Part 4 – Lessons Learned and Takeaways
In Part 3 I explained how I used Terraform and Terraform Cloud to provision Azure infrastructure while keeping security at the core.
Now, it’s time to wrap up this series with some real talk: what went wrong, what went right, and what I learned along the way.
⚠️ The Struggles
Let’s be honest! This wasn’t smooth sailing.
- SonarCloud kept failing → My app was just HTML/CSS/JS, so SonarCloud gave me 0% test coverage. At first, that meant failed pipelines, which was frustrating.
- Docker “latest” confusion → I thought every push would create a new image version in ECR. Wrong. Without unique tags, I couldn’t track versions or roll back easily.
- Trivy misconfigurations → My first vulnerability scans failed because I didn’t reference the full ECR image path. Rookie mistake, but it cost me time.
- Secret management headaches → Hardcoding secrets was a no-go. Finding the right balance between Terraform Cloud, GitHub Actions, and AWS credentials took trial and error.
Every failure made me slow down, rethink, and fix things the right way.
✅ The Wins
Despite the bumps, here’s what I walked away with:
- A fully automated CI/CD pipeline for my portfolio app
- Cross-cloud integration: AWS ECR → Azure Container Apps
- Security-first approach with SonarCloud, TFSEC, and Trivy
- Infrastructure fully managed as code with Terraform
- Secrets handled safely using Terraform Cloud sensitive variables
The app itself? Just a simple portfolio.
But the pipeline? Enterprise-grade.
As of writing this documentation blog, the deployment was 100% functional, triggered by GitHub Actions and deployed by Terraform Cloud.
Last screenshots, taken before destroying the project.
Everything has an end. This isn't the total end, though; it's a milestone, and with it the beginning of a newer and more sophisticated challenge. More is coming!
💡 Key Lessons Learned
Looking back, here are the big takeaways from this journey:
- Even a static app can teach you real DevOps. It’s not about the complexity of the code — it’s about how you build, ship, and secure it.
- Always version your Docker images. Using Git commit SHAs as tags solved so many headaches and gave me rollback safety.
- Security isn’t an afterthought. TFSEC and Trivy forced me to think like a DevSecOps engineer. Better to fix issues now than explain them later.
- Secrets should never live in repos. Terraform Cloud’s sensitive variables saved me from bad practices and kept everything professional.
- Documentation is part of DevOps. This Dev.to series itself is proof. If you can’t explain what you built, it’s almost like it doesn’t exist.
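The image-tagging lessons above (the Docker “latest” confusion and the Trivy full-path mistake from the Struggles section, and “Always version your Docker images” here) come down to one rule: build, scan, push and deploy the same fully-qualified ECR reference, pinned to a Git commit SHA, and refuse anything mutable. The script below is an added example to show that rule in working shell; it is not code from the author’s repo or pipeline. The AWS account ID, region, repository name and Azure Container App names are constructed placeholders, the helper function names are mine, and the `push`/`rollback` paths assume the `docker`, `trivy`, `aws` and `az` CLIs are installed and authenticated.

```bash
#!/usr/bin/env bash
# Added example (not the author's pipeline code). Builds an immutable ECR image
# reference from the Git commit SHA, refuses mutable tags such as "latest", and
# reuses that one fully-qualified reference for the build, the Trivy scan, the
# push and the Azure Container Apps deploy/rollback.
# Account, region, repository and Azure names below are constructed placeholders.
set -eu

ECR_ACCOUNT="${ECR_ACCOUNT:-123456789012}"
ECR_REGION="${ECR_REGION:-us-east-1}"
ECR_REPO="${ECR_REPO:-portfolio}"
ACA_NAME="${ACA_NAME:-portfolio-app}"   # placeholder Azure Container App name
ACA_RG="${ACA_RG:-portfolio-rg}"        # placeholder Azure resource group

# A tag is acceptable only if it is a 7-40 character lowercase hex Git SHA.
# "latest", empty strings and version-like strings are rejected so nothing in
# the pipeline can silently point at a moving target.
is_sha_tag() {
  case "$1" in
    ""|latest) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{7,40}$'
}

# Print the fully-qualified ECR reference:
#   ACCOUNT.dkr.ecr.REGION.amazonaws.com/REPO:TAG
# Trivy, docker push and the Azure deploy all need this exact form; a bare
# "portfolio:abc1234" is a different (local) image as far as the scanner knows.
ecr_image_ref() {
  local account="$1" region="$2" repo="$3" tag="$4"
  if ! is_sha_tag "$tag"; then
    echo "refusing mutable or malformed image tag: '$tag'" >&2
    return 1
  fi
  printf '%s.dkr.ecr.%s.amazonaws.com/%s:%s\n' "$account" "$region" "$repo" "$tag"
}

# Short SHA of the commit being built: GITHUB_SHA inside GitHub Actions, HEAD locally.
# Outside a checkout this prints an empty string, which ecr_image_ref then rejects.
current_sha() {
  local sha
  sha="${GITHUB_SHA:-$(git rev-parse HEAD 2>/dev/null || true)}"
  printf '%s\n' "$sha" | cut -c1-12
}

# Build, scan and push one immutable image. Trivy runs against the same reference
# that will be pushed, and any HIGH/CRITICAL finding fails the job before the push.
build_scan_push() {
  local ref
  ref="$(ecr_image_ref "$ECR_ACCOUNT" "$ECR_REGION" "$ECR_REPO" "$(current_sha)")"
  docker build -t "$ref" .
  trivy image --exit-code 1 --severity HIGH,CRITICAL "$ref"
  aws ecr get-login-password --region "$ECR_REGION" \
    | docker login --username AWS --password-stdin "${ref%%/*}"
  docker push "$ref"
  echo "pushed $ref"
}

# Roll back by redeploying a previously pushed SHA: no rebuild, no new scan surprises.
rollback_to() {
  local ref
  ref="$(ecr_image_ref "$ECR_ACCOUNT" "$ECR_REGION" "$ECR_REPO" "$1")"
  az containerapp update --name "$ACA_NAME" --resource-group "$ACA_RG" --image "$ref"
}

case "${1:-}" in
  push)     build_scan_push ;;
  rollback) rollback_to "${2:-}" ;;
  *)        : ;;   # no argument: only define the functions (safe to source)
esac
```

Run it as `./image.sh push` from the CI job and `./image.sh rollback <sha>` to return to a known-good image. The point of routing every command through `ecr_image_ref` is that a typo, a bare `latest`, or an empty SHA from a broken checkout fails loudly at the reference step instead of producing a green pipeline that scanned one image and deployed another.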
🚀 What’s Next?
This project was just the beginning. If I were to extend it, I’d:
- Add monitoring & observability (Prometheus, Grafana, or Azure Monitor)
- Deploy to multiple environments (staging + prod) with approval gates
- Write basic tests for my JavaScript to make SonarCloud happier
- Add a rollback strategy in the pipeline (in case a deploy fails)
Each of those would push this portfolio pipeline even closer to what real-world production systems look like.
🎯 Final Thoughts
I started this journey wanting “just a portfolio site.”
But I ended up building something much more:
- A CI/CD pipeline
- A multi-cloud deployment
- A DevSecOps showcase
The biggest lesson?
👉 You don’t need a big app to prove your skills. You just need discipline, automation, and security woven into your process.
This wasn’t just about HTML, CSS, and JS.
It was about showing that I can think, build, and operate like a DevOps engineer.
And that’s the story behind my portfolio.
Feel free to check out my Repo
Thank you for reading.
Feel free to like, leave a comment and share.
Top comments (1)
Thanks for tackling an often-overlooked niche—applying real DevSecOps rigor to a simple static portfolio. The practical takeaways on image versioning, secret management, and scanner setup (Sonar/Trivy/TFSEC) are gold. The cross-cloud pipeline and clear documentation are especially helpful. Looking forward to what you build next!