Forem: Matthew The latest articles on Forem by Matthew (@matthewdipo). https://forem.com/matthewdipo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2968204%2Fd722f79d-c63b-4895-81c0-b4a80d203dfd.jpeg Forem: Matthew https://forem.com/matthewdipo en Part 6: CI/CD Pipeline Matthew Wed, 15 Apr 2026 14:00:00 +0000 https://forem.com/matthewdipo/part-6-cicd-pipeline-5fde https://forem.com/matthewdipo/part-6-cicd-pipeline-5fde <h2> Part 6: CI/CD Pipeline — GitHub Actions, Trivy, Cosign, and ECR </h2> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>The CI/CD pipeline is the gateway between a developer's <code>git push</code> and a running container in production. Every security control that can be automated should live here — not as an afterthought but as a first-class gate that blocks bad artifacts from ever reaching a cluster.</p> <p>This pipeline enforces:</p> <ul> <li> <strong>No HIGH or CRITICAL CVEs</strong> — Trivy blocks the build before the image is pushed</li> <li> <strong>No static AWS credentials</strong> — GitHub OIDC exchanges JWT tokens for temporary STS creds</li> <li> <strong>Cryptographic image provenance</strong> — Cosign signs every image with an AWS KMS key; Kyverno verifies the signature before admitting the pod</li> <li> <strong>Immutable image tags</strong> — <code>sha-&lt;full-commit-sha&gt;</code>, never <code>:latest</code> </li> <li> <strong>Audit trail</strong> — every push is logged to S3 with digest, timestamp, and caller identity</li> </ul> <h2> The Application (myapp) </h2> <p>A minimal Node.js/Express API that represents any real production service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>myapp/ ├── src/ │ └── index.js # Express app with /health and /metrics ├── Dockerfile ├── package.json └── .github/ └── workflows/ └── ci.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/index.js</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">promClient</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">prom-client</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">register</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">promClient</span><span class="p">.</span><span class="nc">Registry</span><span class="p">();</span> <span class="nx">promClient</span><span class="p">.</span><span class="nf">collectDefaultMetrics</span><span class="p">({</span> <span class="nx">register</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">httpRequestsTotal</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">promClient</span><span class="p">.</span><span class="nc">Counter</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">myapp_http_requests_total</span><span class="dl">'</span><span class="p">,</span> <span class="na">help</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Total HTTP requests</span><span class="dl">'</span><span class="p">,</span> <span class="na">labelNames</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">method</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">route</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">status_code</span><span class="dl">'</span><span class="p">],</span> <span class="na">registers</span><span class="p">:</span> <span class="p">[</span><span class="nx">register</span><span class="p">],</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">finish</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">httpRequestsTotal</span><span class="p">.</span><span class="nf">inc</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="na">route</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">path</span><span class="p">,</span> <span class="na">status_code</span><span class="p">:</span> <span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">healthy</span><span class="dl">'</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_REGION</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">unknown</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/metrics</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">,</span> <span class="nx">register</span><span class="p">.</span><span class="nx">contentType</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="k">await</span> <span class="nx">register</span><span class="p">.</span><span class="nf">metrics</span><span class="p">());</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">8080</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Listening on :8080</span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <h2> Dockerfile — Distroless Nonroot </h2> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Stage 1: Build dependencies</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:18-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="c"># Stage 2: Runtime — distroless (no shell, no package manager)</span> <span class="k">FROM</span><span class="s"> gcr.io/distroless/nodejs18-debian12:nonroot</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy only what's needed — no node_modules dev dependencies, no source maps</span> <span class="k">COPY</span><span class="s"> --from=builder /app/node_modules ./node_modules</span> <span class="k">COPY</span><span class="s"> src/ ./src/</span> <span class="k">COPY</span><span class="s"> package.json ./</span> <span class="c"># nonroot image runs as uid 65532 by default — no root, ever</span> <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">CMD</span><span class="s"> ["src/index.js"]</span> </code></pre> </div> <p><strong>Why distroless?</strong><br> The <code>nonroot</code> variant contains only the Node.js runtime. There is no:</p> <ul> <li> <code>/bin/sh</code> or <code>/bin/bash</code> — an attacker with RCE cannot spawn an interactive shell</li> <li> <code>apt</code>, <code>apk</code>, <code>yum</code> — cannot install additional tools</li> <li> <code>curl</code>, <code>wget</code> — cannot exfiltrate data or download payloads</li> <li>Any other utility that would help lateral movement</li> </ul> <p>Falco still alerts on any unexpected syscalls, but the attack surface is dramatically reduced.</p> <h2> Pipeline Overview </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmlcmtteraw33w16cqrau.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmlcmtteraw33w16cqrau.png" alt="GitHub Actions CI/CD Pipeline — 7 stages from git push to pods running, &lt;br&gt; including OIDC auth, Trivy scanning, Cosign signing, and ArgoCD GitOps &lt;br&gt; deployment" width="800" height="295"></a></p> <p><em>The complete pipeline: no static AWS credentials anywhere. OIDC authenticates <br> GitHub Actions to AWS. Every image is signed with Cosign before Kyverno will <br> admit it to the cluster.</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────────┐ │ git push → main │ │ │ │ │ ▼ │ │ ┌──────────────────┐ │ │ │ Job 1: test │ npm ci + npm test │ │ └────────┬─────────┘ │ │ │ needs: test │ │ ▼ │ │ ┌──────────────────┐ │ │ │ Job 2: scan │ trivy image → fail on HIGH/CRITICAL │ │ └────────┬─────────┘ │ │ │ needs: scan │ │ ▼ │ │ ┌──────────────────────────────────────────────┐ │ │ │ Job 3: build-push-sign │ │ │ │ ├─ OIDC → assume IAM role (no static keys) │ │ │ │ ├─ docker build (distroless) │ │ │ │ ├─ push → ECR us-east-1 │ │ │ │ ├─ push → ECR us-west-2 │ │ │ │ ├─ cosign sign (AWS KMS) │ │ │ │ └─ S3 audit log │ │ │ └────────┬─────────────────────────────────────┘ │ │ │ needs: build-push-sign │ │ ▼ │ │ ┌──────────────────────────────────────────────┐ │ │ │ Job 4: update-gitops │ │ │ │ └─ patch image.tag in values-*.yaml → push │ │ │ └──────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Full GitHub Actions Workflow </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/ci.yaml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">env</span><span class="pi">:</span> <span class="na">ECR_REGISTRY_USE1</span><span class="pi">:</span> <span class="s">206617159586.dkr.ecr.us-east-1.amazonaws.com</span> <span class="na">ECR_REGISTRY_USW2</span><span class="pi">:</span> <span class="s">206617159586.dkr.ecr.us-west-2.amazonaws.com</span> <span class="na">IMAGE_NAME</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">AWS_REGION_USE1</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">AWS_REGION_USW2</span><span class="pi">:</span> <span class="s">us-west-2</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="c1"># Required for OIDC</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="c1"># Required for gitops update commit</span> <span class="na">packages</span><span class="pi">:</span> <span class="s">read</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">18'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> <span class="na">scan</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">test</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build image for scanning</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t ${{ env.IMAGE_NAME }}:scan-${{ github.sha }} .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Trivy vulnerability scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">image-ref</span><span class="pi">:</span> <span class="s">${{ env.IMAGE_NAME }}:scan-${{ github.sha }}</span> <span class="na">format</span><span class="pi">:</span> <span class="s">table</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="c1"># Fail the pipeline on findings</span> <span class="na">severity</span><span class="pi">:</span> <span class="s1">'</span><span class="s">HIGH,CRITICAL'</span> <span class="c1"># Only fail on HIGH and CRITICAL</span> <span class="na">ignore-unfixed</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Skip CVEs with no available fix</span> <span class="na">build-push-sign</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">scan</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="c1"># Only push on main branch, not PRs</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">image-digest-use1</span><span class="pi">:</span> <span class="s">${{ steps.push-use1.outputs.digest }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials via OIDC</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">${{ vars.AWS_ROLE_ARN_USE1 }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION_USE1 }}</span> <span class="c1"># No static access keys — OIDC exchanges GitHub JWT for STS temp creds</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to ECR us-east-1</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION_USE1 }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to ECR us-west-2</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION_USW2 }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Docker Buildx</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push to us-east-1</span> <span class="na">id</span><span class="pi">:</span> <span class="s">push-use1</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">push</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">${{ env.ECR_REGISTRY_USE1 }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}</span> <span class="s">${{ env.ECR_REGISTRY_USE1 }}/${{ env.IMAGE_NAME }}:latest</span> <span class="na">cache-from</span><span class="pi">:</span> <span class="s">type=gha</span> <span class="na">cache-to</span><span class="pi">:</span> <span class="s">type=gha,mode=max</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Copy image to us-west-2</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">DIGEST="${{ steps.push-use1.outputs.digest }}"</span> <span class="s">docker buildx imagetools create \</span> <span class="s">--tag ${{ env.ECR_REGISTRY_USW2 }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }} \</span> <span class="s">${{ env.ECR_REGISTRY_USE1 }}/${{ env.IMAGE_NAME }}@${DIGEST}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Cosign</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">sigstore/cosign-installer@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Sign image with AWS KMS</span> <span class="na">env</span><span class="pi">:</span> <span class="na">COSIGN_KEY</span><span class="pi">:</span> <span class="s">${{ vars.COSIGN_KMS_KEY_ARN }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">DIGEST="${{ steps.push-use1.outputs.digest }}"</span> <span class="s">IMAGE="${{ env.ECR_REGISTRY_USE1 }}/${{ env.IMAGE_NAME }}@${DIGEST}"</span> <span class="s"># Sign the image — creates an OCI attestation artifact in ECR</span> <span class="s">cosign sign --key awskms:///${COSIGN_KEY} \</span> <span class="s">--yes \</span> <span class="s">${IMAGE}</span> <span class="s">echo "Signed: ${IMAGE}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Write S3 audit log</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">DIGEST="${{ steps.push-use1.outputs.digest }}"</span> <span class="s">TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ)</span> <span class="s">CALLER=$(aws sts get-caller-identity --query Arn --output text)</span> <span class="s">echo "{</span> <span class="s">\"timestamp\": \"${TIMESTAMP}\",</span> <span class="s">\"repo\": \"${{ github.repository }}\",</span> <span class="s">\"sha\": \"${{ github.sha }}\",</span> <span class="s">\"digest\": \"${DIGEST}\",</span> <span class="s">\"pushed_by\": \"${CALLER}\",</span> <span class="s">\"workflow\": \"${{ github.workflow }}\",</span> <span class="s">\"run_id\": \"${{ github.run_id }}\"</span> <span class="s">}" | aws s3 cp - \</span> <span class="s">s3://${{ vars.AUDIT_BUCKET }}/ci-push-audit/${{ github.sha }}.json</span> <span class="na">update-gitops</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build-push-sign</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout myapp-gitops</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">MatthewDipo/myapp-gitops</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITOPS_PAT }}</span> <span class="na">path</span><span class="pi">:</span> <span class="s">myapp-gitops</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update image tags</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd myapp-gitops</span> <span class="s">NEW_TAG="sha-${{ github.sha }}"</span> <span class="s"># Update all environment value files</span> <span class="s">for FILE in apps/myapp/values-dev.yaml \</span> <span class="s">apps/myapp/values-staging.yaml \</span> <span class="s">apps/myapp/values-production.yaml; do</span> <span class="s">sed -i "s|tag: sha-[a-f0-9]*|tag: ${NEW_TAG}|g" $FILE</span> <span class="s">echo "Updated $FILE → ${NEW_TAG}"</span> <span class="s">done</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Commit and push</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd myapp-gitops</span> <span class="s">git config user.email "ci@github.com"</span> <span class="s">git config user.name "GitHub Actions"</span> <span class="s">git add apps/myapp/values-*.yaml</span> <span class="s">git commit -m "ci: update image tag to sha-${{ github.sha }}"</span> <span class="s">git push origin main</span> </code></pre> </div> <h2> GitHub Repository Variables (not secrets) </h2> <p>These are set in the GitHub UI under <strong>Settings → Secrets and variables → Actions → Variables</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Variable</th> <th>Value</th> <th>Why not a secret?</th> </tr> </thead> <tbody> <tr> <td><code>AWS_ROLE_ARN_USE1</code></td> <td><code>arn:aws:iam::206617159586:role/myapp-dev-use1-github-ci</code></td> <td>Not sensitive — it's a role ARN, useless without the OIDC token</td> </tr> <tr> <td><code>COSIGN_KMS_KEY_ARN</code></td> <td><code>arn:aws:kms:us-east-1:206617159586:key/...</code></td> <td>Not sensitive — KMS key ID alone grants nothing</td> </tr> <tr> <td><code>AUDIT_BUCKET</code></td> <td><code>myapp-ci-audit-206617159586</code></td> <td>Not sensitive</td> </tr> </tbody> </table></div> <p>Only <code>GITOPS_PAT</code> (GitHub Personal Access Token to push to myapp-gitops) is a <strong>secret</strong>.</p> <blockquote> <p><strong>No AWS_ACCESS_KEY_ID. No AWS_SECRET_ACCESS_KEY.</strong> These should never appear in a modern CI pipeline.</p> </blockquote> <h2> Cosign Image Signing </h2> <p>Cosign attaches a cryptographic signature to the image in the same ECR repository. The signature is stored as a separate OCI artifact tagged with the image digest.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ECR Repository: myapp sha-abc123def456... ← Your application image sha256-abc123def456...sig ← Cosign signature (OCI artifact) sha256-abc123def456...att ← Cosign attestation (SBOM, etc.) </code></pre> </div> <p><strong>Verification (what Kyverno does at admission time):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cosign verify <span class="se">\</span> <span class="nt">--key</span> awskms:///arn:aws:kms:us-east-1:206617159586:key/YOUR_KEY_ID <span class="se">\</span> 206617159586.dkr.ecr.us-east-1.amazonaws.com/myapp:sha-abc123 <span class="c"># Output if valid:</span> <span class="c"># Verification for 206617159586.dkr.ecr.us-east-1.amazonaws.com/myapp:sha-abc123</span> <span class="c"># The following checks were performed on each of these signatures:</span> <span class="c"># - The cosign claims were validated</span> <span class="c"># - The signatures were verified against the specified public key</span> </code></pre> </div> <h2> Image Naming Convention </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>206617159586.dkr.ecr.us-east-1.amazonaws.com/myapp:sha-&lt;full-40-char-git-sha&gt; </code></pre> </div> <p><strong>Why <code>sha-&lt;full-sha&gt;</code> and not semantic versioning?</strong></p> <ul> <li> <strong>Traceability:</strong> Given any running pod, you can run <code>git show &lt;sha&gt;</code> to see the exact commit</li> <li> <strong>Immutability:</strong> Two builds of the same SHA produce the same image (deterministic builds)</li> <li> <strong>No tag collisions:</strong> <code>v1.0.0</code> can be overwritten; a git SHA cannot</li> <li> <strong>No <code>:latest</code>:</strong> <code>:latest</code> is the devil — it means different things at different times and breaks reproducibility</li> </ul> <h2> Pre-commit Hooks </h2> <p>Before code ever reaches GitHub, pre-commit hooks catch common issues locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .pre-commit-config.yaml</span> <span class="na">repos</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/pre-commit/pre-commit-hooks</span> <span class="na">rev</span><span class="pi">:</span> <span class="s">v4.5.0</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">trailing-whitespace</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">end-of-file-fixer</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">check-yaml</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">check-merge-conflict</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/hadolint/hadolint</span> <span class="na">rev</span><span class="pi">:</span> <span class="s">v2.12.0</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">hadolint-docker</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">--ignore'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">DL3006'</span><span class="pi">]</span> <span class="c1"># DL3006: always tag FROM image</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/Yelp/detect-secrets</span> <span class="na">rev</span><span class="pi">:</span> <span class="s">v1.5.0</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">detect-secrets</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">--baseline'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">.secrets.baseline'</span><span class="pi">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install pre-commit</span> pip <span class="nb">install </span>pre-commit pre-commit <span class="nb">install</span> <span class="c"># Run manually against all files</span> pre-commit run <span class="nt">--all-files</span> </code></pre> </div> <h2> Pipeline Security Properties </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Property</th> <th>How Achieved</th> </tr> </thead> <tbody> <tr> <td>No secrets in Git</td> <td>detect-secrets pre-commit hook</td> </tr> <tr> <td>No secrets in CI</td> <td>OIDC replaces static AWS keys</td> </tr> <tr> <td>No HIGH/CRITICAL CVEs</td> <td>Trivy scan blocks pipeline</td> </tr> <tr> <td>No unverified images</td> <td>Kyverno admission webhook</td> </tr> <tr> <td>Immutable artifacts</td> <td>ECR <code>IMMUTABLE</code> tag mutability</td> </tr> <tr> <td>Cryptographic provenance</td> <td>Cosign + AWS KMS signing</td> </tr> <tr> <td>Full audit trail</td> <td>S3 + CloudTrail</td> </tr> <tr> <td>Reproducible builds</td> <td>Pinned base image SHA, <code>npm ci</code> </td> </tr> </tbody> </table></div> <h2> Summary </h2> <p>By the end of Part 6 you have:</p> <ul> <li>✅ A secure Dockerfile using distroless/nonroot with multi-stage build</li> <li>✅ GitHub Actions pipeline with 4 jobs: test → scan → build/push/sign → gitops update</li> <li>✅ OIDC-based AWS authentication (zero static credentials)</li> <li>✅ Trivy CVE scanning blocking HIGH/CRITICAL vulnerabilities</li> <li>✅ Cosign image signing with AWS KMS</li> <li>✅ Automatic image tag update in myapp-gitops triggering ArgoCD sync</li> <li>✅ S3 audit log for every image push</li> <li>✅ Pre-commit hooks catching issues before they reach CI</li> </ul> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: GitHub Actions — workflow run showing all 4 jobs passing (green checkmarks)</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsp8eecy972exm49fze9h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsp8eecy972exm49fze9h.png" alt="Show in frame: A completed workflow run showing all 4 jobs (build-test, build-push, sign, deploy) with green checkmarks. Click into the run to show the job list." width="800" height="445"></a></p> <p><strong>SCREENSHOT: ECR repository showing images with sha- tags and scan results (no HIGH/CRITICAL)</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9koskql8iqphgf5aldyt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9koskql8iqphgf5aldyt.png" alt="ECR repository showing images with sha- tags and scan results (no HIGH/CRITICAL)" width="800" height="444"></a></p> <p><strong>SCREENSHOT: GitHub Actions — Job 3 logs showing "Signed: ..." cosign output</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy44tu0l190e6wvmh5myv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy44tu0l190e6wvmh5myv.png" alt=" " width="800" height="444"></a></p> </blockquote> <p><em>Next: Part 7 — Secrets Management: AWS Secrets Manager + External Secrets Operator + IRSA</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> githubactions devops docker kubernetes Part 5: GitOps with ArgoCD Matthew Thu, 09 Apr 2026 23:50:20 +0000 https://forem.com/matthewdipo/part-5-gitops-with-argocd-4p36 https://forem.com/matthewdipo/part-5-gitops-with-argocd-4p36 <p>5: GitOps with ArgoCD — Hub-Spoke Model</p> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>GitOps flips the traditional CI/CD model. Instead of a pipeline <em>pushing</em> manifests into a cluster, the cluster <em>pulls</em> its desired state from Git. The result:</p> <ul> <li> <strong>Audit trail built-in:</strong> every cluster change is a Git commit with author, timestamp, and diff</li> <li> <strong>Self-healing:</strong> ArgoCD continuously reconciles — if someone <code>kubectl apply</code>s something manually, ArgoCD reverts it within minutes</li> <li> <strong>Rollback is <code>git revert</code>:</strong> no special tooling, no cluster access needed</li> <li> <strong>Drift detection:</strong> ArgoCD shows you exactly when a cluster diverges from what's in Git</li> </ul> <p>This pipeline uses ArgoCD in a <strong>hub-spoke</strong> topology: one ArgoCD installation on <code>myapp-production-use1</code> manages all six clusters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────┐ │ ArgoCD HUB: myapp-production-use1 │ │ │ │ Watches: github.com/MatthewDipo/myapp-gitops (main branch) │ │ Manages: 6 clusters via registered cluster credentials │ │ │ │ ApplicationSets generate Applications per cluster: │ │ ┌──────────────────────────────────────────────────────────┐ │ │ │ environments/production/applicationset.yaml │ │ │ │ → prometheus-myapp-production-use1 │ │ │ │ → prometheus-myapp-production-usw2 │ │ │ │ → prometheus-myapp-staging-use1 (staging project) │ │ │ │ → prometheus-myapp-staging-usw2 │ │ │ └──────────────────────────────────────────────────────────┘ │ └────────────────────────────┬────────────────────────────────────┘ VPC Peering (private │ endpoints) ┌────────────────────────┤ │ ┌───────────────────┤ │ │ ┌──────────────┤──────────────┐ ▼ ▼ ▼ ▼ ▼ prod-usw2 staging-use1 staging-usw2 dev-use1 dev-usw2 </code></pre> </div> <p><strong>Why hub-spoke over running ArgoCD in every cluster?</strong><br> One ArgoCD = one UI, one set of secrets, one audit log. Running six ArgoCD instances means six independent control planes to maintain, upgrade, and monitor. The operational overhead multiplies linearly with clusters.</p> <h2> Step 1: Install ArgoCD on the Hub </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable public endpoint on prod-use1 for bootstrapping</span> aws eks update-cluster-config <span class="se">\</span> <span class="nt">--name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">true</span>,endpointPrivateAccess<span class="o">=</span><span class="nb">true</span>,publicAccessCidrs<span class="o">=</span><span class="s2">"0.0.0.0/0"</span> <span class="nb">sleep </span>180 <span class="c"># Wait for propagation</span> <span class="c"># Install ArgoCD</span> kubectl <span class="nt">--context</span> prod-use1 create namespace argocd helm repo add argo https://argoproj.github.io/argo-helm helm <span class="nb">install </span>argocd argo/argo-cd <span class="se">\</span> <span class="nt">--namespace</span> argocd <span class="se">\</span> <span class="nt">--version</span> 6.7.3 <span class="se">\</span> <span class="nt">--set</span> server.service.type<span class="o">=</span>LoadBalancer <span class="se">\</span> <span class="nt">--set</span> configs.params.<span class="s2">"server</span><span class="se">\.</span><span class="s2">insecure"</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--no-hooks</span> <span class="se">\</span> <span class="nt">--wait</span> <span class="nt">--timeout</span> 5m <span class="c"># Get the LoadBalancer URL</span> kubectl <span class="nt">--context</span> prod-use1 get svc <span class="nt">-n</span> argocd argocd-server <span class="se">\</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.status.loadBalancer.ingress[0].hostname}'</span> <span class="c"># Get initial admin password</span> kubectl <span class="nt">--context</span> prod-use1 get secret <span class="nt">-n</span> argocd argocd-initial-admin-secret <span class="se">\</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.password}'</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="c"># Login via CLI</span> argocd login &lt;LB_HOSTNAME&gt; <span class="nt">--username</span> admin <span class="nt">--password</span> &lt;PASSWORD&gt; <span class="nt">--insecure</span> </code></pre> </div> <h2> Step 2: Create AppProjects </h2> <p>AppProjects define what each group of Applications is allowed to do — which source repos, which destination clusters, and which namespaces. They are the RBAC boundary in ArgoCD.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># argocd/project-production.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AppProject</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">production</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Production workloads and infrastructure</span> <span class="na">sourceRepos</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">https://github.com/MatthewDipo/myapp-gitops.git</span> <span class="pi">-</span> <span class="s">https://prometheus-community.github.io/helm-charts</span> <span class="pi">-</span> <span class="s">https://charts.external-secrets.io</span> <span class="pi">-</span> <span class="s">https://aws.github.io/eks-charts</span> <span class="pi">-</span> <span class="s">https://kyverno.github.io/kyverno</span> <span class="pi">-</span> <span class="s">https://falcosecurity.github.io/charts</span> <span class="pi">-</span> <span class="s">https://vmware-tanzu.github.io/helm-charts</span> <span class="pi">-</span> <span class="s">https://charts.jetstack.io</span> <span class="pi">-</span> <span class="s">https://grafana.github.io/helm-charts</span> <span class="na">destinations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">server</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="c1"># IMPORTANT: use server: "*" not name: "*"</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="c1"># ArgoCD resolves cluster name → server URL for permission checks</span> <span class="na">clusterResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">namespaceResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">kind</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> </code></pre> </div> <blockquote> <p><strong>Critical lesson:</strong> Use <code>server: "*"</code> not <code>name: "*"</code> in AppProject destinations. ArgoCD resolves cluster names to server URLs when enforcing project permissions. With <code>name: "*"</code> alone, syncs to named clusters fail with permission errors. With <code>server: "*"</code>, it works correctly.</p> </blockquote> <p>Apply all three projects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> argocd/project-dev.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> argocd/project-staging.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> argocd/project-production.yaml </code></pre> </div> <h2> Step 3: Add the Private GitOps Repo </h2> <p>ArgoCD needs credentials to pull from a private repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd repo add https://github.com/MatthewDipo/myapp-gitops.git <span class="se">\</span> <span class="nt">--username</span> MatthewDipo <span class="se">\</span> <span class="nt">--password</span> &lt;GITHUB_PAT&gt; <span class="se">\</span> <span class="nt">--insecure-skip-server-verification</span> <span class="c"># Verify</span> argocd repo list </code></pre> </div> <h2> Step 4: Register Spoke Clusters </h2> <p>Each spoke cluster is registered by running <code>argocd cluster add</code> with the cluster's kubeconfig context. This creates a ServiceAccount and ClusterRoleBinding in the spoke cluster that ArgoCD uses to manage resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Dev clusters (public endpoints — accessible directly)</span> argocd cluster add dev-use1 <span class="nt">--name</span> myapp-dev-use1 <span class="nt">--yes</span> argocd cluster add dev-usw2 <span class="nt">--name</span> myapp-dev-usw2 <span class="nt">--yes</span> <span class="c"># Private clusters — must temporarily enable public endpoint first</span> <span class="k">for </span>CLUSTER <span class="k">in </span>myapp-staging-use1 myapp-staging-usw2 myapp-production-usw2<span class="p">;</span> <span class="k">do </span><span class="nv">REGION</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$CLUSTER</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"use1"</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="s2">"us-east-1"</span> <span class="o">||</span> <span class="nb">echo</span> <span class="s2">"us-west-2"</span><span class="si">)</span> <span class="nv">ENV</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$CLUSTER</span> | <span class="nb">cut</span> <span class="nt">-d-</span> <span class="nt">-f2</span><span class="si">)</span> <span class="nv">PROFILE</span><span class="o">=</span><span class="s2">"myapp-</span><span class="k">${</span><span class="nv">ENV</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="nv">REGION</span><span class="p">//us-east-1/use1</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="nv">REGION</span><span class="p">//us-west-2/usw2</span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Enabling public endpoint on </span><span class="nv">$CLUSTER</span><span class="s2">..."</span> aws eks update-cluster-config <span class="nt">--name</span> <span class="nv">$CLUSTER</span> <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="se">\</span> <span class="nt">--profile</span> myapp-<span class="k">${</span><span class="nv">ENV</span><span class="k">}</span>-<span class="si">$(</span><span class="nb">echo</span> <span class="nv">$REGION</span> | <span class="nb">sed</span> <span class="s1">'s/us-east-1/use1/;s/us-west-2/usw2/'</span><span class="si">)</span> <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">true</span>,endpointPrivateAccess<span class="o">=</span><span class="nb">true</span>,publicAccessCidrs<span class="o">=</span><span class="s2">"0.0.0.0/0"</span> <span class="nb">sleep </span>180 <span class="nv">CTX</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$CLUSTER</span> | <span class="nb">sed</span> <span class="s1">'s/myapp-//;s/-use1/-use1/;s/-usw2/-usw2/'</span><span class="si">)</span> argocd cluster add <span class="nv">$CTX</span> <span class="nt">--name</span> <span class="nv">$CLUSTER</span> <span class="nt">--yes</span> <span class="nb">echo</span> <span class="s2">"Locking </span><span class="nv">$CLUSTER</span><span class="s2"> back to private..."</span> aws eks update-cluster-config <span class="nt">--name</span> <span class="nv">$CLUSTER</span> <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="se">\</span> <span class="nt">--profile</span> myapp-<span class="k">${</span><span class="nv">ENV</span><span class="k">}</span>-<span class="si">$(</span><span class="nb">echo</span> <span class="nv">$REGION</span> | <span class="nb">sed</span> <span class="s1">'s/us-east-1/use1/;s/us-west-2/usw2/'</span><span class="si">)</span> <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">false</span>,endpointPrivateAccess<span class="o">=</span><span class="nb">true </span><span class="k">done</span> <span class="c"># Verify all clusters registered</span> argocd cluster list </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">SERVER NAME VERSION STATUS https://kubernetes.default.svc in-cluster 1.29 Successful </span><span class="gp">&lt;spoke-endpoint&gt;</span><span class="w"> </span>myapp-dev-use1 1.29 Successful <span class="gp">&lt;spoke-endpoint&gt;</span><span class="w"> </span>myapp-dev-usw2 1.29 Successful <span class="gp">&lt;spoke-endpoint&gt;</span><span class="w"> </span>myapp-staging-use1 1.29 Successful <span class="gp">&lt;spoke-endpoint&gt;</span><span class="w"> </span>myapp-staging-usw2 1.29 Successful <span class="gp">&lt;spoke-endpoint&gt;</span><span class="w"> </span>myapp-production-usw2 1.29 Successful </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdqx02fxnc4ybl2t3xltd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdqx02fxnc4ybl2t3xltd.png" alt="ArgoCD Hub-Spoke GitOps Architecture — production-use1 as hub managing 5 &lt;br&gt; spoke clusters via VPC Peering, with dev clusters on public endpoints" width="800" height="429"></a></p> <p><em>Solid lines = VPC Peering (private). Dashed lines = public endpoints (dev only). <br> The hub cluster runs ArgoCD and manages 47 Applications across all 6 clusters.</em></p> <h2> Step 5: ApplicationSet — The Core of Hub-Spoke GitOps </h2> <p>An ApplicationSet is a controller that generates ArgoCD Applications from a template and a generator. The <strong>list generator</strong> creates one Application per element in the list — one per cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># environments/production/applicationset.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ApplicationSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp-production</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">generators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">list</span><span class="pi">:</span> <span class="na">elements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-production-use1</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="na">certArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:acm:us-east-1:591120834781:certificate/9ab022c9-..."</span> <span class="na">wafAclArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:wafv2:us-east-1:591120834781:regional/webacl/..."</span> <span class="na">irsaRoleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::591120834781:role/myapp-production-use1-eso"</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">myapp-production-usw2</span> <span class="na">region</span><span class="pi">:</span> <span class="s">us-west-2</span> <span class="na">certArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:acm:us-west-2:591120834781:certificate/171cac9d-..."</span> <span class="na">wafAclArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:wafv2:us-west-2:591120834781:regional/webacl/..."</span> <span class="na">irsaRoleArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::591120834781:role/myapp-production-usw2-eso"</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">myapp-production-{{cluster}}"</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">component</span><span class="pi">:</span> <span class="s">application</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">region</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{region}}"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">production</span> <span class="na">sources</span><span class="pi">:</span> <span class="c1"># Source 1: the Helm chart (from gitops repo)</span> <span class="pi">-</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/MatthewDipo/myapp-gitops.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">ref</span><span class="pi">:</span> <span class="s">gitopsValues</span> <span class="c1"># Named reference — used in source 2</span> <span class="c1"># Source 2: Helm chart with values from the gitops repo</span> <span class="pi">-</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/MatthewDipo/myapp-gitops.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">apps/myapp</span> <span class="na">helm</span><span class="pi">:</span> <span class="na">valueFiles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">$gitopsValues/apps/myapp/values.yaml</span> <span class="pi">-</span> <span class="s">$gitopsValues/apps/myapp/values-production.yaml</span> <span class="na">parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">image.tag"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sha-45d92fc5ffd4555caf35b996ed1eec4e45152dce"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">env.AWS_REGION"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{region}}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ingress.certArn"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{certArn}}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ingress.wafAclArn"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{wafAclArn}}"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">externalSecrets.irsaRoleArn"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{irsaRoleArn}}"</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{cluster}}"</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Remove resources deleted from Git</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Revert manual kubectl changes</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=true</span> <span class="pi">-</span> <span class="s">ServerSideApply=true</span> <span class="na">retry</span><span class="pi">:</span> <span class="na">limit</span><span class="pi">:</span> <span class="m">3</span> <span class="na">backoff</span><span class="pi">:</span> <span class="na">duration</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">maxDuration</span><span class="pi">:</span> <span class="s">10m</span> <span class="na">factor</span><span class="pi">:</span> <span class="m">2</span> </code></pre> </div> <h3> Key ApplicationSet concepts: </h3> <p><strong><code>automated.prune: true</code></strong> — If you delete a file from Git, ArgoCD deletes the corresponding Kubernetes resource. Without this, deleted manifests leave orphaned resources.</p> <p><strong><code>automated.selfHeal: true</code></strong> — If someone runs <code>kubectl edit</code> and changes something, ArgoCD detects the drift and reverts it within ~3 minutes. This enforces Git as the only source of truth.</p> <p><strong><code>ServerSideApply: true</code></strong> — Required for CRDs and resources that multiple controllers manage (e.g., Prometheus operator patches its own webhook config). Without this, field ownership conflicts cause sync failures.</p> <p><strong><code>retry</code></strong> — Network blips or transient API errors shouldn't fail a deployment permanently. The retry policy handles intermittent failures automatically.</p> <h2> Step 6: Deploy the ApplicationSets </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Apply all ApplicationSets from the hub cluster</span> kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> environments/dev/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> environments/staging/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> environments/production/applicationset.yaml <span class="c"># Infrastructure ApplicationSets</span> kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/eso/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/kyverno/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/falco/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/monitoring/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/logging/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/velero/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/karpenter/applicationset.yaml kubectl <span class="nt">--context</span> prod-use1 apply <span class="nt">-f</span> infrastructure/argo-rollouts/applicationset.yaml <span class="c"># Watch sync status</span> argocd app list </code></pre> </div> <h2> Sync Status and Known False Positives </h2> <p>After deploying, most apps show <code>Synced/Healthy</code>. A few will permanently show <code>OutOfSync/Healthy</code> — this is expected and safe:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>App</th> <th>Why OutOfSync</th> <th>Safe?</th> </tr> </thead> <tbody> <tr> <td>ESO (<code>external-secrets-*</code>)</td> <td>ESO writes <code>status.refreshTime</code> at runtime; ArgoCD sees this as drift</td> <td>✅ Yes</td> </tr> <tr> <td> <code>myapp-*</code> (with ESO)</td> <td>Same ESO status drift propagates to the parent app</td> <td>✅ Yes</td> </tr> <tr> <td><code>prometheus-*</code></td> <td>Prometheus operator patches its own ValidatingWebhookConfiguration at runtime</td> <td>✅ Yes</td> </tr> </tbody> </table></div> <p><strong>Real sync failures</strong> (need action):</p> <ul> <li> <code>SyncFailed</code> — usually a YAML error or missing CRD</li> <li> <code>Degraded</code> — pods crashing; check <code>kubectl describe pod</code> </li> <li> <code>Missing</code> — ArgoCD can't reach the cluster</li> </ul> <h2> Troubleshooting </h2> <p><strong>Orphaned resources after a Helm release name change:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Force prune all resources not in current Git state</span> argocd app <span class="nb">sync </span>argocd/karpenter-myapp-production-use1 <span class="nt">--prune</span> <span class="nt">--force</span> </code></pre> </div> <p><strong>App stuck in Progressing:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>argocd app get argocd/myapp-production-myapp-production-use1 <span class="c"># Check the "Conditions" and "Events" sections</span> </code></pre> </div> <p><strong>Cluster shows Unknown:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Re-register the cluster (token may have expired)</span> argocd cluster add prod-usw2 <span class="nt">--name</span> myapp-production-usw2 <span class="nt">--yes</span> </code></pre> </div> <p><strong>AppProject permission denied:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Ensure project destinations include server: "*"</span> <span class="c"># Ensure sourceRepos includes the chart repo URL</span> kubectl <span class="nt">--context</span> prod-use1 edit appproject production <span class="nt">-n</span> argocd </code></pre> </div> <h2> VPC Peering for Hub → Spoke Connectivity </h2> <p>ArgoCD hub reaches spoke private endpoints via VPC peering. Three peering connections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>prod-use1 VPC (10.20.0.0/16) ◄──────► prod-usw2 VPC (10.21.0.0/16) prod-use1 VPC (10.20.0.0/16) ◄──────► staging-use1 VPC (10.10.0.0/16) prod-use1 VPC (10.20.0.0/16) ◄──────► staging-usw2 VPC (10.11.0.0/16) </code></pre> </div> <p>After the peering is active, ArgoCD can communicate with spoke API servers on their private IPs (<code>10.x.x.x:443</code>) without any traffic touching the internet.</p> <h2> Summary </h2> <p>By the end of Part 5 you have:</p> <ul> <li>✅ ArgoCD running on the hub cluster with a public LoadBalancer URL</li> <li>✅ Three AppProjects (dev, staging, production) with correct source and destination restrictions</li> <li>✅ All 5 spoke clusters registered (ArgoCD SA + ClusterRoleBinding installed in each)</li> <li>✅ ApplicationSets generating Applications for all environments and infrastructure components</li> <li>✅ GitOps loop closed: a commit to <code>myapp-gitops</code> triggers automatic sync to all clusters</li> </ul> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: ArgoCD UI — Applications view showing all apps, most Synced/Healthy</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbk62osg4qfx71l3zlnim.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbk62osg4qfx71l3zlnim.png" alt="Applications view" width="800" height="444"></a>## Part<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5h35ndmkjns6nx7zittk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5h35ndmkjns6nx7zittk.png" alt="Applications view" width="800" height="444"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ful8wrc5q11xqapyvpkcn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ful8wrc5q11xqapyvpkcn.png" alt="Applications view" width="800" height="443"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fguld8zxneyw3qvv19dyf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fguld8zxneyw3qvv19dyf.png" alt="Applications view" width="800" height="444"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdldjo262ufhw8v7gpm1l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdldjo262ufhw8v7gpm1l.png" alt="Applications view" width="800" height="443"></a></p> <p><strong>SCREENSHOT: ArgoCD UI — Cluster list showing all 6 clusters registered and Successful</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbxyl1gli84tvj3irpki.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbxyl1gli84tvj3irpki.png" alt="Show in frame: All 6 cluster entries with status Successful, showing cluster names and server URLs." width="800" height="441"></a></p> <p><strong>SCREENSHOT: ArgoCD UI — One Application detail view showing resource tree</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6fswzlu2dqis9oi8kjj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg6fswzlu2dqis9oi8kjj.png" alt="Show in frame: The resource tree showing Rollout → ReplicaSet → Pods, Service, Ingress, HPA, ExternalSecret all connected." width="800" height="447"></a></p> <p><strong>SCREENSHOT: GitOps Repo Structure on GitHub</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvw08qoe1mq8y9sag5nqv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvw08qoe1mq8y9sag5nqv.png" alt="Show in frame: The folder tree showing environments/, infrastructure/, argocd/ with subfolders expanded." width="800" height="444"></a></p> </blockquote> <p><em>Next: Part 6 — CI/CD Pipeline: GitHub Actions, Trivy, Cosign, ECR</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> kubernetes devops gitops cloud Part 4: EKS Multi-Cluster Setup Matthew Wed, 01 Apr 2026 13:00:00 +0000 https://forem.com/matthewdipo/part-4-eks-multi-cluster-setup-2i3m https://forem.com/matthewdipo/part-4-eks-multi-cluster-setup-2i3m <h2> Part 4: EKS Multi-Cluster Setup — Six Clusters Across Two Regions </h2> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>Why six clusters instead of one? The answer is isolation and resilience:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────────────────┐ │ ONE CLUSTER (anti-pattern) │ │ │ │ Dev pods → same etcd as Production pods │ │ A misconfigured dev deployment can consume all cluster resources │ │ Cluster upgrade = every environment goes down simultaneously │ │ Cost visibility: impossible to attribute spend per environment │ └──────────────────────────────────────────────────────────────────────────┘ ┌────────────────────────────────────────────────────────────────────────────┐ │ SIX CLUSTERS (this guide) │ │ │ │ myapp-dev-use1 (us-east-1, public endpoint, 2 nodes) │ │ myapp-dev-usw2 (us-west-2, public endpoint, 2 nodes) │ │ myapp-staging-use1 (us-east-1, private endpoint, 2 nodes) │ │ myapp-staging-usw2 (us-west-2, private endpoint, 2 nodes) │ │ myapp-production-use1 (us-east-1, private endpoint, 2+ nodes + Karpenter) │ │ myapp-production-usw2 (us-west-2, private endpoint, 2+ nodes + Karpenter) │ │ │ │ Benefits: │ │ ✓ Complete IAM isolation between environments │ │ ✓ Production upgrade independent of dev │ │ ✓ Regional failover — us-east-1 outage → us-west-2 serves traffic │ │ ✓ Clear cost attribution per cluster tag │ └────────────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Cluster Overview </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Cluster</th> <th>Region</th> <th>Endpoint</th> <th>Nodes</th> <th>Karpenter</th> </tr> </thead> <tbody> <tr> <td><code>myapp-dev-use1</code></td> <td>us-east-1</td> <td>Public</td> <td>2 × t3.medium</td> <td>No</td> </tr> <tr> <td><code>myapp-dev-usw2</code></td> <td>us-west-2</td> <td>Public</td> <td>2 × t3.medium</td> <td>No</td> </tr> <tr> <td><code>myapp-staging-use1</code></td> <td>us-east-1</td> <td>Private</td> <td>2 × t3.medium</td> <td>No</td> </tr> <tr> <td><code>myapp-staging-usw2</code></td> <td>us-west-2</td> <td>Private</td> <td>2 × t3.medium</td> <td>No</td> </tr> <tr> <td><code>myapp-production-use1</code></td> <td>us-east-1</td> <td>Private</td> <td>2+ × t3.medium</td> <td>Yes</td> </tr> <tr> <td><code>myapp-production-usw2</code></td> <td>us-west-2</td> <td>Private</td> <td>2+ × t3.medium</td> <td>Yes</td> </tr> </tbody> </table></div> <h2> EKS Terraform Module </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/eks/main.tf</span> <span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 20.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.29"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="c1"># Nodes always in private subnets</span> <span class="nx">control_plane_subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="c1"># Endpoint access: private always on, public only for dev</span> <span class="nx">cluster_endpoint_private_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_api</span> <span class="nx">cluster_endpoint_public_access_cidrs</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_api</span> <span class="err">?</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="err">:</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="c1"># Note: AWS rejects empty list when public is disabled — always set to 0.0.0.0/0</span> <span class="c1"># Without this the cluster creator IAM role (your Terragrunt role) can't kubectl</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Encrypt Kubernetes secrets in etcd with KMS</span> <span class="nx">cluster_encryption_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_key_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_key_arn</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"secrets"</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># EKS managed add-ons (AWS manages patching)</span> <span class="nx">cluster_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">coredns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">kube-proxy</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">vpc-cni</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">service_account_role_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc_cni_irsa</span><span class="p">.</span><span class="nx">iam_role_arn</span> <span class="p">}</span> <span class="nx">aws-ebs-csi-driver</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">service_account_role_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ebs_csi_irsa</span><span class="p">.</span><span class="nx">iam_role_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_types</span> <span class="c1"># ["t3.medium"]</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">min_nodes</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">max_nodes</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">desired_nodes</span> <span class="c1"># IMPORTANT: name_prefix has a 38 character limit.</span> <span class="c1"># "myapp-production-use1-eks-node-group-" = 39 chars → FAILS.</span> <span class="c1"># Fix: use explicit role name (IAM limit is 64 chars).</span> <span class="nx">iam_role_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-node-group"</span> <span class="nx">iam_role_use_name_prefix</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Nodes need these policies to pull from ECR, write to CloudWatch, etc.</span> <span class="nx">iam_role_additional_policies</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AmazonSSMManagedInstanceCore</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"</span> <span class="p">}</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"node-type"</span> <span class="p">=</span> <span class="s2">"general"</span> <span class="p">}</span> <span class="c1"># Karpenter discovery tag — only needed on production node groups</span> <span class="c1"># (Karpenter uses this to find the right security group)</span> <span class="nx">taints</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">karpenter_enabled</span> <span class="err">?</span> <span class="p">[]</span> <span class="err">:</span> <span class="p">[]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Node security group — allow Karpenter to manage nodes</span> <span class="nx">node_security_group_tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">karpenter_enabled</span> <span class="err">?</span> <span class="p">{</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> <span class="err">:</span> <span class="p">{}</span> <span class="p">}</span> <span class="c1"># IRSA for VPC CNI (pod networking)</span> <span class="nx">module</span> <span class="s2">"vpc_cni_irsa"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-vpc-cni"</span> <span class="nx">attach_vpc_cni_policy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">vpc_cni_enable_ipv4</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">oidc_providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">namespace_service_accounts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kube-system:aws-node"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># IRSA for EBS CSI Driver (persistent volumes)</span> <span class="nx">module</span> <span class="s2">"ebs_csi_irsa"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-ebs-csi"</span> <span class="nx">attach_ebs_csi_policy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">oidc_providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">namespace_service_accounts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kube-system:ebs-csi-controller-sa"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/eks/outputs.tf</span> <span class="nx">output</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"cluster_endpoint"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"cluster_certificate_authority_data"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"oidc_provider_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"oidc_provider"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"node_security_group_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">node_security_group_id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"node_subnet_ids"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="p">}</span> </code></pre> </div> <h2> Per-Environment Terragrunt Configs </h2> <p><strong>Dev (public endpoint):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/dev/us-east-1/eks/terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../../_modules/eks"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../vpc"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="s2">"vpc-mock"</span> <span class="nx">private_subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"subnet-mock1"</span><span class="p">,</span> <span class="s2">"subnet-mock2"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"kms"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../kms"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">key_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:kms:us-east-1:123456789:key/mock"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"myapp-dev-use1"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">private_subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">kms_key_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">kms</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">key_arn</span> <span class="nx">public_api</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Dev gets public endpoint for laptop + CI access</span> <span class="nx">min_nodes</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_nodes</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">desired_nodes</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="nx">karpenter_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p><strong>Production (private endpoint + Karpenter):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/production/us-east-1/eks/terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../../_modules/eks"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../vpc"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"kms"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../kms"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"myapp-production-use1"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">private_subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">kms_key_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">kms</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">key_arn</span> <span class="nx">public_api</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Private endpoint only — no public internet access</span> <span class="nx">min_nodes</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_nodes</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">desired_nodes</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="nx">karpenter_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Karpenter manages additional nodes beyond the initial 2</span> <span class="p">}</span> </code></pre> </div> <h2> Bootstrapping Private Clusters </h2> <p>Staging and production clusters have <code>endpointPublicAccess: false</code>. This means <code>kubectl</code> from your laptop or CI cannot reach the API server directly. You must temporarily enable public access, bootstrap the cluster (install ArgoCD, register spokes, etc.), then lock it back down.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Temporarily enable public access</span> aws eks update-cluster-config <span class="se">\</span> <span class="nt">--name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="se">\</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">true</span>,<span class="se">\</span> <span class="nv">endpointPrivateAccess</span><span class="o">=</span><span class="nb">true</span>,<span class="se">\</span> <span class="nv">publicAccessCidrs</span><span class="o">=</span><span class="s2">"0.0.0.0/0"</span> <span class="c"># Step 2: Wait 3 minutes — AWS takes time to update the Elastic Network Interfaces</span> <span class="nb">sleep </span>180 <span class="c"># Step 3: Verify access</span> kubectl <span class="nt">--context</span> prod-use1 get nodes <span class="c"># Step 4: Bootstrap (install ArgoCD, apply ApplicationSets, etc.)</span> <span class="c"># ... your bootstrap commands ...</span> <span class="c"># Step 5: Lock back to private-only</span> aws eks update-cluster-config <span class="se">\</span> <span class="nt">--name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--resources-vpc-config</span> <span class="se">\</span> <span class="nv">endpointPublicAccess</span><span class="o">=</span><span class="nb">false</span>,<span class="se">\</span> <span class="nv">endpointPrivateAccess</span><span class="o">=</span><span class="nb">true</span> </code></pre> </div> <blockquote> <p><strong>Do not forget Step 5.</strong> A production cluster with a public API endpoint is a security risk — the API server is internet-accessible, relying solely on authentication for protection.</p> </blockquote> <h2> kubectl Context Setup </h2> <p>After <code>terragrunt apply</code> completes for each cluster, add it to your kubeconfig:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update kubeconfig for all 6 clusters</span> aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-dev-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--alias</span> dev-use1 <span class="se">\</span> <span class="nt">--profile</span> myapp-dev-use1 aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-dev-usw2 <span class="se">\</span> <span class="nt">--region</span> us-west-2 <span class="se">\</span> <span class="nt">--alias</span> dev-usw2 <span class="se">\</span> <span class="nt">--profile</span> myapp-dev-usw2 aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-staging-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--alias</span> staging-use1 <span class="se">\</span> <span class="nt">--profile</span> myapp-staging-use1 aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-staging-usw2 <span class="se">\</span> <span class="nt">--region</span> us-west-2 <span class="se">\</span> <span class="nt">--alias</span> staging-usw2 <span class="se">\</span> <span class="nt">--profile</span> myapp-staging-usw2 aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--alias</span> prod-use1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 aws eks update-kubeconfig <span class="se">\</span> <span class="nt">--name</span> myapp-production-usw2 <span class="se">\</span> <span class="nt">--region</span> us-west-2 <span class="se">\</span> <span class="nt">--alias</span> prod-usw2 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-usw2 <span class="c"># Verify</span> kubectl config get-contexts </code></pre> </div> <h2> EKS Add-ons </h2> <p>EKS managed add-ons are maintained by AWS — they patch security vulnerabilities in CoreDNS, kube-proxy, and vpc-cni without you having to manage Helm releases.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kube-proxy — handles iptables rules for Service routing coredns — in-cluster DNS resolution vpc-cni — AWS VPC networking for pods (each pod gets a real VPC IP) aws-ebs-csi-driver — allows EKS to provision EBS volumes for PersistentVolumeClaims </code></pre> </div> <p><strong>Why IRSA for vpc-cni and ebs-csi?</strong><br> These add-ons need to call AWS APIs (EC2 for ENI management, EC2 for EBS volume ops). Without IRSA they would use the node's EC2 instance profile — giving every pod on the node those permissions. With IRSA, only the specific add-on service account has the permissions.</p> <h2> Fixing kubectl 401 Errors </h2> <p>If <code>kubectl get nodes</code> returns HTTP 401 Unauthorized, the IAM role you're using is not in the cluster's access entries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List current access entries</span> aws eks list-access-entries <span class="se">\</span> <span class="nt">--cluster-name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="c"># If your OrganizationAccountAccessRole is missing, add it:</span> <span class="nv">ROLE_ARN</span><span class="o">=</span><span class="s2">"arn:aws:iam::591120834781:role/OrganizationAccountAccessRole"</span> aws eks create-access-entry <span class="se">\</span> <span class="nt">--cluster-name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--principal-arn</span> <span class="nv">$ROLE_ARN</span> aws eks associate-access-policy <span class="se">\</span> <span class="nt">--cluster-name</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="se">\</span> <span class="nt">--principal-arn</span> <span class="nv">$ROLE_ARN</span> <span class="se">\</span> <span class="nt">--policy-arn</span> arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy <span class="se">\</span> <span class="nt">--access-scope</span> <span class="nb">type</span><span class="o">=</span>cluster </code></pre> </div> <blockquote> <p>The root cause: <code>enable_cluster_creator_admin_permissions = true</code> must be explicitly set in the EKS module. If it's missing, Terraform creates the cluster but the IAM role that ran Terraform doesn't get an access entry.</p> </blockquote> <h2> AWS Load Balancer Controller </h2> <p>The AWS Load Balancer Controller (LBC) runs in every cluster and watches for Ingress resources with <code>ingressClassName: alb</code>. When it sees one, it provisions an Application Load Balancer in AWS automatically.</p> <p>Install via Helm (or ArgoCD) after the cluster is up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># IRSA for LBC</span> eksctl create iamserviceaccount <span class="se">\</span> <span class="nt">--cluster</span> myapp-production-use1 <span class="se">\</span> <span class="nt">--namespace</span> kube-system <span class="se">\</span> <span class="nt">--name</span> aws-load-balancer-controller <span class="se">\</span> <span class="nt">--attach-policy-arn</span> arn:aws:iam::aws:policy/ElasticLoadBalancingFullAccess <span class="se">\</span> <span class="nt">--override-existing-serviceaccounts</span> <span class="se">\</span> <span class="nt">--approve</span> <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--profile</span> myapp-prod-use1 <span class="c"># Install controller</span> helm repo add eks https://aws.github.io/eks-charts helm <span class="nb">install </span>aws-load-balancer-controller eks/aws-load-balancer-controller <span class="se">\</span> <span class="nt">-n</span> kube-system <span class="se">\</span> <span class="nt">--set</span> <span class="nv">clusterName</span><span class="o">=</span>myapp-production-use1 <span class="se">\</span> <span class="nt">--set</span> serviceAccount.create<span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--set</span> serviceAccount.name<span class="o">=</span>aws-load-balancer-controller <span class="se">\</span> <span class="nt">--set</span> <span class="nv">region</span><span class="o">=</span>us-east-1 <span class="se">\</span> <span class="nt">--set</span> <span class="nv">vpcId</span><span class="o">=</span>&lt;VPC_ID&gt; </code></pre> </div> <p>In this pipeline, the LBC is deployed via ArgoCD ApplicationSet — the Helm release is version-controlled in <code>myapp-gitops/infrastructure/aws-lbc/</code>.</p> <h2> StorageClass for EBS PVCs </h2> <p>kube-prometheus-stack needs persistent storage for Prometheus and Grafana data. With the EBS CSI driver installed, create a StorageClass:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gp2</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">storageclass.kubernetes.io/is-default-class</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">ebs.csi.aws.com</span> <span class="na">volumeBindingMode</span><span class="pi">:</span> <span class="s">WaitForFirstConsumer</span> <span class="c1"># Don't provision until pod is scheduled</span> <span class="na">reclaimPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="c1"># Don't delete EBS volume if PVC is deleted</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">gp2</span> <span class="na">encrypted</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">kmsKeyId</span><span class="pi">:</span> <span class="s">&lt;your-kms-key-arn&gt;</span> </code></pre> </div> <h2> Node Security Group Tags </h2> <p>For Karpenter to manage node lifecycles, it needs to find the cluster's node security group. Tag it during EKS creation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">node_security_group_tags</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> </code></pre> </div> <p>Similarly, private subnets need the discovery tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">private_subnet_tags</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> </code></pre> </div> <h2> Verifying All Six Clusters </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>CTX <span class="k">in </span>dev-use1 dev-usw2 staging-use1 staging-usw2 prod-use1 prod-usw2<span class="p">;</span> <span class="k">do </span><span class="nb">echo</span> <span class="s2">"=== </span><span class="nv">$CTX</span><span class="s2"> ==="</span> kubectl <span class="nt">--context</span> <span class="nv">$CTX</span> get nodes <span class="nt">-o</span> wide <span class="k">done</span> </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">=== dev-use1 === NAME STATUS ROLES AGE VERSION </span><span class="gp">ip-10-0-8-xx.ec2.internal Ready &lt;none&gt;</span><span class="w"> </span>5d v1.29.15-eks-ac2d5a0 <span class="gp">ip-10-0-16-xx.ec2.internal Ready &lt;none&gt;</span><span class="w"> </span>5d v1.29.15-eks-ac2d5a0 <span class="go"> === prod-use1 === NAME STATUS ROLES AGE VERSION </span><span class="gp">ip-10-20-8-xx.ec2.internal Ready &lt;none&gt;</span><span class="w"> </span>5d v1.29.15-eks-ac2d5a0 <span class="gp">ip-10-20-16-xx.ec2.internal Ready &lt;none&gt;</span><span class="w"> </span>5d v1.29.15-eks-ac2d5a0 </code></pre> </div> <h2> Summary </h2> <p>By the end of Part 4 you have:</p> <ul> <li>✅ Six EKS clusters (Kubernetes 1.29) across three environments and two regions</li> <li>✅ Private endpoints on staging and production (public on dev)</li> <li>✅ KMS encryption for Kubernetes secrets in etcd</li> <li>✅ IAM IRSA for VPC CNI and EBS CSI add-ons</li> <li>✅ AWS Load Balancer Controller installed</li> <li>✅ kubectl contexts configured for all six clusters</li> <li>✅ Karpenter discovery tags on production node security groups and subnets</li> </ul> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: AWS EKS console showing 2 clusters running in production with ACTIVE status</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqlriaib1dnv6lg8xvsaj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqlriaib1dnv6lg8xvsaj.png" alt="AWS EKS console showing 2 clusters running in production with ACTIVE status" width="800" height="443"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff5n9ggmwhiy27xdg2puo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff5n9ggmwhiy27xdg2puo.png" alt="AWS EKS console showing 2 clusters running in production with ACTIVE status" width="800" height="442"></a></p> <p><strong>SCREENSHOT: kubectl get nodes output for all 6 clusters</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nsb4n1jnm1bz2cfrb55.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nsb4n1jnm1bz2cfrb55.png" alt="kubectl get nodes output for all 6 clusters" width="800" height="733"></a></p> </blockquote> <p><em>Next: Part 5 — GitOps with ArgoCD: Hub-Spoke Model</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> kubernetes aws devops cloud Part 3: Infrastructure as Code Matthew Wed, 25 Mar 2026 08:00:00 +0000 https://forem.com/matthewdipo/part-3-infrastructure-as-code-2o86 https://forem.com/matthewdipo/part-3-infrastructure-as-code-2o86 <h2> Part 3: Infrastructure as Code — Terraform Modules + Terragrunt </h2> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>Plain Terraform works fine for a single environment. But this pipeline has 6 clusters across 3 environments and 2 regions — 18+ Terragrunt child directories. Without a DRY strategy, you end up copy-pasting the same <code>provider</code>, <code>backend</code>, and <code>module</code> blocks everywhere, and a single account ID change means updating 18 files.</p> <p>Terragrunt solves this with two mechanisms:</p> <ul> <li> <strong><code>include</code></strong> — child configs inherit the root config's provider generation and remote state</li> <li> <strong><code>dependency</code></strong> — explicit ordering ensures VPC exists before EKS, KMS before EKS, etc.</li> </ul> <p>The result: each child <code>terragrunt.hcl</code> is typically 10–30 lines of pure inputs, with all boilerplate generated automatically.</p> <h2> Repository Layout </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>myapp-infra/ ├── _modules/ # Reusable Terraform modules (no Terragrunt here) │ ├── vpc/ │ │ ├── main.tf │ │ ├── variables.tf │ │ └── outputs.tf │ ├── eks/ │ ├── kms/ │ ├── iam/ │ ├── ecr/ │ ├── waf/ │ ├── guardduty/ │ ├── eso-irsa/ │ ├── fluent-bit-irsa/ │ ├── karpenter/ │ └── velero/ │ └── live/ # Terragrunt wrappers — one dir per resource per env/region ├── terragrunt.hcl # ROOT config (provider + backend generation) ├── dev/ │ ├── us-east-1/ │ │ ├── vpc/ │ │ │ └── terragrunt.hcl │ │ ├── kms/ │ │ │ └── terragrunt.hcl │ │ ├── eks/ │ │ │ └── terragrunt.hcl │ │ └── iam/ │ │ └── terragrunt.hcl │ └── us-west-2/ │ └── ... (mirror) ├── staging/ │ └── ... └── production/ └── ... </code></pre> </div> <p><strong>Key principle:</strong> modules in <code>_modules/</code> are pure Terraform — no Terragrunt, no state config, no provider config. They are just reusable building blocks. The <code>live/</code> tree contains nothing but thin Terragrunt wrappers that call those modules with environment-specific values.</p> <h2> Dependency Ordering </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────┐ │ APPLY ORDER (Terragrunt resolves this from dependency graph)│ │ │ │ 1. kms (no dependencies) │ │ 2. vpc (no dependencies) │ │ 3. eks (depends on: vpc, kms) │ │ 4. iam (depends on: eks — needs OIDC provider URL)│ │ 5. eso-irsa (depends on: eks, iam) │ │ 6. fluent-bit-irsa (depends on: eks) │ │ 7. karpenter (depends on: eks, iam) │ │ 8. velero (depends on: eks) │ │ 9. waf (no dependencies) │ │ 10. guardduty (no dependencies) │ └─────────────────────────────────────────────────────────────┘ </code></pre> </div> <p>Run everything in order automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>live/production/us-east-1 terragrunt run-all apply </code></pre> </div> <p>Terragrunt reads all <code>dependency</code> blocks, builds a DAG, and applies in the correct order.</p> <h2> Root Terragrunt Config </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/terragrunt.hcl</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">path_parts</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span> <span class="nx">path_relative_to_include</span><span class="p">())</span> <span class="nx">env</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">path_parts</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="c1"># dev | staging | production</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">path_parts</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="c1"># us-east-1 | us-west-2</span> <span class="nx">account_ids</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">dev</span> <span class="p">=</span> <span class="s2">"557702566877"</span> <span class="nx">staging</span> <span class="p">=</span> <span class="s2">"YOUR_STAGING_ACCOUNT_ID"</span> <span class="nx">production</span> <span class="p">=</span> <span class="s2">"591120834781"</span> <span class="p">}</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">account_ids</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">]</span> <span class="c1"># Region short alias for naming (avoids long names hitting IAM limits)</span> <span class="nx">region_alias</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">region</span> <span class="p">==</span> <span class="s2">"us-east-1"</span> <span class="err">?</span> <span class="s2">"use1"</span> <span class="err">:</span> <span class="s2">"usw2"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"myapp-${local.env}-${local.region_alias}"</span> <span class="p">}</span> <span class="c1"># Auto-generate provider.tf in every child directory</span> <span class="nx">generate</span> <span class="s2">"provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> provider "aws" { region = "${local.region}" assume_role { role_arn = "arn:aws:iam::${local.account_id}:role/OrganizationAccountAccessRole" } default_tags { tags = { Environment = "${local.env}" Region = "${local.region}" ManagedBy = "Terraform" Project = "myapp" Cluster = "${local.cluster_name}" } } } </span><span class="no"> EOF </span><span class="p">}</span> <span class="c1"># Auto-generate backend.tf — per-module state file in S3</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myapp-terraform-state-${local.account_id}"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"${path_relative_to_include()}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="c1"># State always in us-east-1 regardless of resource region</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"myapp-terraform-locks"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${local.account_id}:role/OrganizationAccountAccessRole"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> VPC Module </h2> <p>The VPC is the network foundation everything else sits in. Each environment gets its own VPC per region — 6 VPCs total.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CIDR allocation: dev us-east-1: 10.0.0.0/16 dev us-west-2: 10.1.0.0/16 staging us-east-1: 10.10.0.0/16 staging us-west-2: 10.11.0.0/16 prod us-east-1: 10.20.0.0/16 prod us-west-2: 10.21.0.0/16 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/vpc/main.tf</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_name</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">azs</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"${var.region}a"</span><span class="p">,</span> <span class="s2">"${var.region}b"</span><span class="p">,</span> <span class="s2">"${var.region}c"</span> <span class="p">]</span> <span class="c1"># Public subnets — for NAT Gateways, Internet-facing ALBs</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="c1"># x.x.0.0/24</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="c1"># x.x.1.0/24</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="c1"># x.x.2.0/24</span> <span class="p">]</span> <span class="c1"># Private subnets — EKS nodes, RDS, ElastiCache</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="c1"># x.x.8.0/21 (2048 IPs)</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="c1"># x.x.16.0/21</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">3</span><span class="p">),</span> <span class="c1"># x.x.24.0/21</span> <span class="p">]</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">single_nat_gateway</span> <span class="c1"># true for dev (cost), false for prod (HA)</span> <span class="nx">enable_vpn_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Required tags for AWS Load Balancer Controller to discover subnets</span> <span class="nx">public_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="s2">"kubernetes.io/cluster/${var.cluster_name}"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="p">}</span> <span class="nx">private_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="s2">"kubernetes.io/cluster/${var.cluster_name}"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="c1"># Karpenter node discovery</span> <span class="p">}</span> <span class="c1"># VPC Flow Logs for network traffic auditing</span> <span class="nx">enable_flow_log</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">create_flow_log_cloudwatch_log_group</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">create_flow_log_cloudwatch_iam_role</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">flow_log_max_aggregation_interval</span> <span class="p">=</span> <span class="mi">60</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/vpc/outputs.tf</span> <span class="nx">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"private_subnet_ids"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"public_subnet_ids"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_cidr_block"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_cidr_block</span> <span class="p">}</span> </code></pre> </div> <p><strong>Terragrunt child config:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/production/us-east-1/vpc/terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../../_modules/vpc"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">vpc_name</span> <span class="p">=</span> <span class="s2">"myapp-production-use1"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="s2">"10.20.0.0/16"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"myapp-production-use1"</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># HA: one NAT GW per AZ</span> <span class="p">}</span> </code></pre> </div> <h2> KMS Module </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/kms/main.tf</span> <span class="c1"># Handle the AWSServiceRoleForAutoScaling chicken-and-egg problem.</span> <span class="c1"># In a fresh account this SLR doesn't exist yet, so we optionally create it.</span> <span class="nx">resource</span> <span class="s2">"aws_iam_service_linked_role"</span> <span class="s2">"autoscaling"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_autoscaling_slr</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">aws_service_name</span> <span class="p">=</span> <span class="s2">"autoscaling.amazonaws.com"</span> <span class="p">}</span> <span class="c1"># Wait 10s for IAM to propagate before referencing it in KMS key policy</span> <span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"wait_for_slr"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_autoscaling_slr</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_iam_service_linked_role</span><span class="p">.</span><span class="nx">autoscaling</span><span class="p">]</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"sleep 10"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_kms_key"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">null_resource</span><span class="p">.</span><span class="nx">wait_for_slr</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"${var.env}-${var.region}-main"</span> <span class="nx">deletion_window_in_days</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">enable_key_rotation</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"RootFullAccess"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${var.account_id}:root"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"kms:*"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"AutoScalingSLR"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${var.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kms:Encrypt"</span><span class="p">,</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:ReEncrypt*"</span><span class="p">,</span> <span class="s2">"kms:GenerateDataKey*"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span><span class="p">,</span> <span class="s2">"kms:CreateGrant"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_kms_alias"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alias/${var.env}-${var.region_alias}-main"</span> <span class="nx">target_key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">key_id</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Critical lesson:</strong> <code>AWSServiceRoleForAutoScaling</code> is an account-scoped IAM entity, not region-scoped. If you're deploying to two regions in the same account, only the <strong>first region</strong> should set <code>create_autoscaling_slr = true</code>. The second region's KMS config uses <code>create_autoscaling_slr = false</code> because the SLR already exists from the first apply.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/production/us-east-1/kms/terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../../_modules/kms"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">region_alias</span> <span class="p">=</span> <span class="s2">"use1"</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"591120834781"</span> <span class="nx">create_autoscaling_slr</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Already created by us-west-2 first apply</span> <span class="p">}</span> </code></pre> </div> <h2> EKS Module (overview — full detail in Part 4) </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/eks/main.tf (abbreviated)</span> <span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 20.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.29"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">control_plane_subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="c1"># Private endpoint — spokes only; dev gets public too</span> <span class="nx">cluster_endpoint_private_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_api</span> <span class="c1"># Must be explicit — without this the creator role can't kubectl</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_encryption_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">provider_key_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_key_arn</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"secrets"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="c1"># Workaround: name_prefix is limited to 38 chars.</span> <span class="c1"># Long cluster names (staging, production) overflow this limit.</span> <span class="c1"># Using explicit name bypasses the prefix (IAM name limit is 64 chars).</span> <span class="nx">iam_role_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-node-group"</span> <span class="nx">iam_role_use_name_prefix</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> VPC Peering (for ArgoCD hub-spoke) </h2> <p>ArgoCD on <code>myapp-production-use1</code> needs to reach the private API endpoints of the 5 spoke clusters. VPC peering provides private connectivity without internet traversal.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>prod-use1 (10.20.0.0/16) ←──── VPC Peering ────► prod-usw2 (10.21.0.0/16) prod-use1 (10.20.0.0/16) ←──── VPC Peering ────► staging-use1 (10.10.0.0/16) prod-use1 (10.20.0.0/16) ←──── VPC Peering ────► staging-usw2 (10.11.0.0/16) </code></pre> </div> <blockquote> <p>Dev clusters use public endpoints — no VPC peering needed.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/production/us-east-1/vpc-peering/terragrunt.hcl</span> <span class="c1"># NOTE: vpc-peering configs CANNOT use include "root" with remote_state.</span> <span class="c1"># They must define remote_state explicitly because the generate label</span> <span class="c1"># conflicts with the parent. Define it inline instead.</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myapp-terraform-state-591120834781"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"production/us-east-1/vpc-peering/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"myapp-terraform-locks"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">generate</span> <span class="s2">"provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> provider "aws" { region = "us-east-1" assume_role { role_arn = "arn:aws:iam::591120834781:role/OrganizationAccountAccessRole" } } # Peer VPC is in the staging account — needs its own provider alias provider "aws" { alias = "staging" region = "us-east-1" assume_role { role_arn = "arn:aws:iam::STAGING_ACCOUNT_ID:role/OrganizationAccountAccessRole" } } </span><span class="no"> EOF </span><span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">requester_vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">prod_use1_vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">accepter_vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">staging_use1_vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="c1"># ... route table IDs, CIDR blocks, etc.</span> <span class="p">}</span> </code></pre> </div> <h2> Running the Stack </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># First apply: production us-east-1 (this region creates the AutoScaling SLR)</span> <span class="nb">cd </span>live/production/us-west-2 terragrunt run-all apply <span class="nt">--terragrunt-non-interactive</span> <span class="c"># Second: production us-east-1 (SLR already exists, create_autoscaling_slr=false)</span> <span class="nb">cd </span>live/production/us-east-1 terragrunt run-all apply <span class="nt">--terragrunt-non-interactive</span> <span class="c"># Check what changed before applying</span> <span class="nb">cd </span>live/staging/us-east-1 terragrunt run-all plan <span class="c"># Destroy a specific module (e.g., for re-creating)</span> <span class="nb">cd </span>live/dev/us-east-1/eks terragrunt destroy </code></pre> </div> <h2> State Management Best Practices </h2> <p>Each module has its own state file: <code>{env}/{region}/{module}/terraform.tfstate</code>.</p> <p><strong>Why not one big state file?</strong></p> <ul> <li>A corrupt or locked state file affects only one module, not the entire environment</li> <li> <code>terraform plan</code> on EKS doesn't load/lock VPC state — faster, safer</li> <li>Different engineers can work on different modules concurrently</li> </ul> <p><strong>State file key examples:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>production/us-east-1/vpc/terraform.tfstate production/us-east-1/eks/terraform.tfstate production/us-east-1/iam/terraform.tfstate production/us-west-2/vpc/terraform.tfstate </code></pre> </div> <h2> Common Pitfalls </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Symptom</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>AutoScaling SLR doesn't exist</td> <td> <code>MalformedPolicyDocumentException</code> on KMS create</td> <td>Set <code>create_autoscaling_slr = true</code> in first region; <code>false</code> in subsequent</td> </tr> <tr> <td>IAM name_prefix &gt; 38 chars</td> <td> <code>ValidationError: name_prefix</code> on node group create</td> <td>Use <code>iam_role_name</code> + <code>iam_role_use_name_prefix = false</code> </td> </tr> <tr> <td>VPC peering uses <code>include "root"</code> </td> <td> <code>generate label already defined</code> error</td> <td>Define <code>remote_state</code> block explicitly in vpc-peering configs</td> </tr> <tr> <td>AWS SG description has Unicode</td> <td> <code>Invalid description</code> on security group</td> <td>Use plain ASCII only in SG descriptions — no arrows (→) or greater-than (&gt;)</td> </tr> </tbody> </table></div> <h2> Summary </h2> <p>By the end of Part 3 you have:</p> <ul> <li>✅ DRY Terragrunt root config (provider + backend auto-generated from path)</li> <li>✅ VPC module with public/private subnets, NAT gateways, flow logs</li> <li>✅ KMS module handling the AutoScaling SLR chicken-and-egg problem</li> <li>✅ Dependency graph ensuring correct apply order</li> <li>✅ Per-module S3 state isolation</li> <li>✅ VPC peering between production hub and all spoke VPCs</li> </ul> <p><em>Next: Part 4 — EKS Multi-Cluster: Six Clusters Across Two Regions</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> terraform devops aws infrastructureascode Part 2: AWS Foundation Matthew Wed, 18 Mar 2026 09:00:00 +0000 https://forem.com/matthewdipo/part-2-aws-foundation-m5o https://forem.com/matthewdipo/part-2-aws-foundation-m5o <h2> Part 2: AWS Foundation — Organizations, SSO, and Account Setup </h2> <p><em>Part of the series: Building a Production-Grade DevSecOps Pipeline on AWS</em></p> <h2> Introduction </h2> <p>The foundation of any serious AWS deployment is a well-structured multi-account setup. Running everything in one AWS account is the equivalent of putting all your files on a single server with no access controls — the blast radius of any mistake or breach is your entire infrastructure.</p> <p>In this part we set up AWS Organizations with four accounts, configure AWS IAM Identity Center (SSO) for human access, and establish the IAM trust relationships that allow GitHub Actions to deploy to our clusters without static credentials.</p> <h2> Why Multi-Account? </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ SINGLE ACCOUNT (anti-pattern) │ │ │ │ Dev workloads ─────────────────────────────┐ │ │ Staging workloads ─────────────────────────┤── Same IAM boundary │ │ Production workloads ──────────────────────┘ Same VPC space │ │ Same billing │ │ Risk: dev engineer accidentally deletes production RDS │ │ Risk: security incident in dev reaches production secrets │ └─────────────────────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────────────────────┐ │ MULTI-ACCOUNT (this guide) │ │ │ │ Dev Account: strong IAM isolation, cheap instance sizes │ │ Staging Account: production-like, but no real data │ │ Production Account: SCPs block destructive operations │ │ Management Account: no workloads, only ECR + SSO + billing │ │ │ │ Benefit: IAM permissions are account-scoped │ │ Benefit: Service Control Policies (SCPs) protect production │ │ Benefit: Separate billing per environment │ │ Benefit: VPC IP space per account (no CIDR conflicts) │ └─────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Step 1: Create AWS Organizations </h2> <p>Log in to your root AWS account (the one you used to sign up for AWS).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Console → AWS Organizations → Create Organization </code></pre> </div> <p>AWS Organizations gives you a single management pane for all accounts, consolidated billing, and — crucially — Service Control Policies (SCPs) that act as guardrails even for account root users.</p> <p>After creating the organization, note your <strong>Organization ID</strong> (format: <code>o-xxxxxxxxxx</code>).</p> <h2> Step 2: Create Member Accounts </h2> <p>Navigate to <strong>AWS Organizations → AWS Accounts → Add an AWS Account</strong>.</p> <p>Create three accounts:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Account Name</th> <th>Purpose</th> <th>Example ID</th> </tr> </thead> <tbody> <tr> <td><code>myapp-dev</code></td> <td>Development environment</td> <td><code>557702566877</code></td> </tr> <tr> <td><code>myapp-staging</code></td> <td>Staging environment</td> <td>(your value)</td> </tr> <tr> <td><code>myapp-production</code></td> <td>Production environment</td> <td><code>591120834781</code></td> </tr> </tbody> </table></div> <blockquote> <p><strong>Important:</strong> Use <code>+</code> email aliases to reuse your existing email. If your email is <code>you@gmail.com</code>, use <code>you+aws-dev@gmail.com</code>, <code>you+aws-staging@gmail.com</code>, etc. Gmail (and most providers) deliver these to the same inbox.</p> <p><strong>Tip:</strong> Record each account ID immediately. You will reference them throughout this series.</p> <p><strong>SCREENSHOT: AWS Organizations showing all 4 accounts in their OUs</strong></p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fri4vrvqinuo5ejw3lgpx.png" alt="AWS Organizations showing all 4 accounts in their OUs" width="800" height="427"> </h2> </blockquote> <h2> Step 3: Organize Accounts into OUs </h2> <p>Organizational Units (OUs) let you apply different SCPs to groups of accounts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Console → AWS Organizations → AWS Accounts → Root Create OUs: Root ├── Management (leave root account here) ├── Workloads │ ├── Dev (move myapp-dev here) │ ├── Staging (move myapp-staging here) │ └── Production (move myapp-production here) </code></pre> </div> <h2> Step 4: Apply Service Control Policies </h2> <p>SCPs are JSON IAM policies attached to OUs. They define the <strong>maximum permissions</strong> any principal in that OU can ever have — even the account root user cannot exceed them.</p> <p>Apply this SCP to the <strong>Production OU</strong> to prevent accidental deletion of critical resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DenyDangerousEKSOperations"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"eks:DeleteCluster"</span><span class="p">,</span><span class="w"> </span><span class="s2">"eks:DeleteNodegroup"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringNotEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:PrincipalTag/AllowDestructive"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DenyRDSDelete"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"rds:DeleteDBInstance"</span><span class="p">,</span><span class="w"> </span><span class="s2">"rds:DeleteDBCluster"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RequireRegions"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"NotAction"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"iam:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sts:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"route53:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cloudfront:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"waf:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"acm:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"support:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"health:*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringNotEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:RequestedRegion"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="s2">"us-west-2"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p>The region restriction SCP ensures no resources are accidentally created outside your approved regions. IAM, STS, Route53, and ACM are excluded because they are global services.</p> </blockquote> <h2> Step 5: Configure AWS IAM Identity Center (SSO) </h2> <p>AWS IAM Identity Center (formerly AWS SSO) lets your team log in with a single set of credentials across all accounts. It is far superior to creating IAM users in every account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Console → IAM Identity Center → Enable Steps: 1. Choose identity source: "Identity Center directory" (built-in, no external IdP needed) 2. Create users for each team member 3. Create Permission Sets (these become IAM roles in each account) 4. Assign users to accounts with appropriate Permission Sets </code></pre> </div> <p><strong>Create two Permission Sets:</strong></p> <p><em>AdministratorAccess (for platform engineers):</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: AdministratorAccess Session duration: 8 hours Managed policy: AdministratorAccess </code></pre> </div> <p><em>ReadOnlyAccess (for developers / auditors):</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name: ReadOnlyAccess Session duration: 8 hours Managed policy: ReadOnlyAccess </code></pre> </div> <p><strong>Assign to accounts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>myapp-dev: you → AdministratorAccess myapp-staging: you → AdministratorAccess myapp-production: you → AdministratorAccess Management: you → AdministratorAccess </code></pre> </div> <p><strong>Configure the AWS CLI for SSO:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run on your local machine</span> aws configure sso <span class="c"># When prompted:</span> SSO session name: admin SSO start URL: https://your-id.awsapps.com/start SSO region: us-east-1 SSO registration scopes: sso:account:access <span class="c"># After login, name each profile:</span> <span class="c"># Profile for dev/us-east-1: myapp-dev-use1</span> <span class="c"># Profile for dev/us-west-2: myapp-dev-usw2</span> <span class="c"># etc.</span> </code></pre> </div> <p>Your <code>~/.aws/config</code> will look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[sso-session admin]</span> <span class="py">sso_start_url</span> <span class="p">=</span> <span class="s">https://your-id.awsapps.com/start</span> <span class="py">sso_region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">sso_registration_scopes</span> <span class="p">=</span> <span class="s">sso:account:access</span> <span class="nn">[profile myapp-prod-use1]</span> <span class="py">sso_session</span> <span class="p">=</span> <span class="s">admin</span> <span class="py">sso_account_id</span> <span class="p">=</span> <span class="s">591120834781</span> <span class="py">sso_role_name</span> <span class="p">=</span> <span class="s">AdministratorAccess</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> <span class="nn">[profile myapp-prod-usw2]</span> <span class="py">sso_session</span> <span class="p">=</span> <span class="s">admin</span> <span class="py">sso_account_id</span> <span class="p">=</span> <span class="s">591120834781</span> <span class="py">sso_role_name</span> <span class="p">=</span> <span class="s">AdministratorAccess</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-west-2</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> <span class="nn">[profile myapp-dev-use1]</span> <span class="py">sso_session</span> <span class="p">=</span> <span class="s">admin</span> <span class="py">sso_account_id</span> <span class="p">=</span> <span class="s">557702566877</span> <span class="py">sso_role_name</span> <span class="p">=</span> <span class="s">AdministratorAccess</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> </code></pre> </div> <p><strong>Authenticate:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sso login <span class="nt">--sso-session</span> admin <span class="c"># Opens browser → log in → token saved locally for 8 hours</span> <span class="c"># Test:</span> aws sts get-caller-identity <span class="nt">--profile</span> myapp-prod-use1 </code></pre> </div> <blockquote> <p><strong>SCREENSHOT: IAM Identity Center showing SSO portal with all accounts and permission sets</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F02oyn6ra1zcetkf73vdp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F02oyn6ra1zcetkf73vdp.png" alt="IAM Identity Center showing SSO portal with all accounts and permission sets" width="800" height="442"></a></p> </blockquote> <h2> Step 6: GitHub OIDC — No Static AWS Keys in CI </h2> <p>This is one of the most important security decisions in the entire pipeline. Traditional CI/CD stores AWS access keys as GitHub Secrets. Those keys:</p> <ul> <li>Never expire automatically</li> <li>Are as powerful as the IAM user they belong to</li> <li>Can be exfiltrated from logs if misconfigured</li> </ul> <p>OIDC (OpenID Connect) eliminates static keys. GitHub Actions generates a short-lived JWT token for each workflow run. AWS validates this token cryptographically and exchanges it for a temporary STS credential that expires when the job ends.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ OIDC TOKEN FLOW │ │ │ │ GitHub Actions Job starts │ │ │ │ │ ▼ │ │ GitHub generates JWT (signed by GitHub's OIDC provider) │ │ Claims include: │ │ sub: repo:MatthewDipo/myapp:ref:refs/heads/main │ │ aud: sts.amazonaws.com │ │ │ │ │ ▼ │ │ aws sts assume-role-with-web-identity │ │ --role-arn arn:aws:iam::ACCOUNT:role/ROLE │ │ --web-identity-token &lt;JWT&gt; │ │ │ │ │ ▼ │ │ AWS validates JWT against GitHub's OIDC endpoint │ │ (https://token.actions.githubusercontent.com) │ │ │ │ │ ▼ │ │ Returns: AccessKeyId + SecretAccessKey + SessionToken │ │ (valid for 1 hour maximum, then automatically expire) │ └─────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <p><strong>Terraform to create the OIDC provider (management account, us-east-1 only — it is global):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/iam/main.tf</span> <span class="c1"># Fetch GitHub's OIDC thumbprint automatically</span> <span class="nx">data</span> <span class="s2">"tls_certificate"</span> <span class="s2">"github"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://token.actions.githubusercontent.com"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"github"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_github_oidc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://token.actions.githubusercontent.com"</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">data</span><span class="p">.</span><span class="nx">tls_certificate</span><span class="p">.</span><span class="nx">github</span><span class="p">.</span><span class="nx">certificates</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">sha1_fingerprint</span> <span class="p">]</span> <span class="p">}</span> <span class="c1"># IAM role for GitHub Actions CI — one per cluster</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"github_ci"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-github-ci"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">github_oidc_provider_arn</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"token.actions.githubusercontent.com:aud"</span> <span class="p">=</span> <span class="s2">"sts.amazonaws.com"</span> <span class="p">}</span> <span class="nx">StringLike</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># Only main branch of your specific repo can assume this role</span> <span class="s2">"token.actions.githubusercontent.com:sub"</span> <span class="p">=</span> <span class="s2">"repo:${var.github_user}/${var.github_repo}:ref:refs/heads/main"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"github_ci"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"github-ci-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">github_ci</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"ECRAuth"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ecr:GetAuthorizationToken"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"ECRPush"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr:BatchCheckLayerAvailability"</span><span class="p">,</span> <span class="s2">"ecr:GetDownloadUrlForLayer"</span><span class="p">,</span> <span class="s2">"ecr:BatchGetImage"</span><span class="p">,</span> <span class="s2">"ecr:InitiateLayerUpload"</span><span class="p">,</span> <span class="s2">"ecr:UploadLayerPart"</span><span class="p">,</span> <span class="s2">"ecr:CompleteLayerUpload"</span><span class="p">,</span> <span class="s2">"ecr:PutImage"</span><span class="p">,</span> <span class="s2">"ecr:DescribeImages"</span><span class="p">,</span> <span class="s2">"ecr:ListImages"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"arn:aws:ecr:*:${var.account_id}:repository/myapp"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"KMSCosignSign"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"kms:Sign"</span><span class="p">,</span> <span class="s2">"kms:GetPublicKey"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cosign_kms_key_arn</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"S3AuditWrite"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"s3:PutObject"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"${var.audit_bucket_arn}/ci-push-audit/*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key security insight:</strong> The <code>Condition</code> block in the trust policy is critical. It restricts role assumption to:</p> <ol> <li>Only your specific repository (<code>repo:MatthewDipo/myapp</code>)</li> <li>Only the <code>main</code> branch</li> </ol> <p>A fork of your repository, or a branch other than <code>main</code>, cannot assume this role.</p> <h2> Step 7: ECR Repository in the Management Account </h2> <p>We store Docker images in the management account's ECR rather than per-environment accounts. This means one place to manage image lifecycle policies and one IAM policy for cross-account pull permissions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/ecr/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_ecr_repository"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">name</span> <span class="nx">image_tag_mutability</span> <span class="p">=</span> <span class="s2">"IMMUTABLE"</span> <span class="c1"># Tags cannot be overwritten</span> <span class="nx">image_scanning_configuration</span> <span class="p">{</span> <span class="nx">scan_on_push</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># ECR runs basic CVE scan on every push</span> <span class="p">}</span> <span class="nx">encryption_configuration</span> <span class="p">{</span> <span class="nx">encryption_type</span> <span class="p">=</span> <span class="s2">"KMS"</span> <span class="nx">kms_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kms_key_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_ecr_lifecycle_policy"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">repository</span> <span class="p">=</span> <span class="nx">aws_ecr_repository</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">rules</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">rulePriority</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Keep last 30 tagged images"</span> <span class="nx">selection</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">tagStatus</span> <span class="p">=</span> <span class="s2">"tagged"</span> <span class="nx">tagPrefixList</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sha-"</span><span class="p">]</span> <span class="nx">countType</span> <span class="p">=</span> <span class="s2">"imageCountMoreThan"</span> <span class="nx">countNumber</span> <span class="p">=</span> <span class="mi">30</span> <span class="p">}</span> <span class="nx">action</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"expire"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">rulePriority</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Delete untagged images after 1 day"</span> <span class="nx">selection</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">tagStatus</span> <span class="p">=</span> <span class="s2">"untagged"</span> <span class="nx">countType</span> <span class="p">=</span> <span class="s2">"sinceImagePushed"</span> <span class="nx">countUnit</span> <span class="p">=</span> <span class="s2">"days"</span> <span class="nx">countNumber</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">action</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"expire"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Cross-account pull policy — allows dev/staging/prod accounts to pull images</span> <span class="nx">resource</span> <span class="s2">"aws_ecr_repository_policy"</span> <span class="s2">"cross_account"</span> <span class="p">{</span> <span class="nx">repository</span> <span class="p">=</span> <span class="nx">aws_ecr_repository</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"CrossAccountPull"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:iam::${var.dev_account_id}:root"</span><span class="p">,</span> <span class="s2">"arn:aws:iam::${var.staging_account_id}:root"</span><span class="p">,</span> <span class="s2">"arn:aws:iam::${var.prod_account_id}:root"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr:GetDownloadUrlForLayer"</span><span class="p">,</span> <span class="s2">"ecr:BatchGetImage"</span><span class="p">,</span> <span class="s2">"ecr:BatchCheckLayerAvailability"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><code>IMMUTABLE</code> tags mean that once you push <code>sha-abc123</code>, that tag forever points to that exact image digest. No one can silently overwrite an existing tag with a different image — a subtle but important supply chain security control.</p> <blockquote> <p><strong>SCREENSHOT: ECR repository showing images with sha- tags and scan results</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyjuzifv2e29obgl1n0w8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyjuzifv2e29obgl1n0w8.png" alt="ECR repository showing images with sha- tags and scan results" width="800" height="443"></a></p> </blockquote> <h2> Step 8: KMS Keys for Encryption at Rest </h2> <p>Each environment gets its own KMS key for encrypting:</p> <ul> <li>EKS Kubernetes secrets (etcd encryption)</li> <li>EBS volumes (Prometheus/Grafana/Velero PVCs)</li> <li>ECR images</li> <li>S3 buckets (Velero backups, CI audit logs) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># _modules/kms/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_kms_key"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"${var.env}-${var.region}-main"</span> <span class="nx">deletion_window_in_days</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">enable_key_rotation</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Rotate annually, automatically</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"Enable IAM User Permissions"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${var.account_id}:root"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"kms:*"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"Allow EKS"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"eks.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kms:Encrypt"</span><span class="p">,</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:GenerateDataKey*"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"Allow AutoScaling"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AWS</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${var.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"kms:Encrypt"</span><span class="p">,</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:ReEncrypt*"</span><span class="p">,</span> <span class="s2">"kms:GenerateDataKey*"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span><span class="p">,</span> <span class="s2">"kms:CreateGrant"</span><span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_kms_alias"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alias/${var.env}-${var.region}-main"</span> <span class="nx">target_key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">key_id</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Lesson learned:</strong> The <code>AWSServiceRoleForAutoScaling</code> must exist in the account before you can reference it in the KMS key policy. In fresh accounts, create this Service Linked Role first or AWS will reject the key policy with <code>MalformedPolicyDocumentException</code>. See Part 3 for the Terragrunt pattern that handles this.</p> </blockquote> <h2> Step 9: Terragrunt Root Configuration </h2> <p>Before writing any Terragrunt configs, establish the root <code>terragrunt.hcl</code> that all child configs inherit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/terragrunt.hcl (root)</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Parse path to extract env and region</span> <span class="c1"># e.g., live/production/us-east-1/eks → env=production, region=us-east-1</span> <span class="nx">path_parts</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span> <span class="nx">path_relative_to_include</span><span class="p">())</span> <span class="nx">env</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">path_parts</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">path_parts</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="nx">account_ids</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">dev</span> <span class="p">=</span> <span class="s2">"557702566877"</span> <span class="nx">staging</span> <span class="p">=</span> <span class="s2">"STAGING_ACCOUNT_ID"</span> <span class="nx">production</span> <span class="p">=</span> <span class="s2">"591120834781"</span> <span class="nx">management</span> <span class="p">=</span> <span class="s2">"MGMT_ACCOUNT_ID"</span> <span class="p">}</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">account_ids</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Generate provider.tf in every child directory</span> <span class="nx">generate</span> <span class="s2">"provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> provider "aws" { region = "${local.region}" assume_role { role_arn = "arn:aws:iam::${local.account_id}:role/OrganizationAccountAccessRole" } default_tags { tags = { Environment = "${local.env}" ManagedBy = "Terraform" Project = "myapp" } } } </span><span class="no">EOF </span><span class="p">}</span> <span class="c1"># Generate backend.tf — S3 state, DynamoDB lock table</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myapp-terraform-state-${local.account_id}"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"${path_relative_to_include()}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"myapp-terraform-locks"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::${local.account_id}:role/OrganizationAccountAccessRole"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>generate "provider"</code> block means you never write a <code>provider.tf</code> by hand. Every module automatically gets the correct AWS account and region based purely on its directory path. This is the key DRY benefit of Terragrunt.</p> <h2> Understanding <code>OrganizationAccountAccessRole</code> </h2> <p>When you create a member account via AWS Organizations, AWS automatically creates a role called <code>OrganizationAccountAccessRole</code> in that account. This role trusts your management account, allowing management account principals to assume it and perform actions in the member account.</p> <p>This is how Terraform (running with management account credentials) deploys infrastructure into dev, staging, and production without needing separate credentials per account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Management Account (your terminal / CI) │ │ sts:AssumeRole ▼ arn:aws:iam::591120834781:role/OrganizationAccountAccessRole │ │ (full AdministratorAccess in production account) ▼ Production Account resources </code></pre> </div> <h2> Step 10: Bootstrap S3 State Buckets </h2> <p>Before running any Terragrunt, each account needs its S3 bucket and DynamoDB table for Terraform state.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run this once per account (adjust account ID and profile)</span> <span class="k">for </span>PROFILE <span class="k">in </span>myapp-dev-use1 myapp-staging-use1 myapp-prod-use1<span class="p">;</span> <span class="k">do </span><span class="nv">ACCOUNT_ID</span><span class="o">=</span><span class="si">$(</span>aws sts get-caller-identity <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nt">--query</span> Account <span class="nt">--output</span> text<span class="si">)</span> <span class="nv">REGION</span><span class="o">=</span><span class="s2">"us-east-1"</span> <span class="c"># Create state bucket</span> aws s3api create-bucket <span class="se">\</span> <span class="nt">--bucket</span> <span class="s2">"myapp-terraform-state-</span><span class="k">${</span><span class="nv">ACCOUNT_ID</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="se">\</span> <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="c"># Enable versioning (lets you recover from bad applies)</span> aws s3api put-bucket-versioning <span class="se">\</span> <span class="nt">--bucket</span> <span class="s2">"myapp-terraform-state-</span><span class="k">${</span><span class="nv">ACCOUNT_ID</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--versioning-configuration</span> <span class="nv">Status</span><span class="o">=</span>Enabled <span class="se">\</span> <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="c"># Enable encryption</span> aws s3api put-bucket-encryption <span class="se">\</span> <span class="nt">--bucket</span> <span class="s2">"myapp-terraform-state-</span><span class="k">${</span><span class="nv">ACCOUNT_ID</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--server-side-encryption-configuration</span> <span class="s1">'{ "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}] }'</span> <span class="se">\</span> <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="c"># Block public access</span> aws s3api put-public-access-block <span class="se">\</span> <span class="nt">--bucket</span> <span class="s2">"myapp-terraform-state-</span><span class="k">${</span><span class="nv">ACCOUNT_ID</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--public-access-block-configuration</span> <span class="se">\</span> <span class="s2">"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"</span> <span class="se">\</span> <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="c"># Create DynamoDB lock table</span> aws dynamodb create-table <span class="se">\</span> <span class="nt">--table-name</span> myapp-terraform-locks <span class="se">\</span> <span class="nt">--attribute-definitions</span> <span class="nv">AttributeName</span><span class="o">=</span>LockID,AttributeType<span class="o">=</span>S <span class="se">\</span> <span class="nt">--key-schema</span> <span class="nv">AttributeName</span><span class="o">=</span>LockID,KeyType<span class="o">=</span>HASH <span class="se">\</span> <span class="nt">--billing-mode</span> PAY_PER_REQUEST <span class="se">\</span> <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="se">\</span> <span class="nt">--profile</span> <span class="nv">$PROFILE</span> <span class="nb">echo</span> <span class="s2">"State backend ready for account </span><span class="nv">$ACCOUNT_ID</span><span class="s2">"</span> <span class="k">done</span> </code></pre> </div> <h2> Summary </h2> <p>By the end of this part you have:</p> <ul> <li>✅ AWS Organizations with four accounts (management, dev, staging, production)</li> <li>✅ Service Control Policies protecting production from accidental destruction</li> <li>✅ AWS SSO for human access (no IAM users with permanent credentials)</li> <li>✅ GitHub OIDC provider enabling keyless CI authentication</li> <li>✅ ECR repository with immutable tags, cross-account pull, and lifecycle policies</li> <li>✅ KMS keys for encryption at rest in every environment</li> <li>✅ Terragrunt root config that automatically derives account/region from directory path</li> <li>✅ S3 + DynamoDB Terraform state backend per account</li> </ul> <p><strong>If this was useful, follow me on dev.to</strong> — I publish Part 3 next Wednesday covering the Infrastructure as Code — Terraform Modules + Terragrunt.</p> <p><strong>Questions?</strong> Drop them in the comments — I read and reply to every one.</p> <p><em>Next: Part 3 — Infrastructure as Code: Terraform Modules + Terragrunt</em></p> <p><strong>Follow the series</strong> — next part publishes next Wednesday.<br> <strong>Live system:</strong> <a href="https://www.matthewoladipupo.dev/health" rel="noopener noreferrer">https://www.matthewoladipupo.dev/health</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a><br> <strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a></p> aws devops security terraform Part 1: Architecture Overview Matthew Wed, 11 Mar 2026 09:24:20 +0000 https://forem.com/matthewdipo/part-1-architecture-overview-20p2 https://forem.com/matthewdipo/part-1-architecture-overview-20p2 <h2> Building a Production-Grade DevSecOps Pipeline on AWS: A Complete Guide </h2> <blockquote> <p><strong>Series Overview:</strong> This 10-part series walks you through building a real-world, production-grade DevSecOps platform on AWS from scratch — the same architecture used at mature engineering organizations. By the end, you will have six EKS clusters, a GitOps delivery model, a hardened CI/CD pipeline, runtime security, full-stack observability, and automated disaster recovery.</p> <p><strong>Live system:</strong> Everything in this series is running in production right now.<br> Check it: <code>curl https://www.matthewoladipupo.dev/health</code><br> → <code>{"status":"healthy","region":"us-east-1"}</code></p> </blockquote> <p>This is Part 1 of a 10-part series. You can follow the full series here on dev.to.</p> <h2> Part 1: Architecture Overview &amp; What We Are Building </h2> <h3> Introduction </h3> <p>Most DevSecOps tutorials show you one piece of the puzzle — a Kubernetes cluster here, a CI pipeline there. This series is different. We build the entire platform end to end: infrastructure-as-code, multi-environment clusters, GitOps, security policy enforcement, runtime threat detection, secrets management, observability, canary deployments, autoscaling, and backup — all wired together the way a production engineering team would actually build it.</p> <p>Every component in this guide is running live. The screenshots you will see throughout this series come from the actual deployment at <code>matthewoladipupo.dev</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs0wyx83zqs883ffi533o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs0wyx83zqs883ffi533o.png" alt="Production-Grade DevSecOps Pipeline — Full Architecture Overview showing &lt;br&gt; 6 EKS clusters, ArgoCD hub-spoke GitOps, GitHub Actions CI/CD, and AWS &lt;br&gt; security services" width="800" height="545"></a><em>The complete system: GitHub → CI/CD → ECR → ArgoCD hub → 6 EKS clusters <br> across 3 environments and 2 AWS regions. Every component is covered in this <br> 10-part series.</em></p> <p><strong>What you will build:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Tools</th> </tr> </thead> <tbody> <tr> <td>Infrastructure as Code</td> <td>Terraform + Terragrunt</td> </tr> <tr> <td>Cloud Platform</td> <td>AWS (multi-account, multi-region)</td> </tr> <tr> <td>Container Orchestration</td> <td>Amazon EKS (6 clusters)</td> </tr> <tr> <td>GitOps Delivery</td> <td>ArgoCD (hub-spoke)</td> </tr> <tr> <td>CI/CD Pipeline</td> <td>GitHub Actions</td> </tr> <tr> <td>Container Security</td> <td>Trivy, Cosign, Distroless images</td> </tr> <tr> <td>Policy Enforcement</td> <td>Kyverno</td> </tr> <tr> <td>Runtime Security</td> <td>Falco</td> </tr> <tr> <td>Secrets Management</td> <td>AWS Secrets Manager + External Secrets Operator</td> </tr> <tr> <td>Monitoring</td> <td>Prometheus + Grafana (kube-prometheus-stack)</td> </tr> <tr> <td>Logging</td> <td>Fluent Bit → AWS CloudWatch</td> </tr> <tr> <td>Canary Deployments</td> <td>Argo Rollouts</td> </tr> <tr> <td>Autoscaling</td> <td>Karpenter + HPA</td> </tr> <tr> <td>Backup &amp; DR</td> <td>Velero + S3</td> </tr> <tr> <td>Web Application Firewall</td> <td>AWS WAF v2</td> </tr> <tr> <td>Threat Detection</td> <td>AWS GuardDuty</td> </tr> <tr> <td>DNS &amp; TLS</td> <td>Route53 + ACM (wildcard cert)</td> </tr> <tr> <td>Load Balancing</td> <td>AWS Load Balancer Controller</td> </tr> </tbody> </table></div> <h3> High-Level Architecture </h3> <p>The platform follows a <strong>hub-spoke GitOps model</strong> across three environments and two AWS regions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────────────────┐ │ AWS ORGANIZATION │ │ │ │ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────────────┐ │ │ │ Management Acct │ │ Dev Account │ │ Staging Account │ │ │ │ (ECR, CI Audit) │ │ 557702566877 │ │ │ │ │ │ │ │ ┌─────────────┐ │ │ ┌────────┐ ┌────────┐ │ │ │ │ ┌───────────┐ │ │ │ EKS use1 │ │ │ │EKS use1│ │EKS usw2│ │ │ │ │ │ECR: myapp │ │ │ │ (public ep) │ │ │ │ │ │ │ │ │ │ │ └───────────┘ │ │ └─────────────┘ │ │ └────────┘ └────────┘ │ │ │ └──────────────────┘ │ ┌─────────────┐ │ └──────────────────────────┘ │ │ │ │ EKS usw2 │ │ │ │ │ │ (public ep) │ │ ┌──────────────────────────┐ │ │ │ └─────────────┘ │ │ Production Account │ │ │ └──────────────────┘ │ 591120834781 │ │ │ │ │ │ │ │ ┌────────┐ ┌────────┐ │ │ │ │ │EKS use1│ │EKS usw2│ │ │ │ │ │ HUB │ │ Spoke │ │ │ │ │ │(ArgoCD)│ │ │ │ │ │ │ └────────┘ └────────┘ │ │ │ └──────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> Detailed Architecture Diagram </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> DEVELOPER WORKFLOW ────────────────── git push → GitHub │ ▼ ┌─────────────────────────────────────────────────────────────────────────────────┐ │ GITHUB ACTIONS CI PIPELINE │ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────────────┐ │ │ │ Lint + │ │ Trivy │ │ Docker │ │ Cosign │ │ Push to ECR │ │ │ │ Test │→ │ Scan │→ │ Build │→ │ Sign │→ │ (multi-region) │ │ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ └──────────────────┘ │ │ │ │ │ OIDC (no static keys) │ │ │ IAM Roles per cluster │ │ └────────────────────────────────────────────────────────────────────┼────────────┘ │ ▼ myapp-gitops repo (image tag updated) │ ▼ ┌─────────────────────────────────────────────────────────────────────────────────┐ │ ARGOCD HUB (myapp-production-use1) │ │ │ │ ApplicationSets (list generators per cluster) │ │ ┌─────────────────────────────────────────────────────────────────────────┐ │ │ │ environments/ infrastructure/ argocd/ │ │ │ │ ├─ dev ├─ monitoring └─ project-*.yaml │ │ │ │ ├─ staging ├─ logging │ │ │ │ └─ production ├─ eso │ │ │ │ ├─ kyverno │ │ │ │ ├─ falco │ │ │ │ ├─ velero │ │ │ │ ├─ karpenter │ │ │ │ └─ argo-rollouts │ │ │ └─────────────────────────────────────────────────────────────────────────┘ │ │ │ │ Syncs to ──────────────────────────────────────────────────────────────────► │ └──────┬──────────────────────────────────────────────────────────────────────────┘ │ VPC Peering (private endpoints) ├────────────────────────────────► myapp-production-usw2 ├────────────────────────────────► myapp-staging-use1 ├────────────────────────────────► myapp-staging-usw2 ├────────────────────────────────► myapp-dev-use1 └────────────────────────────────► myapp-dev-usw2 </code></pre> </div> <h3> Per-Cluster Component Stack </h3> <p>Every cluster runs the same security and observability baseline. The diagram below shows what runs on each cluster after bootstrapping:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────────────┐ │ EKS CLUSTER (per-cluster stack) │ │ │ │ SYSTEM NAMESPACES │ │ ┌─────────────┐ ┌──────────────────┐ ┌────────────────────────┐ │ │ │ kube-system│ │ kyverno │ │ falco │ │ │ │ (aws-lbc, │ │ (policy engine) │ │ (runtime security) │ │ │ │ coreDNS) │ │ │ │ │ │ │ └─────────────┘ └──────────────────┘ └────────────────────────┘ │ │ │ │ ┌─────────────────────┐ ┌───────────────────────────────────────┐ │ │ │ external-secrets │ │ monitoring │ │ │ │ (ESO operator) │ │ Prometheus ── Grafana ── Alertmanager│ │ │ └─────────────────────┘ └───────────────────────────────────────┘ │ │ │ │ ┌───────────────────────┐ ┌──────────────────┐ ┌─────────────┐ │ │ │ logging │ │ velero │ │ karpenter │ │ │ │ (Fluent Bit DS) │ │ (backup) │ │ (prod only)│ │ │ └───────────────────────┘ └──────────────────┘ └─────────────┘ │ │ │ │ ┌───────────────────────┐ ┌──────────────────────────────────────┐ │ │ │ argo-rollouts │ │ myapp (prod) / myapp (dev/staging) │ │ │ │ (canary controller) │ │ Rollout ──► canary ──► stable │ │ │ └───────────────────────┘ └──────────────────────────────────────┘ │ └──────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> Network Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> AWS REGION: us-east-1 ┌───────────────────────────────────────────────────────────┐ │ VPC: production-use1 (10.20.0.0/16) │ │ │ │ ┌──────────────────────────┐ ┌──────────────────────┐ │ │ │ Public Subnets │ │ Private Subnets │ │ │ │ 10.20.0.0/24 (us-east-1a) 10.20.8.0/21 (use1a) │ │ │ │ 10.20.1.0/24 (us-east-1b) 10.20.16.0/21 (use1b) │ │ │ │ 10.20.2.0/24 (us-east-1c) 10.20.24.0/21 (use1c) │ │ │ │ │ │ │ │ │ │ NAT Gateways │ │ EKS Node Groups │ │ │ │ Internet Gateway │ │ EKS API endpoint │ │ │ │ ALB (internet-facing) │ │ (private only) │ │ │ └──────────────────────────┘ └──────────────────────┘ │ └───────────────────────────────────────────────────────────┘ │ │ │ VPC Peering │ │ (private, encrypted) │ ▼ ▼ ┌────────────────────┐ ┌────────────────────────────────┐ │ VPC: prod-usw2 │ │ VPC: staging-use1 │ │ (10.21.0.0/16) │ │ (10.10.0.0/16) │ └────────────────────┘ └────────────────────────────────┘ Internet Traffic Flow: User → Route53 (latency routing) → ALB → AWS WAF → ALB Target Group → Pod (via ALB target type: ip, directly to pod IP) → Response back to user </code></pre> </div> <h3> CI/CD Pipeline Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ GitHub: MatthewDipo/myapp │ │ │ │ Developer: git push origin main │ └──────────────────────────────┬──────────────────────────────────────┘ │ triggers ▼ ┌─────────────────────────────────────────────────────────────────────┐ │ GitHub Actions: .github/workflows/ci.yaml │ │ │ │ Job 1: lint-and-test │ │ └─ npm ci &amp;&amp; npm test │ │ │ │ Job 2: scan (needs: lint-and-test) │ │ └─ trivy image --severity HIGH,CRITICAL │ │ │ │ Job 3: build-push-sign (needs: scan) │ │ ├─ OIDC → assume IAM role (no static AWS keys) │ │ ├─ docker build (distroless:nonroot base) │ │ ├─ docker push → ECR us-east-1 (management account) │ │ ├─ docker push → ECR us-west-2 (management account) │ │ ├─ cosign sign --key awskms:// (KMS signing key) │ │ └─ Write S3 audit log (image digest + timestamp) │ │ │ │ Job 4: update-gitops (needs: build-push-sign) │ │ └─ Patch myapp-gitops/apps/myapp/values-*.yaml (image.tag) │ └──────────────────────────────┬──────────────────────────────────────┘ │ git push to myapp-gitops ▼ ┌─────────────────────────────────────────────────────────────────────┐ │ GitHub: MatthewDipo/myapp-gitops │ │ ArgoCD detects diff → triggers sync per cluster │ │ │ │ Production: Argo Rollouts Canary │ │ ├─ Step 1: setWeight 20% (canary gets 20% traffic) │ │ ├─ Step 2: pause 5 minutes │ │ ├─ Step 3: AnalysisRun (check error rate &lt; 1%) │ │ └─ Step 4: setWeight 100% (promote to stable) │ │ │ │ Dev/Staging: Rolling Update (immediate) │ └─────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> Security Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────────┐ │ SECURITY LAYERS │ │ │ │ Layer 1: SUPPLY CHAIN SECURITY │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ Source: GitHub branch protection + required reviews │ │ │ │ Build: Trivy CVE scan (fails pipeline on HIGH/CRITICAL) │ │ │ │ Image: Distroless base (no shell, no package manager) │ │ │ │ Sign: Cosign + AWS KMS (cryptographic attestation) │ │ │ │ Verify: Kyverno policy blocks unsigned images at admission │ │ │ └────────────────────────────────────────────────────────────────────┘ │ │ │ │ Layer 2: INFRASTRUCTURE SECURITY │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ Network: Private EKS endpoints (staging/prod) │ │ │ │ VPC peering (no internet traversal between clusters) │ │ │ │ NetworkPolicies (deny-all default, allow explicitly) │ │ │ │ IAM: IRSA (pod-level IAM, no node-level credentials) │ │ │ │ OIDC for GitHub Actions (no static AWS keys in CI) │ │ │ │ Secrets: AWS Secrets Manager (never stored in Git) │ │ │ │ KMS: Envelope encryption for EKS secrets + ECR + S3 │ │ │ └────────────────────────────────────────────────────────────────────┘ │ │ │ │ Layer 3: WORKLOAD ADMISSION CONTROL (Kyverno) │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ ✗ Block privileged containers │ │ │ │ ✗ Block hostPath volume mounts │ │ │ │ ✗ Block containers running as root (uid=0) │ │ │ │ ✗ Block images without valid Cosign signature │ │ │ │ ✗ Block missing resource limits │ │ │ │ ✓ Allow myapp from ECR with valid signature │ │ │ └────────────────────────────────────────────────────────────────────┘ │ │ │ │ Layer 4: RUNTIME THREAT DETECTION (Falco) │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ Alert on: shell spawned in container │ │ │ │ Alert on: sensitive file read (/etc/shadow, /etc/passwd) │ │ │ │ Alert on: unexpected outbound network connection │ │ │ │ Alert on: privilege escalation attempts │ │ │ │ Output: CloudWatch Logs (via Fluent Bit) │ │ │ └────────────────────────────────────────────────────────────────────┘ │ │ │ │ Layer 5: PERIMETER SECURITY │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ AWS WAF v2: Managed rules (OWASP Top 10, SQL injection, XSS) │ │ │ │ AWS GuardDuty: Account-level threat intelligence │ │ │ │ ACM: TLS 1.2+ enforced, HTTP → HTTPS redirect │ │ │ └────────────────────────────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h3> GitOps Repository Structure </h3> <p>Two GitHub repositories drive everything after the CI pipeline builds the image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>MatthewDipo/myapp-gitops/ │ ├── argocd/ │ ├── project-dev.yaml # AppProject: dev clusters │ ├── project-staging.yaml # AppProject: staging clusters │ └── project-production.yaml # AppProject: production clusters │ ├── environments/ │ ├── dev/ │ │ └── applicationset.yaml # Deploys myapp to dev-use1, dev-usw2 │ ├── staging/ │ │ └── applicationset.yaml # Deploys myapp to staging-use1, staging-usw2 │ └── production/ │ └── applicationset.yaml # Deploys myapp to prod-use1, prod-usw2 │ ├── infrastructure/ │ ├── monitoring/ │ │ ├── applicationset.yaml # kube-prometheus-stack (4 clusters) │ │ ├── prometheus-values.yaml │ │ └── alert-rules/ │ │ └── applicationset.yaml # PrometheusRule CRDs │ ├── logging/ │ │ └── applicationset.yaml # Fluent Bit DaemonSet (6 clusters) │ ├── eso/ │ │ └── applicationset.yaml # External Secrets Operator (6 clusters) │ ├── kyverno/ │ │ └── applicationset.yaml # Kyverno + policies (6 clusters) │ ├── falco/ │ │ └── applicationset.yaml # Falco DaemonSet (6 clusters) │ ├── velero/ │ │ └── applicationset.yaml # Velero (6 clusters) │ ├── karpenter/ │ │ ├── applicationset.yaml # Karpenter controller (2 prod) │ │ └── nodepools/ │ │ └── applicationset.yaml # NodePool + EC2NodeClass CRDs │ └── argo-rollouts/ │ └── applicationset.yaml # Argo Rollouts controller (2 prod) │ └── apps/ └── myapp/ # Helm chart for the application ├── Chart.yaml ├── values.yaml # Default values ├── values-dev.yaml ├── values-staging.yaml ├── values-production.yaml └── templates/ ├── deployment.yaml # Deployment OR Rollout (conditional) ├── service.yaml ├── service-canary.yaml # Canary service (prod only) ├── ingress.yaml ├── hpa.yaml ├── networkpolicy.yaml ├── serviceaccount.yaml ├── external-secret.yaml ├── servicemonitor.yaml # Prometheus scraping └── analysis-template.yaml </code></pre> </div> <h3> Infrastructure Repository Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>MatthewDipo/myapp-infra/ │ ├── _modules/ # Reusable Terraform modules │ ├── vpc/ │ ├── eks/ │ ├── kms/ │ ├── iam/ │ ├── ecr/ │ ├── waf/ │ ├── guardduty/ │ ├── eso-irsa/ │ ├── fluent-bit-irsa/ │ ├── karpenter/ │ └── velero/ │ └── live/ # Terragrunt configurations (per env/region) ├── terragrunt.hcl # Root config (provider, remote state) ├── dev/ │ ├── us-east-1/ │ │ ├── vpc/terragrunt.hcl │ │ ├── kms/terragrunt.hcl │ │ ├── eks/terragrunt.hcl │ │ ├── iam/terragrunt.hcl │ │ └── fluent-bit-irsa/terragrunt.hcl │ └── us-west-2/ │ └── ... (mirror of use1) ├── staging/ │ ├── us-east-1/ │ │ ├── vpc/ kms/ eks/ iam/ │ │ ├── waf/terragrunt.hcl │ │ ├── guardduty/terragrunt.hcl │ │ ├── eso-irsa/terragrunt.hcl │ │ └── fluent-bit-irsa/terragrunt.hcl │ └── us-west-2/ │ └── ... └── production/ ├── us-east-1/ │ ├── vpc/ kms/ eks/ iam/ │ ├── waf/ │ ├── guardduty/ │ ├── eso-irsa/ │ ├── fluent-bit-irsa/ │ ├── karpenter/ │ └── velero/ └── us-west-2/ └── ... </code></pre> </div> <h3> AWS Account Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────┐ │ AWS Organizations Root │ │ │ │ ┌───────────────────────────────────────┐ │ │ │ Management / Root Account │ │ │ │ • AWS SSO (Identity Center) │ │ │ │ • ECR repositories (shared) │ │ │ │ • S3 CI audit bucket │ │ │ │ • GitHub OIDC provider │ │ │ └───────────────────────────────────────┘ │ │ │ │ │ │ │ ▼ ▼ ▼ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ Dev │ │ Staging │ │Production│ │ │ │ Account │ │ Account │ │ Account │ │ │ │ │ │ │ │ │ │ │ │ 2x EKS │ │ 2x EKS │ │ 2x EKS │ │ │ │ VPCs │ │ VPCs │ │ VPCs │ │ │ │ KMS keys │ │ KMS keys │ │ KMS keys │ │ │ │ Secrets │ │ Secrets │ │ Secrets │ │ │ │ Manager │ │ Manager │ │ Manager │ │ │ └──────────┘ └──────────┘ └──────────┘ │ └──────────────────────────────────────────────┘ </code></pre> </div> <h3> Technology Decision Rationale </h3> <p>Understanding WHY each tool was chosen matters as much as knowing HOW to configure it.</p> <p><strong>Terragrunt over plain Terraform</strong><br> Terragrunt provides DRY (Don't Repeat Yourself) configuration. Without it, you would have near-identical <code>provider</code>, <code>backend</code>, and <code>module</code> blocks repeated across 18+ directories. Terragrunt's <code>include</code> and <code>dependency</code> blocks eliminate 90% of that duplication while keeping each environment's overrides explicit and auditable.</p> <p><strong>ArgoCD hub-spoke over fleet management per cluster</strong><br> Running ArgoCD on every cluster is operationally expensive. The hub-spoke model means one ArgoCD installation manages all six clusters via VPC peering. This single pane of glass dramatically simplifies debugging — you see all cluster states in one place.</p> <p><strong>Kyverno over OPA/Gatekeeper</strong><br> Kyverno policies are written in YAML and operate on the same resource schema as Kubernetes objects. OPA/Gatekeeper requires learning Rego, a purpose-built policy language. For Kubernetes-native teams, Kyverno is faster to adopt and maintain.</p> <p><strong>External Secrets Operator over Sealed Secrets</strong><br> Sealed Secrets encrypts secrets and commits them to Git — meaning the encrypted value is your source of truth. ESO keeps secrets out of Git entirely: the secret lives in AWS Secrets Manager, and ESO fetches it at runtime with IRSA credentials. This is a fundamentally stronger posture because a compromised Git repo never exposes secret material.</p> <p><strong>Argo Rollouts over plain Kubernetes rolling updates</strong><br> Rolling updates are binary — you either roll forward or roll back. Argo Rollouts adds weighted traffic splitting between stable and canary versions, analysis runs (automated metric-based promotion gates), and pause steps for manual inspection. A canary deployment that automatically fails back on a rising error rate is far safer than a rolling update you monitor manually.</p> <p><strong>Distroless base images</strong><br> The Google distroless <code>nonroot</code> image contains only the application runtime and its direct dependencies — no shell (<code>sh</code>, <code>bash</code>), no package manager (<code>apt</code>, <code>apk</code>), no <code>curl</code> or <code>wget</code>. If an attacker achieves code execution inside the container, they have almost no tools available to escalate or exfiltrate. Combined with Falco alerting on shell spawning, you get both prevention and detection.</p> <h3> Cost Estimate </h3> <blockquote> <p>These are rough estimates for running the full stack 24/7 in AWS us-east-1 + us-west-2. Production workloads should be sized to actual usage.</p> </blockquote> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Approx. Monthly Cost</th> </tr> </thead> <tbody> <tr> <td>6x EKS cluster control planes</td> <td>~$216 ($0.10/hr × 6)</td> </tr> <tr> <td>12x EC2 t3.medium nodes (2 per cluster)</td> <td>~$300</td> </tr> <tr> <td>6x EBS volumes (gp2, 50–100GB each)</td> <td>~$60</td> </tr> <tr> <td>NAT Gateways (2 per VPC, 6 VPCs)</td> <td>~$250</td> </tr> <tr> <td>ALBs (production + monitoring)</td> <td>~$30</td> </tr> <tr> <td>Route53 hosted zone + queries</td> <td>~$5</td> </tr> <tr> <td>ACM (free)</td> <td>$0</td> </tr> <tr> <td>ECR storage</td> <td>~$5</td> </tr> <tr> <td>CloudWatch logs (Fluent Bit)</td> <td>~$15</td> </tr> <tr> <td>S3 (Velero backups, CI audit)</td> <td>~$10</td> </tr> <tr> <td>AWS WAF</td> <td>~$15</td> </tr> <tr> <td>GuardDuty</td> <td>~$10</td> </tr> <tr> <td>Secrets Manager</td> <td>~$2</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>~$918/month</strong></td> </tr> </tbody> </table></div> <blockquote> <p><strong>Cost reduction tip:</strong> For a demo/learning setup, use 1 node per cluster, <code>t3.small</code> instances, and skip the second region. This brings the cost to approximately $200–300/month.</p> </blockquote> <h3> Prerequisites </h3> <p>Before starting Part 2, ensure you have the following:</p> <p><strong>Tools to install:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># AWS CLI v2</span> curl <span class="s2">"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"</span> <span class="nt">-o</span> <span class="s2">"awscliv2.zip"</span> unzip awscliv2.zip <span class="o">&amp;&amp;</span> <span class="nb">sudo</span> ./aws/install <span class="c"># Terraform 1.6+</span> brew <span class="nb">install </span>terraform <span class="c"># or download from terraform.io</span> <span class="c"># Terragrunt 0.54+</span> brew <span class="nb">install </span>terragrunt <span class="c"># or download from terragrunt.gruntwork.io</span> <span class="c"># kubectl</span> curl <span class="nt">-LO</span> <span class="s2">"https://dl.k8s.io/release/</span><span class="si">$(</span>curl <span class="nt">-sL</span> https://dl.k8s.io/release/stable.txt<span class="si">)</span><span class="s2">/bin/linux/amd64/kubectl"</span> <span class="nb">sudo install</span> <span class="nt">-o</span> root <span class="nt">-g</span> root <span class="nt">-m</span> 0755 kubectl /usr/local/bin/kubectl <span class="c"># Helm 3</span> curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash <span class="c"># ArgoCD CLI</span> curl <span class="nt">-sSL</span> <span class="nt">-o</span> argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 <span class="nb">sudo install</span> <span class="nt">-m</span> 555 argocd /usr/local/bin/argocd <span class="c"># Cosign</span> curl <span class="nt">-sSfL</span> https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 <span class="se">\</span> <span class="nt">-o</span> cosign <span class="o">&amp;&amp;</span> <span class="nb">sudo install</span> <span class="nt">-m</span> 0755 cosign /usr/local/bin/cosign <span class="c"># Trivy</span> <span class="nb">sudo </span>apt-get <span class="nb">install </span>wget apt-transport-https gnupg lsb-release wget <span class="nt">-qO</span> - https://aquasecurity.github.io/trivy-repo/deb/public.key | <span class="nb">sudo </span>apt-key add - <span class="nb">echo</span> <span class="s2">"deb https://aquasecurity.github.io/trivy-repo/deb </span><span class="si">$(</span>lsb_release <span class="nt">-sc</span><span class="si">)</span><span class="s2"> main"</span> <span class="se">\</span> | <span class="nb">sudo tee</span> /etc/apt/sources.list.d/trivy.list <span class="nb">sudo </span>apt-get update <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt-get <span class="nb">install </span>trivy </code></pre> </div> <p><strong>AWS accounts needed:</strong></p> <ul> <li>AWS Organization root account (or a management account)</li> <li>Three member accounts: dev, staging, production</li> <li>AWS SSO (IAM Identity Center) configured</li> </ul> <p><strong>GitHub:</strong></p> <ul> <li>Two repositories: <code>myapp</code> (application code) and <code>myapp-gitops</code> (manifests)</li> <li>A Personal Access Token for ArgoCD to pull from the GitOps repo</li> </ul> <p><strong>Domain name:</strong></p> <ul> <li>A registered domain you control (we use <code>matthewoladipupo.dev</code>)</li> <li>Nameservers pointed to Route53</li> </ul> <h3> Series Roadmap </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Part</th> <th>Title</th> </tr> </thead> <tbody> <tr> <td><strong>Part 1</strong></td> <td>Architecture Overview (this article)</td> </tr> <tr> <td><strong>Part 2</strong></td> <td>AWS Foundation: Organizations, SSO, and Account Setup</td> </tr> <tr> <td><strong>Part 3</strong></td> <td>Infrastructure as Code: Terraform Modules + Terragrunt</td> </tr> <tr> <td><strong>Part 4</strong></td> <td>EKS Multi-Cluster: Six Clusters Across Two Regions</td> </tr> <tr> <td><strong>Part 5</strong></td> <td>GitOps with ArgoCD: Hub-Spoke Model</td> </tr> <tr> <td><strong>Part 6</strong></td> <td>CI/CD Pipeline: GitHub Actions, Trivy, Cosign, ECR</td> </tr> <tr> <td><strong>Part 7</strong></td> <td>Secrets Management: AWS Secrets Manager + ESO + IRSA</td> </tr> <tr> <td><strong>Part 8</strong></td> <td>Security Stack: Kyverno, Falco, WAF, GuardDuty</td> </tr> <tr> <td><strong>Part 9</strong></td> <td>Observability: Prometheus, Grafana, Fluent Bit, CloudWatch</td> </tr> <tr> <td><strong>Part 10</strong></td> <td>Resilience: Karpenter, HPA, Argo Rollouts, Velero</td> </tr> <tr> <td><strong>Live Data</strong></td> <td>Appendix</td> </tr> <tr> <td><strong>Codes</strong></td> <td>Runbook</td> </tr> </tbody> </table></div> <h3> Screenshot Placeholders </h3> <blockquote> <p><strong>SCREENSHOT: ArgoCD UI showing all 6 clusters registered and all ApplicationSets synced</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgx4bvv9xqr6w1fcyb3ck.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgx4bvv9xqr6w1fcyb3ck.png" alt="ArgoCD UI showing all 6 clusters registered and all ApplicationSets synced" width="800" height="441"></a></p> </blockquote> <blockquote> <p><strong>SCREENSHOT: Grafana dashboard — Node CPU/Memory overview across production clusters</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdz9aks78837grslqzru4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdz9aks78837grslqzru4.png" alt="Grafana dashboard — Node CPU/Memory overview across production clusters" width="800" height="445"></a></p> </blockquote> <blockquote> <p><strong>SCREENSHOT: GitHub Actions workflow showing all steps passing (lint → scan → build → sign → push → gitops update)</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ylgumnafddwkd6jmqyc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ylgumnafddwkd6jmqyc.png" alt="GitHub Actions workflow showing all steps passing (lint → scan → build → sign → push → gitops update" width="800" height="444"></a></p> </blockquote> <blockquote> <p><strong>SCREENSHOT: AWS ECR showing signed image with cosign attestation tag</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo4l8a7we3a8zkfthkivi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo4l8a7we3a8zkfthkivi.png" alt="AWS ECR showing signed image with cosign attestation tag" width="800" height="443"></a></p> </blockquote> <p><strong>If this was useful, follow me on dev.to</strong> — I will publish Part 2 next Wednesday covering the AWS Organizations + IAM Identity Center setup.<br> <strong>Questions?</strong> Drop them in the comments — I read and reply to every one.</p> <p><em>Next up: Part 2 — AWS Foundation: Organizations, SSO, and Account Setup</em></p> <p><strong>Source code:</strong> <a href="https://github.com/MatthewDipo/myapp-infra" rel="noopener noreferrer">myapp-infra</a> | <a href="https://github.com/MatthewDipo/myapp-gitops" rel="noopener noreferrer">myapp-gitops</a> | <a href="https://github.com/MatthewDipo/myapp" rel="noopener noreferrer">myapp</a><br> <strong>Runbook:</strong> <a href="https://github.com/MatthewDipo/myapp-infra/blob/main/docs/runbook.md" rel="noopener noreferrer">Operations Guide</a> — every operational procedure for this pipeline.</p> devops kubernetes aws terraform