span><span class="n">to_port</span> <span class="o">&gt;=</span> <span class="m">22</span> <span class="n">rule</span><span class="p">.</span><span class="n">cidr_blocks</span><span class="p">[</span><span class="n">_</span><span class="p">]</span> <span class="o">==</span> <span class="s2">"0.0.0.0/0"</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"Security group '%s' allows SSH (port 22) from 0.0.0.0/0"</span><span class="p">,</span> <span class="p">[</span><span class="n">resource</span><span class="p">.</span><span class="n">name</span><span class="p">])</span> <span class="p">}</span> </code></pre> </div> <h3> Example: Enforce Resource Tagging </h3> <p>Create <code>custom-policies/terraform/require_tags/rule.rego</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">accurics</span> <span class="n">required_tags</span> <span class="o">:=</span> <span class="p">[</span><span class="s2">"Environment"</span><span class="p">,</span> <span class="s2">"Owner"</span><span class="p">,</span> <span class="s2">"Project"</span><span class="p">]</span> <span class="c1"># Check if EC2 instances have required tags</span> <span class="n">deny_missing_tags</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="p">{</span> <span class="n">resource</span> <span class="o">:=</span> <span class="n">input</span><span class="p">.</span><span class="n">aws_instance</span><span class="p">[</span><span class="n">_</span><span class="p">]</span> <span class="n">missing_tags</span> <span class="o">:=</span> <span class="n">required_tags</span><span class="p">[</span><span class="n">_</span><span class="p">]</span> <span class="ow">not</span> <span class="n">resource</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">tags</span><span class="p">[</span><span class="n">missing_tags</span><span class="p">]</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"EC2 instance '%s' is missing required tag '%s'"</span><span class="p">,</span> <span class="p">[</span><span class="n">resource</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="n">missing_tags</span><span class="p">])</span> <span class="p">}</span> </code></pre> </div> <h3> Using Custom Policies </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan with custom policies</span> terrascan scan <span class="nt">-p</span> ./custom-policies <span class="c"># Combine with built-in policies</span> terrascan scan <span class="nt">-p</span> ./custom-policies <span class="nt">-t</span> aws </code></pre> </div> <h3> Policy Development Best Practices </h3> <ol> <li> <strong>Start Simple</strong>: Begin with basic rules and iterate</li> <li> <strong>Test Thoroughly</strong>: Use different scenarios to validate policies</li> <li> <strong>Document Rules</strong>: Include clear descriptions and examples</li> <li> <strong>Version Control</strong>: Store policies in Git with your infrastructure code</li> <li> <strong>Peer Review</strong>: Have security and DevOps teams review custom policies</li> </ol> <h2> Best Practices and Recommendations </h2> <h3> 1. Implement Shift-Left Security </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run in development environment</span> terrascan scan <span class="nt">-i</span> terraform <span class="nt">--severity</span> High <span class="c"># Integrate with IDE plugins</span> <span class="c"># Use VS Code Terrascan extension</span> </code></pre> </div> <h3> 2. Create Security Gates </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># GitHub Actions example with failure conditions</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terrascan Security Gate</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terrascan scan -i terraform -o json &gt; results.json</span> <span class="s">HIGH_ISSUES=$(jq '.results.violations[] | select(.severity == "HIGH") | length' results.json)</span> <span class="s">if [ "$HIGH_ISSUES" -gt 0 ]; then</span> <span class="s">echo "❌ High severity security issues found. Blocking deployment."</span> <span class="s">exit 1</span> <span class="s">fi</span> </code></pre> </div> <h3> 3. Configure Organization Policies </h3> <p>Create <code>terrascan-config.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[rules]</span> <span class="py">skip-rules</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"AWS.S3.DS.High.1041"</span><span class="p">,</span> <span class="c"># Allow specific exceptions</span> <span class="p">]</span> <span class="nn">[severity]</span> <span class="py">level</span> <span class="p">=</span> <span class="s">"MEDIUM"</span> <span class="nn">[output]</span> <span class="py">format</span> <span class="p">=</span> <span class="s">"json"</span> <span class="nn">[notifications]</span> <span class="py">webhook-url</span> <span class="p">=</span> <span class="s">"https://hooks.slack.com/your-webhook"</span> </code></pre> </div> <h3> 4. Regular Policy Updates </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Stay updated with latest policies</span> docker pull tenable/terrascan:latest <span class="c"># Check for new rule releases</span> terrascan scan <span class="nt">--help</span> | <span class="nb">grep</span> <span class="nt">-A</span> 20 <span class="s2">"policy-type"</span> </code></pre> </div> <h2> Troubleshooting Common Issues </h2> <h3> Issue 1: False Positives </h3> <p><strong>Problem</strong>: Legitimate configurations flagged as violations</p> <p><strong>Solution</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Skip specific rules for false positives</span> terrascan scan <span class="nt">--skip-rules</span><span class="o">=</span><span class="s2">"RULE_ID_1,RULE_ID_2"</span> <span class="c"># Use inline comments in Terraform</span> resource <span class="s2">"aws_s3_bucket"</span> <span class="s2">"example"</span> <span class="o">{</span> <span class="c"># ts:skip=AWS.S3.DS.High.1041 Business requirement for public access</span> bucket <span class="o">=</span> <span class="s2">"my-public-bucket"</span> <span class="o">}</span> </code></pre> </div> <h3> Issue 2: Performance with Large Codebases </h3> <p><strong>Problem</strong>: Slow scanning on large repositories</p> <p><strong>Solution</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Use non-recursive scanning</span> terrascan scan <span class="nt">--non-recursive</span> <span class="c"># Scan specific directories</span> terrascan scan <span class="nt">-d</span> terraform/modules/security <span class="c"># Use .terrascignore file</span> <span class="nb">echo</span> <span class="s2">"*.backup"</span> <span class="o">&gt;</span> .terrascignore <span class="nb">echo</span> <span class="s2">"test/"</span> <span class="o">&gt;&gt;</span> .terrascignore </code></pre> </div> <h3> Issue 3: Custom Policy Errors </h3> <p><strong>Problem</strong>: Rego policy compilation errors</p> <p><strong>Solution</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test policy syntax</span> opa <span class="nb">fmt </span>custom-policies/ <span class="c"># Validate policy structure</span> opa <span class="nb">test </span>custom-policies/ </code></pre> </div> <h2> Advanced Configuration Options </h2> <h3> Webhook Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Send results to webhook</span> terrascan scan <span class="nt">--webhook-url</span> https://your-webhook.com/endpoint <span class="nt">--webhook-token</span> your-token </code></pre> </div> <h3> Multi-Environment Scanning </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Development environment</span> terrascan scan <span class="nt">-d</span> environments/dev <span class="nt">--severity</span> Low <span class="c"># Production environment </span> terrascan scan <span class="nt">-d</span> environments/prod <span class="nt">--severity</span> High <span class="nt">--config-path</span> prod-config.toml </code></pre> </div> <h2> Security Scanning Metrics and KPIs </h2> <p>Track your infrastructure security improvements:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Target</th> <th>Measurement</th> </tr> </thead> <tbody> <tr> <td><strong>Critical Issues</strong></td> <td>0</td> <td>High severity violations</td> </tr> <tr> <td><strong>Scan Coverage</strong></td> <td>100%</td> <td>% of IaC files scanned</td> </tr> <tr> <td><strong>Policy Compliance</strong></td> <td>&gt;95%</td> <td>Passed rules / Total rules</td> </tr> <tr> <td><strong>Mean Time to Fix</strong></td> <td>&lt;24h</td> <td>Time from detection to resolution</td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>Infrastructure security can't be an afterthought anymore. With the rise in cloud misconfigurations leading to major breaches, scanning your Infrastructure as Code is no longer optional — it's essential.</p> <p><strong>Key takeaways:</strong></p> <p>🔒 <strong>Prevention is cheaper than remediation</strong> - Catch issues before deployment<br><br> ⚡ <strong>Automation is key</strong> - Integrate scanning into your CI/CD pipeline<br><br> 📋 <strong>Custom policies matter</strong> - Tailor security rules to your organization<br><br> 📊 <strong>Measure and improve</strong> - Track security metrics and continuously improve </p> <p>Terrascan makes infrastructure security scanning accessible and powerful, automatically checking your code against hundreds of security policies while allowing complete customization for your organization's specific needs.</p> <p>Start implementing Terrascan today, and transform your infrastructure security from reactive to proactive.</p> <h2> Related DevSecOps Articles </h2> <ul> <li><a href="https://dev.to/example">Complete Docker Security Scanning Guide</a></li> <li><a href="https://dev.to/example">Kubernetes Security Best Practices</a></li> <li><a href="https://dev.to/example">AWS Security Automation with CloudFormation</a></li> <li><a href="https://dev.to/example">Azure DevSecOps Pipeline Implementation</a></li> </ul> <h2> Resources and References </h2> <ul> <li>📚 <a href="https://docs.tenable.com/terrascan/" rel="noopener noreferrer">Terrascan Official Documentation</a> </li> <li>🐙 <a href="https://github.com/tenable/terrascan" rel="noopener noreferrer">Terrascan GitHub Repository</a> </li> <li>📖 <a href="https://www.openpolicyagent.org/docs/latest/policy-language/" rel="noopener noreferrer">Rego Policy Language Guide</a> </li> <li>🎓 <a href="https://owasp.org/www-project-devsecops-guideline/" rel="noopener noreferrer">DevSecOps Best Practices</a> </li> </ul> <h2> Tags </h2> <p><code>#devsecops</code> <code>#terraform</code> <code>#security</code> <code>#iac</code> <code>#cloudsecurity</code> <code>#automation</code> <code>#cicd</code> <code>#scanning</code> <code>#compliance</code> <code>#devops</code> <code>#kubernetes</code> <code>#aws</code> <code>#azure</code> <code>#gcp</code></p> <p><em>Found this guide helpful? Follow for more DevSecOps and cloud security content!</em></p> <p><strong>Connect with the author:</strong></p> <ul> <li><a href="https://www.linkedin.com/in/akhilesh-mishra-0ab886124/" rel="noopener noreferrer">LinkedIn</a></li> <li><a href="https://github.com/akhileshmishrabiz" rel="noopener noreferrer">GitHub</a></li> </ul> <p><em>Akhilesh Mishra is a DevSecOps engineer with 12+ years of experience in cloud security, infrastructure automation, and security tooling at KPMG UK.</em></p> security devops programming How to Auto-Generate requirements.txt for Python Projects: Complete Guide to pipreqs and pigar Akhilesh Mishra Thu, 26 Jun 2025 11:29:20 +0000 https://forem.com/livingdevops/how-to-auto-generate-requirementstxt-for-python-projects-complete-guide-to-pipreqs-and-pigar-19p0 https://forem.com/livingdevops/how-to-auto-generate-requirementstxt-for-python-projects-complete-guide-to-pipreqs-and-pigar-19p0 <p><em>Stop manually hunting for Python dependencies - automate requirements.txt generation with these powerful tools</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimages.unsplash.com%2Fphoto-1516259762381-22954d7d3ad2%3Fixlib%3Drb-4.0.3%26ixid%3DM3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%253D%253D%26auto%3Dformat%26fit%3Dcrop%26w%3D2089%26q%3D80" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimages.unsplash.com%2Fphoto-1516259762381-22954d7d3ad2%3Fixlib%3Drb-4.0.3%26ixid%3DM3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%253D%253D%26auto%3Dformat%26fit%3Dcrop%26w%3D2089%26q%3D80" alt="Python dependency management tools" width="800" height="522"></a></p> <p>As a DevOps engineer, I frequently collaborate with multiple teams, diving into various projects and repositories. One common challenge I face is encountering Python code without a <code>requirements.txt</code> file.</p> <p>Every time I run such code, I need to figure out and manually install the necessary dependencies. I found it a waste of time and effort. I am sure you guys also feel the same way.</p> <p>So I dug around, did some Google searches, experimented with a few tools, and found many good ones. My favorites are <strong>pipreqs</strong> and <strong>pigar</strong>. </p> <p>In this comprehensive guide, I'll show you how to use these Python dependency management tools to generate <code>requirements.txt</code> files automatically for any Python project.</p> <h2> Table of Contents </h2> <ul> <li>Why Not Use pip freeze?</li> <li>Method 1: Using pipreqs</li> <li>Method 2: Using pigar</li> <li>Comparison and Best Practices</li> </ul> <h2> Why Not Use pip freeze? </h2> <p>Before diving into the solutions, let's address why <code>pip freeze</code> isn't always the best choice for generating <code>requirements.txt</code>:</p> <p>❌ <strong>pip freeze problems:</strong></p> <ul> <li>Only saves packages installed with <code>pip install</code> in your current environment</li> <li>Includes ALL packages in the environment, even those not used in your project (if you don't use virtualenv)</li> <li>Sometimes you need to create <code>requirements.txt</code> for a new project without installing modules first</li> <li>Can include system-wide packages that aren't relevant to your project</li> </ul> <p>✅ <strong>What we need instead:</strong></p> <ul> <li>Tools that analyze your actual Python code</li> <li>Generate requirements based on import statements</li> <li>Create clean, project-specific dependency lists</li> </ul> <h2> Method 1: Using pipreqs - The Import-Based Analyzer </h2> <h3> What is pipreqs? </h3> <p><code>pipreqs</code> is a Python tool that analyzes your Python files and generates <code>requirements.txt</code> based on the actual imports in your code. It's smart, fast, and doesn't require installing packages beforehand.</p> <h3> Setting Up Your Environment </h3> <p>I recommend working with isolated Python virtual environments for better dependency management:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a project directory</span> <span class="nb">mkdir </span>python-requirements-demo <span class="nb">cd </span>python-requirements-demo <span class="c"># Create and activate virtual environment</span> python3 <span class="nt">-m</span> venv venv <span class="nb">source </span>venv/bin/activate <span class="c"># On Windows: venv\Scripts\activate</span> </code></pre> </div> <h3> Installing pipreqs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>pipreqs </code></pre> </div> <h3> Practical Example: Word Cloud Generator </h3> <p>Let's create a real Python project to demonstrate pipreqs. Create a directory and file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>project <span class="nb">cd </span>project </code></pre> </div> <p>Create <code>word_cloud_generator.py</code> with the following code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">matplotlib.pyplot</span> <span class="k">as</span> <span class="n">plt</span> <span class="kn">from</span> <span class="n">wordcloud</span> <span class="kn">import</span> <span class="n">WordCloud</span> <span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">Counter</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">from</span> <span class="n">PIL</span> <span class="kn">import</span> <span class="n">Image</span> <span class="kn">import</span> <span class="n">numpy</span> <span class="k">as</span> <span class="n">np</span> <span class="kn">import</span> <span class="n">argparse</span> <span class="kn">from</span> <span class="n">io</span> <span class="kn">import</span> <span class="n">BytesIO</span> <span class="k">def</span> <span class="nf">get_mask_image</span><span class="p">(</span><span class="n">url</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Download and process mask image from URL</span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> <span class="n">img</span> <span class="o">=</span> <span class="n">Image</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="nc">BytesIO</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">))</span> <span class="k">return</span> <span class="n">np</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="n">img</span><span class="p">)</span> <span class="k">def</span> <span class="nf">create_word_cloud</span><span class="p">(</span><span class="n">text</span><span class="p">,</span> <span class="n">mask_url</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Generate word cloud from text with optional mask</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">mask_url</span><span class="p">:</span> <span class="n">mask</span> <span class="o">=</span> <span class="nf">get_mask_image</span><span class="p">(</span><span class="n">mask_url</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">mask</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">wordcloud</span> <span class="o">=</span> <span class="nc">WordCloud</span><span class="p">(</span> <span class="n">width</span><span class="o">=</span><span class="mi">800</span><span class="p">,</span> <span class="n">height</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">background_color</span><span class="o">=</span><span class="sh">'</span><span class="s">white</span><span class="sh">'</span><span class="p">,</span> <span class="n">mask</span><span class="o">=</span><span class="n">mask</span><span class="p">,</span> <span class="n">contour_width</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">contour_color</span><span class="o">=</span><span class="sh">'</span><span class="s">black</span><span class="sh">'</span> <span class="p">).</span><span class="nf">generate</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> <span class="n">plt</span><span class="p">.</span><span class="nf">figure</span><span class="p">(</span><span class="n">figsize</span><span class="o">=</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="mi">5</span><span class="p">))</span> <span class="n">plt</span><span class="p">.</span><span class="nf">imshow</span><span class="p">(</span><span class="n">wordcloud</span><span class="p">,</span> <span class="n">interpolation</span><span class="o">=</span><span class="sh">'</span><span class="s">bilinear</span><span class="sh">'</span><span class="p">)</span> <span class="n">plt</span><span class="p">.</span><span class="nf">axis</span><span class="p">(</span><span class="sh">'</span><span class="s">off</span><span class="sh">'</span><span class="p">)</span> <span class="n">plt</span><span class="p">.</span><span class="nf">show</span><span class="p">()</span> <span class="k">def</span> <span class="nf">parse_arguments</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Parse command line arguments</span><span class="sh">"""</span> <span class="n">parser</span> <span class="o">=</span> <span class="n">argparse</span><span class="p">.</span><span class="nc">ArgumentParser</span><span class="p">(</span><span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Generate a word cloud from input text</span><span class="sh">"</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">--text</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">-t</span><span class="sh">'</span><span class="p">,</span> <span class="n">required</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">"</span><span class="s">Input text for word cloud</span><span class="sh">"</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">--mask_url</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">-m</span><span class="sh">'</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">"</span><span class="s">URL of mask image for word cloud shape</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">parser</span><span class="p">.</span><span class="nf">parse_args</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="n">args</span> <span class="o">=</span> <span class="nf">parse_arguments</span><span class="p">()</span> <span class="nf">create_word_cloud</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">text</span><span class="p">,</span> <span class="n">args</span><span class="p">.</span><span class="n">mask_url</span><span class="p">)</span> </code></pre> </div> <h3> Generating requirements.txt with pipreqs </h3> <p>Now comes the magic! Instead of manually figuring out dependencies, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate requirements.txt for the project directory</span> pipreqs project </code></pre> </div> <p><strong>Output in <code>requirements.txt</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>matplotlib==3.9.1 numpy==2.0.0 Pillow==10.4.0 Requests==2.32.3 wordcloud==1.9.3 </code></pre> </div> <h3> Installing and Testing Dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install all dependencies at once</span> pip <span class="nb">install</span> <span class="nt">-r</span> project/requirements.txt <span class="c"># Test the script</span> python project/word_cloud_generator.py <span class="nt">--text</span> <span class="s2">"Python dependency management made easy"</span> <span class="c"># With mask image</span> python project/word_cloud_generator.py <span class="nt">--text</span> <span class="s2">"pipreqs is awesome"</span> <span class="nt">--mask_url</span> <span class="s2">"https://example.com/mask.jpg"</span> </code></pre> </div> <h3> Advanced pipreqs Options </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate requirements for specific directory</span> pipreqs /path/to/your/project <span class="c"># Specify output file name</span> pipreqs <span class="nb">.</span> <span class="nt">--savepath</span> requirements-dev.txt <span class="c"># Force overwrite existing requirements.txt</span> pipreqs <span class="nb">.</span> <span class="nt">--force</span> <span class="c"># Use local database for package names</span> pipreqs <span class="nb">.</span> <span class="nt">--use-local</span> <span class="c"># Debug mode for troubleshooting</span> pipreqs <span class="nb">.</span> <span class="nt">--debug</span> </code></pre> </div> <h2> Method 2: Using pigar - The Advanced Dependency Scanner </h2> <h3> What is pigar? </h3> <p><code>pigar</code> is another excellent tool for generating Python requirements. It offers more advanced features and better handling of complex projects.</p> <h3> Installing pigar </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Using pip</span> pip <span class="nb">install </span>pigar <span class="c"># From source (latest features)</span> pip <span class="nb">install </span>git+https://github.com/damnever/pigar.git@main <span class="nt">--upgrade</span> <span class="c"># Using conda</span> conda <span class="nb">install</span> <span class="nt">-c</span> conda-forge pigar </code></pre> </div> <h3> Real-World Example: Flask Application </h3> <p>Let's test pigar with a Flask application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone a sample Flask project</span> git clone https://github.com/akhileshmishrabiz/Devops-zero-to-hero <span class="nb">cd </span>Devops-zero-to-hero/project5 <span class="c"># Remove existing requirements.txt for demo</span> <span class="nb">rm </span>requirements.txt </code></pre> </div> <h3> Generating requirements with pigar </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate requirements.txt for current directory</span> pigar generate <span class="c"># Check the generated file</span> <span class="nb">cat </span>requirements.txt </code></pre> </div> <p><strong>Output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Automatically generated by https://github.com/damnever/pigar. Flask==3.0.3 Flask-SQLAlchemy==3.1.1 </code></pre> </div> <h3> Advanced pigar Usage </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate requirements for specific directory with custom filename</span> pigar gen <span class="nt">-f</span> custom-requirements.txt /path/to/project <span class="c"># Example with Python Lambda project</span> pigar gen <span class="nt">-f</span> python-lambda-requirements.txt python-for-devops/python-lambda-runtime/ </code></pre> </div> <p><strong>Output for Lambda project:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Automatically generated by https://github.com/damnever/pigar. boto3==1.34.142 colorlog==6.8.2 packaging==24.1 </code></pre> </div> <h3> pigar Advanced Features </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check for outdated packages</span> pigar check <span class="c"># Search for packages</span> pigar search numpy <span class="c"># Show package information</span> pigar show requests </code></pre> </div> <h2> Comparison: pipreqs vs pigar </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>pipreqs</th> <th>pigar</th> </tr> </thead> <tbody> <tr> <td><strong>Speed</strong></td> <td>⚡ Very Fast</td> <td>🔄 Moderate</td> </tr> <tr> <td><strong>Accuracy</strong></td> <td>✅ High</td> <td>✅ Very High</td> </tr> <tr> <td><strong>Local imports</strong></td> <td>❌ Limited</td> <td>✅ Excellent</td> </tr> <tr> <td><strong>Complex projects</strong></td> <td>✅ Good</td> <td>✅ Excellent</td> </tr> <tr> <td><strong>Additional features</strong></td> <td>❌ Basic</td> <td>✅ Package search, outdated checks</td> </tr> <tr> <td><strong>File size</strong></td> <td>📦 Lightweight</td> <td>📦 Slightly larger</td> </tr> </tbody> </table></div> <h2> Best Practices for Python Dependency Management </h2> <h3> 1. Use Virtual Environments </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Always create isolated environments</span> python <span class="nt">-m</span> venv project-env <span class="nb">source </span>project-env/bin/activate </code></pre> </div> <h3> 2. Pin Exact Versions </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Good - specific versions requests==2.32.3 numpy==2.0.0 # Avoid - unpinned versions requests numpy </code></pre> </div> <h3> 3. Separate Development Dependencies </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create different requirement files</span> pigar gen <span class="nt">-f</span> requirements.txt <span class="nb">.</span> <span class="c"># Production</span> pigar gen <span class="nt">-f</span> requirements-dev.txt <span class="nb">.</span> <span class="c"># Development</span> </code></pre> </div> <h3> 4. Regular Dependency Audits </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check for security vulnerabilities</span> pip-audit <span class="nt">-r</span> requirements.txt <span class="c"># Update outdated packages</span> pip list <span class="nt">--outdated</span> </code></pre> </div> <h2> Troubleshooting Common Issues </h2> <h3> pipreqs Not Finding All Imports </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Use debug mode</span> pipreqs <span class="nb">.</span> <span class="nt">--debug</span> <span class="c"># Force scan all files</span> pipreqs <span class="nb">.</span> <span class="nt">--scan-notebooks</span> </code></pre> </div> <h3> pigar Missing Local Modules </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Include local packages</span> pigar gen <span class="nt">--with-referenced-comments</span> </code></pre> </div> <h3> Version Conflicts </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate without version pins</span> pipreqs <span class="nb">.</span> <span class="nt">--no-version</span> <span class="c"># Then manually specify versions</span> </code></pre> </div> <h2> Automation with CI/CD </h2> <h3> GitHub Actions Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Check Requirements</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">check-deps</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Generate requirements</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pip install pipreqs</span> <span class="s">pipreqs . --force</span> <span class="s">git diff --exit-code requirements.txt</span> </code></pre> </div> <h2> Conclusion </h2> <p>Both <code>pipreqs</code> and <code>pigar</code> are excellent tools for automating Python dependency management:</p> <ul> <li> <strong>Choose pipreqs</strong> for: Simple projects, fast generation, lightweight solution</li> <li> <strong>Choose pigar</strong> for: Complex projects, advanced features, comprehensive analysis</li> </ul> <p>Stop wasting time manually managing Python dependencies. These tools will save you hours and reduce deployment errors significantly.</p> <h2> Next Steps </h2> <ol> <li>Try both tools on your existing Python projects</li> <li>Integrate dependency generation into your development workflow</li> <li>Set up automated checks in your CI/CD pipeline</li> <li>Share this guide with your team to standardize dependency management</li> </ol> <h2> Related Python Articles </h2> <ul> <li><a href="https://dev.to/example">Complete Guide to Python Virtual Environments</a></li> <li><a href="https://dev.to/livingdevops/i-ditched-python-built-in-logging-for-loguru-you-should-too-514m">Python Logging with Loguru - Advanced Tutorial</a></li> </ul> <h2> Tags </h2> <p><code>#python</code> <code>#devops</code> <code>#dependencies</code> <code>#automation</code> <code>#pip</code> <code>#requirements</code> <code>#development</code> <code>#productivity</code> <code>#tools</code> <code>#tutorial</code></p> <p><em>Found this helpful? Follow for more Python and DevOps tutorials!</em></p> <p><strong>Connect with the author:</strong></p> <ul> <li><a href="https://www.linkedin.com/in/akhilesh-mishra-0ab886124/" rel="noopener noreferrer">LinkedIn</a></li> <li><a href="https://github.com/akhileshmishrabiz" rel="noopener noreferrer">GitHub</a></li> </ul> programming python I Ditched Python Built-In Logging For Loguru — You Should Too Akhilesh Mishra Wed, 25 Jun 2025 21:13:58 +0000 https://forem.com/livingdevops/i-ditched-python-built-in-logging-for-loguru-you-should-too-514m https://forem.com/livingdevops/i-ditched-python-built-in-logging-for-loguru-you-should-too-514m <p><em>A Complete Guide to better logging in Python with loguru</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimages.unsplash.com%2Fphoto-1551288049-bebda4e38f71%3Fixlib%3Drb-4.0.3%26ixid%3DM3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%253D%253D%26auto%3Dformat%26fit%3Dcrop%26w%3D2070%26q%3D80" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimages.unsplash.com%2Fphoto-1551288049-bebda4e38f71%3Fixlib%3Drb-4.0.3%26ixid%3DM3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%253D%253D%26auto%3Dformat%26fit%3Dcrop%26w%3D2070%26q%3D80" alt="Photo by bady abbas on Unsplash" width="2070" height="1380"></a></p> <p>I have been using Python's built-in logging module for years, I have always found it quite boring. It cannot be customized beyond a point.</p> <p>I wanted to include some color coding in my log messages, but had to use a third-party package, for it. I wished Python built-in logging module has options to customise logs with ease.</p> <p>Then I stumbled upon <strong>loguru</strong> and found it interesting. I spent some time with this yesterday and fell in love with it.</p> <p>By the end of this blog post, you will fall for it too.</p> <h2> Understanding Log Levels </h2> <p>When talking about logging, loglevel is an important term, they are like a severity scale for your messages. By assigning different levels to log messages, it becomes easier to focus on critical issues while reducing noise from less important events while troubleshooting or monitoring.</p> <p>While the Python builtin module comes with <code>DEBUG</code>, <code>INFO</code>, <code>WARNING</code>, <code>ERROR</code>, and <code>CRITICAL</code>, loguru include 2 more log levels, <code>TRACE</code> and <code>SUCCESS</code>.</p> <p>Here is the table to remember log levels in order of increasing priority:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Level</th> <th>Priority</th> </tr> </thead> <tbody> <tr> <td>TRACE</td> <td>5</td> </tr> <tr> <td>DEBUG</td> <td>10</td> </tr> <tr> <td>INFO</td> <td>20</td> </tr> <tr> <td>SUCCESS</td> <td>25</td> </tr> <tr> <td>WARNING</td> <td>30</td> </tr> <tr> <td>ERROR</td> <td>40</td> </tr> <tr> <td>CRITICAL</td> <td>50</td> </tr> </tbody> </table></div> <p>Enough with the talking, let me show you what we can do with <strong>loguru</strong> and why I fell in love with it.</p> <h2> Installing Loguru </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>loguru </code></pre> </div> <h2> Basic Usage </h2> <p>To use Loguru, import the logger from loguru module and use it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="n">logger</span><span class="p">.</span><span class="nf">trace</span><span class="p">(</span><span class="sh">"</span><span class="s">Hi, This is Akhilesh Mishra</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sh">"</span><span class="s">I will show how to use loguru for better logging in python</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s"> I love how the logs look</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sh">"</span><span class="s">Different color of each section of log</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sh">"</span><span class="s">Easy to get started with</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">critical</span><span class="p">(</span> <span class="sh">"</span><span class="s">So many options to choose from</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">success</span><span class="p">(</span><span class="sh">"</span><span class="s"> You see what i am talking about</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnjdq6ir2gq7vi56ojq8e.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnjdq6ir2gq7vi56ojq8e.webp" alt="Image description" width="800" height="106"></a><br> <strong>Output format:</strong> <code>date | level | file location: scope: line number - message</code></p> <p>You can see that the trace output is not printed. Default log level for loguru is debug.</p> <h2> Changing the Default Log Level </h2> <p>We can use logger's <code>add()</code> function to change the default loglevel, update the log's formatting.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">,</span> <span class="n">level</span><span class="o">=</span><span class="sh">"</span><span class="s">TRACE</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">trace</span><span class="p">(</span><span class="sh">"</span><span class="s">Hi, This is Akhilesh Mishra</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4e1xo1uwefi8zwu96l2o.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4e1xo1uwefi8zwu96l2o.webp" alt="Image description" width="800" height="82"></a></p> <h2> Change the Formatting with Loguru </h2> <p>Unlike Python's built-in logging module, you can add a handler, update formatting, and change the log level in just one line — with <code>add()</code> function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="n">logger</span><span class="p">.</span><span class="nf">remove</span><span class="p">()</span> <span class="c1"># remove the old formatting </span><span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span> <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s">{time}::{level} --- {message}</span><span class="sh">"</span><span class="p">,</span> <span class="n">level</span><span class="o">=</span><span class="sh">"</span><span class="s">INFO</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sh">"</span><span class="s"> Add a handler, update formatting, and change the loglevel</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s"> one function to rule them all</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">success</span><span class="p">(</span><span class="sh">"</span><span class="s"> logger.add()</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F83l5on6vpynilhbynglw.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F83l5on6vpynilhbynglw.webp" alt="Image description" width="800" height="121"></a></p> <h2> Pretty Logging with Colors </h2> <p>You can change the color of these output messages by using HTML like syntax.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">logger</span><span class="p">.</span><span class="nf">remove</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span> <span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s"> &lt;yellow&gt;{time} &lt;/yellow&gt;:: &lt;green&gt; &lt;bold&gt; {level} &lt;/bold&gt; &lt;/green&gt;--- &lt;blue&gt; {message} &lt;/blue&gt;</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Set the colors you want to use for logs</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">success</span><span class="p">(</span><span class="sh">"</span><span class="s"> How easy it was???</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgdchg7ep4mik8d9x8qkz.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgdchg7ep4mik8d9x8qkz.webp" alt="Image description" width="800" height="161"></a></p> <h2> Change the Time Formatting </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="n">logger</span><span class="p">.</span><span class="nf">remove</span><span class="p">()</span> <span class="c1"># MMMM D, YYYY &gt; HH:mm:ss!UTC : UTC time </span><span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s">{time:MMMM D, YYYY &gt; HH:mm:ss!UTC} | {level} | &lt;level&gt;{message} &lt;/level&gt;</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sh">"</span><span class="s"> Use time format-&gt; {time:MMMM D, YYYY &gt; HH:mm:ss!UTC}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">success</span><span class="p">(</span><span class="sh">"</span><span class="s">Use the default color from level: &lt;level&gt;{message} &lt;/level&gt;</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>You can use more options with time, check the <a href="https://loguru.readthedocs.io/en/stable/api/logger.html#time" rel="noopener noreferrer">loguru documentation</a> for more time formatting options.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxwlrvenak66j47957uu5.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxwlrvenak66j47957uu5.webp" alt="Image description" width="800" height="84"></a></p> <h2> Sending Logs to a File </h2> <p>Loguru sends logs to the console by default, but you can configure it to send logs to a file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="sh">"</span><span class="s">log_file_demo.log</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Let's use formatted logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="n">logger</span><span class="p">.</span><span class="nf">remove</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="sh">"</span><span class="s">file_{time}.log</span><span class="sh">"</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s">{time:MMMM D, YYYY &gt; HH:mm:ss} | {level} | &lt;level&gt;{message} &lt;/level&gt;</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">using file logging</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">success</span><span class="p">(</span><span class="sh">"</span><span class="s"> will send logs to the file</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxkoic5weiyjmn1ou2l0u.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxkoic5weiyjmn1ou2l0u.webp" alt="Image description" width="800" height="189"></a></p> <h2> Log Rotation, Retention, and Compression </h2> <p>Loguru also allows you to rotate/retain/compress logs with time and size filters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="sh">"</span><span class="s">log_rotate.log</span><span class="sh">"</span><span class="p">,</span> <span class="n">rotation</span><span class="o">=</span><span class="sh">"</span><span class="s">500 MB</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Automatically rotate too big file </span><span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="sh">"</span><span class="s">log_rotate2.log</span><span class="sh">"</span><span class="p">,</span> <span class="n">rotation</span><span class="o">=</span><span class="sh">"</span><span class="s">12:00</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># New file is created each day at noon </span><span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="sh">"</span><span class="s">log_rotate3.log</span><span class="sh">"</span><span class="p">,</span> <span class="n">rotation</span><span class="o">=</span><span class="sh">"</span><span class="s">1 week</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Once the file is too old, it's rotated </span> <span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="sh">"</span><span class="s">log_retention.log</span><span class="sh">"</span><span class="p">,</span> <span class="n">retention</span><span class="o">=</span><span class="sh">"</span><span class="s">10 days</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Cleanup after some time </span> <span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="sh">"</span><span class="s">log_retention2.log</span><span class="sh">"</span><span class="p">,</span> <span class="n">compression</span><span class="o">=</span><span class="sh">"</span><span class="s">zip</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Save some loved space </span></code></pre> </div> <h2> JSON Logging </h2> <p>Loguru supports logging in JSON format with <code>serialize=True</code> option.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="n">logger</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span> <span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s">{time:MMMM D: YYYY:: HH:mm:ss!UTC} | {level} | {message}</span><span class="sh">"</span><span class="p">,</span> <span class="n">serialize</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sh">"</span><span class="s"> Its addictive, use with caution !</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">success</span><span class="p">(</span><span class="sh">"</span><span class="s">I know you started liking loguru</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F867ryh8wl1sc1rxrsa90.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F867ryh8wl1sc1rxrsa90.webp" alt="Image description" width="800" height="186"></a></p> <h2> Adding Context to Log Messages </h2> <p>Suppose you want to add some additional information to the log message for context, you can use the <code>bind()</code> method.</p> <p>You can add directive <code>extra</code> to the format in your logger <code>add()</code> method to add custom entries to the logs output.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="c1"># Remove the default logger </span><span class="n">logger</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># Add a new logger that outputs to sys.stderr </span><span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span> <span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s"> {level} | &lt;level&gt;{message}&lt;/level&gt; | {extra} </span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># Create a new logger with some initial context </span><span class="n">context_logger</span> <span class="o">=</span> <span class="n">logger</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="n">author</span><span class="o">=</span><span class="sh">"</span><span class="s">Akhilesh</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">demo</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Log an info message with the current context </span><span class="n">context_logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">You can pass context with logs!</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0r0oc6feidsiife8o1ul.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0r0oc6feidsiife8o1ul.webp" alt="Image description" width="800" height="109"></a></p> <p>You can further customize the context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Bind additional context to the logger and log a warning message </span><span class="n">context_logger</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="n">blog_type</span><span class="o">=</span><span class="sh">"</span><span class="s">Tutorial</span><span class="sh">"</span><span class="p">).</span><span class="nf">warning</span><span class="p">(</span> <span class="sh">"</span><span class="s">You can use extra attributes to bind context!</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Log a success message with additional context provided during formatting </span><span class="n">context_logger</span><span class="p">.</span><span class="nf">success</span><span class="p">(</span> <span class="sh">"</span><span class="s">Use kwargs to add context during formatting: {platform}</span><span class="sh">"</span><span class="p">,</span> <span class="n">platform</span><span class="o">=</span><span class="sh">"</span><span class="s">Medium</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F75tan8ye04tvqdasiwv0.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F75tan8ye04tvqdasiwv0.webp" alt="Image description" width="800" height="73"></a></p> <h2> Using Context Managers </h2> <p>We can also use the Python context manager to modify a context-local state temporarily with <code>contextualize()</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="n">logger</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span> <span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s"> {level} | &lt;level&gt;{message}&lt;/level&gt; | {extra} </span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="n">context_logger</span> <span class="o">=</span> <span class="n">logger</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="n">blog_id</span><span class="o">=</span><span class="mi">45</span><span class="p">)</span> <span class="k">def</span> <span class="nf">do_something</span><span class="p">():</span> <span class="n">context_logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sh">"</span><span class="s">doing something</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="n">logger</span><span class="p">.</span><span class="nf">contextualize</span><span class="p">(</span><span class="n">scope</span><span class="o">=</span><span class="sh">"</span><span class="s">From context manager</span><span class="sh">"</span><span class="p">):</span> <span class="nf">do_something</span><span class="p">()</span> <span class="nf">do_something</span><span class="p">()</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fob86fi5j53yyymzd7446.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fob86fi5j53yyymzd7446.webp" alt="Image description" width="800" height="144"></a></p> <h2> Filtering Logs </h2> <p>Combine <code>bind()</code> and filter for fine-grained control over your logs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="sh">"</span><span class="s">special.log</span><span class="sh">"</span><span class="p">,</span> <span class="nb">filter</span><span class="o">=</span><span class="k">lambda</span> <span class="n">record</span><span class="p">:</span> <span class="sh">"</span><span class="s">special</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">record</span><span class="p">[</span><span class="sh">"</span><span class="s">extra</span><span class="sh">"</span><span class="p">])</span> <span class="n">logger</span><span class="p">.</span><span class="nf">debug</span><span class="p">(</span><span class="sh">"</span><span class="s">This message is not logged to the file</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="n">special</span><span class="o">=</span><span class="bp">True</span><span class="p">).</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">This message, though, is logged to the file!</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ufz66nwse3hd2esgp39.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ufz66nwse3hd2esgp39.webp" alt="Image description" width="800" height="164"></a></p> <h2> Dynamic Values with patch() </h2> <p>The <code>patch()</code> method allows you to attach dynamic values to be attached to each new message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="n">logger</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s">{extra[utc]} - {level}- {message}</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logger</span><span class="p">.</span><span class="nf">patch</span><span class="p">(</span><span class="k">lambda</span> <span class="n">record</span><span class="p">:</span> <span class="n">record</span><span class="p">[</span><span class="sh">"</span><span class="s">extra</span><span class="sh">"</span><span class="p">].</span><span class="nf">update</span><span class="p">(</span><span class="n">utc</span><span class="o">=</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">()))</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">using patch method from loguru</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiw0v5ffcoo0z56lk4wel.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiw0v5ffcoo0z56lk4wel.webp" alt="Image description" width="800" height="117"></a></p> <h2> Create Custom Log Levels </h2> <p>Loguru allows you to create your own log level with <code>level()</code> function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">sys</span> <span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="n">logger</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">m_level</span> <span class="o">=</span> <span class="n">logger</span><span class="p">.</span><span class="nf">level</span><span class="p">(</span><span class="sh">"</span><span class="s">Medium</span><span class="sh">"</span><span class="p">,</span> <span class="n">no</span><span class="o">=</span><span class="mi">45</span><span class="p">,</span> <span class="n">color</span><span class="o">=</span><span class="sh">"</span><span class="s">&lt;yellow&gt;&lt;bold&gt;</span><span class="sh">"</span><span class="p">,</span> <span class="n">icon</span><span class="o">=</span><span class="sh">"</span><span class="s">/</span><span class="se">\\</span><span class="s">/</span><span class="se">\\</span><span class="sh">"</span><span class="p">)</span> <span class="n">n_level</span> <span class="o">=</span> <span class="n">logger</span><span class="p">.</span><span class="nf">level</span><span class="p">(</span><span class="sh">"</span><span class="s">Nedium</span><span class="sh">"</span><span class="p">,</span> <span class="n">no</span><span class="o">=</span><span class="mi">45</span><span class="p">,</span> <span class="n">color</span><span class="o">=</span><span class="sh">"</span><span class="s">&lt;blue&gt;&lt;bold&gt;</span><span class="sh">"</span><span class="p">,</span> <span class="n">icon</span><span class="o">=</span><span class="sh">"</span><span class="s">|</span><span class="se">\\</span><span class="s">|</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">stderr</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s"> &lt;level&gt; {level.icon} :: {message} &lt;/level&gt;</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="sh">"</span><span class="s">Medium</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">This is my custom log level</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="sh">"</span><span class="s">Nedium</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">I like having optional log levels</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F64pc7btehedunkxkaank.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F64pc7btehedunkxkaank.webp" alt="Image description" width="800" height="170"></a></p> <h2> Logging Exceptions </h2> <p>Logging exceptions is crucial for tracking bugs, but it's not helpful if you don't know the cause. Loguru makes it easier by showing the entire stack trace, including variable values so you can identify the problem.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="n">logger</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># Caution, "diagnose=True" is the default and may leak sensitive data in prod </span><span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="sh">"</span><span class="s">loguru.log</span><span class="sh">"</span><span class="p">,</span> <span class="n">backtrace</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">diagnose</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">def</span> <span class="nf">func</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span> <span class="k">return</span> <span class="n">a</span> <span class="o">/</span> <span class="n">b</span> <span class="k">def</span> <span class="nf">nested</span><span class="p">(</span><span class="n">c</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="nf">func</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span> <span class="n">c</span><span class="p">)</span> <span class="k">except</span> <span class="nb">ZeroDivisionError</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">exception</span><span class="p">(</span><span class="sh">"</span><span class="s">Did you just??</span><span class="sh">"</span><span class="p">)</span> <span class="nf">nested</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj27f2stspj9iveu29t36.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj27f2stspj9iveu29t36.webp" alt="Image description" width="800" height="476"></a><br> You can also use it with context manager by using <code>logger.catch()</code> decorator.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">loguru</span> <span class="kn">import</span> <span class="n">logger</span> <span class="n">logger</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># Caution, "diagnose=True" is the default and may leak sensitive data in prod </span><span class="n">logger</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="sh">"</span><span class="s">loguru.log</span><span class="sh">"</span><span class="p">,</span> <span class="n">backtrace</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">diagnose</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="nd">@logger.catch</span><span class="p">()</span> <span class="k">def</span> <span class="nf">func</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span><span class="p">):</span> <span class="k">return</span> <span class="n">a</span> <span class="o">/</span> <span class="n">b</span> <span class="nf">func</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span><span class="mi">0</span><span class="p">)</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6ln1sdsyfrwvgturoqb2.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6ln1sdsyfrwvgturoqb2.webp" alt="Image description" width="800" height="124"></a><br> By default the level you will see <code>ERROR</code> level, but you can customize it to use different levels.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8d17xwtykqh1im9o6tgn.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8d17xwtykqh1im9o6tgn.webp" alt="Image description" width="800" height="208"></a></p> <h2> Final Words </h2> <p>If you got to this point, you know how nice loguru is. If you love customization and making things pretty, you will love it.</p> <p>Let me know what you think about it in the comments. If you found it useful, don't forget to like and follow for more Python tutorials!</p> <p><em>Connect with the author on <a href="https://www.linkedin.com/in/akhilesh-mishra-0ab886124/" rel="noopener noreferrer">LinkedIn</a></em></p> python logging Step-by-Step Guide to Setting OIDC With Terraform for GitHub Actions Workflows with AWS Akhilesh Mishra Sun, 22 Jun 2025 10:47:22 +0000 https://forem.com/aws-builders/step-by-step-guide-to-setting-oidc-for-github-actions-workflows-with-aws-4ogn https://forem.com/aws-builders/step-by-step-guide-to-setting-oidc-for-github-actions-workflows-with-aws-4ogn <blockquote> <p>Your GitHub Actions Secrets Are the Weakest Link in Your AWS Security Chain</p> </blockquote> <p>Are you still using AWS access keys and secrets to authenticate your GitHub Actions with AWS in 2025?</p> <p>Please don't. Unless you want to wake up someday with 1000 GPU machines mining Bitcoin in your account at your expense, footing a million-dollar bill.</p> <p>Using long-term secrets can be a security nightmare that could expose your cloud account to a possible security incident.</p> <p>You might be just one exposed GitHub secret away from an AWS billing catastrophe.</p> <h2> Then what should you do? </h2> <p>You should use <strong>OpenID Connect (OIDC)</strong>, a modern, more secure way to authenticate your GitHub Actions workflows with AWS without storing long-lived credentials.</p> <p>You can configure the OIDC to work with certain GitHub org and GitHub repos, or you can go more granular and allow it with certain branches, tag formats, etc.</p> <h2> What the heck is OIDC? </h2> <p>OIDC enables token-based authentication between GitHub Actions and AWS, eliminating the need to store long-lived access keys. Establishing a trusting relationship with temporary credentials significantly enhances security while simplifying the authentication process.</p> <h3> The better way to authenticate GitHub Actions with AWS is with OpenID Connect (OIDC). </h3> <p>Setting up OIDC for your AWS account is very simple,</p> <ul> <li>Step 1: Create an OIDC Identity Provider in AWS</li> <li>Step 2: Create an IAM Role for GitHub Actions</li> <li>Step 3: Attach the Permissions your CICD workflow needs to the Role</li> <li>Step 4: Update Your GitHub Actions Workflow to use the Identity provider ARN instead of access keys and secrets</li> </ul> <p>You can configure it from the AWS console, with AWS CLI commands or use Terraform to configure it.</p> <p>I will use AWS CLI to configure the OIDC first and later with Terraform(with more flexible options).</p> <h2> Real-time implementation </h2> <h3> Scenario </h3> <p>I have a 3-tier application running on an EKS cluster. <br> I want to build and deploy new versions of applications using the GitHub Action workflow. For simplicity, I will run kubectl commands from the workflow to deploy the new version of the application.</p> <h3> Workflow </h3> <p>Look for the change in frontend/backend code and only build the images upon the code change and push them to their respective ECR repos.</p> <p>Configure the kubectl and authenticate to the EKS cluster<br> Use the newly built images (for backend/frontend) and deploy them to the frontend/backend service.</p> <h2> Setting Up OIDC Between GitHub Actions and AWS: A Step-by-Step Guide </h2> <h3> Create the file structure below </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyqutifb7ry12owqibll.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyqutifb7ry12owqibll.webp" alt="Image description" width="800" height="236"></a></p> <p>Run the below command to create the directory structure<br> touch configure-oidc-github.sh eks-policy.json trust-policy.json<br> Copy the code to their respective files.<br> <code>trust-policy.json<br> </code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::$AWS_ACCOUNT_ID:oidc-provider/$OIDC_PROVIDER" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringLike": { "$OIDC_PROVIDER:sub": "repo:$GITHUB_ORG/$GITHUB_REPO:*" } } } ] } </code></pre> </div> <p><code>eks-policy.json<br> </code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage" ], "Resource": "*" } ] } </code></pre> </div> <p><code>configure-oidc-github.sh<br> </code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>#!/bin/bash set -e export OIDC_PROVIDER="token.actions.githubusercontent.com" export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) export GITHUB_ORG="akhileshmishrabiz" # GitHub Org/Owner export GITHUB_REPO="DevOpsDojo" # Repo you want to allow to use OIDC with AWS # Create the OIDC provider aws iam create-open-id-connect-provider \ --url https://$OIDC_PROVIDER \ --client-id-list sts.amazonaws.com \ --thumbprint-list "6938fd4d98bab03faadb97b34396831e3780aea1" aws iam create-role \ --role-name GitHubActionsEKSDeployRole \ --assume-role-policy-document file://trust-policy.json aws iam create-policy \ --policy-name GitHubActionsEKSPolicy \ --policy-document file://eks-policy.json # Attach the policy to the role aws iam attach-role-policy \ --role-name GitHubActionsEKSDeployRole \ --policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/GitHubActionsEKSPolicy </code></pre> </div> <p>This script will configure the OIDC to allow my GitHub workflows in the repo <a href="https://github.com/akhileshmishrabiz/DevOpsDojo" rel="noopener noreferrer">https://github.com/akhileshmishrabiz/DevOpsDojo</a> to use OIDC to authenticate with AWS. </p> <h3> Let me explain the steps. </h3> <h4> Setting the environment variable </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>export OIDC_PROVIDER="token.actions.githubusercontent.com" export AWS_ACCOUNT_ID=$(aws sts get-caller-identity - query "Account" - output text) export GITHUB_ORG="akhileshmishrabiz" export GITHUB_REPO="DevOpsDojo" </code></pre> </div> <h4> Creating the OIDC IAM provider </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws iam create-open-id-connect-provider \ --url https://$OIDC_PROVIDER \ --client-id-list sts.amazonaws.com \ --thumbprint-list "6938fd4d98bab03faadb97b34396831e3780aea1" </code></pre> </div> <h4> Creating an IAM Role for GitHub Actions </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws iam create-role \  --role-name GitHubActionsEKSDeployRole \ --assume-role-policy-document file://trust-policy.json </code></pre> </div> <h4> Creating an IAM policy for the GitHub Action role </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws iam create-policy \ --policy-name GitHubActionsEKSPolicy \ --policy-document file://eks-policy.json </code></pre> </div> <h4> Attaching IAM policy with the role </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws iam attach-role-policy \ --role-name GitHubActionsEKSDeployRole \ --policy-arn arn:aws:iam::$AWS_ACCOUNT_ID:policy/GitHubActionsEKSPolicy </code></pre> </div> <h2> Configuring the OIDC provider for GitHub Action with AWS CLI. </h2> <p>Install the AWS CLI if you haven't already done<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg" sudo installer -pkg AWSCLIV2.pkg -target / </code></pre> </div> <p>Configure the AWS credentials - with Access key and security key</p> <p><code>aws configure<br> </code># This will as you access and secret key<br> Run the script to<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>chmod u+ x configure-oidc-github.sh ./configure-oidc-github.sh </code></pre> </div> <p><a href="https://github.com/akhileshmishrabiz/DevOpsDojo/tree/main/infra/aws-oidc-github-cli" rel="noopener noreferrer">Note: You can find the entire code for OIDC with AWS CLI here.<br> </a></p> <p>This will allow us to use the role <code>arn:aws:iam::366140438193:role/GitHubActionsEKSDeployRole</code><br> to authenticate with the GitHub repo <code>https://github.com/akhileshmishrabiz/DevOpsDojo</code></p> <h2> Terraform implementation </h2> <p>In a production environment, we mostly use Terraform to deploy the OIDC provider for GitHub Action.</p> <p>Let me show how you can set up the OIDC provider with the help of Terraform and how to allow more than one repository.</p> <ul> <li><p>Create aproviders.tf file and paste the below code into it. This will configure the Terraform version and AWS provider.</p></li> <li><p>Create the files,variables.tf, output.tf, main.tf, iam.tfand paste the below code into them.</p></li> <li><p>Create a terraform.tfvars file to create a map of repositories and branches.</p></li> <li><p>Deploy the Terraform code, it will return the Role ARN that we can use with GitHub Action to authenticate with AWS.</p></li> <li><p>This will create an IAM role to use with GitHub Action, IAM policies with permissions you want your GitHub Action workflow to have, and attach them to the role. </p></li> </ul> <p>IAM roles's trust policy will allow the particular repositories and branches to use this role to authenticate with AWS.</p> <p><code>providers.tf<br> </code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform { required_version = "1.8.1" required_providers { aws = { source = "hashicorp/aws" version = "~&gt; 5.0" } } } provider "aws" { region = "ap-south-1" } </code></pre> </div> <p><code>variables.tf<br> </code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Variables variable "aws_region" { description = "AWS region" type = string default = "ap-south-1" } variable "github_repositories" { description = "List of GitHub repositories to grant access to" type = list(object({ org = string repo = string branch = optional(string, "*") })) default = [ { org = "akhileshmishrabiz" repo = "DevOpsDojo" branch = "*" } ] } </code></pre> </div> <p><code>**main.tf<br> **</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># OIDC Provider resource "aws_iam_openid_connect_provider" "github_actions" { url = "https://token.actions.githubusercontent.com" client_id_list = [ "sts.amazonaws.com" ] thumbprint_list = [ "6938fd4d98bab03faadb97b34396831e3780aea1" ] tags = { Name = "GitHub-Actions-OIDC-Provider" } } # IAM Role resource "aws_iam_role" "github_actions_eks_deploy_role" { name = "GitHubActionsEKSDeployRole" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Principal = { Federated = aws_iam_openid_connect_provider.github_actions.arn } Action = "sts:AssumeRoleWithWebIdentity" Condition = { StringLike = { "token.actions.githubusercontent.com:sub" = [ for repo in var.github_repositories : "repo:${repo.org}/${repo.repo}:${repo.branch}" ] } } } ] }) tags = { Name = "GitHub-Actions-EKS-Deploy-Role" } } </code></pre> </div> <p><strong><code>iam.tf<br> </code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># IAM Policy resource "aws_iam_policy" "github_actions_eks_policy" { name = "GitHubActionsEKSPolicy" description = "Policy for GitHub Actions to access EKS and ECR" policy = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Action = [ "eks:DescribeCluster", "eks:ListClusters" ] Resource = "*" }, { Effect = "Allow" Action = [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage" ] Resource = "*" } ] }) tags = { Name = "GitHub-Actions-EKS-Policy" } } # Policy Attachment resource "aws_iam_role_policy_attachment" "github_actions_eks_policy_attachment" { role = aws_iam_role.github_actions_eks_deploy_role.name policy_arn = aws_iam_policy.github_actions_eks_policy.arn } </code></pre> </div> <p><strong><code>terraform.tfvars<br> </code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>github_repositories = [ { org = "akhileshmishrabiz" repo = "DevOpsDojo" branch = "*" # All branches }, { org = "akhileshmishrabiz" repo = "Devops-zero-to-hero" branch = "main" # Only main branch } ] </code></pre> </div> <p><strong><a href="https://github.com/akhileshmishrabiz/Devops-zero-to-hero/tree/main/AWS-Projects/oidc" rel="noopener noreferrer">You can find the Terraform code to set up OIDC for Github Action here.</a></strong></p> <h3> Apply the Terraform </h3> <p>This example uses the Terraform version 1.8.1 , make sure you have the same Terraform version installed. </p> <p>If you have some other version of Terraform installed then update the providers.tf</p> <p>If you want to use multiple versions of Terraform then use tfenv CLI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform init terraform apply </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkose69uvbkj4vrgzltao.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkose69uvbkj4vrgzltao.webp" alt="Image description" width="800" height="246"></a><br> This will allow us to use the role arn:aws:iam::366140438193:role/GitHubActionsEKSDeployRole<br> to authenticate with the GitHub repo <a href="https://github.com/akhileshmishrabiz/DevOpsDojo" rel="noopener noreferrer">https://github.com/akhileshmishrabiz/DevOpsDojo</a> on all branches. <br> And <a href="https://github.com/akhileshmishrabiz/Devops-zero-to-hero" rel="noopener noreferrer">https://github.com/akhileshmishrabiz/Devops-zero-to-hero</a> on the main branch.</p> <h3> Let's use this OIDC provider in our GitHub Action workflow </h3> <p>Using the OIDC provider to authenticate GitHub Action workflow with AWS to push the docker images to ECR repositories.</p> <p>For this example, I will use my public GitHub Repo <a href="https://github.com/akhileshmishrabiz/DevOpsDojo" rel="noopener noreferrer">https://github.com/akhileshmishrabiz/DevOpsDojo</a><br> This repo has a 3-tier app:</p> <ul> <li>Flask backend</li> <li>React frontend</li> <li>RDS Postgres database I will use GitHub Action to build the backend and frontend images and push them to AWS ECR repositories. GitHub Action will use OIDC to authenticate with AWS.</li> </ul> <h3> Let me create 2 ECR repositories </h3> <h1> Create ECR repositories for frontend and backend </h1> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws ecr create-repository --repository-name devopsdozo/frontend aws ecr create-repository --repository-name devopsdozo/backend </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faemqkf64xecyllqd0q0f.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faemqkf64xecyllqd0q0f.webp" alt="Image description" width="800" height="549"></a><br> I want to use the workflow to build the backend and frontend docker images and push them to ECR repositories.</p> <p>If you look at the below GitHub Action workflow, you can see that I have used <strong>GitHubActionsEKSDeployRole</strong> instead of access and secret keys.<br> <code>role-to-assume:arn:aws:iam::366140438193:role/GitHubActionsEKSDeployRole</code><br> instead of AWS access and security keys.</p> <p>When GitHub sends an auth request to AWS, it verifies the trust policy attached to the role to check if it is allowed to authenticate the workflow for the specific GitHub repo, and branch. </p> <p>If it finds the conditions to be true, it will generate a short-term token that GH workflow uses to authenticate with AWS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>name: Build and Push Docker Images on: push: branches: [ main ] workflow_dispatch: # Enable manual triggering env: AWS_REGION: ap-south-1 ECR_REPOSITORY_FRONTEND: devopsdozo/frontend ECR_REPOSITORY_BACKEND: devopsdozo/backend IMAGE_TAG: latest jobs: build-and-push: name: Build and Push Images runs-on: ubuntu-latest permissions: id-token: write contents: read steps: - name: Checkout repository uses: actions/checkout@v3 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v3 with: aws-region: ${{ env.AWS_REGION }} role-to-assume: arn:aws:iam::366140438193:role/GitHubActionsEKSDeployRole - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 - name: Build, tag, and push frontend image to Amazon ECR working-directory: ./frontend env: ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} run: | docker build -t $ECR_REGISTRY/$ECR_REPOSITORY_FRONTEND:$IMAGE_TAG \ --platform=linux/amd64 . docker push $ECR_REGISTRY/$ECR_REPOSITORY_FRONTEND:$IMAGE_TAG echo "Frontend image pushed to ECR: $ECR_REGISTRY/$ECR_REPOSITORY_FRONTEND:$IMAGE_TAG" - name: Build, tag, and push backend image to Amazon ECR working-directory: ./backend env: ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} run: | docker build -t $ECR_REGISTRY/$ECR_REPOSITORY_BACKEND:$IMAGE_TAG \ --platform=linux/amd64 . docker push $ECR_REGISTRY/$ECR_REPOSITORY_BACKEND:$IMAGE_TAG echo "Backend image pushed to ECR: $ECR_REGISTRY/$ECR_REPOSITORY_BACKEND:$IMAGE_TAG" - name: Summary run: | echo "### Docker Images Built and Pushed" &gt;&gt; $GITHUB_STEP_SUMMARY echo "✅ Frontend: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_FRONTEND }}:${{ env.IMAGE_TAG }}" &gt;&gt; $GITHUB_STEP_SUMMARY echo "✅ Backend: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_BACKEND }}:${{ env.IMAGE_TAG }}" &gt;&gt; $GITHUB_STEP_SUMMARY </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fowl46iyt7k8hpuyhaivx.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fowl46iyt7k8hpuyhaivx.webp" alt="Image description" width="800" height="462"></a><br> Note: <a href="https://github.com/akhileshmishrabiz/DevOpsDojo/blob/main/.github/workflows/build-push-with-oidc.yaml" rel="noopener noreferrer">You can find a better version of this workflow here.</a></p> <p>You can see from the screenshot above that GH workflows are authenticated with AWS using the OIDC, build the Docker images, and push to ECR.</p> <p>This is all for this blog post.<br> Let's connect</p> <ul> <li> <a href="https://www.linkedin.com/in/akhilesh-mishra-0ab886124/" rel="noopener noreferrer">Connect with me on LinkedIn</a> ** **- <a href="https://x.com/livingdevops" rel="noopener noreferrer">Connect with me on Twitter</a> (<a class="mentioned-user" href="https://dev.to/livingdevops">@livingdevops</a>)</li> </ul> tutorial devops aws security Stop Writing Ugly Docker Build Commands Today - Do This Instead Akhilesh Mishra Tue, 17 Jun 2025 13:54:53 +0000 https://forem.com/livingdevops/stop-writing-ugly-docker-build-commands-today-do-this-instead-4hfj https://forem.com/livingdevops/stop-writing-ugly-docker-build-commands-today-do-this-instead-4hfj <p>Why Docker Bake is the Smarter Way to Build and Manage Docker Images</p> <p>Do you enjoy remembering the docker build commands with all the different flags, and arguments?</p> <p>Well, I never did. I had to google the flag and arguments whenever I needed to build images.</p> <p>It gets worse when I have to build multiple docker images for mono repositories with different platforms. </p> <p>Then, you will be using way more flags. That means way more googling or prompting AI bots.</p> <p>What if I tell you a better way that allows you to write docker build as code and build everything with just one short command?</p> <p>Well, you are in luck as good people at Docker finally released their long-awaited, build orchestration tool, Docker Bake in General Availability. </p> <p>It is available with the Docker Desktop version 4.38.</p> <h2> Introducing Docker bake </h2> <p>Docker Bake allows you to define build stages and deployment environments in a declarative file, making complex builds easier to manage. It also leverages BuildKit's parallelization and optimization features to speed up build times.</p> <h2> Let me show you why I love Docker Bake </h2> <p>Let's take the example of a mono repo with a dummy frontend and backend application code with its Dockerfile.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuc7q8ke5jrjqi1ojtt5e.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuc7q8ke5jrjqi1ojtt5e.webp" alt="Image description" width="692" height="312"></a></p> <p>If I had to build the docker images for both of these applications and push these two, I would have to run these commands run 2 commands<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Frontend build docker build --build-arg NODE_VERSION=20 -t \ 366140438193.dkr.ecr.ap-south-1.amazonaws.com/frontend:latest \ -f frontend/frontend.Dockerfile frontend </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Backend Build docker build --build-arg GO_VERSION=1.21 -t \ 366140438193.dkr.ecr.ap-south-1.amazonaws.com/backend:latest \ -f backend/backend.Dockerfile backend </code></pre> </div> <p>And if you want to push these images to ECR repos, you will be running<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker push 366140438193.dkr.ecr.ap-south-1.amazonaws.com/frontend:latest docker push 366140438193.dkr.ecr.ap-south-1.amazonaws.com/backend:latest </code></pre> </div> <p>I used multiple flags to build the app, and 4 commands to push the image and you don't have these commands version-controlled as these are just commands.</p> <p>Now what if I can tell you that you don't need to remember these flags and store these commands just like Terraform infra templates?</p> <p>Yes, you can do it all with just one command - Docker buildx bake<br> Let me show you how Docker Bake makes all this a piece of cake.</p> <p>Create a file docker-bake.hcl into the root path and paste the below into that file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># docker-bake.hcl group "default" { targets = ["frontend", "backend"] } target "frontend" { context = "./frontend" dockerfile = "frontend.Dockerfile" args = { NODE_VERSION = "20" } tags = ["366140438193.dkr.ecr.ap-south-1.amazonaws.com/frontend:latest"] } target "backend" { context = "./backend" dockerfile = "backend.Dockerfile" args = { GO_VERSION = "1.21" } tags = ["366140438193.dkr.ecr.ap-south-1.amazonaws.com/backend:latest"] } </code></pre> </div> <p>Your project will look like this.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fofk302pqw5cnnuzf21rx.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fofk302pqw5cnnuzf21rx.webp" alt="Image description" width="688" height="364"></a><br> Now just run one command</p> <p><code>docker buildx bake<br> </code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frlag7u8by4uhsaast8q1.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frlag7u8by4uhsaast8q1.webp" alt="Image description" width="800" height="608"></a></p> <p>Checking if the new Docker images exist by running the docker images command.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp1db4ocjgmf9igom3jmc.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp1db4ocjgmf9igom3jmc.webp" alt="Image description" width="800" height="61"></a></p> <p>You can see that the docker build bake command built both images using the HCL config file. </p> <p>You can push the docker-bake.hcl to your GitHub repo, no one ever needs to use remember docker build commands or its flags.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1rip4hwhevdk2ri24c1y.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1rip4hwhevdk2ri24c1y.webp" alt="Image description" width="800" height="554"></a></p> <p>You can also push the images to remote ECR repositories with --push argument</p> <p><code>docker buildx bake --push <br> </code></p> <h2> Digging deep into Docker bake </h2> <h3> If you have a docker command like below: </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker build \ -f Dockerfile \ -t myapp:latest \ --build-arg foo=bar \ --no-cache \ --platform linux/amd64,linux/arm64 \ . </code></pre> </div> <p>It's equivalent Docker Bake file will be like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># docker-bake.hcl target "myapp" { context = "." dockerfile = "Dockerfile" tags = ["myapp:latest"] args = { foo = "bar" } no-cache = true platforms = ["linux/amd64", "linux/arm64"] } </code></pre> </div> <p>A target in a Bake file represents a build invocation. </p> <p>It holds all the information you would normally pass on to a docker build command using flags.</p> <p>To build a target with Bake, pass the name of the target to the bake command - <br> <code>docker buildx bake webapp<br> </code><br> If you don't define any target, the bake command will build the default target.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>target "default" { dockerfile = "webapp.Dockerfile" tags = ["docker.io/username/webapp:latest"] context = "https://github.com/username/webapp" } </code></pre> </div> <p>You can run <br> <code>docker buildx bake <br> </code><br> and it will build the image</p> <p>Let's consider this bake config<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>group "all" { targets = ["webapp", "api", "tests"] } target "webapp" { dockerfile = "webapp.Dockerfile" tags = ["docker.io/username/webapp:latest"] context = "https://github.com/username/webapp" } target "api" { dockerfile = "api.Dockerfile" tags = ["docker.io/username/api:latest"] context = "https://github.com/username/api" } target "tests" { dockerfile = "tests.Dockerfile" contexts = { webapp = "target:webapp", api = "target:api", } output = ["type=local,dest=build/tests"] context = "." } </code></pre> </div> <p>To build multiple targets at once, run</p> <p><code>docker buildx bake webapp api tests<br> </code><br> You can group targets using the group block</p> <p><code>docker buildx bake all<br> </code></p> <p>If you noticed in the example I talked about at the start, I used a group block with a default target and I used docker build bake to build both images.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> group "default" { targets = ["frontend", "backend"] } </code></pre> </div> <h4> Inheritance in Bake </h4> <p>Inheritance allows you to define common configurations and reuse them across multiple targets. Consider the below config<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>target "common" { context = "." platforms = ["linux/amd64", "linux/arm64"] } target "backend" { inherits = ["common"] dockerfile = "backend.Dockerfile" args = { GO_VERSION = "1.21" } } target "frontend" { inherits = ["common"] dockerfile = "frontend.Dockerfile" args = { NODE_VERSION = "20" } } </code></pre> </div> <h4> Common target sets context and multi-platform builds. </h4> <p>backend and frontend inherit from common, ensuring they both build for multiple platforms.</p> <h4> Overriding Values in Inheritance </h4> <p>When a target inherits another target, it can override any of the inherited attributes. </p> <p>For example, the following target overrides the args attribute from the inherited target:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>target "base" { context = "." dockerfile = "Dockerfile" args = { APP_ENV = "development" } } target "production" { inherits = ["base"] args = { APP_ENV = "production" } } </code></pre> </div> <h4> Using Variables in Bake - Just like Terraform </h4> <p>You can define and use variables in a Bake file to set attribute values, interpolate them into other values, and perform arithmetic operations.</p> <p>Consider the below config<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>group "default" { targets = [ "frontend" ] } variable "NODE_VERSION" { default = "20" } variable "tag" { default = "latest" } target "frontend" { context = "." dockerfile = "frontend.Dockerfile" args = { NODE_VERSION = NODE_VERSION } tags = ["myapp-frontend:${tag}"] } </code></pre> </div> <p>Printing the Bake file with the --print flag shows the interpolated value in the resolved build configuration.</p> <p><code>docker buildx bake --print<br> </code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa6jy1p086t0gh4kaihbz.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa6jy1p086t0gh4kaihbz.webp" alt="Image description" width="800" height="629"></a><br> You can do a lot of things like Validating multiple conditions, Escaping variable interpolation</p> <h4> Airthematic expression and Ternary conditional with Docker bake </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>variable "FOO" { default = 3 } variable "IS_FOO" { default = true } target "app" { args = { v1 = FOO &gt; 5 ? "higher" : "lower" v2 = IS_FOO ? "yes" : "no" } } </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ntv9j0nhziuup9ys6lq.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ntv9j0nhziuup9ys6lq.webp" alt="Image description" width="800" height="550"></a></p> <p>Using built-in and user-defined functions with Docker bake</p> <p>We can use a user-defined function to generate a tag with a timestamp(with a built-in function)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// User-defined function to generate a tag with a timestamp function "generate_tag" { params = [version] result = format("%s-%s", version, replace(timestamp(), "[-:TZ]", "")) // Correct concatenation } // Define a variable for version variable "APP_VERSION" { default = "1.0.0" } // Define a target using the custom function and built-in function target "myapp" { context = "." dockerfile = "Dockerfile" tags = ["myapp:${generate_tag(APP_VERSION)}"] args = { BUILD_DATE = timestamp() } } </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl17h6fxdh3iwrs5v5ncf.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl17h6fxdh3iwrs5v5ncf.webp" alt="Image description" width="800" height="612"></a></p> <h4> Remote Bake file definition </h4> <p>You can build Bake files directly from a remote Git repository or an HTTPS URL</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1sxy8m5fjsnwi2kp4lhx.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1sxy8m5fjsnwi2kp4lhx.webp" alt="Image description" width="800" height="190"></a></p> <h4> Bake file reference </h4> <p>You can write Bake files in HCL, YAML (Docker Compose files), or JSON.</p> <p>I used docker-bake.hcl as a file name but you can use any filename you want and pass that file as an argument to the bake command.</p> <p><code>docker buildx bake --file ../docker/bake.hcl<br> </code><br> By default, Bake uses the following lookup order to find the configuration file.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwlrwbgby2jj75marl6df.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwlrwbgby2jj75marl6df.webp" alt="Image description" width="758" height="592"></a></p> <p>Docker bake is a powerful tool, there are so many things you can do with it. It offers great flexibility with options like using a matrix, docker-compose like config, overriding configuration, cache, and so many things.</p> <p>Go check it out and try to use it in your workflow. I am sure you will love it.</p> <p>Thanks for reading, do share your thoughts in the comments. Would love to hear any feedback/suggestions</p> docker programming Building a production Lambda function that monitors IAM access keys and sends automated email alerts using boto3 and AWS SES. Akhilesh Mishra Tue, 17 Jun 2025 13:12:00 +0000 https://forem.com/aws-builders/building-a-production-lambda-function-that-monitors-iam-access-keys-and-sends-automated-email-32ld https://forem.com/aws-builders/building-a-production-lambda-function-that-monitors-iam-access-keys-and-sends-automated-email-32ld <h2> Scenario </h2> <p>In my project, we have over 10+ users with access keys. Most of the access keys were 300–400 days old.</p> <blockquote> <p>Having access keys lying around for a long period poses a security risk, which is unacceptable. They’re not just a minor security issue — they’re multimillion-dollar liabilities.</p> </blockquote> <p>The issue I can see is that no one remembers to rotate the access keys, so I thought of building a Lambda function that could remind the team to rotate the keys after a certain number of days.</p> <p>Different organizations enforce varying rotation policies — some require rotation every 30 days, others allow 60 or 90 days before access keys must be refreshed.</p> <p>My solution needed to accommodate these different requirements while being easy to deploy and maintain.</p> <h2> What to expect in this blog post </h2> <p>In this blog post, I’ll walk you through the complete implementation of an automated access key rotation reminder system. You’ll learn how to build a Lambda function that monitors key ages, sends targeted notifications, and helps your team maintain robust security hygiene without the overhead of manual tracking.</p> <p>✅ <a href="https://github.com/akhileshmishrabiz/Devops-zero-to-hero/tree/main/AWS-Projects/lambda-iam-key-rotation" rel="noopener noreferrer"><strong>You can find the entire code for this blog post on my public GitHub repo</strong>.</a></p> <h2> Writing the Python code </h2> <p>I used AWS Python SDK, boto3, for the automation. Here is the approach I took.</p> <ol> <li>List the users and access keys</li> <li>Calculate the age</li> <li>Compare it with age standards, and determine if this key should be rotated.</li> <li>If the key should be rotated, build the email body that includes the link to the user</li> <li>Send the email using AWS SES(Simple Email Service)</li> <li>Building the code</li> <li>Before we deploy a fully functioning Lambda, I will build and test the code locally.</li> </ol> <p>Note: Also, configure the AWS credentials -&gt; aws configure locally</p> <p>I will use boto3, datetime, and email Python modules. datetime and email are Python built-in modules, but we need to install boto3, which is the AWS-managed library.</p> <ul> <li>Install the boto3 I will use a Python virtual environment and install boto3 with that </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>python3 -m venv .venv # activate the virtual environemnts on my mac. There is a different commnad # windows. source .venv/bin/activate </code></pre> </div> <h3> Install boto3 with pip </h3> <p><code>pip install boto3</code></p> <p>Now that we have the installation done, let's write the code step by step.</p> <h3> 1. List the users </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import boto3 def get_users(): iam_client = boto3.client('iam') response = iam_client.list_users() return [user['UserName'] for user in response['Users']] print(get_users()) </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo3hwb6h9hobplfkx1m03.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo3hwb6h9hobplfkx1m03.png" alt="Image description" width="800" height="91"></a></p> <h3> 2. Get the access keys details </h3> <p>I will use the datetime module to calculate the age from the created date parameter of the access key<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def get_access_keys_age(username): iam_client = boto3.client('iam') response = iam_client.list_access_keys(UserName=username).get('AccessKeyMetadata', []) access_keys_info = [] for item in response: if item['Status'] == 'Active': access_key_id = item['AccessKeyId'] create_date = item['CreateDate'].date() age = (date.today() - create_date).days access_keys_info.append((access_key_id, age)) return access_keys_info print(get_access_keys_age('cliuser-akhilesh')) </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnwy5fsnpd2u0ncj1i1ai.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnwy5fsnpd2u0ncj1i1ai.png" alt="Image description" width="800" height="92"></a></p> <p>As you can see, the user cliuser-akhilesh has 2 access keys, one with 22 days' age and the other with 2 days.</p> <p>For this use case, I will set the access key expiry age as 20 days, and I would want to send email from 15 days (I would want to have 5 days as a buffer to ensure people responsible for rotating email get enough time to address this)</p> <h3> 3.Check if the expired key </h3> <p>I want a function that returns an HTML message if the keys are expired. I would include a dynamic link of the AWS IAM user for which the keys have expired.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>username = "cliuser-akhilesh" Expiry_days = 20 reminder_email_age = Expiry_days - 5 def if_key_expired(access_key_id, age, reminder_email_age): if age &gt;= reminder_email_age: return f''' &lt;p&gt;Reminder: Access key &lt;strong&gt;{access_key_id}&lt;/strong&gt; is &lt;strong&gt;{age}&lt;/strong&gt; days old. Please rotate it.&lt;/p&gt; &lt;p&gt;For more details, visit the &lt;a href="https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/users/details/{username}?section=security_credentials"&gt; Rotate this key here&lt;/a&gt;.&lt;/p&gt; ''' return None print(if_key_expired("AKIA4ZPZU3T7QIPRKR5X", 22, reminder_email_age)) </code></pre> </div> <p>That HTML will look like this</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe221uunorvfsslrq50b6.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe221uunorvfsslrq50b6.webp" alt="Image description" width="800" height="184"></a></p> <h3> 4.Process users </h3> <p>This will return the email body, only for users with access keys about to expire. We will only build an email for these users/access_keys and send an email<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def process_users(): email_body_list = [] users = get_users() for user in users: access_keys_info = get_access_keys_age(user) for keys in access_keys_info: access_key_id, age = keys email_body = if_key_expired(access_key_id, age, reminder_email_age) if email_body: email_body_list.append(email_body) return email_body_list print(type(process_users())) print(process_users()) </code></pre> </div> <h3> 5. Build an email with the Python email library </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>from email.mime.multipart import MIMEMultipart from email.mime.text import MIMEText def build_email_message(to_email, from_email, subject, body): msg = MIMEMultipart() msg['From'] = from_email msg['To'] = to_email msg['Subject'] = subject body_part = MIMEText(body, 'html') msg.attach(body_part) return msg </code></pre> </div> <h3> 6. Send an email using the AWS SES service </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Create ses clinet ses_client = boto3.client('ses') def send_email(msg, to_emails): response = ses_client.send_raw_email( Source=msg["From"], Destinations=to_emails, RawMessage={"Data": msg.as_string()}, ) return response.get('MessageId', None) </code></pre> </div> <h3> 7. Now let’s put it all together </h3> <p>This function will find all the users with expiring access keys and send an email. I used my emails for this demo; in real scenarios, you can send an email to the whole team.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def main(): subject = f"AWS Access Key Rotation Reminder -user {username}" to_email = "akhileshmishratoemail@gmail.com" from_email = "akhileshmishrafromemail@gmail.com" for email_body in process_users(): email_msg = build_email_message(to_email, from_email, subject, email_body) email_sent =send_email(email_msg, [to_email]) print(f"Email sent with Message ID: {email_sent}") </code></pre> </div> <p>I will go to Lambda and test it. I should get an email.<br> And here it is</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk3pty78ror4oki8f7o54.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk3pty78ror4oki8f7o54.png" alt="Image description" width="800" height="451"></a></p> <p>Now that we have tested the code on the local machine, we are ready to deploy it on Lambda.</p> <p><strong>Only one part will change on Lambda, the main function will look something like this.</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def main(event, context): subject = f"AWS Access Key Rotation Reminder -user {username}" to_email = "aditiyamishranit@gmail.com" from_email = "akhileshmishra121990@gmail.com" for email_body in process_users(): email_msg = build_email_message(to_email, from_email, subject, email_body) email_sent =send_email(email_msg, [to_email]) print(f"Email sent with Message ID: {email_sent}") </code></pre> </div> <p>The main function will be the entry function for lambda.</p> <h3> AWS SES </h3> <p>You need to validate the identities in AWS before you can send an email to them. Since you will be using the SES sandbox account, you need to validate to_email and from_email.</p> <p>Go to Amazon SES &gt; Configuration: Identities</p> <p>Create and validate identities</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbryauzbvumpocxnavusr.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbryauzbvumpocxnavusr.webp" alt="Image description" width="800" height="412"></a></p> <h2> Terraform implementation </h2> <p>I will follow the steps below to write a Terraform function to deploy the Lambda function.</p> <ul> <li><p>Lambda will expect zipped code, so I will be archiving the code in a zip format using the Terraform archive_file data source</p></li> <li><p>Lambda will need access to AWS IAM to get the access key details, so I will be creating an IAM role with an IAM policy with access to list users, get access key data, and send email</p></li> <li><p>Create the Lambda function</p></li> <li><p>Create a cron job that will run this Lambda daily</p></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyn1ad2ysoq1ynbmm95o.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feyn1ad2ysoq1ynbmm95o.webp" alt="Image description" width="800" height="226"></a></p> <h4> - Archiving the code </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># zip the code data "archive_file" "lambda_zip" { type = "zip" source_dir = "${path.module}/lambda/iam-key-rotation" output_path = "${path.module}/iam-key-rotation.zip" } </code></pre> </div> <p><code>path.module</code> reference to the path of the Terraform config. We use it to write the relative path for the code files.</p> <h4> - IAM role for the Lambda </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># iam role resource "aws_iam_role" "lambda_role" { name = "iam-key-rotation-role" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "lambda.amazonaws.com" } } ] }) } </code></pre> </div> <h4> - IAM policy for the Lambda </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resource "aws_iam_policy" "lambda_policy" { name = "iam-key-rotation-policy" description = "Policy for Lambda function to rotate IAM keys" policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = [ "iam:ListAccessKeys", "iam:ListUsers", ] Effect = "Allow" Resource = "*" }, { Action = [ "ses:SendEmail", "ses:SendRawEmail", ] Effect = "Allow" Resource = "*" } ] }) } </code></pre> </div> <ul> <li>Attach the policy to the role </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>#### # attach policy to role resource "aws_iam_role_policy_attachment" "lambda_policy_attachment" { role = aws_iam_role.lambda_role.name policy_arn = aws_iam_policy.lambda_policy.arn } </code></pre> </div> <h4> - Lambda function </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># lambda resource "aws_lambda_function" "my_lambda_function" { function_name = "iam-key-rotation" role = aws_iam_role.lambda_role.arn handler = "main.main" runtime = "python3.13" timeout = 60 memory_size = 128 # Use the Archive data source to zip the code filename = data.archive_file.lambda_zip.output_path source_code_hash = data.archive_file.lambda_zip.output_base64sha256 } </code></pre> </div> <ul> <li><p>source_code_hash will enable Lambda to update the Lambda code whenever a change happens in the Python code.</p></li> <li><p>timeout is set to 60 seconds, if not set, will fall back to the default 3 seconds</p></li> <li><p>handler Use the format python_code.python_function. In this use case, main.py is the code that runs when Lambda is invoked, and main() is the entry-level function. Hence, handler = main.main<br> To enable the cron job trigger, we use an AWS eventbridge rule.<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resource "aws_cloudwatch_event_rule" "cron_lambdas" { name = "cronjob" description = "to triggr lambda daily 7.15 pm ist" schedule_expression = "cron(40 13 * * ? *)" } resource "aws_cloudwatch_event_target" "cron_lambdas" { rule = aws_cloudwatch_event_rule.cron_lambdas.name arn = aws_lambda_function.my_lambda_function.arn } </code></pre> </div> <p>Also, this cron will need permissions to invoke the lambda on schedule<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Invoke lambda permission resource "aws_lambda_permission" "cron_lambdas" { statement_id = "key-rotation-lambda-allow" action = "lambda:InvokeFunction" principal = "events.amazonaws.com" function_name = aws_lambda_function.my_lambda_function.arn source_arn = aws_cloudwatch_event_rule.cron_lambdas.arn } </code></pre> </div> <p>Lambda code is set. I will use the Terraform provider AWS and a remote state file</p> <p>*<em>providers.tf<br> *</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform { required_version = "1.8.1" required_providers { aws = { source = "hashicorp/aws" version = "&gt;= 5.32.0" } } } provider "aws" { region = "ap-south-1" } # remote backend terraform { backend "s3" { bucket = "state-bucket-879381234673" key = "lambda-blog/terraform.tfstate" region = "ap-south-1" encrypt = true } } </code></pre> </div> <p>Now we can deploy the lambda function<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform init terraform plan terraform apply </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoy72zytcxxgyzyhku8c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpoy72zytcxxgyzyhku8c.png" alt="Image description" width="800" height="246"></a></p> <h2> Better version of Python and Lambda code </h2> <p>To ensure the automation is flexible and maintainable, I’ll implement a configuration-driven approach using environment variables.</p> <p>This eliminates hardcoded values and allows dynamic configuration management through Terraform, making the solution easily adaptable across different environments and organizations.</p> <p>Here is the final version of the code.</p> <p>main.py<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import boto3 from datetime import date from email.mime.multipart import MIMEMultipart from email.mime.text import MIMEText import os from_email = os.environ.get('FROM_EMAIL') to_email = os.environ.get('TO_EMAIL') Expiry_days = int(os.environ.get('EXPIRY_DAYS', 90)) # Default to 90 days if not set reminder_email_age = Expiry_days - 5 def get_users(): iam_client = boto3.client('iam') response = iam_client.list_users() return [user['UserName'] for user in response['Users']] def get_access_keys_age(username): iam_client = boto3.client('iam') response = iam_client.list_access_keys(UserName=username).get('AccessKeyMetadata', []) access_keys_info = [] for item in response: if item['Status'] == 'Active': access_key_id = item['AccessKeyId'] create_date = item['CreateDate'].date() age = (date.today() - create_date).days access_keys_info.append((access_key_id, age)) return access_keys_info def if_key_expired(username, access_key_id, age, reminder_email_age): if age &gt;= reminder_email_age: return f''' &lt;p&gt;Reminder: Access key &lt;strong&gt;{access_key_id}&lt;/strong&gt; is &lt;strong&gt;{age}&lt;/strong&gt; days old. Please rotate it.&lt;/p&gt; &lt;p&gt;For more details, visit the &lt;a href="https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/users/details/{username}?section=security_credentials"&gt; Rotate this key here&lt;/a&gt;.&lt;/p&gt; return None def process_users(): email_body_list = [] users = get_users() for user in users: access_keys_info = get_access_keys_age(user) for keys in access_keys_info: access_key_id, age = keys email_body = if_key_expired(user, access_key_id, age, reminder_email_age) if email_body: email_body_list.append(email_body) return email_body_list def build_email_message(to_email, from_email, subject, body): msg = MIMEMultipart() msg['From'] = from_email msg['To'] = to_email msg['Subject'] = subject body_part = MIMEText(body, 'html') msg.attach(body_part) return msg def send_email(msg, to_emails): ses_client = boto3.client('ses') response = ses_client.send_raw_email( Source=msg["From"], Destinations=to_emails, RawMessage={"Data": msg.as_string()}, ) return response.get('MessageId', None) def main(event, context): subject = f"AWS Access Key Rotation Reminder" for email_body in process_users(): email_msg = build_email_message(to_email, from_email, subject, email_body) email_sent =send_email(email_msg, [to_email]) print(f"Email sent with Message ID: {email_sent}") </code></pre> </div> <p>And updated the Terraform resource for Lambda<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># lambda resource "aws_lambda_function" "my_lambda_function" { function_name = "iam-key-rotation" role = aws_iam_role.lambda_role.arn handler = "lambda_function.lambda_handler" runtime = "python3.13" timeout = 60 memory_size = 128 # Use the Archive data source to zip the code filename = data.archive_file.lambda_zip.output_path source_code_hash = data.archive_file.lambda_zip.output_base64sha256 environment { variables = { "to_email" = "akhileshmishratoemail@gmail.com" "from_email" = "akhileshmishra1from@gmail.com" "Expiry_days" = 20 } } </code></pre> </div> <p>✅ <a href="https://github.com/akhileshmishrabiz/Devops-zero-to-hero/tree/main/AWS-Projects/lambda-iam-key-rotation" rel="noopener noreferrer">You can find the entire code for this blog post on my public GitHub repo.</a></p> <p><a href="https://livingdevops.com/devops/aws-lambda-tutorial-python-terraform/" rel="noopener noreferrer">This blog is originally published on my personal blog, livingdevops<br> </a></p> <h2> Let's connect </h2> <p><strong><a href="https://www.linkedin.com/in/akhilesh-mishra-0ab886124/" rel="noopener noreferrer">- Connect with me on Linkedin</a><br> **<br> **<a href="https://x.com/livingdevops" rel="noopener noreferrer">- Connect with me on twitter (@livingdevops)<br> </a></strong></p> aws lambda terraform python