DEV Community: Sherifdeen Adebayo The latest articles on DEV Community by Sherifdeen Adebayo (@0xsherifdev). https://dev.to/0xsherifdev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1107625%2Fe363f4d5-bcb1-4bb8-a2b6-530532ad3ecf.jpg DEV Community: Sherifdeen Adebayo https://dev.to/0xsherifdev en Containerized Microservices with Full Automation Sherifdeen Adebayo Tue, 09 Dec 2025 21:18:11 +0000 https://dev.to/0xsherifdev/containerized-microservices-with-full-automation-2plf https://dev.to/0xsherifdev/containerized-microservices-with-full-automation-2plf <h3> The Big Picture </h3> <p><strong>What we're building:</strong><br> A production-ready TODO application with:</p> <ul> <li>Multiple microservices (5 different programming languages!)</li> <li>Automated infrastructure provisioning (Terraform)</li> <li>Automated configuration management (Ansible)</li> <li>CI/CD pipelines with drift detection</li> <li>Automatic HTTPS with Traefik</li> <li>Zero-trust security model</li> </ul> <p><strong>Architecture:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ┌──────────────┐ │ Traefik │ │ (HTTPS/Proxy)│ └───────┬──────┘ │ ┌──────────────────────┼──────────────────────┐ │ │ │ ┌───────▼────────┐ ┌───────▼────────┐ ┌───────▼────────┐ │ Frontend │ │ Auth API │ │ Todos API │ │ (Vue.js) │ │ (Go) │ │ (Node.js) │ └────────────────┘ └────────────────┘ └────────────────┘ │ ┌──────────────┼──────────────┐ │ │ │ ┌───────▼────────┐ ┌──▼────┐ ┌─────▼──────┐ │ Users API │ │ Redis │ │ Log │ │ (Java Spring) │ │ Queue │ │ Processor │ └────────────────┘ └───────┘ │ (Python) │ └────────────┘ </code></pre> </div> <h3> Understanding the Application </h3> <h4> The Services </h4> <p><strong>1. Frontend (Vue.js)</strong></p> <ul> <li>User interface</li> <li>Login page → TODO dashboard</li> <li>Communicates with backend APIs</li> <li>Port: 80/443 (via Traefik)</li> </ul> <p><strong>2. Auth API (Go)</strong></p> <ul> <li>Handles user authentication</li> <li>Issues JWT tokens</li> <li>Endpoint: <code>/api/auth</code> </li> </ul> <p><strong>3. Todos API (Node.js)</strong></p> <ul> <li>Manages TODO items</li> <li>CRUD operations</li> <li>Requires valid JWT token</li> <li>Endpoint: <code>/api/todos</code> </li> </ul> <p><strong>4. Users API (Java Spring Boot)</strong></p> <ul> <li>User management</li> <li>Profile operations</li> <li>Endpoint: <code>/api/users</code> </li> </ul> <p><strong>5. Log Processor (Python)</strong></p> <ul> <li>Processes background tasks</li> <li>Consumes from Redis queue</li> <li>Writes audit logs</li> </ul> <p><strong>6. Redis Queue</strong></p> <ul> <li>Message broker</li> <li>Task queue for async operations</li> </ul> <h3> Phase 1: Containerization </h3> <p>Let's containerize each service. The key is understanding that each language has its own best practices.</p> <h4> Frontend Dockerfile (Vue.js) </h4> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Multi-stage build for optimized production image</span> <span class="c"># Stage 1: Build the application</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:18-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy package files</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="c"># Install dependencies</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="c"># Copy source code</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Build for production</span> <span class="k">RUN </span>npm run build <span class="c"># Stage 2: Serve with nginx</span> <span class="k">FROM</span><span class="s"> nginx:alpine</span> <span class="c"># Copy built assets from builder stage</span> <span class="k">COPY</span><span class="s"> --from=builder /app/dist /usr/share/nginx/html</span> <span class="c"># Copy nginx configuration</span> <span class="k">COPY</span><span class="s"> nginx.conf /etc/nginx/conf.d/default.conf</span> <span class="c"># Health check</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s \</span> CMD wget --quiet --tries=1 --spider http://localhost/ || exit 1 <span class="k">EXPOSE</span><span class="s"> 80</span> <span class="k">CMD</span><span class="s"> ["nginx", "-g", "daemon off;"]</span> </code></pre> </div> <p><strong>Why multi-stage builds?</strong></p> <ul> <li> <strong>Builder stage:</strong> 800MB (includes build tools)</li> <li> <strong>Final stage:</strong> 25MB (only nginx + static files)</li> <li>97% size reduction!</li> </ul> <p><strong>Frontend nginx config:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">root</span> <span class="n">/usr/share/nginx/html</span><span class="p">;</span> <span class="kn">index</span> <span class="s">index.html</span><span class="p">;</span> <span class="c1"># SPA routing - send all requests to index.html</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">try_files</span> <span class="nv">$uri</span> <span class="nv">$uri</span><span class="n">/</span> <span class="n">/index.html</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># Cache static assets</span> <span class="kn">location</span> <span class="p">~</span><span class="sr">*</span> <span class="err">\</span><span class="s">.(js|css|png|jpg|jpeg|gif|ico|svg)</span>$ <span class="p">{</span> <span class="kn">expires</span> <span class="s">1y</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">Cache-Control</span> <span class="s">"public,</span> <span class="s">immutable"</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># Security headers</span> <span class="kn">add_header</span> <span class="s">X-Frame-Options</span> <span class="s">"SAMEORIGIN"</span> <span class="s">always</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-Content-Type-Options</span> <span class="s">"nosniff"</span> <span class="s">always</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-XSS-Protection</span> <span class="s">"1</span><span class="p">;</span> <span class="kn">mode=block"</span> <span class="s">always</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h4> Auth API Dockerfile (Go) </h4> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Multi-stage build for Go</span> <span class="c"># Stage 1: Build the binary</span> <span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.21-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy go mod files</span> <span class="k">COPY</span><span class="s"> go.mod go.sum ./</span> <span class="c"># Download dependencies</span> <span class="k">RUN </span>go mod download <span class="c"># Copy source code</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Build the binary</span> <span class="c"># CGO_ENABLED=0 creates a static binary (no external dependencies)</span> <span class="k">RUN </span><span class="nv">CGO_ENABLED</span><span class="o">=</span>0 <span class="nv">GOOS</span><span class="o">=</span>linux go build <span class="nt">-a</span> <span class="nt">-installsuffix</span> cgo <span class="nt">-o</span> main . <span class="c"># Stage 2: Create minimal runtime image</span> <span class="k">FROM</span><span class="s"> alpine:latest</span> <span class="c"># Add ca-certificates for HTTPS calls</span> <span class="k">RUN </span>apk <span class="nt">--no-cache</span> add ca-certificates <span class="k">WORKDIR</span><span class="s"> /root/</span> <span class="c"># Copy the binary from builder</span> <span class="k">COPY</span><span class="s"> --from=builder /app/main .</span> <span class="c"># Health check</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s \</span> CMD wget --quiet --tries=1 --spider http://localhost:8080/health || exit 1 <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">CMD</span><span class="s"> ["./main"]</span> </code></pre> </div> <p><strong>Why this approach?</strong></p> <ul> <li> <strong>Builder stage:</strong> 400MB</li> <li> <strong>Final stage:</strong> 15MB (just Alpine + binary)</li> <li>Static binary = no runtime dependencies</li> <li>Faster startup, smaller attack surface</li> </ul> <h4> Todos API Dockerfile (Node.js) </h4> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:18-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Install dependencies first (better caching)</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="c"># Copy application code</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Create non-root user for security</span> <span class="k">RUN </span>addgroup <span class="nt">-g</span> 1001 <span class="nt">-S</span> nodejs <span class="o">&amp;&amp;</span> <span class="se">\ </span> adduser <span class="nt">-S</span> nodejs <span class="nt">-u</span> 1001 <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">chown</span> <span class="nt">-R</span> nodejs:nodejs /app <span class="k">USER</span><span class="s"> nodejs</span> <span class="c"># Health check</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s \</span> CMD node healthcheck.js || exit 1 <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node", "server.js"]</span> </code></pre> </div> <p><strong>Security note:</strong> Running as non-root user limits damage if container is compromised.</p> <h4> Users API Dockerfile (Java Spring Boot) </h4> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Multi-stage build for Java</span> <span class="c"># Stage 1: Build with Maven</span> <span class="k">FROM</span><span class="w"> </span><span class="s">maven:3.9-eclipse-temurin-17</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy pom.xml first (dependency caching)</span> <span class="k">COPY</span><span class="s"> pom.xml ./</span> <span class="k">RUN </span>mvn dependency:go-offline <span class="c"># Copy source and build</span> <span class="k">COPY</span><span class="s"> src ./src</span> <span class="k">RUN </span>mvn clean package <span class="nt">-DskipTests</span> <span class="c"># Stage 2: Runtime</span> <span class="k">FROM</span><span class="s"> eclipse-temurin:17-jre-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy JAR from builder</span> <span class="k">COPY</span><span class="s"> --from=builder /app/target/*.jar app.jar</span> <span class="c"># Health check</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s \</span> CMD wget --quiet --tries=1 --spider http://localhost:8080/actuator/health || exit 1 <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="c"># Use exec form to ensure proper signal handling</span> <span class="k">ENTRYPOINT</span><span class="s"> ["java", "-jar", "/app/app.jar"]</span> </code></pre> </div> <p><strong>Java-specific optimizations:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Production optimization flags</span> <span class="k">ENTRYPOINT</span><span class="s"> ["java", \</span> "-XX:+UseContainerSupport", \ "-XX:MaxRAMPercentage=75.0", \ "-XX:+ExitOnOutOfMemoryError", \ "-jar", "/app/app.jar"] </code></pre> </div> <h4> Log Processor Dockerfile (Python) </h4> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> python:3.11-slim</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Install dependencies</span> <span class="k">COPY</span><span class="s"> requirements.txt ./</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> requirements.txt <span class="c"># Copy application</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Create non-root user</span> <span class="k">RUN </span>useradd <span class="nt">-m</span> <span class="nt">-u</span> 1001 processor <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">chown</span> <span class="nt">-R</span> processor:processor /app <span class="k">USER</span><span class="s"> processor</span> <span class="c"># Health check (check if process is running)</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s \</span> CMD ps aux | grep processor.py || exit 1 <span class="k">CMD</span><span class="s"> ["python", "processor.py"]</span> </code></pre> </div> <h4> Docker Compose - Orchestrating Everything </h4> <p>Now let's tie it all together with <code>docker-compose.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="c1"># Traefik reverse proxy</span> <span class="na">traefik</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">traefik:v2.10</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">command</span><span class="pi">:</span> <span class="c1"># API and dashboard</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--api.dashboard=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--api.insecure=true"</span> <span class="c1"># Docker provider</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--providers.docker=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--providers.docker.exposedbydefault=false"</span> <span class="c1"># Entrypoints</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.web.address=:80"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.websecure.address=:443"</span> <span class="c1"># HTTP to HTTPS redirect</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.web.http.redirections.entrypoint.to=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.web.http.redirections.entrypoint.scheme=https"</span> <span class="c1"># Let's Encrypt</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.tlschallenge=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">80:80"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">443:443"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8080:8080"</span> <span class="c1"># Dashboard</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/var/run/docker.sock:/var/run/docker.sock:ro"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">./letsencrypt:/letsencrypt"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Frontend</span> <span class="na">frontend</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./frontend</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend.rule=Host(`${DOMAIN}`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.frontend.loadbalancer.server.port=80"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Auth API</span> <span class="na">auth</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./auth-api</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">auth-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DB_HOST=postgres</span> <span class="pi">-</span> <span class="s">DB_PORT=5432</span> <span class="pi">-</span> <span class="s">DB_NAME=${DB_NAME}</span> <span class="pi">-</span> <span class="s">DB_USER=${DB_USER}</span> <span class="pi">-</span> <span class="s">DB_PASSWORD=${DB_PASSWORD}</span> <span class="pi">-</span> <span class="s">JWT_SECRET=${JWT_SECRET}</span> <span class="pi">-</span> <span class="s">REDIS_URL=redis://redis:6379</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.rule=Host(`${DOMAIN}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/auth`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.auth.loadbalancer.server.port=8080"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="s">redis</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Todos API</span> <span class="na">todos</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./todos-api</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">todos-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DB_HOST=postgres</span> <span class="pi">-</span> <span class="s">DB_PORT=5432</span> <span class="pi">-</span> <span class="s">DB_NAME=${DB_NAME}</span> <span class="pi">-</span> <span class="s">DB_USER=${DB_USER}</span> <span class="pi">-</span> <span class="s">DB_PASSWORD=${DB_PASSWORD}</span> <span class="pi">-</span> <span class="s">REDIS_URL=redis://redis:6379</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.todos.rule=Host(`${DOMAIN}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/todos`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.todos.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.todos.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.todos.loadbalancer.server.port=3000"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="s">redis</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Users API</span> <span class="na">users</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./users-api</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">users-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">SPRING_DATASOURCE_URL=jdbc:postgresql://postgres:5432/${DB_NAME}</span> <span class="pi">-</span> <span class="s">SPRING_DATASOURCE_USERNAME=${DB_USER}</span> <span class="pi">-</span> <span class="s">SPRING_DATASOURCE_PASSWORD=${DB_PASSWORD}</span> <span class="pi">-</span> <span class="s">SPRING_REDIS_HOST=redis</span> <span class="pi">-</span> <span class="s">SPRING_REDIS_PORT=6379</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.users.rule=Host(`${DOMAIN}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/users`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.users.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.users.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.users.loadbalancer.server.port=8080"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="s">redis</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Log Processor</span> <span class="na">log-processor</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./log-processor</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">log-processor</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">REDIS_URL=redis://redis:6379</span> <span class="pi">-</span> <span class="s">LOG_PATH=/logs</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./logs:/logs</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redis</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Redis</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">command</span><span class="pi">:</span> <span class="s">redis-server --appendonly yes</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redis-data:/data</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">redis-cli"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">ping"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># PostgreSQL</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:15-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">POSTGRES_DB=${DB_NAME}</span> <span class="pi">-</span> <span class="s">POSTGRES_USER=${DB_USER}</span> <span class="pi">-</span> <span class="s">POSTGRES_PASSWORD=${DB_PASSWORD}</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres-data:/var/lib/postgresql/data</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">${DB_USER}"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">3</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">postgres-data</span><span class="pi">:</span> <span class="na">redis-data</span><span class="pi">:</span> </code></pre> </div> <p><strong>Key concepts in this compose file:</strong></p> <p><strong>1. Networks:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">networks</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="c1"># Public-facing services</span> <span class="na">backend</span><span class="pi">:</span> <span class="c1"># Internal services only</span> </code></pre> </div> <ul> <li>Frontend, APIs → <code>web</code> network (accessible via Traefik)</li> <li>Database, Redis → <code>backend</code> network only (isolated)</li> <li>This provides network-level security</li> </ul> <p><strong>2. Traefik Labels:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.rule=Host(`${DOMAIN}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/auth`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.tls.certresolver=letsencrypt"</span> </code></pre> </div> <p>These labels tell Traefik how to route traffic:</p> <ul> <li>Route requests to <code>yourdomain.com/api/auth</code> → auth service</li> <li>Automatically get SSL certificate from Let's Encrypt</li> <li>Handle HTTPS termination</li> </ul> <p><strong>3. Environment Variables:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DB_HOST=postgres</span> <span class="pi">-</span> <span class="s">JWT_SECRET=${JWT_SECRET}</span> </code></pre> </div> <p>Secrets come from <code>.env</code> file (never committed to git!).</p> <h4> Environment Configuration </h4> <p>Create <code>.env</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Domain configuration</span> <span class="nv">DOMAIN</span><span class="o">=</span>your-domain.com <span class="nv">ACME_EMAIL</span><span class="o">=</span>your-email@example.com <span class="c"># Database</span> <span class="nv">DB_NAME</span><span class="o">=</span>todoapp <span class="nv">DB_USER</span><span class="o">=</span>todouser <span class="nv">DB_PASSWORD</span><span class="o">=</span>change-this-strong-password <span class="c"># Security</span> <span class="nv">JWT_SECRET</span><span class="o">=</span>change-this-to-random-string-min-32-chars <span class="c"># Optional: Docker registry</span> <span class="nv">DOCKER_REGISTRY</span><span class="o">=</span>ghcr.io/yourusername </code></pre> </div> <p><strong>Security checklist for .env:</strong></p> <ul> <li>[ ] Never commit .env to git</li> <li>[ ] Add .env to .gitignore</li> <li>[ ] Use strong passwords (20+ characters)</li> <li>[ ] Use different passwords for each service</li> <li>[ ] Rotate secrets regularly</li> </ul> <h3> Phase 2: Infrastructure as Code with Terraform </h3> <p>Now let's provision the cloud infrastructure automatically.</p> <h4> Project Structure </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infra/ ├── terraform/ │ ├── main.tf # Main configuration │ ├── variables.tf # Input variables │ ├── outputs.tf # Output values │ ├── provider.tf # Provider configuration │ └── backend.tf # Remote state configuration ├── ansible/ │ ├── inventory/ # Dynamic inventory │ ├── roles/ │ │ ├── dependencies/ # Install Docker, etc. │ │ └── deploy/ # Deploy application │ ├── playbook.yml # Main playbook │ └── ansible.cfg # Ansible configuration └── scripts/ ├── deploy.sh # Deployment orchestration └── drift-check.sh # Drift detection </code></pre> </div> <h4> Terraform Configuration </h4> <p><strong>provider.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Provider configuration</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="nx">local</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/local"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.0"</span> <span class="p">}</span> <span class="kc">null</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/null"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_region</span> <span class="nx">default_tags</span> <span class="p">{</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"todo-app"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>backend.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Remote state storage - crucial for team collaboration</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"your-terraform-state-bucket"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"todo-app/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"terraform-state-lock"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why remote state?</strong></p> <ul> <li>Team collaboration - everyone sees same state</li> <li>State locking - prevents concurrent modifications</li> <li>Backup - state is backed up in S3</li> <li>Encryption - sensitive data encrypted at rest</li> </ul> <p><strong>variables.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS region to deploy resources"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EC2 instance type"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_public_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SSH public key for access"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"domain_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Domain name for the application"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"alert_email"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Email for drift detection alerts"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"app_port"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Application port"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> </code></pre> </div> <p><strong>main.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># VPC for network isolation</span> <span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-vpc"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Internet Gateway</span> <span class="nx">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-igw"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Public Subnet</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.1.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"${var.aws_region}a"</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-public-subnet"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Route Table</span> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-public-rt"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Route Table Association</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1"># Security Group</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"todo-app-sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for TODO application"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># SSH</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SSH access"</span> <span class="p">}</span> <span class="c1"># HTTP</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"HTTP access"</span> <span class="p">}</span> <span class="c1"># HTTPS</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"HTTPS access"</span> <span class="p">}</span> <span class="c1"># Outbound - allow all</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow all outbound"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-sg"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># SSH Key Pair</span> <span class="nx">resource</span> <span class="s2">"aws_key_pair"</span> <span class="s2">"deployer"</span> <span class="p">{</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">"todo-app-deployer"</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> <span class="c1"># Latest Ubuntu AMI</span> <span class="nx">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"ubuntu"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"099720109477"</span><span class="p">]</span> <span class="c1"># Canonical</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"virtualization-type"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"hvm"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># EC2 Instance</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">ubuntu</span><span class="p">.</span><span class="nx">id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">deployer</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">root_block_device</span> <span class="p">{</span> <span class="nx">volume_size</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">volume_type</span> <span class="p">=</span> <span class="s2">"gp3"</span> <span class="nx">encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash apt-get update apt-get install -y python3 python3-pip </span><span class="no"> EOF </span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-server"</span> <span class="p">}</span> <span class="c1"># Lifecycle rule for idempotency</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">user_data</span><span class="p">,</span> <span class="c1"># Don't recreate if user_data changes</span> <span class="nx">ami</span><span class="p">,</span> <span class="c1"># Don't recreate on AMI updates unless forced</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Elastic IP for stable public IP</span> <span class="nx">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">instance</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"vpc"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-eip"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Generate Ansible inventory</span> <span class="nx">resource</span> <span class="s2">"local_file"</span> <span class="s2">"ansible_inventory"</span> <span class="p">{</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span><span class="s2">"${path.module}/templates/inventory.tpl"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">app_server_ip</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">ssh_key_path</span> <span class="p">=</span> <span class="s2">"~/.ssh/id_rsa"</span> <span class="nx">ssh_user</span> <span class="p">=</span> <span class="s2">"ubuntu"</span> <span class="p">})</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"${path.module}/../ansible/inventory/hosts"</span> <span class="c1"># Only regenerate if values change</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Trigger Ansible after provisioning</span> <span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"ansible_provisioner"</span> <span class="p">{</span> <span class="c1"># Run when instance changes</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_id</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">timestamp</span> <span class="p">=</span> <span class="nx">timestamp</span><span class="p">()</span> <span class="p">}</span> <span class="c1"># Wait for instance to be ready</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> echo "Waiting for SSH to be ready..." until ssh -o StrictHostKeyChecking=no -o ConnectTimeout=2 ubuntu@${aws_eip.app.public_ip} echo "SSH Ready"; do sleep 5 done echo "Running Ansible playbook..." cd ${path.module}/../ansible ansible-playbook -i inventory/hosts playbook.yml </span><span class="no"> EOT </span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">local_file</span><span class="p">.</span><span class="nx">ansible_inventory</span><span class="p">,</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">app</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>templates/inventory.tpl:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[app_servers]</span> <span class="err">todo-app</span> <span class="py">ansible_host</span><span class="p">=</span><span class="s">${app_server_ip} ansible_user=${ssh_user} ansible_ssh_private_key_file=${ssh_key_path}</span> <span class="nn">[app_servers:vars]</span> <span class="py">ansible_python_interpreter</span><span class="p">=</span><span class="s">/usr/bin/python3</span> </code></pre> </div> <p><strong>outputs.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"instance_public_ip"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Public IP of the application server"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"instance_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ID of the EC2 instance"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"domain_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Domain name for the application"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ssh_command"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SSH command to connect to the server"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"ssh ubuntu@${aws_eip.app.public_ip}"</span> <span class="p">}</span> </code></pre> </div> <h4> Understanding Terraform Idempotency </h4> <p><strong>What is idempotency?</strong><br> Running the same Terraform code multiple times produces the same result without creating duplicates.</p> <p><strong>Example - Non-idempotent (bad):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-12345"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="c1"># This causes recreation on every apply!</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Timestamp</span> <span class="p">=</span> <span class="nx">timestamp</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Idempotent (good):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-12345"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-server"</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">tags</span><span class="p">[</span><span class="s2">"Timestamp"</span><span class="p">],</span> <span class="nx">user_data</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Drift Detection </h4> <p><strong>What is drift?</strong><br> Drift occurs when actual infrastructure differs from Terraform state (manual changes, external tools, etc.).</p> <p><strong>drift-check.sh:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"Checking for infrastructure drift..."</span> <span class="c"># Run terraform plan and capture output</span> <span class="nv">PLAN_OUTPUT</span><span class="o">=</span><span class="si">$(</span>terraform plan <span class="nt">-detailed-exitcode</span> <span class="nt">-no-color</span> 2&gt;&amp;1<span class="si">)</span> <span class="o">||</span> <span class="nv">EXIT_CODE</span><span class="o">=</span><span class="nv">$?</span> <span class="c"># Exit codes:</span> <span class="c"># 0 = no changes</span> <span class="c"># 1 = error</span> <span class="c"># 2 = changes detected (drift!)</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$EXIT_CODE</span> <span class="nt">-eq</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"✅ No drift detected - infrastructure matches desired state"</span> <span class="nb">exit </span>0 <span class="k">elif</span> <span class="o">[</span> <span class="nv">$EXIT_CODE</span> <span class="nt">-eq</span> 2 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"⚠️ DRIFT DETECTED - infrastructure has changed!"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$PLAN_OUTPUT</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="c"># Send email alert</span> ./send-drift-alert.sh <span class="s2">"</span><span class="nv">$PLAN_OUTPUT</span><span class="s2">"</span> <span class="c"># In CI/CD, pause for manual approval</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$CI</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"true"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Pausing for manual approval..."</span> <span class="c"># GitHub Actions, GitLab CI, etc. have approval mechanisms</span> <span class="nb">exit </span>2 <span class="k">fi else </span><span class="nb">echo</span> <span class="s2">"❌ Error running terraform plan"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$PLAN_OUTPUT</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> </code></pre> </div> <p><strong>send-drift-alert.sh:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">DRIFT_DETAILS</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">ALERT_EMAIL</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">ALERT_EMAIL</span><span class="k">:-</span><span class="nv">admin</span><span class="p">@example.com</span><span class="k">}</span><span class="s2">"</span> <span class="c"># Using AWS SES</span> aws ses send-email <span class="se">\</span> <span class="nt">--from</span> <span class="s2">"terraform@example.com"</span> <span class="se">\</span> <span class="nt">--to</span> <span class="s2">"</span><span class="nv">$ALERT_EMAIL</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--subject</span> <span class="s2">"⚠️ Terraform Drift Detected"</span> <span class="se">\</span> <span class="nt">--text</span> <span class="s2">"</span><span class="nv">$DRIFT_DETAILS</span><span class="s2">"</span> <span class="c"># Or using curl with Mailgun, SendGrid, etc.</span> curl <span class="nt">-s</span> <span class="nt">--user</span> <span class="s2">"api:</span><span class="nv">$MAILGUN_API_KEY</span><span class="s2">"</span> <span class="se">\</span> https://api.mailgun.net/v3/<span class="nv">$MAILGUN_DOMAIN</span>/messages <span class="se">\</span> <span class="nt">-F</span> <span class="nv">from</span><span class="o">=</span><span class="s2">"terraform@example.com"</span> <span class="se">\</span> <span class="nt">-F</span> <span class="nv">to</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ALERT_EMAIL</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-F</span> <span class="nv">subject</span><span class="o">=</span><span class="s2">"⚠️ Terraform Drift Detected"</span> <span class="se">\</span> <span class="nt">-F</span> <span class="nv">text</span><span class="o">=</span><span class="s2">"</span><span class="nv">$DRIFT_DETAILS</span><span class="s2">"</span> </code></pre> </div> <h3> Phase 3: Configuration Management with Ansible </h3> <p>Terraform provisions infrastructure, Ansible configures it.</p> <h4> Ansible Project Structure </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ansible/ ├── inventory/ │ └── hosts # Generated by Terraform ├── roles/ │ ├── dependencies/ │ │ ├── tasks/ │ │ │ └── main.yml │ │ └── handlers/ │ │ └── main.yml │ └── deploy/ │ ├── tasks/ │ │ └── main.yml │ ├── templates/ │ │ └── .env.j2 │ └── handlers/ │ └── main.yml ├── playbook.yml └── ansible.cfg </code></pre> </div> <h4> ansible.cfg </h4> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[defaults]</span> <span class="py">inventory</span> <span class="p">=</span> <span class="s">inventory/hosts</span> <span class="py">remote_user</span> <span class="p">=</span> <span class="s">ubuntu</span> <span class="py">private_key_file</span> <span class="p">=</span> <span class="s">~/.ssh/id_rsa</span> <span class="py">host_key_checking</span> <span class="p">=</span> <span class="s">False</span> <span class="py">retry_files_enabled</span> <span class="p">=</span> <span class="s">False</span> <span class="c"># Faster execution </span><span class="py">gathering</span> <span class="p">=</span> <span class="s">smart</span> <span class="py">fact_caching</span> <span class="p">=</span> <span class="s">jsonfile</span> <span class="py">fact_caching_connection</span> <span class="p">=</span> <span class="s">/tmp/ansible_facts</span> <span class="py">fact_caching_timeout</span> <span class="p">=</span> <span class="s">3600</span> <span class="c"># Better output </span><span class="py">stdout_callback</span> <span class="p">=</span> <span class="s">yaml</span> <span class="py">bin_ansible_callbacks</span> <span class="p">=</span> <span class="s">True</span> <span class="nn">[ssh_connection]</span> <span class="py">pipelining</span> <span class="p">=</span> <span class="s">True</span> </code></pre> </div> <h4> roles/dependencies/tasks/main.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Install required system dependencies</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update apt cache</span> <span class="na">apt</span><span class="pi">:</span> <span class="na">update_cache</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">cache_valid_time</span><span class="pi">:</span> <span class="m">3600</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install required packages</span> <span class="na">apt</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt-transport-https</span> <span class="pi">-</span> <span class="s">ca-certificates</span> <span class="pi">-</span> <span class="s">curl</span> <span class="pi">-</span> <span class="s">gnupg</span> <span class="pi">-</span> <span class="s">lsb-release</span> <span class="pi">-</span> <span class="s">python3-pip</span> <span class="pi">-</span> <span class="s">git</span> <span class="pi">-</span> <span class="s">ufw</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add Docker GPG key</span> <span class="na">apt_key</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://download.docker.com/linux/ubuntu/gpg</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add Docker repository</span> <span class="na">apt_repository</span><span class="pi">:</span> <span class="na">repo</span><span class="pi">:</span> <span class="s2">"</span><span class="s">deb</span><span class="nv"> </span><span class="s">[arch=amd64]</span><span class="nv"> </span><span class="s">https://download.docker.com/linux/ubuntu</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">ansible_distribution_release</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">stable"</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Docker</span> <span class="na">apt</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker-ce</span> <span class="pi">-</span> <span class="s">docker-ce-cli</span> <span class="pi">-</span> <span class="s">containerd.io</span> <span class="pi">-</span> <span class="s">docker-buildx-plugin</span> <span class="pi">-</span> <span class="s">docker-compose-plugin</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">notify</span><span class="pi">:</span> <span class="s">Restart Docker</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add user to docker group</span> <span class="na">user</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">ansible_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">groups</span><span class="pi">:</span> <span class="s">docker</span> <span class="na">append</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Docker Compose (standalone)</span> <span class="na">get_url</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/docker/compose/releases/download/v2.23.0/docker-compose-linux-x86_64"</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/usr/local/bin/docker-compose</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0755'</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure UFW firewall</span> <span class="na">ufw</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.rule</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">port</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.port</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">proto</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.proto</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">loop</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">{</span> <span class="nv">rule</span><span class="pi">:</span> <span class="s1">'</span><span class="s">allow'</span><span class="pi">,</span> <span class="nv">port</span><span class="pi">:</span> <span class="s1">'</span><span class="s">22'</span><span class="pi">,</span> <span class="nv">proto</span><span class="pi">:</span> <span class="s1">'</span><span class="s">tcp'</span> <span class="pi">}</span> <span class="pi">-</span> <span class="pi">{</span> <span class="nv">rule</span><span class="pi">:</span> <span class="s1">'</span><span class="s">allow'</span><span class="pi">,</span> <span class="nv">port</span><span class="pi">:</span> <span class="s1">'</span><span class="s">80'</span><span class="pi">,</span> <span class="nv">proto</span><span class="pi">:</span> <span class="s1">'</span><span class="s">tcp'</span> <span class="pi">}</span> <span class="pi">-</span> <span class="pi">{</span> <span class="nv">rule</span><span class="pi">:</span> <span class="s1">'</span><span class="s">allow'</span><span class="pi">,</span> <span class="nv">port</span><span class="pi">:</span> <span class="s1">'</span><span class="s">443'</span><span class="pi">,</span> <span class="nv">proto</span><span class="pi">:</span> <span class="s1">'</span><span class="s">tcp'</span> <span class="pi">}</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Enable UFW</span> <span class="na">ufw</span><span class="pi">:</span> <span class="na">state</span><span class="pi">:</span> <span class="s">enabled</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> </code></pre> </div> <h4> roles/dependencies/handlers/main.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Restart Docker</span> <span class="na">systemd</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">docker</span> <span class="na">state</span><span class="pi">:</span> <span class="s">restarted</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> </code></pre> </div> <h4> roles/deploy/tasks/main.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Deploy the application</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create application directory</span> <span class="na">file</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/opt/todo-app</span> <span class="na">state</span><span class="pi">:</span> <span class="s">directory</span> <span class="na">owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">ansible_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">group</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">ansible_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0755'</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Clone application repository</span> <span class="na">git</span><span class="pi">:</span> <span class="na">repo</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_repo_url</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/opt/todo-app</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_branch</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">default('main')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">force</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">register</span><span class="pi">:</span> <span class="s">git_clone</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create environment file from template</span> <span class="na">template</span><span class="pi">:</span> <span class="na">src</span><span class="pi">:</span> <span class="s">.env.j2</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/opt/todo-app/.env</span> <span class="na">owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">ansible_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0600'</span> <span class="na">no_log</span><span class="pi">:</span> <span class="s">yes</span> <span class="c1"># Don't log sensitive env vars</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create letsencrypt directory</span> <span class="na">file</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/opt/todo-app/letsencrypt</span> <span class="na">state</span><span class="pi">:</span> <span class="s">directory</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0755'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Pull latest Docker images</span> <span class="na">community.docker.docker_compose</span><span class="pi">:</span> <span class="na">project_src</span><span class="pi">:</span> <span class="s">/opt/todo-app</span> <span class="na">pull</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">when</span><span class="pi">:</span> <span class="s">git_clone.changed</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Start application with Docker Compose</span> <span class="na">community.docker.docker_compose</span><span class="pi">:</span> <span class="na">project_src</span><span class="pi">:</span> <span class="s">/opt/todo-app</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">restarted</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">git_clone.changed</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">register</span><span class="pi">:</span> <span class="s">compose_output</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Wait for application to be healthy</span> <span class="na">uri</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://{{</span><span class="nv"> </span><span class="s">domain_name</span><span class="nv"> </span><span class="s">}}/health"</span> <span class="na">status_code</span><span class="pi">:</span> <span class="m">200</span> <span class="na">validate_certs</span><span class="pi">:</span> <span class="s">no</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">10</span> <span class="na">delay</span><span class="pi">:</span> <span class="m">10</span> <span class="na">register</span><span class="pi">:</span> <span class="s">health_check</span> <span class="na">until</span><span class="pi">:</span> <span class="s">health_check.status == </span><span class="m">200</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Display deployment status</span> <span class="na">debug</span><span class="pi">:</span> <span class="na">msg</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Application</span><span class="nv"> </span><span class="s">deployed</span><span class="nv"> </span><span class="s">successfully</span><span class="nv"> </span><span class="s">at</span><span class="nv"> </span><span class="s">https://{{</span><span class="nv"> </span><span class="s">domain_name</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <h4> roles/deploy/templates/.env.j2 </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Auto-generated by Ansible - DO NOT EDIT MANUALLY # Domain configuration DOMAIN={{ domain_name }} ACME_EMAIL={{ acme_email }} # Database DB_NAME={{ db_name }} DB_USER={{ db_user }} DB_PASSWORD={{ db_password }} # Security JWT_SECRET={{ jwt_secret }} # Application NODE_ENV=production LOG_LEVEL=info </code></pre> </div> <h4> playbook.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy TODO Application</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">app_servers</span> <span class="na">become</span><span class="pi">:</span> <span class="s">no</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">app_repo_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/yourusername/todo-app.git"</span> <span class="na">app_branch</span><span class="pi">:</span> <span class="s2">"</span><span class="s">main"</span> <span class="na">domain_name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'DOMAIN')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">acme_email</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'ACME_EMAIL')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">db_name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'DB_NAME')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">db_user</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'DB_USER')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">db_password</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'DB_PASSWORD')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">jwt_secret</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'JWT_SECRET')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">dependencies</span> <span class="pi">-</span> <span class="s">deploy</span> <span class="na">post_tasks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify deployment</span> <span class="na">uri</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://{{</span><span class="nv"> </span><span class="s">domain_name</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">status_code</span><span class="pi">:</span> <span class="m">200</span> <span class="na">validate_certs</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">delegate_to</span><span class="pi">:</span> <span class="s">localhost</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Display application URL</span> <span class="na">debug</span><span class="pi">:</span> <span class="na">msg</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Application</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">live</span><span class="nv"> </span><span class="s">at</span><span class="nv"> </span><span class="s">https://{{</span><span class="nv"> </span><span class="s">domain_name</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <h3> Phase 4: CI/CD Pipeline </h3> <p>Now let's automate everything with GitHub Actions.</p> <h4> .github/workflows/infrastructure.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Infrastructure Deployment</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">infra/terraform/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">infra/ansible/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">.github/workflows/infrastructure.yml'</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="c1"># Manual trigger</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TF_VERSION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1.6.0'</span> <span class="na">AWS_REGION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">us-east-1'</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform-plan</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan &amp; Drift Detection</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">has_changes</span><span class="pi">:</span> <span class="s">${{ steps.plan.outputs.has_changes }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">${{ env.TF_VERSION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/terraform</span> <span class="s">terraform init</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan</span> <span class="na">id</span><span class="pi">:</span> <span class="s">plan</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/terraform</span> <span class="s">terraform plan -detailed-exitcode -out=tfplan || EXIT_CODE=$?</span> <span class="s">if [ $EXIT_CODE -eq 0 ]; then</span> <span class="s">echo "has_changes=false" &gt;&gt; $GITHUB_OUTPUT</span> <span class="s">echo "✅ No infrastructure changes detected"</span> <span class="s">elif [ $EXIT_CODE -eq 2 ]; then</span> <span class="s">echo "has_changes=true" &gt;&gt; $GITHUB_OUTPUT</span> <span class="s">echo "⚠️ Infrastructure drift detected!"</span> <span class="s">else</span> <span class="s">echo "❌ Terraform plan failed"</span> <span class="s">exit 1</span> <span class="s">fi</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Save plan</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.plan.outputs.has_changes == 'true'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tfplan</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infra/terraform/tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Send drift alert email</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.plan.outputs.has_changes == 'true'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dawidd6/action-send-mail@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">server_address</span><span class="pi">:</span> <span class="s">smtp.gmail.com</span> <span class="na">server_port</span><span class="pi">:</span> <span class="m">465</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ secrets.MAIL_USERNAME }}</span> <span class="na">password</span><span class="pi">:</span> <span class="s">${{ secrets.MAIL_PASSWORD }}</span> <span class="na">subject</span><span class="pi">:</span> <span class="s">⚠️ Terraform Drift Detected - TODO App</span> <span class="na">to</span><span class="pi">:</span> <span class="s">${{ secrets.ALERT_EMAIL }}</span> <span class="na">from</span><span class="pi">:</span> <span class="s">Terraform CI/CD</span> <span class="na">body</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">Infrastructure drift has been detected!</span> <span class="s">Review the changes and approve the workflow to apply:</span> <span class="s">${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}</span> <span class="na">terraform-apply</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">terraform-plan</span> <span class="na">if</span><span class="pi">:</span> <span class="s">needs.terraform-plan.outputs.has_changes == 'true'</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="c1"># Requires manual approval</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">${{ env.TF_VERSION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Download plan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/download-artifact@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tfplan</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infra/terraform/</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/terraform</span> <span class="s">terraform init</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/terraform</span> <span class="s">terraform apply tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Save outputs</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/terraform</span> <span class="s">terraform output -json &gt; outputs.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload outputs</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">terraform-outputs</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infra/terraform/outputs.json</span> <span class="na">ansible-deploy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ansible Deployment</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">terraform-apply</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always() &amp;&amp; (needs.terraform-apply.result == 'success' || needs.terraform-plan.outputs.has_changes == 'false')</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Python</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.11'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Ansible</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pip install ansible</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup SSH key</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">mkdir -p ~/.ssh</span> <span class="s">echo "${{ secrets.SSH_PRIVATE_KEY }}" &gt; ~/.ssh/id_rsa</span> <span class="s">chmod 600 ~/.ssh/id_rsa</span> <span class="s">ssh-keyscan -H ${{ secrets.SERVER_IP }} &gt;&gt; ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Ansible playbook</span> <span class="na">env</span><span class="pi">:</span> <span class="na">DOMAIN</span><span class="pi">:</span> <span class="s">${{ secrets.DOMAIN }}</span> <span class="na">ACME_EMAIL</span><span class="pi">:</span> <span class="s">${{ secrets.ACME_EMAIL }}</span> <span class="na">DB_NAME</span><span class="pi">:</span> <span class="s">${{ secrets.DB_NAME }}</span> <span class="na">DB_USER</span><span class="pi">:</span> <span class="s">${{ secrets.DB_USER }}</span> <span class="na">DB_PASSWORD</span><span class="pi">:</span> <span class="s">${{ secrets.DB_PASSWORD }}</span> <span class="na">JWT_SECRET</span><span class="pi">:</span> <span class="s">${{ secrets.JWT_SECRET }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/ansible</span> <span class="s">ansible-playbook -i inventory/hosts playbook.yml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify deployment</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sleep 30 # Wait for services to stabilize</span> <span class="s">curl -f https://${{ secrets.DOMAIN }}/health || exit 1</span> <span class="s">echo "✅ Deployment verified!"</span> </code></pre> </div> <h4> .github/workflows/application.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Application Deployment</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">frontend/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">auth-api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">todos-api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">users-api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">log-processor/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">docker-compose.yml'</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Application</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup SSH key</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">mkdir -p ~/.ssh</span> <span class="s">echo "${{ secrets.SSH_PRIVATE_KEY }}" &gt; ~/.ssh/id_rsa</span> <span class="s">chmod 600 ~/.ssh/id_rsa</span> <span class="s">ssh-keyscan -H ${{ secrets.SERVER_IP }} &gt;&gt; ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to server</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">ssh ubuntu@${{ secrets.SERVER_IP }} &lt;&lt; 'EOF'</span> <span class="s">cd /opt/todo-app</span> <span class="s">git pull origin main</span> <span class="s">docker-compose pull</span> <span class="s">docker-compose up -d --build</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Wait for deployment</span> <span class="na">run</span><span class="pi">:</span> <span class="s">sleep </span><span class="m">30</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Health check</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">curl -f https://${{ secrets.DOMAIN }}/health || exit 1</span> <span class="s">echo "✅ Application deployed successfully!"</span> </code></pre> </div> <h3> Understanding the CI/CD Flow </h3> <p><strong>Infrastructure changes (Terraform/Ansible):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Push to main ↓ 2. Run terraform plan ↓ 3. Detect drift? → Send email ↓ 4. Pause for manual approval (GitHub Environment protection) ↓ 5. Apply changes ↓ 6. Run Ansible ↓ 7. Verify deployment </code></pre> </div> <p><strong>Application changes:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Push to main ↓ 2. SSH to server ↓ 3. Git pull ↓ 4. docker-compose pull ↓ 5. docker-compose up ↓ 6. Health check </code></pre> </div> <h3> Testing the Complete Setup </h3> <h4> Local Testing </h4> <p><strong>1. Test containers locally:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start everything</span> docker-compose up <span class="nt">-d</span> <span class="c"># Check status</span> docker-compose ps <span class="c"># View logs</span> docker-compose logs <span class="nt">-f</span> <span class="c"># Test frontend</span> curl http://localhost <span class="c"># Test APIs</span> curl http://localhost/api/auth/health curl http://localhost/api/todos/health curl http://localhost/api/users/health <span class="c"># Stop everything</span> docker-compose down </code></pre> </div> <p><strong>2. Test Terraform:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/terraform <span class="c"># Initialize</span> terraform init <span class="c"># Validate</span> terraform validate <span class="c"># Plan (dry run)</span> terraform plan <span class="c"># Apply (create infrastructure)</span> terraform apply <span class="c"># Show outputs</span> terraform output <span class="c"># Destroy (cleanup)</span> terraform destroy </code></pre> </div> <p><strong>3. Test Ansible:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/ansible <span class="c"># Test connection</span> ansible all <span class="nt">-m</span> ping <span class="c"># Check syntax</span> ansible-playbook playbook.yml <span class="nt">--syntax-check</span> <span class="c"># Dry run</span> ansible-playbook playbook.yml <span class="nt">--check</span> <span class="c"># Run for real</span> ansible-playbook playbook.yml <span class="c"># Run specific role</span> ansible-playbook playbook.yml <span class="nt">--tags</span> deploy </code></pre> </div> <h4> Production Deployment </h4> <p><strong>Complete deployment from scratch:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Clone the repository</span> git clone https://github.com/yourusername/todo-app.git <span class="nb">cd </span>todo-app <span class="c"># 2. Configure secrets</span> <span class="nb">cp</span> .env.example .env <span class="c"># Edit .env with your values</span> <span class="c"># 3. Initialize Terraform</span> <span class="nb">cd </span>infra/terraform terraform init <span class="c"># 4. Create infrastructure</span> terraform plan terraform apply <span class="c"># Wait for Ansible to complete (triggered automatically)</span> <span class="c"># 5. Configure DNS</span> <span class="c"># Point your domain to the Elastic IP shown in terraform outputs</span> <span class="c"># 6. Verify deployment</span> curl https://your-domain.com </code></pre> </div> <p><strong>Expected result:</strong></p> <ul> <li>Login page loads at <a href="https://your-domain.com" rel="noopener noreferrer">https://your-domain.com</a> </li> <li>HTTPS works (automatic certificate from Let's Encrypt)</li> <li>APIs respond at /api/auth, /api/todos, /api/users</li> </ul> <h3> Troubleshooting </h3> <h4> Issue: Terraform fails with "state locked" </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check lock info</span> terraform force-unlock &lt;LOCK_ID&gt; <span class="c"># Or wait for other operation to complete</span> </code></pre> </div> <h4> Issue: Ansible can't connect to server </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test SSH manually</span> ssh <span class="nt">-i</span> ~/.ssh/id_rsa ubuntu@&lt;SERVER_IP&gt; <span class="c"># Check inventory</span> ansible-inventory <span class="nt">--list</span> <span class="nt">-i</span> inventory/hosts <span class="c"># Verbose output</span> ansible-playbook playbook.yml <span class="nt">-vvv</span> </code></pre> </div> <h4> Issue: Containers won't start </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check logs</span> docker-compose logs &lt;service-name&gt; <span class="c"># Check disk space</span> <span class="nb">df</span> <span class="nt">-h</span> <span class="c"># Check memory</span> free <span class="nt">-h</span> <span class="c"># Restart specific service</span> docker-compose restart &lt;service-name&gt; </code></pre> </div> <h4> Issue: HTTPS not working </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check Traefik logs</span> docker logs traefik <span class="c"># Verify DNS points to server</span> dig your-domain.com <span class="c"># Check certificate</span> docker <span class="nb">exec </span>traefik <span class="nb">cat</span> /letsencrypt/acme.json <span class="c"># Force certificate renewal</span> docker-compose down <span class="nb">rm</span> <span class="nt">-rf</span> letsencrypt/acme.json docker-compose up <span class="nt">-d</span> </code></pre> </div> microservices devops docker terraform Blue/Green Deployment with Nginx Auto-Failover Sherifdeen Adebayo Tue, 09 Dec 2025 21:16:01 +0000 https://dev.to/0xsherifdev/bluegreen-deployment-with-nginx-auto-failover-2abo https://dev.to/0xsherifdev/bluegreen-deployment-with-nginx-auto-failover-2abo <h3> What is Blue/Green Deployment? </h3> <p>Imagine you're running a restaurant. You have two identical kitchens: Kitchen Blue (currently serving customers) and Kitchen Green (on standby). When you want to update the menu or equipment, you:</p> <ol> <li>Update Kitchen Green while Kitchen Blue serves customers</li> <li>Test Kitchen Green thoroughly</li> <li>Switch all orders to Kitchen Green</li> <li>Now Kitchen Blue is on standby for the next update</li> </ol> <p>That's exactly how blue/green deployment works in software! You maintain two identical production environments and can switch between them instantly.</p> <h3> Why Use This Approach? </h3> <p><strong>Traditional deployment problems:</strong></p> <ul> <li>Downtime during updates (users see "Site under maintenance")</li> <li>No easy rollback if something breaks</li> <li>Risk of breaking production with untested changes</li> </ul> <p><strong>Blue/Green deployment benefits:</strong></p> <ul> <li>Zero downtime - users never notice the switch</li> <li>Instant rollback - just switch back if issues arise</li> <li>Safe testing - new version runs in production environment before switch</li> </ul> <h3> Project Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ┌─────────────┐ │ Nginx │ │ :8080 │ └──────┬──────┘ │ ┌──────────────────────┴──────────────────────┐ │ │ ┌─────────▼──────────┐ ┌─────────▼──────────┐ │ Blue (Primary) │ │ Green (Backup) │ │ :8081 │ │ :8082 │ └────────────────────┘ └────────────────────┘ </code></pre> </div> <p><strong>How it works:</strong></p> <ol> <li> <strong>Nginx</strong> sits at port 8080 (your main entry point)</li> <li> <strong>Blue service</strong> at port 8081 (currently handling all traffic)</li> <li> <strong>Green service</strong> at port 8082 (backup, ready to take over)</li> <li>When Blue fails, Nginx automatically routes traffic to Green</li> <li>No requests are dropped during the transition</li> </ol> <h3> Setting Up the Project </h3> <h4> Step 1: Project Structure </h4> <p>Create your project directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>blue-green-deployment <span class="nb">cd </span>blue-green-deployment </code></pre> </div> <p>Your final structure will look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>blue-green-deployment/ ├── docker-compose.yml # Orchestrates all services ├── nginx.conf.template # Nginx configuration ├── entrypoint.sh # Nginx startup script ├── env.example # Environment variables template ├── .env # Your actual environment variables ├── Makefile # Convenient commands ├── test-failover.sh # Automated testing script ├── README.md # Documentation ├── DECISION.md # Technical decisions └── PART_B_RESEARCH.md # Infrastructure research </code></pre> </div> <h4> Step 2: Docker Compose Configuration </h4> <p>The <code>docker-compose.yml</code> file is the heart of this setup. Let's break it down:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="c1"># Nginx acts as the load balancer with automatic failover</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">nginx-lb</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8080:80"</span> <span class="c1"># Main entry point for users</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./nginx.conf.template:/etc/nginx/nginx.conf:ro</span> <span class="pi">-</span> <span class="s">./entrypoint.sh:/entrypoint.sh:ro</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ACTIVE_POOL=${ACTIVE_POOL:-blue}</span> <span class="c1"># Which pool is primary?</span> <span class="pi">-</span> <span class="s">BLUE_UPSTREAM=app_blue:${PORT:-3000}</span> <span class="pi">-</span> <span class="s">GREEN_UPSTREAM=app_green:${PORT:-3000}</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app_blue</span> <span class="pi">-</span> <span class="s">app_green</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/entrypoint.sh"</span><span class="pi">]</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Blue pool - primary by default</span> <span class="na">app_blue</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">${BLUE_IMAGE}</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">app_blue</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8081:${PORT:-3000}"</span> <span class="c1"># Direct access for testing</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">APP_POOL=blue</span> <span class="pi">-</span> <span class="s">RELEASE_ID=${RELEASE_ID_BLUE:-v1.0.0-blue}</span> <span class="pi">-</span> <span class="s">PORT=${PORT:-3000}</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">wget"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--quiet"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--tries=1"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--spider"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http://localhost:${PORT:-3000}/healthz"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># Green pool - backup by default</span> <span class="na">app_green</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">${GREEN_IMAGE}</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">app_green</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8082:${PORT:-3000}"</span> <span class="c1"># Direct access for testing</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">APP_POOL=green</span> <span class="pi">-</span> <span class="s">RELEASE_ID=${RELEASE_ID_GREEN:-v1.0.0-green}</span> <span class="pi">-</span> <span class="s">PORT=${PORT:-3000}</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">wget"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--quiet"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--tries=1"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--spider"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http://localhost:${PORT:-3000}/healthz"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">3</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">app-network</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> </code></pre> </div> <p><strong>Key points to understand:</strong></p> <ol> <li> <p><strong>Port Strategy:</strong></p> <ul> <li>Port 8080: Public-facing Nginx (users hit this)</li> <li>Port 8081: Direct access to Blue (for chaos testing)</li> <li>Port 8082: Direct access to Green (for chaos testing)</li> </ul> </li> <li> <p><strong>Health Checks:</strong></p> <ul> <li>Every 5 seconds, Docker checks if the service is healthy</li> <li>Uses the <code>/healthz</code> endpoint</li> <li>After 3 failed attempts (3s timeout each), marks as unhealthy</li> </ul> </li> <li> <p><strong>Environment Variables:</strong></p> <ul> <li> <code>ACTIVE_POOL</code>: Which service gets traffic first (blue/green)</li> <li> <code>RELEASE_ID</code>: Tracks which version is running</li> <li> <code>PORT</code>: Application port (default: 3000)</li> </ul> </li> </ol> <h4> Step 3: Nginx Configuration Magic </h4> <p>The <code>nginx.conf.template</code> is where the failover magic happens:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">events</span> <span class="p">{</span> <span class="kn">worker_connections</span> <span class="mi">1024</span><span class="p">;</span> <span class="p">}</span> <span class="k">http</span> <span class="p">{</span> <span class="c1"># Logging to help debug issues</span> <span class="kn">access_log</span> <span class="n">/var/log/nginx/access.log</span><span class="p">;</span> <span class="kn">error_log</span> <span class="n">/var/log/nginx/error.log</span> <span class="s">warn</span><span class="p">;</span> <span class="c1"># Combined upstream with failover logic</span> <span class="kn">upstream</span> <span class="s">app_backend</span> <span class="p">{</span> <span class="c1"># Active pool (primary)</span> <span class="kn">server</span> $<span class="p">{</span><span class="kn">ACTIVE_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span><span class="p">;</span> <span class="c1"># Backup pool - only used if primary fails</span> <span class="kn">server</span> $<span class="p">{</span><span class="kn">BACKUP_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span> <span class="s">backup</span><span class="p">;</span> <span class="p">}</span> <span class="kn">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">localhost</span><span class="p">;</span> <span class="c1"># Aggressive timeouts for quick failover detection</span> <span class="kn">proxy_connect_timeout</span> <span class="s">2s</span><span class="p">;</span> <span class="kn">proxy_send_timeout</span> <span class="s">3s</span><span class="p">;</span> <span class="kn">proxy_read_timeout</span> <span class="s">3s</span><span class="p">;</span> <span class="c1"># Retry logic - crucial for zero-downtime failover</span> <span class="kn">proxy_next_upstream</span> <span class="s">error</span> <span class="s">timeout</span> <span class="s">http_500</span> <span class="s">http_502</span> <span class="s">http_503</span> <span class="s">http_504</span><span class="p">;</span> <span class="kn">proxy_next_upstream_tries</span> <span class="mi">2</span><span class="p">;</span> <span class="kn">proxy_next_upstream_timeout</span> <span class="s">10s</span><span class="p">;</span> <span class="c1"># Don't buffer - we want real-time responses</span> <span class="kn">proxy_buffering</span> <span class="no">off</span><span class="p">;</span> <span class="c1"># Forward original client info</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="nv">$scheme</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://app_backend</span><span class="p">;</span> <span class="kn">proxy_pass_request_headers</span> <span class="no">on</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Let's decode this configuration:</strong></p> <p><strong>1. Upstream Block:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">upstream</span> <span class="s">app_backend</span> <span class="p">{</span> <span class="kn">server</span> $<span class="p">{</span><span class="kn">ACTIVE_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span><span class="p">;</span> <span class="kn">server</span> $<span class="p">{</span><span class="kn">BACKUP_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span> <span class="s">backup</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <code>max_fails=2</code>: After 2 failed requests, mark server as down</li> <li> <code>fail_timeout=5s</code>: Server is down for 5 seconds before retry</li> <li> <code>backup</code>: This server only receives traffic when primary fails</li> </ul> <p><strong>2. Timeout Settings:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">proxy_connect_timeout</span> <span class="s">2s</span><span class="p">;</span> <span class="c1"># Can't connect? Fail fast</span> <span class="k">proxy_read_timeout</span> <span class="s">3s</span><span class="p">;</span> <span class="c1"># No response? Move to backup</span> </code></pre> </div> <p>These are aggressive timeouts for quick failure detection. In production, you might increase these based on your app's response times.</p> <p><strong>3. Retry Logic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">proxy_next_upstream</span> <span class="s">error</span> <span class="s">timeout</span> <span class="s">http_500</span> <span class="s">http_502</span> <span class="s">http_503</span> <span class="s">http_504</span><span class="p">;</span> <span class="k">proxy_next_upstream_tries</span> <span class="mi">2</span><span class="p">;</span> </code></pre> </div> <p>This tells Nginx: "If you get an error, timeout, or 5xx status code, try the next server (backup) automatically."</p> <h4> Step 4: The Entrypoint Script </h4> <p>Nginx doesn't support environment variables natively in its config. We use <code>envsubst</code> to template it at runtime:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/sh</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># Figure out which upstream is active and which is backup</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$ACTIVE_POOL</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"blue"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">ACTIVE_UPSTREAM</span><span class="o">=</span><span class="s2">"</span><span class="nv">$BLUE_UPSTREAM</span><span class="s2">"</span> <span class="nv">BACKUP_UPSTREAM</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GREEN_UPSTREAM</span><span class="s2">"</span> <span class="k">else </span><span class="nv">ACTIVE_UPSTREAM</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GREEN_UPSTREAM</span><span class="s2">"</span> <span class="nv">BACKUP_UPSTREAM</span><span class="o">=</span><span class="s2">"</span><span class="nv">$BLUE_UPSTREAM</span><span class="s2">"</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"==&gt; Setting up Nginx with active pool: </span><span class="nv">$ACTIVE_POOL</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Active upstream: </span><span class="nv">$ACTIVE_UPSTREAM</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Backup upstream: </span><span class="nv">$BACKUP_UPSTREAM</span><span class="s2">"</span> <span class="c"># Use envsubst to replace variables in the template</span> <span class="nb">export </span>ACTIVE_UPSTREAM <span class="nb">export </span>BACKUP_UPSTREAM envsubst <span class="s1">'${ACTIVE_UPSTREAM} ${BACKUP_UPSTREAM}'</span> <span class="se">\</span> &lt; /etc/nginx/nginx.conf <span class="o">&gt;</span> /tmp/nginx.conf <span class="c"># Test the config before starting (ALWAYS do this!)</span> nginx <span class="nt">-t</span> <span class="nt">-c</span> /tmp/nginx.conf <span class="c"># Start nginx in foreground</span> <span class="nb">echo</span> <span class="s2">"==&gt; Starting Nginx..."</span> <span class="nb">exec </span>nginx <span class="nt">-g</span> <span class="s1">'daemon off;'</span> <span class="nt">-c</span> /tmp/nginx.conf </code></pre> </div> <p><strong>What this script does:</strong></p> <ol> <li>Reads the <code>ACTIVE_POOL</code> environment variable</li> <li>Sets up which upstream is active vs backup</li> <li>Replaces placeholders in nginx.conf</li> <li>Tests the configuration (prevents broken configs from starting)</li> <li>Starts Nginx with the processed config</li> </ol> <h4> Step 5: Environment Configuration </h4> <p>Create your <code>.env</code> file from the example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>env.example .env </code></pre> </div> <p>The <code>.env</code> file contents:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Docker images for blue and green pools</span> <span class="nv">BLUE_IMAGE</span><span class="o">=</span>your-registry/your-app:blue <span class="nv">GREEN_IMAGE</span><span class="o">=</span>your-registry/your-app:green <span class="c"># Which pool should be active? (blue or green)</span> <span class="nv">ACTIVE_POOL</span><span class="o">=</span>blue <span class="c"># Release identifiers - show up in X-Release-Id header</span> <span class="nv">RELEASE_ID_BLUE</span><span class="o">=</span>v1.0.0-blue-20250129 <span class="nv">RELEASE_ID_GREEN</span><span class="o">=</span>v1.0.0-green-20250129 <span class="c"># Application port</span> <span class="nv">PORT</span><span class="o">=</span>3000 </code></pre> </div> <p><strong>Pro tip:</strong> In a real deployment, <code>BLUE_IMAGE</code> and <code>GREEN_IMAGE</code> might point to different versions of your app:</p> <ul> <li>Blue: <code>myapp:v1.2.3</code> </li> <li>Green: <code>myapp:v1.2.4</code> (new version being tested)</li> </ul> <h4> Step 6: Makefile for Convenience </h4> <p>The <code>Makefile</code> provides friendly commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">help up down restart logs test clean</span> <span class="nl">help</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Show available commands</span> <span class="p">@</span><span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'^[a-zA-Z_-]+:.*?## .*$$'</span> <span class="p">$(</span>MAKEFILE_LIST<span class="p">)</span> | <span class="se">\</span> <span class="nb">awk</span> <span class="s1">'BEGIN {FS = ":.*?## "}; {printf " %-15s %s\n", $$1, $$2}'</span> <span class="nl">up</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Start all services</span> <span class="p">@</span><span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> .env <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="se">\</span> <span class="nb">echo</span> <span class="s2">"Creating .env from env.example..."</span><span class="p">;</span> <span class="se">\</span> <span class="nb">cp </span>env.example .env<span class="p">;</span> <span class="se">\</span> <span class="k">fi</span> docker-compose up <span class="nt">-d</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Services started!"</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Nginx: http://localhost:8080"</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Blue: http://localhost:8081"</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Green: http://localhost:8082"</span> <span class="nl">down</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Stop all services</span> docker-compose down <span class="nl">test</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Run failover test</span> ./test-failover.sh <span class="nl">blue</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Switch to blue as active</span> <span class="p">@</span><span class="nb">sed</span> <span class="nt">-i</span>.bak <span class="s1">'s/ACTIVE_POOL=.*/ACTIVE_POOL=blue/'</span> .env <span class="p">@$(</span>MAKE<span class="p">)</span> restart <span class="nl">green</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Switch to green as active</span> <span class="p">@</span><span class="nb">sed</span> <span class="nt">-i</span>.bak <span class="s1">'s/ACTIVE_POOL=.*/ACTIVE_POOL=green/'</span> .env <span class="p">@$(</span>MAKE<span class="p">)</span> restart </code></pre> </div> <p><strong>Usage:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>make <span class="nb">help</span> <span class="c"># See all commands</span> make up <span class="c"># Start everything</span> make <span class="nb">test</span> <span class="c"># Run failover tests</span> make green <span class="c"># Switch to green pool</span> </code></pre> </div> <h3> Running the Project </h3> <h4> Start the Stack </h4> <p><strong>Option 1: Using Make (recommended)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>make up </code></pre> </div> <p><strong>Option 2: Manual</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>env.example .env docker-compose up <span class="nt">-d</span> </code></pre> </div> <h4> Verify It's Working </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check service status</span> docker-compose ps <span class="c"># Hit the main endpoint</span> curl <span class="nt">-i</span> http://localhost:8080/version </code></pre> </div> <p>You should see headers like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP/1.1 200 OK X-App-Pool: blue X-Release-Id: v1.0.0-blue-20250129 </code></pre> </div> <h3> Testing the Failover </h3> <p>This is where it gets exciting! Let's break the blue service and watch Nginx automatically switch to green.</p> <h4> Automated Test Script </h4> <p>The <code>test-failover.sh</code> script automates the entire test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🔵 Blue/Green Failover Test"</span> <span class="nb">echo</span> <span class="s2">"============================"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="c"># Step 1: Baseline check</span> <span class="nb">echo</span> <span class="s2">"📊 Step 1: Checking baseline (should be blue)..."</span> <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..3<span class="o">}</span><span class="p">;</span> <span class="k">do </span><span class="nv">response</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-i</span> http://localhost:8080/version<span class="si">)</span> <span class="nv">pool</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$response</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"X-App-Pool:"</span> | <span class="nb">cut</span> <span class="nt">-d</span>: <span class="nt">-f2</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">' \r'</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">" Request </span><span class="nv">$i</span><span class="s2">: Pool=</span><span class="nv">$pool</span><span class="s2">"</span> <span class="k">done</span> <span class="c"># Step 2: Trigger chaos on blue</span> <span class="nb">echo</span> <span class="s2">"💥 Step 2: Triggering chaos on blue..."</span> curl <span class="nt">-s</span> <span class="nt">-X</span> POST <span class="s2">"http://localhost:8081/chaos/start?mode=error"</span> <span class="nb">sleep </span>1 <span class="c"># Step 3: Test failover</span> <span class="nb">echo</span> <span class="s2">"🔄 Step 3: Testing failover (should switch to green)..."</span> <span class="nv">success_count</span><span class="o">=</span>0 <span class="nv">green_count</span><span class="o">=</span>0 <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..10<span class="o">}</span><span class="p">;</span> <span class="k">do </span><span class="nv">http_code</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> http://localhost:8080/version<span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$http_code</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"200"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">success_count</span><span class="o">=</span><span class="k">$((</span>success_count <span class="o">+</span> <span class="m">1</span><span class="k">))</span> <span class="nv">response</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-i</span> http://localhost:8080/version<span class="si">)</span> <span class="nv">pool</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$response</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"X-App-Pool:"</span> | <span class="nb">cut</span> <span class="nt">-d</span>: <span class="nt">-f2</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">' \r'</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$pool</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"green"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">green_count</span><span class="o">=</span><span class="k">$((</span>green_count <span class="o">+</span> <span class="m">1</span><span class="k">))</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">" Request </span><span class="nv">$i</span><span class="s2">: HTTP </span><span class="nv">$http_code</span><span class="s2">, Pool=</span><span class="nv">$pool</span><span class="s2"> ✓"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" Request </span><span class="nv">$i</span><span class="s2">: HTTP </span><span class="nv">$http_code</span><span class="s2"> ✗ FAILED"</span> <span class="k">fi </span><span class="nb">sleep </span>0.5 <span class="k">done</span> <span class="c"># Step 4: Stop chaos</span> <span class="nb">echo</span> <span class="s2">"🛑 Step 4: Stopping chaos..."</span> curl <span class="nt">-s</span> <span class="nt">-X</span> POST <span class="s2">"http://localhost:8081/chaos/stop"</span> <span class="c"># Results</span> <span class="nb">echo</span> <span class="s2">"📈 Results:"</span> <span class="nb">echo</span> <span class="s2">" ├─ Total requests: 10"</span> <span class="nb">echo</span> <span class="s2">" ├─ Successful (200): </span><span class="nv">$success_count</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" └─ Routed to green: </span><span class="nv">$green_count</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$success_count</span> <span class="nt">-eq</span> 10 <span class="o">]</span> <span class="o">&amp;&amp;</span> <span class="o">[</span> <span class="nv">$green_count</span> <span class="nt">-ge</span> 9 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"✅ Test PASSED - Failover working correctly!"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"❌ Test FAILED - Check the logs"</span> <span class="k">fi</span> </code></pre> </div> <p><strong>Run the test:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x test-failover.sh ./test-failover.sh </code></pre> </div> <p><strong>Expected output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🔵 Blue/Green Failover Test ============================ 📊 Step 1: Checking baseline (should be blue)... Request 1: Pool=blue Request 2: Pool=blue Request 3: Pool=blue 💥 Step 2: Triggering chaos on blue... Chaos initiated: {"status":"chaos_started","mode":"error"} 🔄 Step 3: Testing failover (should switch to green)... Request 1: HTTP 200, Pool=green ✓ Request 2: HTTP 200, Pool=green ✓ Request 3: HTTP 200, Pool=green ✓ ... Request 10: HTTP 200, Pool=green ✓ 📈 Results: ├─ Total requests: 10 ├─ Successful (200): 10 └─ Routed to green: 10 ✅ Test PASSED - Failover working correctly! </code></pre> </div> <p><strong>What just happened?</strong></p> <ol> <li>All requests initially went to blue</li> <li>We triggered chaos mode (blue starts returning 500 errors)</li> <li>Nginx detected blue was failing</li> <li> <strong>Zero requests failed</strong> - Nginx automatically retried on green</li> <li>All subsequent requests went to green</li> </ol> <h3> Manual Testing (Understanding Each Step) </h3> <p>Let's do it manually to understand what's happening:</p> <p><strong>1. Check baseline:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..5<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> http://localhost:8080/version | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"pool|release"</span> <span class="k">done</span> </code></pre> </div> <p>All responses show <code>"pool": "blue"</code>.</p> <p><strong>2. Break blue service:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Trigger chaos mode - makes blue return 500 errors</span> curl <span class="nt">-X</span> POST <span class="s2">"http://localhost:8081/chaos/start?mode=error"</span> </code></pre> </div> <p><strong>3. Watch the magic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Keep hitting the endpoint</span> <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..10<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="nt">-w</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">Status: %{http_code}</span><span class="se">\n</span><span class="s2">"</span> http://localhost:8080/version | <span class="se">\</span> <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"pool|release|Status"</span> <span class="nb">sleep </span>1 <span class="k">done</span> </code></pre> </div> <p><strong>You'll see:</strong></p> <ul> <li>All requests still return 200 (no failures!)</li> <li>Pool changes from "blue" to "green"</li> <li>Headers now show <code>"pool": "green"</code> </li> </ul> <p><strong>4. Fix blue:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="s2">"http://localhost:8081/chaos/stop"</span> </code></pre> </div> <p>After a few seconds, traffic goes back to blue (it's the primary).</p> <h3> Key Concepts Explained </h3> <h4> Why Aggressive Timeouts? </h4> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">proxy_connect_timeout</span> <span class="s">2s</span><span class="p">;</span> <span class="k">proxy_read_timeout</span> <span class="s">3s</span><span class="p">;</span> </code></pre> </div> <p><strong>Scenario:</strong> Your blue service starts hanging (taking 10+ seconds to respond).</p> <p><strong>With loose timeouts (10s):</strong></p> <ul> <li>User makes request → Nginx waits 10s on blue → Fails → Retries on green</li> <li>User waited 10+ seconds (bad experience)</li> </ul> <p><strong>With tight timeouts (2-3s):</strong></p> <ul> <li>User makes request → Nginx waits 2s on blue → Fails fast → Retries on green</li> <li>User gets response in ~2-3 seconds (much better!)</li> </ul> <p><strong>Trade-off:</strong> If your app legitimately takes 5 seconds to respond, 3s timeouts will cause false failures. Tune based on your app's performance.</p> <h4> The Backup Directive </h4> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> $<span class="p">{</span><span class="kn">ACTIVE_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span><span class="p">;</span> <span class="kn">server</span> $<span class="p">{</span><span class="kn">BACKUP_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span> <span class="s">backup</span><span class="p">;</span> </code></pre> </div> <p>The <code>backup</code> keyword is crucial:</p> <ul> <li> <strong>Without it:</strong> Nginx load-balances 50/50 between blue and green</li> <li> <strong>With it:</strong> Nginx sends all traffic to blue, green only gets traffic when blue is down</li> </ul> <p>This is what makes it true blue/green deployment (not load balancing).</p> <h4> Health Checks vs Failover </h4> <p><strong>Docker health checks:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">wget"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--quiet"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--tries=1"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--spider"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http://localhost:3000/healthz"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> </code></pre> </div> <p><strong>Nginx failover:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">max_fails=2</span> <span class="s">fail_timeout=5s</span> </code></pre> </div> <p>These serve different purposes:</p> <ul> <li> <strong>Docker health checks:</strong> Tell Docker orchestration layer if container is healthy</li> <li> <strong>Nginx failover:</strong> Actual traffic routing decisions</li> </ul> <p>Both are important, but Nginx failover is what keeps users happy during failures.</p> <h3> Production Considerations </h3> <h4> What Would Change in Production? </h4> <p><strong>1. Timeouts would be tuned:</strong></p> <ul> <li>Measure your app's real response times</li> <li>Set timeouts slightly above p95 latency</li> <li>Balance fast failover vs false positives</li> </ul> <p><strong>2. Monitoring &amp; Alerting:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># Add Prometheus metrics</span> <span class="k">location</span> <span class="n">/metrics</span> <span class="p">{</span> <span class="kn">stub_status</span> <span class="no">on</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>3. Structured Logging:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">log_format</span> <span class="s">json</span> <span class="s">escape=json</span> <span class="s">'</span><span class="p">{</span><span class="kn">'</span> <span class="s">'"time":"</span><span class="nv">$time_iso8601</span><span class="s">",'</span> <span class="s">'"remote_addr":"</span><span class="nv">$remote_addr</span><span class="s">",'</span> <span class="s">'"request":"</span><span class="nv">$request</span><span class="s">",'</span> <span class="s">'"status":</span><span class="nv">$status</span><span class="s">,'</span> <span class="s">'"upstream":"</span><span class="nv">$upstream_addr</span><span class="s">"'</span> <span class="s">'</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="kn">access_log</span> <span class="n">/var/log/nginx/access.log</span> <span class="s">json</span><span class="p">;</span> </code></pre> </div> <p><strong>4. SSL/TLS:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span> <span class="s">http2</span><span class="p">;</span> <span class="kn">ssl_certificate</span> <span class="n">/etc/ssl/certs/cert.pem</span><span class="p">;</span> <span class="kn">ssl_certificate_key</span> <span class="n">/etc/ssl/private/key.pem</span><span class="p">;</span> <span class="c1"># ... rest of config</span> <span class="p">}</span> </code></pre> </div> <p><strong>5. Rate Limiting:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">limit_req_zone</span> <span class="nv">$binary_remote_addr</span> <span class="s">zone=api:10m</span> <span class="s">rate=10r/s</span><span class="p">;</span> <span class="k">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">limit_req</span> <span class="s">zone=api</span> <span class="s">burst=20</span> <span class="s">nodelay</span><span class="p">;</span> <span class="kn">proxy_pass</span> <span class="s">http://app_backend</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Troubleshooting Guide </h3> <h4> Problem: All requests failing </h4> <p><strong>Check if containers are running:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose ps </code></pre> </div> <p><strong>Expected output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME STATE PORTS nginx-lb Up 0.0.0.0:8080-&gt;80/tcp app_blue Up 0.0.0.0:8081-&gt;3000/tcp app_green Up 0.0.0.0:8082-&gt;3000/tcp </code></pre> </div> <p><strong>If containers are down:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose logs </code></pre> </div> <h4> Problem: Not seeing failover </h4> <p><strong>Check Nginx logs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker logs nginx-lb <span class="c"># Or live tail:</span> docker logs <span class="nt">-f</span> nginx-lb </code></pre> </div> <p><strong>Look for:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[error] ... upstream timed out ... while connecting to upstream [warn] ... marking server app_blue:3000 as down </code></pre> </div> <h4> Problem: Services won't start </h4> <p><strong>Check if ports are already in use:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>lsof <span class="nt">-i</span> :8080 lsof <span class="nt">-i</span> :8081 lsof <span class="nt">-i</span> :8082 </code></pre> </div> <p><strong>If something is using these ports:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Kill the process</span> <span class="nb">kill</span> <span class="nt">-9</span> &lt;PID&gt; <span class="c"># Or change ports in docker-compose.yml</span> ports: - <span class="s2">"9080:80"</span> <span class="c"># Use 9080 instead of 8080</span> </code></pre> </div> <h4> Problem: Changes to .env not taking effect </h4> <p><strong>You need to recreate containers:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose down docker-compose up <span class="nt">-d</span> </code></pre> </div> <p>Just restarting isn't enough - environment variables are set at container creation time.</p> <h3> Real-World Use Cases </h3> <h4> Scenario 1: Deploying a New Version </h4> <p><strong>Without blue/green:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Take site down</span> docker-compose down <span class="c"># Update to new version</span> docker-compose up <span class="nt">-d</span> <span class="c"># Hope nothing broke (users see downtime)</span> </code></pre> </div> <p><strong>With blue/green:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update green to new version while blue serves traffic</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'s/GREEN_IMAGE=.*/GREEN_IMAGE=myapp:v2.0.0/'</span> .env <span class="c"># Start green with new version</span> docker-compose up <span class="nt">-d</span> app_green <span class="c"># Test green directly</span> curl http://localhost:8082/version <span class="c"># Switch traffic to green (instant, zero downtime)</span> make green <span class="c"># If something's wrong, instant rollback</span> make blue </code></pre> </div> <h4> Scenario 2: Database Migration </h4> <p><strong>Challenge:</strong> New version needs schema changes.</p> <p><strong>Approach:</strong></p> <ol> <li>Make schema changes backward-compatible</li> <li>Deploy new version to green (with migration)</li> <li>Test thoroughly</li> <li>Switch traffic</li> <li>Keep blue running for quick rollback</li> <li>After validation, update blue too</li> </ol> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update green with new code + migrations</span> <span class="nv">GREEN_IMAGE</span><span class="o">=</span>myapp:v2.0.0 docker-compose up <span class="nt">-d</span> app_green <span class="c"># Run migrations on green</span> docker <span class="nb">exec </span>app_green npm run migrate <span class="c"># Test green</span> curl http://localhost:8082/test-endpoint <span class="c"># Switch traffic</span> make green <span class="c"># Monitor for issues</span> docker logs <span class="nt">-f</span> app_green <span class="c"># If problems occur, instant rollback</span> make blue </code></pre> </div> architecture cicd devops From Zero to DevOps Hero: A Complete Guide to Blue/Green Deployments and Microservices Automation Sherifdeen Adebayo Tue, 09 Dec 2025 11:05:29 +0000 https://dev.to/0xsherifdev/from-zero-to-devops-hero-a-complete-guide-to-bluegreen-deployments-and-microservices-automation-3phf https://dev.to/0xsherifdev/from-zero-to-devops-hero-a-complete-guide-to-bluegreen-deployments-and-microservices-automation-3phf <p>A comprehensive walkthrough of two production-ready DevOps projects, perfect for beginners looking to level up their deployment game.</p> <h2> Table of Contents </h2> <ol> <li>Introduction</li> <li>Project 1: Blue/Green Deployment with Nginx Auto-Failover</li> <li>Project 2: Containerized Microservices with Full Automation</li> <li>Key Takeaways</li> <li>Next Steps</li> </ol> <h2> Introduction </h2> <p>Ever wonder how major tech companies achieve zero-downtime deployments? How do they update their applications without users noticing? In this guide, we'll walk through two real-world DevOps projects that answer these questions.</p> <p><strong>What You'll Learn:</strong></p> <ul> <li>Blue/Green deployment strategies for zero-downtime releases</li> <li>Nginx configuration for automatic failover</li> <li>Docker containerization for multiple programming languages</li> <li>Infrastructure as Code with Terraform</li> <li>Configuration management with Ansible</li> <li>CI/CD pipeline design with drift detection</li> <li>Production-ready security practices</li> </ul> <p><strong>Prerequisites:</strong></p> <ul> <li>Basic understanding of Docker and Docker Compose</li> <li>Familiarity with command-line operations</li> <li>A code editor (VS Code, Vim, etc.)</li> <li>Git installed on your machine</li> <li>Access to a cloud provider (AWS, DigitalOcean, Hetzner, etc.) for Project 2</li> </ul> <p><strong>Time Investment:</strong></p> <ul> <li>Project 1: 2-3 hours</li> <li>Project 2: 8-12 hours</li> </ul> <p>Let's dive in!</p> <h2> Project 1: Blue/Green Deployment with Nginx Auto-Failover </h2> <h3> What is Blue/Green Deployment? </h3> <p>Imagine you're running a restaurant. You have two identical kitchens: Kitchen Blue (currently serving customers) and Kitchen Green (on standby). When you want to update the menu or equipment, you:</p> <ol> <li>Update Kitchen Green while Kitchen Blue serves customers</li> <li>Test Kitchen Green thoroughly</li> <li>Switch all orders to Kitchen Green</li> <li>Now Kitchen Blue is on standby for the next update</li> </ol> <p>That's exactly how blue/green deployment works in software! You maintain two identical production environments and can switch between them instantly.</p> <h3> Why Use This Approach? </h3> <p><strong>Traditional deployment problems:</strong></p> <ul> <li>Downtime during updates (users see "Site under maintenance")</li> <li>No easy rollback if something breaks</li> <li>Risk of breaking production with untested changes</li> </ul> <p><strong>Blue/Green deployment benefits:</strong></p> <ul> <li>Zero downtime - users never notice the switch</li> <li>Instant rollback - just switch back if issues arise</li> <li>Safe testing - new version runs in production environment before switch</li> </ul> <h3> Project Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ┌─────────────┐ │ Nginx │ │ :8080 │ └──────┬──────┘ │ ┌──────────────────────┴──────────────────────┐ │ │ ┌─────────▼──────────┐ ┌─────────▼──────────┐ │ Blue (Primary) │ │ Green (Backup) │ │ :8081 │ │ :8082 │ └────────────────────┘ └────────────────────┘ </code></pre> </div> <p><strong>How it works:</strong></p> <ol> <li> <strong>Nginx</strong> sits at port 8080 (your main entry point)</li> <li> <strong>Blue service</strong> at port 8081 (currently handling all traffic)</li> <li> <strong>Green service</strong> at port 8082 (backup, ready to take over)</li> <li>When Blue fails, Nginx automatically routes traffic to Green</li> <li>No requests are dropped during the transition</li> </ol> <h3> Setting Up the Project </h3> <h4> Step 1: Project Structure </h4> <p>Create your project directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>blue-green-deployment <span class="nb">cd </span>blue-green-deployment </code></pre> </div> <p>Your final structure will look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>blue-green-deployment/ ├── docker-compose.yml # Orchestrates all services ├── nginx.conf.template # Nginx configuration ├── entrypoint.sh # Nginx startup script ├── env.example # Environment variables template ├── .env # Your actual environment variables ├── Makefile # Convenient commands ├── test-failover.sh # Automated testing script ├── README.md # Documentation ├── DECISION.md # Technical decisions └── PART_B_RESEARCH.md # Infrastructure research </code></pre> </div> <h4> Step 2: Docker Compose Configuration </h4> <p>The <code>docker-compose.yml</code> file is the heart of this setup. Let's break it down:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="c1"># Nginx acts as the load balancer with automatic failover</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">nginx-lb</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8080:80"</span> <span class="c1"># Main entry point for users</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./nginx.conf.template:/etc/nginx/nginx.conf:ro</span> <span class="pi">-</span> <span class="s">./entrypoint.sh:/entrypoint.sh:ro</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ACTIVE_POOL=${ACTIVE_POOL:-blue}</span> <span class="c1"># Which pool is primary?</span> <span class="pi">-</span> <span class="s">BLUE_UPSTREAM=app_blue:${PORT:-3000}</span> <span class="pi">-</span> <span class="s">GREEN_UPSTREAM=app_green:${PORT:-3000}</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app_blue</span> <span class="pi">-</span> <span class="s">app_green</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">/entrypoint.sh"</span><span class="pi">]</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Blue pool - primary by default</span> <span class="na">app_blue</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">${BLUE_IMAGE}</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">app_blue</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8081:${PORT:-3000}"</span> <span class="c1"># Direct access for testing</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">APP_POOL=blue</span> <span class="pi">-</span> <span class="s">RELEASE_ID=${RELEASE_ID_BLUE:-v1.0.0-blue}</span> <span class="pi">-</span> <span class="s">PORT=${PORT:-3000}</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">wget"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--quiet"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--tries=1"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--spider"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http://localhost:${PORT:-3000}/healthz"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># Green pool - backup by default</span> <span class="na">app_green</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">${GREEN_IMAGE}</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">app_green</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8082:${PORT:-3000}"</span> <span class="c1"># Direct access for testing</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">APP_POOL=green</span> <span class="pi">-</span> <span class="s">RELEASE_ID=${RELEASE_ID_GREEN:-v1.0.0-green}</span> <span class="pi">-</span> <span class="s">PORT=${PORT:-3000}</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app-network</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">wget"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--quiet"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--tries=1"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--spider"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http://localhost:${PORT:-3000}/healthz"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">3</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">app-network</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> </code></pre> </div> <p><strong>Key points to understand:</strong></p> <ol> <li> <p><strong>Port Strategy:</strong></p> <ul> <li>Port 8080: Public-facing Nginx (users hit this)</li> <li>Port 8081: Direct access to Blue (for chaos testing)</li> <li>Port 8082: Direct access to Green (for chaos testing)</li> </ul> </li> <li> <p><strong>Health Checks:</strong></p> <ul> <li>Every 5 seconds, Docker checks if the service is healthy</li> <li>Uses the <code>/healthz</code> endpoint</li> <li>After 3 failed attempts (3s timeout each), marks as unhealthy</li> </ul> </li> <li> <p><strong>Environment Variables:</strong></p> <ul> <li> <code>ACTIVE_POOL</code>: Which service gets traffic first (blue/green)</li> <li> <code>RELEASE_ID</code>: Tracks which version is running</li> <li> <code>PORT</code>: Application port (default: 3000)</li> </ul> </li> </ol> <h4> Step 3: Nginx Configuration Magic </h4> <p>The <code>nginx.conf.template</code> is where the failover magic happens:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">events</span> <span class="p">{</span> <span class="kn">worker_connections</span> <span class="mi">1024</span><span class="p">;</span> <span class="p">}</span> <span class="k">http</span> <span class="p">{</span> <span class="c1"># Logging to help debug issues</span> <span class="kn">access_log</span> <span class="n">/var/log/nginx/access.log</span><span class="p">;</span> <span class="kn">error_log</span> <span class="n">/var/log/nginx/error.log</span> <span class="s">warn</span><span class="p">;</span> <span class="c1"># Combined upstream with failover logic</span> <span class="kn">upstream</span> <span class="s">app_backend</span> <span class="p">{</span> <span class="c1"># Active pool (primary)</span> <span class="kn">server</span> $<span class="p">{</span><span class="kn">ACTIVE_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span><span class="p">;</span> <span class="c1"># Backup pool - only used if primary fails</span> <span class="kn">server</span> $<span class="p">{</span><span class="kn">BACKUP_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span> <span class="s">backup</span><span class="p">;</span> <span class="p">}</span> <span class="kn">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">localhost</span><span class="p">;</span> <span class="c1"># Aggressive timeouts for quick failover detection</span> <span class="kn">proxy_connect_timeout</span> <span class="s">2s</span><span class="p">;</span> <span class="kn">proxy_send_timeout</span> <span class="s">3s</span><span class="p">;</span> <span class="kn">proxy_read_timeout</span> <span class="s">3s</span><span class="p">;</span> <span class="c1"># Retry logic - crucial for zero-downtime failover</span> <span class="kn">proxy_next_upstream</span> <span class="s">error</span> <span class="s">timeout</span> <span class="s">http_500</span> <span class="s">http_502</span> <span class="s">http_503</span> <span class="s">http_504</span><span class="p">;</span> <span class="kn">proxy_next_upstream_tries</span> <span class="mi">2</span><span class="p">;</span> <span class="kn">proxy_next_upstream_timeout</span> <span class="s">10s</span><span class="p">;</span> <span class="c1"># Don't buffer - we want real-time responses</span> <span class="kn">proxy_buffering</span> <span class="no">off</span><span class="p">;</span> <span class="c1"># Forward original client info</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="nv">$scheme</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://app_backend</span><span class="p">;</span> <span class="kn">proxy_pass_request_headers</span> <span class="no">on</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Let's decode this configuration:</strong></p> <p><strong>1. Upstream Block:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">upstream</span> <span class="s">app_backend</span> <span class="p">{</span> <span class="kn">server</span> $<span class="p">{</span><span class="kn">ACTIVE_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span><span class="p">;</span> <span class="kn">server</span> $<span class="p">{</span><span class="kn">BACKUP_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span> <span class="s">backup</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <code>max_fails=2</code>: After 2 failed requests, mark server as down</li> <li> <code>fail_timeout=5s</code>: Server is down for 5 seconds before retry</li> <li> <code>backup</code>: This server only receives traffic when primary fails</li> </ul> <p><strong>2. Timeout Settings:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">proxy_connect_timeout</span> <span class="s">2s</span><span class="p">;</span> <span class="c1"># Can't connect? Fail fast</span> <span class="k">proxy_read_timeout</span> <span class="s">3s</span><span class="p">;</span> <span class="c1"># No response? Move to backup</span> </code></pre> </div> <p>These are aggressive timeouts for quick failure detection. In production, you might increase these based on your app's response times.</p> <p><strong>3. Retry Logic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">proxy_next_upstream</span> <span class="s">error</span> <span class="s">timeout</span> <span class="s">http_500</span> <span class="s">http_502</span> <span class="s">http_503</span> <span class="s">http_504</span><span class="p">;</span> <span class="k">proxy_next_upstream_tries</span> <span class="mi">2</span><span class="p">;</span> </code></pre> </div> <p>This tells Nginx: "If you get an error, timeout, or 5xx status code, try the next server (backup) automatically."</p> <h4> Step 4: The Entrypoint Script </h4> <p>Nginx doesn't support environment variables natively in its config. We use <code>envsubst</code> to template it at runtime:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/sh</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># Figure out which upstream is active and which is backup</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$ACTIVE_POOL</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"blue"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">ACTIVE_UPSTREAM</span><span class="o">=</span><span class="s2">"</span><span class="nv">$BLUE_UPSTREAM</span><span class="s2">"</span> <span class="nv">BACKUP_UPSTREAM</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GREEN_UPSTREAM</span><span class="s2">"</span> <span class="k">else </span><span class="nv">ACTIVE_UPSTREAM</span><span class="o">=</span><span class="s2">"</span><span class="nv">$GREEN_UPSTREAM</span><span class="s2">"</span> <span class="nv">BACKUP_UPSTREAM</span><span class="o">=</span><span class="s2">"</span><span class="nv">$BLUE_UPSTREAM</span><span class="s2">"</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"==&gt; Setting up Nginx with active pool: </span><span class="nv">$ACTIVE_POOL</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Active upstream: </span><span class="nv">$ACTIVE_UPSTREAM</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" Backup upstream: </span><span class="nv">$BACKUP_UPSTREAM</span><span class="s2">"</span> <span class="c"># Use envsubst to replace variables in the template</span> <span class="nb">export </span>ACTIVE_UPSTREAM <span class="nb">export </span>BACKUP_UPSTREAM envsubst <span class="s1">'${ACTIVE_UPSTREAM} ${BACKUP_UPSTREAM}'</span> <span class="se">\</span> &lt; /etc/nginx/nginx.conf <span class="o">&gt;</span> /tmp/nginx.conf <span class="c"># Test the config before starting (ALWAYS do this!)</span> nginx <span class="nt">-t</span> <span class="nt">-c</span> /tmp/nginx.conf <span class="c"># Start nginx in foreground</span> <span class="nb">echo</span> <span class="s2">"==&gt; Starting Nginx..."</span> <span class="nb">exec </span>nginx <span class="nt">-g</span> <span class="s1">'daemon off;'</span> <span class="nt">-c</span> /tmp/nginx.conf </code></pre> </div> <p><strong>What this script does:</strong></p> <ol> <li>Reads the <code>ACTIVE_POOL</code> environment variable</li> <li>Sets up which upstream is active vs backup</li> <li>Replaces placeholders in nginx.conf</li> <li>Tests the configuration (prevents broken configs from starting)</li> <li>Starts Nginx with the processed config</li> </ol> <h4> Step 5: Environment Configuration </h4> <p>Create your <code>.env</code> file from the example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>env.example .env </code></pre> </div> <p>The <code>.env</code> file contents:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Docker images for blue and green pools</span> <span class="nv">BLUE_IMAGE</span><span class="o">=</span>your-registry/your-app:blue <span class="nv">GREEN_IMAGE</span><span class="o">=</span>your-registry/your-app:green <span class="c"># Which pool should be active? (blue or green)</span> <span class="nv">ACTIVE_POOL</span><span class="o">=</span>blue <span class="c"># Release identifiers - show up in X-Release-Id header</span> <span class="nv">RELEASE_ID_BLUE</span><span class="o">=</span>v1.0.0-blue-20250129 <span class="nv">RELEASE_ID_GREEN</span><span class="o">=</span>v1.0.0-green-20250129 <span class="c"># Application port</span> <span class="nv">PORT</span><span class="o">=</span>3000 </code></pre> </div> <p><strong>Pro tip:</strong> In a real deployment, <code>BLUE_IMAGE</code> and <code>GREEN_IMAGE</code> might point to different versions of your app:</p> <ul> <li>Blue: <code>myapp:v1.2.3</code> </li> <li>Green: <code>myapp:v1.2.4</code> (new version being tested)</li> </ul> <h4> Step 6: Makefile for Convenience </h4> <p>The <code>Makefile</code> provides friendly commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight make"><code><span class="nl">.PHONY</span><span class="o">:</span> <span class="nf">help up down restart logs test clean</span> <span class="nl">help</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Show available commands</span> <span class="p">@</span><span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'^[a-zA-Z_-]+:.*?## .*$$'</span> <span class="p">$(</span>MAKEFILE_LIST<span class="p">)</span> | <span class="se">\</span> <span class="nb">awk</span> <span class="s1">'BEGIN {FS = ":.*?## "}; {printf " %-15s %s\n", $$1, $$2}'</span> <span class="nl">up</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Start all services</span> <span class="p">@</span><span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-f</span> .env <span class="o">]</span><span class="p">;</span> <span class="k">then</span> <span class="se">\</span> <span class="nb">echo</span> <span class="s2">"Creating .env from env.example..."</span><span class="p">;</span> <span class="se">\</span> <span class="nb">cp </span>env.example .env<span class="p">;</span> <span class="se">\</span> <span class="k">fi</span> docker-compose up <span class="nt">-d</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Services started!"</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Nginx: http://localhost:8080"</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Blue: http://localhost:8081"</span> <span class="p">@</span><span class="nb">echo</span> <span class="s2">"Green: http://localhost:8082"</span> <span class="nl">down</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Stop all services</span> docker-compose down <span class="nl">test</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Run failover test</span> ./test-failover.sh <span class="nl">blue</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Switch to blue as active</span> <span class="p">@</span><span class="nb">sed</span> <span class="nt">-i</span>.bak <span class="s1">'s/ACTIVE_POOL=.*/ACTIVE_POOL=blue/'</span> .env <span class="p">@$(</span>MAKE<span class="p">)</span> restart <span class="nl">green</span><span class="o">:</span> <span class="c">##</span><span class="nf"> Switch to green as active</span> <span class="p">@</span><span class="nb">sed</span> <span class="nt">-i</span>.bak <span class="s1">'s/ACTIVE_POOL=.*/ACTIVE_POOL=green/'</span> .env <span class="p">@$(</span>MAKE<span class="p">)</span> restart </code></pre> </div> <p><strong>Usage:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>make <span class="nb">help</span> <span class="c"># See all commands</span> make up <span class="c"># Start everything</span> make <span class="nb">test</span> <span class="c"># Run failover tests</span> make green <span class="c"># Switch to green pool</span> </code></pre> </div> <h3> Running the Project </h3> <h4> Start the Stack </h4> <p><strong>Option 1: Using Make (recommended)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>make up </code></pre> </div> <p><strong>Option 2: Manual</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cp </span>env.example .env docker-compose up <span class="nt">-d</span> </code></pre> </div> <h4> Verify It's Working </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check service status</span> docker-compose ps <span class="c"># Hit the main endpoint</span> curl <span class="nt">-i</span> http://localhost:8080/version </code></pre> </div> <p>You should see headers like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HTTP/1.1 200 OK X-App-Pool: blue X-Release-Id: v1.0.0-blue-20250129 </code></pre> </div> <h3> Testing the Failover </h3> <p>This is where it gets exciting! Let's break the blue service and watch Nginx automatically switch to green.</p> <h4> Automated Test Script </h4> <p>The <code>test-failover.sh</code> script automates the entire test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"🔵 Blue/Green Failover Test"</span> <span class="nb">echo</span> <span class="s2">"============================"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="c"># Step 1: Baseline check</span> <span class="nb">echo</span> <span class="s2">"📊 Step 1: Checking baseline (should be blue)..."</span> <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..3<span class="o">}</span><span class="p">;</span> <span class="k">do </span><span class="nv">response</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-i</span> http://localhost:8080/version<span class="si">)</span> <span class="nv">pool</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$response</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"X-App-Pool:"</span> | <span class="nb">cut</span> <span class="nt">-d</span>: <span class="nt">-f2</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">' \r'</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">" Request </span><span class="nv">$i</span><span class="s2">: Pool=</span><span class="nv">$pool</span><span class="s2">"</span> <span class="k">done</span> <span class="c"># Step 2: Trigger chaos on blue</span> <span class="nb">echo</span> <span class="s2">"💥 Step 2: Triggering chaos on blue..."</span> curl <span class="nt">-s</span> <span class="nt">-X</span> POST <span class="s2">"http://localhost:8081/chaos/start?mode=error"</span> <span class="nb">sleep </span>1 <span class="c"># Step 3: Test failover</span> <span class="nb">echo</span> <span class="s2">"🔄 Step 3: Testing failover (should switch to green)..."</span> <span class="nv">success_count</span><span class="o">=</span>0 <span class="nv">green_count</span><span class="o">=</span>0 <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..10<span class="o">}</span><span class="p">;</span> <span class="k">do </span><span class="nv">http_code</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> http://localhost:8080/version<span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$http_code</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"200"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">success_count</span><span class="o">=</span><span class="k">$((</span>success_count <span class="o">+</span> <span class="m">1</span><span class="k">))</span> <span class="nv">response</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-i</span> http://localhost:8080/version<span class="si">)</span> <span class="nv">pool</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$response</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"X-App-Pool:"</span> | <span class="nb">cut</span> <span class="nt">-d</span>: <span class="nt">-f2</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">' \r'</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$pool</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"green"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">green_count</span><span class="o">=</span><span class="k">$((</span>green_count <span class="o">+</span> <span class="m">1</span><span class="k">))</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">" Request </span><span class="nv">$i</span><span class="s2">: HTTP </span><span class="nv">$http_code</span><span class="s2">, Pool=</span><span class="nv">$pool</span><span class="s2"> ✓"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">" Request </span><span class="nv">$i</span><span class="s2">: HTTP </span><span class="nv">$http_code</span><span class="s2"> ✗ FAILED"</span> <span class="k">fi </span><span class="nb">sleep </span>0.5 <span class="k">done</span> <span class="c"># Step 4: Stop chaos</span> <span class="nb">echo</span> <span class="s2">"🛑 Step 4: Stopping chaos..."</span> curl <span class="nt">-s</span> <span class="nt">-X</span> POST <span class="s2">"http://localhost:8081/chaos/stop"</span> <span class="c"># Results</span> <span class="nb">echo</span> <span class="s2">"📈 Results:"</span> <span class="nb">echo</span> <span class="s2">" ├─ Total requests: 10"</span> <span class="nb">echo</span> <span class="s2">" ├─ Successful (200): </span><span class="nv">$success_count</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">" └─ Routed to green: </span><span class="nv">$green_count</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$success_count</span> <span class="nt">-eq</span> 10 <span class="o">]</span> <span class="o">&amp;&amp;</span> <span class="o">[</span> <span class="nv">$green_count</span> <span class="nt">-ge</span> 9 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"✅ Test PASSED - Failover working correctly!"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"❌ Test FAILED - Check the logs"</span> <span class="k">fi</span> </code></pre> </div> <p><strong>Run the test:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x test-failover.sh ./test-failover.sh </code></pre> </div> <p><strong>Expected output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🔵 Blue/Green Failover Test ============================ 📊 Step 1: Checking baseline (should be blue)... Request 1: Pool=blue Request 2: Pool=blue Request 3: Pool=blue 💥 Step 2: Triggering chaos on blue... Chaos initiated: {"status":"chaos_started","mode":"error"} 🔄 Step 3: Testing failover (should switch to green)... Request 1: HTTP 200, Pool=green ✓ Request 2: HTTP 200, Pool=green ✓ Request 3: HTTP 200, Pool=green ✓ ... Request 10: HTTP 200, Pool=green ✓ 📈 Results: ├─ Total requests: 10 ├─ Successful (200): 10 └─ Routed to green: 10 ✅ Test PASSED - Failover working correctly! </code></pre> </div> <p><strong>What just happened?</strong></p> <ol> <li>All requests initially went to blue</li> <li>We triggered chaos mode (blue starts returning 500 errors)</li> <li>Nginx detected blue was failing</li> <li> <strong>Zero requests failed</strong> - Nginx automatically retried on green</li> <li>All subsequent requests went to green</li> </ol> <h3> Manual Testing (Understanding Each Step) </h3> <p>Let's do it manually to understand what's happening:</p> <p><strong>1. Check baseline:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..5<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> http://localhost:8080/version | <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"pool|release"</span> <span class="k">done</span> </code></pre> </div> <p>All responses show <code>"pool": "blue"</code>.</p> <p><strong>2. Break blue service:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Trigger chaos mode - makes blue return 500 errors</span> curl <span class="nt">-X</span> POST <span class="s2">"http://localhost:8081/chaos/start?mode=error"</span> </code></pre> </div> <p><strong>3. Watch the magic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Keep hitting the endpoint</span> <span class="k">for </span>i <span class="k">in</span> <span class="o">{</span>1..10<span class="o">}</span><span class="p">;</span> <span class="k">do </span>curl <span class="nt">-s</span> <span class="nt">-w</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">Status: %{http_code}</span><span class="se">\n</span><span class="s2">"</span> http://localhost:8080/version | <span class="se">\</span> <span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"pool|release|Status"</span> <span class="nb">sleep </span>1 <span class="k">done</span> </code></pre> </div> <p><strong>You'll see:</strong></p> <ul> <li>All requests still return 200 (no failures!)</li> <li>Pool changes from "blue" to "green"</li> <li>Headers now show <code>"pool": "green"</code> </li> </ul> <p><strong>4. Fix blue:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="s2">"http://localhost:8081/chaos/stop"</span> </code></pre> </div> <p>After a few seconds, traffic goes back to blue (it's the primary).</p> <h3> Key Concepts Explained </h3> <h4> Why Aggressive Timeouts? </h4> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">proxy_connect_timeout</span> <span class="s">2s</span><span class="p">;</span> <span class="k">proxy_read_timeout</span> <span class="s">3s</span><span class="p">;</span> </code></pre> </div> <p><strong>Scenario:</strong> Your blue service starts hanging (taking 10+ seconds to respond).</p> <p><strong>With loose timeouts (10s):</strong></p> <ul> <li>User makes request → Nginx waits 10s on blue → Fails → Retries on green</li> <li>User waited 10+ seconds (bad experience)</li> </ul> <p><strong>With tight timeouts (2-3s):</strong></p> <ul> <li>User makes request → Nginx waits 2s on blue → Fails fast → Retries on green</li> <li>User gets response in ~2-3 seconds (much better!)</li> </ul> <p><strong>Trade-off:</strong> If your app legitimately takes 5 seconds to respond, 3s timeouts will cause false failures. Tune based on your app's performance.</p> <h4> The Backup Directive </h4> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> $<span class="p">{</span><span class="kn">ACTIVE_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span><span class="p">;</span> <span class="kn">server</span> $<span class="p">{</span><span class="kn">BACKUP_UPSTREAM</span><span class="err">}</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=5s</span> <span class="s">backup</span><span class="p">;</span> </code></pre> </div> <p>The <code>backup</code> keyword is crucial:</p> <ul> <li> <strong>Without it:</strong> Nginx load-balances 50/50 between blue and green</li> <li> <strong>With it:</strong> Nginx sends all traffic to blue, green only gets traffic when blue is down</li> </ul> <p>This is what makes it true blue/green deployment (not load balancing).</p> <h4> Health Checks vs Failover </h4> <p><strong>Docker health checks:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">wget"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--quiet"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--tries=1"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--spider"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http://localhost:3000/healthz"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> </code></pre> </div> <p><strong>Nginx failover:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">max_fails=2</span> <span class="s">fail_timeout=5s</span> </code></pre> </div> <p>These serve different purposes:</p> <ul> <li> <strong>Docker health checks:</strong> Tell Docker orchestration layer if container is healthy</li> <li> <strong>Nginx failover:</strong> Actual traffic routing decisions</li> </ul> <p>Both are important, but Nginx failover is what keeps users happy during failures.</p> <h3> Production Considerations </h3> <h4> What Would Change in Production? </h4> <p><strong>1. Timeouts would be tuned:</strong></p> <ul> <li>Measure your app's real response times</li> <li>Set timeouts slightly above p95 latency</li> <li>Balance fast failover vs false positives</li> </ul> <p><strong>2. Monitoring &amp; Alerting:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># Add Prometheus metrics</span> <span class="k">location</span> <span class="n">/metrics</span> <span class="p">{</span> <span class="kn">stub_status</span> <span class="no">on</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>3. Structured Logging:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">log_format</span> <span class="s">json</span> <span class="s">escape=json</span> <span class="s">'</span><span class="p">{</span><span class="kn">'</span> <span class="s">'"time":"</span><span class="nv">$time_iso8601</span><span class="s">",'</span> <span class="s">'"remote_addr":"</span><span class="nv">$remote_addr</span><span class="s">",'</span> <span class="s">'"request":"</span><span class="nv">$request</span><span class="s">",'</span> <span class="s">'"status":</span><span class="nv">$status</span><span class="s">,'</span> <span class="s">'"upstream":"</span><span class="nv">$upstream_addr</span><span class="s">"'</span> <span class="s">'</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="kn">access_log</span> <span class="n">/var/log/nginx/access.log</span> <span class="s">json</span><span class="p">;</span> </code></pre> </div> <p><strong>4. SSL/TLS:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span> <span class="s">http2</span><span class="p">;</span> <span class="kn">ssl_certificate</span> <span class="n">/etc/ssl/certs/cert.pem</span><span class="p">;</span> <span class="kn">ssl_certificate_key</span> <span class="n">/etc/ssl/private/key.pem</span><span class="p">;</span> <span class="c1"># ... rest of config</span> <span class="p">}</span> </code></pre> </div> <p><strong>5. Rate Limiting:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">limit_req_zone</span> <span class="nv">$binary_remote_addr</span> <span class="s">zone=api:10m</span> <span class="s">rate=10r/s</span><span class="p">;</span> <span class="k">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">limit_req</span> <span class="s">zone=api</span> <span class="s">burst=20</span> <span class="s">nodelay</span><span class="p">;</span> <span class="kn">proxy_pass</span> <span class="s">http://app_backend</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Troubleshooting Guide </h3> <h4> Problem: All requests failing </h4> <p><strong>Check if containers are running:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose ps </code></pre> </div> <p><strong>Expected output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NAME STATE PORTS nginx-lb Up 0.0.0.0:8080-&gt;80/tcp app_blue Up 0.0.0.0:8081-&gt;3000/tcp app_green Up 0.0.0.0:8082-&gt;3000/tcp </code></pre> </div> <p><strong>If containers are down:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose logs </code></pre> </div> <h4> Problem: Not seeing failover </h4> <p><strong>Check Nginx logs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker logs nginx-lb <span class="c"># Or live tail:</span> docker logs <span class="nt">-f</span> nginx-lb </code></pre> </div> <p><strong>Look for:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[error] ... upstream timed out ... while connecting to upstream [warn] ... marking server app_blue:3000 as down </code></pre> </div> <h4> Problem: Services won't start </h4> <p><strong>Check if ports are already in use:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>lsof <span class="nt">-i</span> :8080 lsof <span class="nt">-i</span> :8081 lsof <span class="nt">-i</span> :8082 </code></pre> </div> <p><strong>If something is using these ports:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Kill the process</span> <span class="nb">kill</span> <span class="nt">-9</span> &lt;PID&gt; <span class="c"># Or change ports in docker-compose.yml</span> ports: - <span class="s2">"9080:80"</span> <span class="c"># Use 9080 instead of 8080</span> </code></pre> </div> <h4> Problem: Changes to .env not taking effect </h4> <p><strong>You need to recreate containers:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose down docker-compose up <span class="nt">-d</span> </code></pre> </div> <p>Just restarting isn't enough - environment variables are set at container creation time.</p> <h3> Real-World Use Cases </h3> <h4> Scenario 1: Deploying a New Version </h4> <p><strong>Without blue/green:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Take site down</span> docker-compose down <span class="c"># Update to new version</span> docker-compose up <span class="nt">-d</span> <span class="c"># Hope nothing broke (users see downtime)</span> </code></pre> </div> <p><strong>With blue/green:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update green to new version while blue serves traffic</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'s/GREEN_IMAGE=.*/GREEN_IMAGE=myapp:v2.0.0/'</span> .env <span class="c"># Start green with new version</span> docker-compose up <span class="nt">-d</span> app_green <span class="c"># Test green directly</span> curl http://localhost:8082/version <span class="c"># Switch traffic to green (instant, zero downtime)</span> make green <span class="c"># If something's wrong, instant rollback</span> make blue </code></pre> </div> <h4> Scenario 2: Database Migration </h4> <p><strong>Challenge:</strong> New version needs schema changes.</p> <p><strong>Approach:</strong></p> <ol> <li>Make schema changes backward-compatible</li> <li>Deploy new version to green (with migration)</li> <li>Test thoroughly</li> <li>Switch traffic</li> <li>Keep blue running for quick rollback</li> <li>After validation, update blue too</li> </ol> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update green with new code + migrations</span> <span class="nv">GREEN_IMAGE</span><span class="o">=</span>myapp:v2.0.0 docker-compose up <span class="nt">-d</span> app_green <span class="c"># Run migrations on green</span> docker <span class="nb">exec </span>app_green npm run migrate <span class="c"># Test green</span> curl http://localhost:8082/test-endpoint <span class="c"># Switch traffic</span> make green <span class="c"># Monitor for issues</span> docker logs <span class="nt">-f</span> app_green <span class="c"># If problems occur, instant rollback</span> make blue </code></pre> </div> <h2> Project 2: Containerized Microservices with Full Automation </h2> <p>Now that we understand blue/green deployments, let's scale up to a complete microservices application with full infrastructure automation.</p> <h3> The Big Picture </h3> <p><strong>What we're building:</strong><br> A production-ready TODO application with:</p> <ul> <li>Multiple microservices (5 different programming languages!)</li> <li>Automated infrastructure provisioning (Terraform)</li> <li>Automated configuration management (Ansible)</li> <li>CI/CD pipelines with drift detection</li> <li>Automatic HTTPS with Traefik</li> <li>Zero-trust security model</li> </ul> <p><strong>Architecture:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ┌──────────────┐ │ Traefik │ │ (HTTPS/Proxy)│ └───────┬──────┘ │ ┌──────────────────────┼──────────────────────┐ │ │ │ ┌───────▼────────┐ ┌───────▼────────┐ ┌───────▼────────┐ │ Frontend │ │ Auth API │ │ Todos API │ │ (Vue.js) │ │ (Go) │ │ (Node.js) │ └────────────────┘ └────────────────┘ └────────────────┘ │ ┌──────────────┼──────────────┐ │ │ │ ┌───────▼────────┐ ┌──▼────┐ ┌─────▼──────┐ │ Users API │ │ Redis │ │ Log │ │ (Java Spring) │ │ Queue │ │ Processor │ └────────────────┘ └───────┘ │ (Python) │ └────────────┘ </code></pre> </div> <h3> Understanding the Application </h3> <h4> The Services </h4> <p><strong>1. Frontend (Vue.js)</strong></p> <ul> <li>User interface</li> <li>Login page → TODO dashboard</li> <li>Communicates with backend APIs</li> <li>Port: 80/443 (via Traefik)</li> </ul> <p><strong>2. Auth API (Go)</strong></p> <ul> <li>Handles user authentication</li> <li>Issues JWT tokens</li> <li>Endpoint: <code>/api/auth</code> </li> </ul> <p><strong>3. Todos API (Node.js)</strong></p> <ul> <li>Manages TODO items</li> <li>CRUD operations</li> <li>Requires valid JWT token</li> <li>Endpoint: <code>/api/todos</code> </li> </ul> <p><strong>4. Users API (Java Spring Boot)</strong></p> <ul> <li>User management</li> <li>Profile operations</li> <li>Endpoint: <code>/api/users</code> </li> </ul> <p><strong>5. Log Processor (Python)</strong></p> <ul> <li>Processes background tasks</li> <li>Consumes from Redis queue</li> <li>Writes audit logs</li> </ul> <p><strong>6. Redis Queue</strong></p> <ul> <li>Message broker</li> <li>Task queue for async operations</li> </ul> <h3> Phase 1: Containerization </h3> <p>Let's containerize each service. The key is understanding that each language has its own best practices.</p> <h4> Frontend Dockerfile (Vue.js) </h4> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Multi-stage build for optimized production image</span> <span class="c"># Stage 1: Build the application</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:18-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy package files</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="c"># Install dependencies</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="c"># Copy source code</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Build for production</span> <span class="k">RUN </span>npm run build <span class="c"># Stage 2: Serve with nginx</span> <span class="k">FROM</span><span class="s"> nginx:alpine</span> <span class="c"># Copy built assets from builder stage</span> <span class="k">COPY</span><span class="s"> --from=builder /app/dist /usr/share/nginx/html</span> <span class="c"># Copy nginx configuration</span> <span class="k">COPY</span><span class="s"> nginx.conf /etc/nginx/conf.d/default.conf</span> <span class="c"># Health check</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s \</span> CMD wget --quiet --tries=1 --spider http://localhost/ || exit 1 <span class="k">EXPOSE</span><span class="s"> 80</span> <span class="k">CMD</span><span class="s"> ["nginx", "-g", "daemon off;"]</span> </code></pre> </div> <p><strong>Why multi-stage builds?</strong></p> <ul> <li> <strong>Builder stage:</strong> 800MB (includes build tools)</li> <li> <strong>Final stage:</strong> 25MB (only nginx + static files)</li> <li>97% size reduction!</li> </ul> <p><strong>Frontend nginx config:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">root</span> <span class="n">/usr/share/nginx/html</span><span class="p">;</span> <span class="kn">index</span> <span class="s">index.html</span><span class="p">;</span> <span class="c1"># SPA routing - send all requests to index.html</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">try_files</span> <span class="nv">$uri</span> <span class="nv">$uri</span><span class="n">/</span> <span class="n">/index.html</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># Cache static assets</span> <span class="kn">location</span> <span class="p">~</span><span class="sr">*</span> <span class="err">\</span><span class="s">.(js|css|png|jpg|jpeg|gif|ico|svg)</span>$ <span class="p">{</span> <span class="kn">expires</span> <span class="s">1y</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">Cache-Control</span> <span class="s">"public,</span> <span class="s">immutable"</span><span class="p">;</span> <span class="p">}</span> <span class="c1"># Security headers</span> <span class="kn">add_header</span> <span class="s">X-Frame-Options</span> <span class="s">"SAMEORIGIN"</span> <span class="s">always</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-Content-Type-Options</span> <span class="s">"nosniff"</span> <span class="s">always</span><span class="p">;</span> <span class="kn">add_header</span> <span class="s">X-XSS-Protection</span> <span class="s">"1</span><span class="p">;</span> <span class="kn">mode=block"</span> <span class="s">always</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h4> Auth API Dockerfile (Go) </h4> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Multi-stage build for Go</span> <span class="c"># Stage 1: Build the binary</span> <span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.21-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy go mod files</span> <span class="k">COPY</span><span class="s"> go.mod go.sum ./</span> <span class="c"># Download dependencies</span> <span class="k">RUN </span>go mod download <span class="c"># Copy source code</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Build the binary</span> <span class="c"># CGO_ENABLED=0 creates a static binary (no external dependencies)</span> <span class="k">RUN </span><span class="nv">CGO_ENABLED</span><span class="o">=</span>0 <span class="nv">GOOS</span><span class="o">=</span>linux go build <span class="nt">-a</span> <span class="nt">-installsuffix</span> cgo <span class="nt">-o</span> main . <span class="c"># Stage 2: Create minimal runtime image</span> <span class="k">FROM</span><span class="s"> alpine:latest</span> <span class="c"># Add ca-certificates for HTTPS calls</span> <span class="k">RUN </span>apk <span class="nt">--no-cache</span> add ca-certificates <span class="k">WORKDIR</span><span class="s"> /root/</span> <span class="c"># Copy the binary from builder</span> <span class="k">COPY</span><span class="s"> --from=builder /app/main .</span> <span class="c"># Health check</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s \</span> CMD wget --quiet --tries=1 --spider http://localhost:8080/health || exit 1 <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">CMD</span><span class="s"> ["./main"]</span> </code></pre> </div> <p><strong>Why this approach?</strong></p> <ul> <li> <strong>Builder stage:</strong> 400MB</li> <li> <strong>Final stage:</strong> 15MB (just Alpine + binary)</li> <li>Static binary = no runtime dependencies</li> <li>Faster startup, smaller attack surface</li> </ul> <h4> Todos API Dockerfile (Node.js) </h4> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:18-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Install dependencies first (better caching)</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="c"># Copy application code</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Create non-root user for security</span> <span class="k">RUN </span>addgroup <span class="nt">-g</span> 1001 <span class="nt">-S</span> nodejs <span class="o">&amp;&amp;</span> <span class="se">\ </span> adduser <span class="nt">-S</span> nodejs <span class="nt">-u</span> 1001 <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">chown</span> <span class="nt">-R</span> nodejs:nodejs /app <span class="k">USER</span><span class="s"> nodejs</span> <span class="c"># Health check</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s \</span> CMD node healthcheck.js || exit 1 <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node", "server.js"]</span> </code></pre> </div> <p><strong>Security note:</strong> Running as non-root user limits damage if container is compromised.</p> <h4> Users API Dockerfile (Java Spring Boot) </h4> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Multi-stage build for Java</span> <span class="c"># Stage 1: Build with Maven</span> <span class="k">FROM</span><span class="w"> </span><span class="s">maven:3.9-eclipse-temurin-17</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy pom.xml first (dependency caching)</span> <span class="k">COPY</span><span class="s"> pom.xml ./</span> <span class="k">RUN </span>mvn dependency:go-offline <span class="c"># Copy source and build</span> <span class="k">COPY</span><span class="s"> src ./src</span> <span class="k">RUN </span>mvn clean package <span class="nt">-DskipTests</span> <span class="c"># Stage 2: Runtime</span> <span class="k">FROM</span><span class="s"> eclipse-temurin:17-jre-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy JAR from builder</span> <span class="k">COPY</span><span class="s"> --from=builder /app/target/*.jar app.jar</span> <span class="c"># Health check</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s \</span> CMD wget --quiet --tries=1 --spider http://localhost:8080/actuator/health || exit 1 <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="c"># Use exec form to ensure proper signal handling</span> <span class="k">ENTRYPOINT</span><span class="s"> ["java", "-jar", "/app/app.jar"]</span> </code></pre> </div> <p><strong>Java-specific optimizations:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Production optimization flags</span> <span class="k">ENTRYPOINT</span><span class="s"> ["java", \</span> "-XX:+UseContainerSupport", \ "-XX:MaxRAMPercentage=75.0", \ "-XX:+ExitOnOutOfMemoryError", \ "-jar", "/app/app.jar"] </code></pre> </div> <h4> Log Processor Dockerfile (Python) </h4> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> python:3.11-slim</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Install dependencies</span> <span class="k">COPY</span><span class="s"> requirements.txt ./</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--no-cache-dir</span> <span class="nt">-r</span> requirements.txt <span class="c"># Copy application</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Create non-root user</span> <span class="k">RUN </span>useradd <span class="nt">-m</span> <span class="nt">-u</span> 1001 processor <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">chown</span> <span class="nt">-R</span> processor:processor /app <span class="k">USER</span><span class="s"> processor</span> <span class="c"># Health check (check if process is running)</span> <span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=3s \</span> CMD ps aux | grep processor.py || exit 1 <span class="k">CMD</span><span class="s"> ["python", "processor.py"]</span> </code></pre> </div> <h4> Docker Compose - Orchestrating Everything </h4> <p>Now let's tie it all together with <code>docker-compose.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="c1"># Traefik reverse proxy</span> <span class="na">traefik</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">traefik:v2.10</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">command</span><span class="pi">:</span> <span class="c1"># API and dashboard</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--api.dashboard=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--api.insecure=true"</span> <span class="c1"># Docker provider</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--providers.docker=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--providers.docker.exposedbydefault=false"</span> <span class="c1"># Entrypoints</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.web.address=:80"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.websecure.address=:443"</span> <span class="c1"># HTTP to HTTPS redirect</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.web.http.redirections.entrypoint.to=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.web.http.redirections.entrypoint.scheme=https"</span> <span class="c1"># Let's Encrypt</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.tlschallenge=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">80:80"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">443:443"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8080:8080"</span> <span class="c1"># Dashboard</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/var/run/docker.sock:/var/run/docker.sock:ro"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">./letsencrypt:/letsencrypt"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Frontend</span> <span class="na">frontend</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./frontend</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend.rule=Host(`${DOMAIN}`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.frontend.loadbalancer.server.port=80"</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Auth API</span> <span class="na">auth</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./auth-api</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">auth-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DB_HOST=postgres</span> <span class="pi">-</span> <span class="s">DB_PORT=5432</span> <span class="pi">-</span> <span class="s">DB_NAME=${DB_NAME}</span> <span class="pi">-</span> <span class="s">DB_USER=${DB_USER}</span> <span class="pi">-</span> <span class="s">DB_PASSWORD=${DB_PASSWORD}</span> <span class="pi">-</span> <span class="s">JWT_SECRET=${JWT_SECRET}</span> <span class="pi">-</span> <span class="s">REDIS_URL=redis://redis:6379</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.rule=Host(`${DOMAIN}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/auth`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.auth.loadbalancer.server.port=8080"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="s">redis</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Todos API</span> <span class="na">todos</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./todos-api</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">todos-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DB_HOST=postgres</span> <span class="pi">-</span> <span class="s">DB_PORT=5432</span> <span class="pi">-</span> <span class="s">DB_NAME=${DB_NAME}</span> <span class="pi">-</span> <span class="s">DB_USER=${DB_USER}</span> <span class="pi">-</span> <span class="s">DB_PASSWORD=${DB_PASSWORD}</span> <span class="pi">-</span> <span class="s">REDIS_URL=redis://redis:6379</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.todos.rule=Host(`${DOMAIN}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/todos`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.todos.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.todos.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.todos.loadbalancer.server.port=3000"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="s">redis</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Users API</span> <span class="na">users</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./users-api</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">users-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">SPRING_DATASOURCE_URL=jdbc:postgresql://postgres:5432/${DB_NAME}</span> <span class="pi">-</span> <span class="s">SPRING_DATASOURCE_USERNAME=${DB_USER}</span> <span class="pi">-</span> <span class="s">SPRING_DATASOURCE_PASSWORD=${DB_PASSWORD}</span> <span class="pi">-</span> <span class="s">SPRING_REDIS_HOST=redis</span> <span class="pi">-</span> <span class="s">SPRING_REDIS_PORT=6379</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.users.rule=Host(`${DOMAIN}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/users`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.users.entrypoints=websecure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.users.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.users.loadbalancer.server.port=8080"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="s">redis</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Log Processor</span> <span class="na">log-processor</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">./log-processor</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">log-processor</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">REDIS_URL=redis://redis:6379</span> <span class="pi">-</span> <span class="s">LOG_PATH=/logs</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./logs:/logs</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redis</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="c1"># Redis</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">redis</span> <span class="na">command</span><span class="pi">:</span> <span class="s">redis-server --appendonly yes</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redis-data:/data</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">redis-cli"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">ping"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># PostgreSQL</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:15-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">POSTGRES_DB=${DB_NAME}</span> <span class="pi">-</span> <span class="s">POSTGRES_USER=${DB_USER}</span> <span class="pi">-</span> <span class="s">POSTGRES_PASSWORD=${DB_PASSWORD}</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres-data:/var/lib/postgresql/data</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">backend</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">${DB_USER}"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">3</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">postgres-data</span><span class="pi">:</span> <span class="na">redis-data</span><span class="pi">:</span> </code></pre> </div> <p><strong>Key concepts in this compose file:</strong></p> <p><strong>1. Networks:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">networks</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="c1"># Public-facing services</span> <span class="na">backend</span><span class="pi">:</span> <span class="c1"># Internal services only</span> </code></pre> </div> <ul> <li>Frontend, APIs → <code>web</code> network (accessible via Traefik)</li> <li>Database, Redis → <code>backend</code> network only (isolated)</li> <li>This provides network-level security</li> </ul> <p><strong>2. Traefik Labels:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.enable=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.rule=Host(`${DOMAIN}`)</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">PathPrefix(`/api/auth`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.auth.tls.certresolver=letsencrypt"</span> </code></pre> </div> <p>These labels tell Traefik how to route traffic:</p> <ul> <li>Route requests to <code>yourdomain.com/api/auth</code> → auth service</li> <li>Automatically get SSL certificate from Let's Encrypt</li> <li>Handle HTTPS termination</li> </ul> <p><strong>3. Environment Variables:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DB_HOST=postgres</span> <span class="pi">-</span> <span class="s">JWT_SECRET=${JWT_SECRET}</span> </code></pre> </div> <p>Secrets come from <code>.env</code> file (never committed to git!).</p> <h4> Environment Configuration </h4> <p>Create <code>.env</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Domain configuration</span> <span class="nv">DOMAIN</span><span class="o">=</span>your-domain.com <span class="nv">ACME_EMAIL</span><span class="o">=</span>your-email@example.com <span class="c"># Database</span> <span class="nv">DB_NAME</span><span class="o">=</span>todoapp <span class="nv">DB_USER</span><span class="o">=</span>todouser <span class="nv">DB_PASSWORD</span><span class="o">=</span>change-this-strong-password <span class="c"># Security</span> <span class="nv">JWT_SECRET</span><span class="o">=</span>change-this-to-random-string-min-32-chars <span class="c"># Optional: Docker registry</span> <span class="nv">DOCKER_REGISTRY</span><span class="o">=</span>ghcr.io/yourusername </code></pre> </div> <p><strong>Security checklist for .env:</strong></p> <ul> <li>[ ] Never commit .env to git</li> <li>[ ] Add .env to .gitignore</li> <li>[ ] Use strong passwords (20+ characters)</li> <li>[ ] Use different passwords for each service</li> <li>[ ] Rotate secrets regularly</li> </ul> <h3> Phase 2: Infrastructure as Code with Terraform </h3> <p>Now let's provision the cloud infrastructure automatically.</p> <h4> Project Structure </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infra/ ├── terraform/ │ ├── main.tf # Main configuration │ ├── variables.tf # Input variables │ ├── outputs.tf # Output values │ ├── provider.tf # Provider configuration │ └── backend.tf # Remote state configuration ├── ansible/ │ ├── inventory/ # Dynamic inventory │ ├── roles/ │ │ ├── dependencies/ # Install Docker, etc. │ │ └── deploy/ # Deploy application │ ├── playbook.yml # Main playbook │ └── ansible.cfg # Ansible configuration └── scripts/ ├── deploy.sh # Deployment orchestration └── drift-check.sh # Drift detection </code></pre> </div> <h4> Terraform Configuration </h4> <p><strong>provider.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Provider configuration</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="nx">local</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/local"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.0"</span> <span class="p">}</span> <span class="kc">null</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/null"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_region</span> <span class="nx">default_tags</span> <span class="p">{</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"todo-app"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>backend.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Remote state storage - crucial for team collaboration</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"your-terraform-state-bucket"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"todo-app/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"terraform-state-lock"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why remote state?</strong></p> <ul> <li>Team collaboration - everyone sees same state</li> <li>State locking - prevents concurrent modifications</li> <li>Backup - state is backed up in S3</li> <li>Encryption - sensitive data encrypted at rest</li> </ul> <p><strong>variables.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS region to deploy resources"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EC2 instance type"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_public_key"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SSH public key for access"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"domain_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Domain name for the application"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"alert_email"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Email for drift detection alerts"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"app_port"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Application port"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> </code></pre> </div> <p><strong>main.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># VPC for network isolation</span> <span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-vpc"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Internet Gateway</span> <span class="nx">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-igw"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Public Subnet</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.1.0/24"</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="s2">"${var.aws_region}a"</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-public-subnet"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Route Table</span> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-public-rt"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Route Table Association</span> <span class="nx">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1"># Security Group</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"todo-app-sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for TODO application"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># SSH</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SSH access"</span> <span class="p">}</span> <span class="c1"># HTTP</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"HTTP access"</span> <span class="p">}</span> <span class="c1"># HTTPS</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"HTTPS access"</span> <span class="p">}</span> <span class="c1"># Outbound - allow all</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow all outbound"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-sg"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># SSH Key Pair</span> <span class="nx">resource</span> <span class="s2">"aws_key_pair"</span> <span class="s2">"deployer"</span> <span class="p">{</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">"todo-app-deployer"</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_public_key</span> <span class="p">}</span> <span class="c1"># Latest Ubuntu AMI</span> <span class="nx">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"ubuntu"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"099720109477"</span><span class="p">]</span> <span class="c1"># Canonical</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"virtualization-type"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"hvm"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># EC2 Instance</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">ubuntu</span><span class="p">.</span><span class="nx">id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">aws_key_pair</span><span class="p">.</span><span class="nx">deployer</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">root_block_device</span> <span class="p">{</span> <span class="nx">volume_size</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">volume_type</span> <span class="p">=</span> <span class="s2">"gp3"</span> <span class="nx">encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOF</span><span class="sh"> #!/bin/bash apt-get update apt-get install -y python3 python3-pip </span><span class="no"> EOF </span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-server"</span> <span class="p">}</span> <span class="c1"># Lifecycle rule for idempotency</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">user_data</span><span class="p">,</span> <span class="c1"># Don't recreate if user_data changes</span> <span class="nx">ami</span><span class="p">,</span> <span class="c1"># Don't recreate on AMI updates unless forced</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Elastic IP for stable public IP</span> <span class="nx">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">instance</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"vpc"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-eip"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Generate Ansible inventory</span> <span class="nx">resource</span> <span class="s2">"local_file"</span> <span class="s2">"ansible_inventory"</span> <span class="p">{</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span><span class="s2">"${path.module}/templates/inventory.tpl"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">app_server_ip</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">public_ip</span> <span class="nx">ssh_key_path</span> <span class="p">=</span> <span class="s2">"~/.ssh/id_rsa"</span> <span class="nx">ssh_user</span> <span class="p">=</span> <span class="s2">"ubuntu"</span> <span class="p">})</span> <span class="nx">filename</span> <span class="p">=</span> <span class="s2">"${path.module}/../ansible/inventory/hosts"</span> <span class="c1"># Only regenerate if values change</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Trigger Ansible after provisioning</span> <span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"ansible_provisioner"</span> <span class="p">{</span> <span class="c1"># Run when instance changes</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_id</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">timestamp</span> <span class="p">=</span> <span class="nx">timestamp</span><span class="p">()</span> <span class="p">}</span> <span class="c1"># Wait for instance to be ready</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> echo "Waiting for SSH to be ready..." until ssh -o StrictHostKeyChecking=no -o ConnectTimeout=2 ubuntu@${aws_eip.app.public_ip} echo "SSH Ready"; do sleep 5 done echo "Running Ansible playbook..." cd ${path.module}/../ansible ansible-playbook -i inventory/hosts playbook.yml </span><span class="no"> EOT </span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">local_file</span><span class="p">.</span><span class="nx">ansible_inventory</span><span class="p">,</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">app</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>templates/inventory.tpl:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[app_servers]</span> <span class="err">todo-app</span> <span class="py">ansible_host</span><span class="p">=</span><span class="s">${app_server_ip} ansible_user=${ssh_user} ansible_ssh_private_key_file=${ssh_key_path}</span> <span class="nn">[app_servers:vars]</span> <span class="py">ansible_python_interpreter</span><span class="p">=</span><span class="s">/usr/bin/python3</span> </code></pre> </div> <p><strong>outputs.tf:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"instance_public_ip"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Public IP of the application server"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"instance_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ID of the EC2 instance"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"domain_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Domain name for the application"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ssh_command"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SSH command to connect to the server"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"ssh ubuntu@${aws_eip.app.public_ip}"</span> <span class="p">}</span> </code></pre> </div> <h4> Understanding Terraform Idempotency </h4> <p><strong>What is idempotency?</strong><br> Running the same Terraform code multiple times produces the same result without creating duplicates.</p> <p><strong>Example - Non-idempotent (bad):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-12345"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="c1"># This causes recreation on every apply!</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Timestamp</span> <span class="p">=</span> <span class="nx">timestamp</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Idempotent (good):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="s2">"ami-12345"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"todo-app-server"</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">tags</span><span class="p">[</span><span class="s2">"Timestamp"</span><span class="p">],</span> <span class="nx">user_data</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Drift Detection </h4> <p><strong>What is drift?</strong><br> Drift occurs when actual infrastructure differs from Terraform state (manual changes, external tools, etc.).</p> <p><strong>drift-check.sh:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="nb">echo</span> <span class="s2">"Checking for infrastructure drift..."</span> <span class="c"># Run terraform plan and capture output</span> <span class="nv">PLAN_OUTPUT</span><span class="o">=</span><span class="si">$(</span>terraform plan <span class="nt">-detailed-exitcode</span> <span class="nt">-no-color</span> 2&gt;&amp;1<span class="si">)</span> <span class="o">||</span> <span class="nv">EXIT_CODE</span><span class="o">=</span><span class="nv">$?</span> <span class="c"># Exit codes:</span> <span class="c"># 0 = no changes</span> <span class="c"># 1 = error</span> <span class="c"># 2 = changes detected (drift!)</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$EXIT_CODE</span> <span class="nt">-eq</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"✅ No drift detected - infrastructure matches desired state"</span> <span class="nb">exit </span>0 <span class="k">elif</span> <span class="o">[</span> <span class="nv">$EXIT_CODE</span> <span class="nt">-eq</span> 2 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"⚠️ DRIFT DETECTED - infrastructure has changed!"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$PLAN_OUTPUT</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="c"># Send email alert</span> ./send-drift-alert.sh <span class="s2">"</span><span class="nv">$PLAN_OUTPUT</span><span class="s2">"</span> <span class="c"># In CI/CD, pause for manual approval</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$CI</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"true"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Pausing for manual approval..."</span> <span class="c"># GitHub Actions, GitLab CI, etc. have approval mechanisms</span> <span class="nb">exit </span>2 <span class="k">fi else </span><span class="nb">echo</span> <span class="s2">"❌ Error running terraform plan"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$PLAN_OUTPUT</span><span class="s2">"</span> <span class="nb">exit </span>1 <span class="k">fi</span> </code></pre> </div> <p><strong>send-drift-alert.sh:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">DRIFT_DETAILS</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">ALERT_EMAIL</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">ALERT_EMAIL</span><span class="k">:-</span><span class="nv">admin</span><span class="p">@example.com</span><span class="k">}</span><span class="s2">"</span> <span class="c"># Using AWS SES</span> aws ses send-email <span class="se">\</span> <span class="nt">--from</span> <span class="s2">"terraform@example.com"</span> <span class="se">\</span> <span class="nt">--to</span> <span class="s2">"</span><span class="nv">$ALERT_EMAIL</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--subject</span> <span class="s2">"⚠️ Terraform Drift Detected"</span> <span class="se">\</span> <span class="nt">--text</span> <span class="s2">"</span><span class="nv">$DRIFT_DETAILS</span><span class="s2">"</span> <span class="c"># Or using curl with Mailgun, SendGrid, etc.</span> curl <span class="nt">-s</span> <span class="nt">--user</span> <span class="s2">"api:</span><span class="nv">$MAILGUN_API_KEY</span><span class="s2">"</span> <span class="se">\</span> https://api.mailgun.net/v3/<span class="nv">$MAILGUN_DOMAIN</span>/messages <span class="se">\</span> <span class="nt">-F</span> <span class="nv">from</span><span class="o">=</span><span class="s2">"terraform@example.com"</span> <span class="se">\</span> <span class="nt">-F</span> <span class="nv">to</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ALERT_EMAIL</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-F</span> <span class="nv">subject</span><span class="o">=</span><span class="s2">"⚠️ Terraform Drift Detected"</span> <span class="se">\</span> <span class="nt">-F</span> <span class="nv">text</span><span class="o">=</span><span class="s2">"</span><span class="nv">$DRIFT_DETAILS</span><span class="s2">"</span> </code></pre> </div> <h3> Phase 3: Configuration Management with Ansible </h3> <p>Terraform provisions infrastructure, Ansible configures it.</p> <h4> Ansible Project Structure </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ansible/ ├── inventory/ │ └── hosts # Generated by Terraform ├── roles/ │ ├── dependencies/ │ │ ├── tasks/ │ │ │ └── main.yml │ │ └── handlers/ │ │ └── main.yml │ └── deploy/ │ ├── tasks/ │ │ └── main.yml │ ├── templates/ │ │ └── .env.j2 │ └── handlers/ │ └── main.yml ├── playbook.yml └── ansible.cfg </code></pre> </div> <h4> ansible.cfg </h4> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[defaults]</span> <span class="py">inventory</span> <span class="p">=</span> <span class="s">inventory/hosts</span> <span class="py">remote_user</span> <span class="p">=</span> <span class="s">ubuntu</span> <span class="py">private_key_file</span> <span class="p">=</span> <span class="s">~/.ssh/id_rsa</span> <span class="py">host_key_checking</span> <span class="p">=</span> <span class="s">False</span> <span class="py">retry_files_enabled</span> <span class="p">=</span> <span class="s">False</span> <span class="c"># Faster execution </span><span class="py">gathering</span> <span class="p">=</span> <span class="s">smart</span> <span class="py">fact_caching</span> <span class="p">=</span> <span class="s">jsonfile</span> <span class="py">fact_caching_connection</span> <span class="p">=</span> <span class="s">/tmp/ansible_facts</span> <span class="py">fact_caching_timeout</span> <span class="p">=</span> <span class="s">3600</span> <span class="c"># Better output </span><span class="py">stdout_callback</span> <span class="p">=</span> <span class="s">yaml</span> <span class="py">bin_ansible_callbacks</span> <span class="p">=</span> <span class="s">True</span> <span class="nn">[ssh_connection]</span> <span class="py">pipelining</span> <span class="p">=</span> <span class="s">True</span> </code></pre> </div> <h4> roles/dependencies/tasks/main.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Install required system dependencies</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update apt cache</span> <span class="na">apt</span><span class="pi">:</span> <span class="na">update_cache</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">cache_valid_time</span><span class="pi">:</span> <span class="m">3600</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install required packages</span> <span class="na">apt</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt-transport-https</span> <span class="pi">-</span> <span class="s">ca-certificates</span> <span class="pi">-</span> <span class="s">curl</span> <span class="pi">-</span> <span class="s">gnupg</span> <span class="pi">-</span> <span class="s">lsb-release</span> <span class="pi">-</span> <span class="s">python3-pip</span> <span class="pi">-</span> <span class="s">git</span> <span class="pi">-</span> <span class="s">ufw</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add Docker GPG key</span> <span class="na">apt_key</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://download.docker.com/linux/ubuntu/gpg</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add Docker repository</span> <span class="na">apt_repository</span><span class="pi">:</span> <span class="na">repo</span><span class="pi">:</span> <span class="s2">"</span><span class="s">deb</span><span class="nv"> </span><span class="s">[arch=amd64]</span><span class="nv"> </span><span class="s">https://download.docker.com/linux/ubuntu</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">ansible_distribution_release</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">stable"</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Docker</span> <span class="na">apt</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">docker-ce</span> <span class="pi">-</span> <span class="s">docker-ce-cli</span> <span class="pi">-</span> <span class="s">containerd.io</span> <span class="pi">-</span> <span class="s">docker-buildx-plugin</span> <span class="pi">-</span> <span class="s">docker-compose-plugin</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">notify</span><span class="pi">:</span> <span class="s">Restart Docker</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Add user to docker group</span> <span class="na">user</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">ansible_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">groups</span><span class="pi">:</span> <span class="s">docker</span> <span class="na">append</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Docker Compose (standalone)</span> <span class="na">get_url</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/docker/compose/releases/download/v2.23.0/docker-compose-linux-x86_64"</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/usr/local/bin/docker-compose</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0755'</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure UFW firewall</span> <span class="na">ufw</span><span class="pi">:</span> <span class="na">rule</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.rule</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">port</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.port</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">proto</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">item.proto</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">loop</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">{</span> <span class="nv">rule</span><span class="pi">:</span> <span class="s1">'</span><span class="s">allow'</span><span class="pi">,</span> <span class="nv">port</span><span class="pi">:</span> <span class="s1">'</span><span class="s">22'</span><span class="pi">,</span> <span class="nv">proto</span><span class="pi">:</span> <span class="s1">'</span><span class="s">tcp'</span> <span class="pi">}</span> <span class="pi">-</span> <span class="pi">{</span> <span class="nv">rule</span><span class="pi">:</span> <span class="s1">'</span><span class="s">allow'</span><span class="pi">,</span> <span class="nv">port</span><span class="pi">:</span> <span class="s1">'</span><span class="s">80'</span><span class="pi">,</span> <span class="nv">proto</span><span class="pi">:</span> <span class="s1">'</span><span class="s">tcp'</span> <span class="pi">}</span> <span class="pi">-</span> <span class="pi">{</span> <span class="nv">rule</span><span class="pi">:</span> <span class="s1">'</span><span class="s">allow'</span><span class="pi">,</span> <span class="nv">port</span><span class="pi">:</span> <span class="s1">'</span><span class="s">443'</span><span class="pi">,</span> <span class="nv">proto</span><span class="pi">:</span> <span class="s1">'</span><span class="s">tcp'</span> <span class="pi">}</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Enable UFW</span> <span class="na">ufw</span><span class="pi">:</span> <span class="na">state</span><span class="pi">:</span> <span class="s">enabled</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> </code></pre> </div> <h4> roles/dependencies/handlers/main.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Restart Docker</span> <span class="na">systemd</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">docker</span> <span class="na">state</span><span class="pi">:</span> <span class="s">restarted</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> </code></pre> </div> <h4> roles/deploy/tasks/main.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1"># Deploy the application</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create application directory</span> <span class="na">file</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/opt/todo-app</span> <span class="na">state</span><span class="pi">:</span> <span class="s">directory</span> <span class="na">owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">ansible_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">group</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">ansible_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0755'</span> <span class="na">become</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Clone application repository</span> <span class="na">git</span><span class="pi">:</span> <span class="na">repo</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_repo_url</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/opt/todo-app</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">app_branch</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">default('main')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">force</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">register</span><span class="pi">:</span> <span class="s">git_clone</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create environment file from template</span> <span class="na">template</span><span class="pi">:</span> <span class="na">src</span><span class="pi">:</span> <span class="s">.env.j2</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/opt/todo-app/.env</span> <span class="na">owner</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">ansible_user</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0600'</span> <span class="na">no_log</span><span class="pi">:</span> <span class="s">yes</span> <span class="c1"># Don't log sensitive env vars</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create letsencrypt directory</span> <span class="na">file</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/opt/todo-app/letsencrypt</span> <span class="na">state</span><span class="pi">:</span> <span class="s">directory</span> <span class="na">mode</span><span class="pi">:</span> <span class="s1">'</span><span class="s">0755'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Pull latest Docker images</span> <span class="na">community.docker.docker_compose</span><span class="pi">:</span> <span class="na">project_src</span><span class="pi">:</span> <span class="s">/opt/todo-app</span> <span class="na">pull</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">when</span><span class="pi">:</span> <span class="s">git_clone.changed</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Start application with Docker Compose</span> <span class="na">community.docker.docker_compose</span><span class="pi">:</span> <span class="na">project_src</span><span class="pi">:</span> <span class="s">/opt/todo-app</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="na">restarted</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">git_clone.changed</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">register</span><span class="pi">:</span> <span class="s">compose_output</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Wait for application to be healthy</span> <span class="na">uri</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://{{</span><span class="nv"> </span><span class="s">domain_name</span><span class="nv"> </span><span class="s">}}/health"</span> <span class="na">status_code</span><span class="pi">:</span> <span class="m">200</span> <span class="na">validate_certs</span><span class="pi">:</span> <span class="s">no</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">10</span> <span class="na">delay</span><span class="pi">:</span> <span class="m">10</span> <span class="na">register</span><span class="pi">:</span> <span class="s">health_check</span> <span class="na">until</span><span class="pi">:</span> <span class="s">health_check.status == </span><span class="m">200</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Display deployment status</span> <span class="na">debug</span><span class="pi">:</span> <span class="na">msg</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Application</span><span class="nv"> </span><span class="s">deployed</span><span class="nv"> </span><span class="s">successfully</span><span class="nv"> </span><span class="s">at</span><span class="nv"> </span><span class="s">https://{{</span><span class="nv"> </span><span class="s">domain_name</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <h4> roles/deploy/templates/.env.j2 </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Auto-generated by Ansible - DO NOT EDIT MANUALLY # Domain configuration DOMAIN={{ domain_name }} ACME_EMAIL={{ acme_email }} # Database DB_NAME={{ db_name }} DB_USER={{ db_user }} DB_PASSWORD={{ db_password }} # Security JWT_SECRET={{ jwt_secret }} # Application NODE_ENV=production LOG_LEVEL=info </code></pre> </div> <h4> playbook.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy TODO Application</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">app_servers</span> <span class="na">become</span><span class="pi">:</span> <span class="s">no</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">app_repo_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://github.com/yourusername/todo-app.git"</span> <span class="na">app_branch</span><span class="pi">:</span> <span class="s2">"</span><span class="s">main"</span> <span class="na">domain_name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'DOMAIN')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">acme_email</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'ACME_EMAIL')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">db_name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'DB_NAME')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">db_user</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'DB_USER')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">db_password</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'DB_PASSWORD')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">jwt_secret</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">lookup('env',</span><span class="nv"> </span><span class="s">'JWT_SECRET')</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">dependencies</span> <span class="pi">-</span> <span class="s">deploy</span> <span class="na">post_tasks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify deployment</span> <span class="na">uri</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://{{</span><span class="nv"> </span><span class="s">domain_name</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">status_code</span><span class="pi">:</span> <span class="m">200</span> <span class="na">validate_certs</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">delegate_to</span><span class="pi">:</span> <span class="s">localhost</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Display application URL</span> <span class="na">debug</span><span class="pi">:</span> <span class="na">msg</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Application</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">live</span><span class="nv"> </span><span class="s">at</span><span class="nv"> </span><span class="s">https://{{</span><span class="nv"> </span><span class="s">domain_name</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <h3> Phase 4: CI/CD Pipeline </h3> <p>Now let's automate everything with GitHub Actions.</p> <h4> .github/workflows/infrastructure.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Infrastructure Deployment</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">infra/terraform/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">infra/ansible/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">.github/workflows/infrastructure.yml'</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="c1"># Manual trigger</span> <span class="na">env</span><span class="pi">:</span> <span class="na">TF_VERSION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1.6.0'</span> <span class="na">AWS_REGION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">us-east-1'</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform-plan</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan &amp; Drift Detection</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">has_changes</span><span class="pi">:</span> <span class="s">${{ steps.plan.outputs.has_changes }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">${{ env.TF_VERSION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/terraform</span> <span class="s">terraform init</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan</span> <span class="na">id</span><span class="pi">:</span> <span class="s">plan</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/terraform</span> <span class="s">terraform plan -detailed-exitcode -out=tfplan || EXIT_CODE=$?</span> <span class="s">if [ $EXIT_CODE -eq 0 ]; then</span> <span class="s">echo "has_changes=false" &gt;&gt; $GITHUB_OUTPUT</span> <span class="s">echo "✅ No infrastructure changes detected"</span> <span class="s">elif [ $EXIT_CODE -eq 2 ]; then</span> <span class="s">echo "has_changes=true" &gt;&gt; $GITHUB_OUTPUT</span> <span class="s">echo "⚠️ Infrastructure drift detected!"</span> <span class="s">else</span> <span class="s">echo "❌ Terraform plan failed"</span> <span class="s">exit 1</span> <span class="s">fi</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Save plan</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.plan.outputs.has_changes == 'true'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tfplan</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infra/terraform/tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Send drift alert email</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.plan.outputs.has_changes == 'true'</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dawidd6/action-send-mail@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">server_address</span><span class="pi">:</span> <span class="s">smtp.gmail.com</span> <span class="na">server_port</span><span class="pi">:</span> <span class="m">465</span> <span class="na">username</span><span class="pi">:</span> <span class="s">${{ secrets.MAIL_USERNAME }}</span> <span class="na">password</span><span class="pi">:</span> <span class="s">${{ secrets.MAIL_PASSWORD }}</span> <span class="na">subject</span><span class="pi">:</span> <span class="s">⚠️ Terraform Drift Detected - TODO App</span> <span class="na">to</span><span class="pi">:</span> <span class="s">${{ secrets.ALERT_EMAIL }}</span> <span class="na">from</span><span class="pi">:</span> <span class="s">Terraform CI/CD</span> <span class="na">body</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">Infrastructure drift has been detected!</span> <span class="s">Review the changes and approve the workflow to apply:</span> <span class="s">${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}</span> <span class="na">terraform-apply</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">terraform-plan</span> <span class="na">if</span><span class="pi">:</span> <span class="s">needs.terraform-plan.outputs.has_changes == 'true'</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="c1"># Requires manual approval</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">${{ env.TF_VERSION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Download plan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/download-artifact@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tfplan</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infra/terraform/</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/terraform</span> <span class="s">terraform init</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/terraform</span> <span class="s">terraform apply tfplan</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Save outputs</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/terraform</span> <span class="s">terraform output -json &gt; outputs.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload outputs</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">terraform-outputs</span> <span class="na">path</span><span class="pi">:</span> <span class="s">infra/terraform/outputs.json</span> <span class="na">ansible-deploy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ansible Deployment</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">terraform-apply</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always() &amp;&amp; (needs.terraform-apply.result == 'success' || needs.terraform-plan.outputs.has_changes == 'false')</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Python</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.11'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Ansible</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pip install ansible</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup SSH key</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">mkdir -p ~/.ssh</span> <span class="s">echo "${{ secrets.SSH_PRIVATE_KEY }}" &gt; ~/.ssh/id_rsa</span> <span class="s">chmod 600 ~/.ssh/id_rsa</span> <span class="s">ssh-keyscan -H ${{ secrets.SERVER_IP }} &gt;&gt; ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Ansible playbook</span> <span class="na">env</span><span class="pi">:</span> <span class="na">DOMAIN</span><span class="pi">:</span> <span class="s">${{ secrets.DOMAIN }}</span> <span class="na">ACME_EMAIL</span><span class="pi">:</span> <span class="s">${{ secrets.ACME_EMAIL }}</span> <span class="na">DB_NAME</span><span class="pi">:</span> <span class="s">${{ secrets.DB_NAME }}</span> <span class="na">DB_USER</span><span class="pi">:</span> <span class="s">${{ secrets.DB_USER }}</span> <span class="na">DB_PASSWORD</span><span class="pi">:</span> <span class="s">${{ secrets.DB_PASSWORD }}</span> <span class="na">JWT_SECRET</span><span class="pi">:</span> <span class="s">${{ secrets.JWT_SECRET }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd infra/ansible</span> <span class="s">ansible-playbook -i inventory/hosts playbook.yml</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify deployment</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sleep 30 # Wait for services to stabilize</span> <span class="s">curl -f https://${{ secrets.DOMAIN }}/health || exit 1</span> <span class="s">echo "✅ Deployment verified!"</span> </code></pre> </div> <h4> .github/workflows/application.yml </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Application Deployment</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">frontend/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">auth-api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">todos-api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">users-api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">log-processor/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">docker-compose.yml'</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Application</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup SSH key</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">mkdir -p ~/.ssh</span> <span class="s">echo "${{ secrets.SSH_PRIVATE_KEY }}" &gt; ~/.ssh/id_rsa</span> <span class="s">chmod 600 ~/.ssh/id_rsa</span> <span class="s">ssh-keyscan -H ${{ secrets.SERVER_IP }} &gt;&gt; ~/.ssh/known_hosts</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to server</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">ssh ubuntu@${{ secrets.SERVER_IP }} &lt;&lt; 'EOF'</span> <span class="s">cd /opt/todo-app</span> <span class="s">git pull origin main</span> <span class="s">docker-compose pull</span> <span class="s">docker-compose up -d --build</span> <span class="s">EOF</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Wait for deployment</span> <span class="na">run</span><span class="pi">:</span> <span class="s">sleep </span><span class="m">30</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Health check</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">curl -f https://${{ secrets.DOMAIN }}/health || exit 1</span> <span class="s">echo "✅ Application deployed successfully!"</span> </code></pre> </div> <h3> Understanding the CI/CD Flow </h3> <p><strong>Infrastructure changes (Terraform/Ansible):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Push to main ↓ 2. Run terraform plan ↓ 3. Detect drift? → Send email ↓ 4. Pause for manual approval (GitHub Environment protection) ↓ 5. Apply changes ↓ 6. Run Ansible ↓ 7. Verify deployment </code></pre> </div> <p><strong>Application changes:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Push to main ↓ 2. SSH to server ↓ 3. Git pull ↓ 4. docker-compose pull ↓ 5. docker-compose up ↓ 6. Health check </code></pre> </div> <h3> Testing the Complete Setup </h3> <h4> Local Testing </h4> <p><strong>1. Test containers locally:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start everything</span> docker-compose up <span class="nt">-d</span> <span class="c"># Check status</span> docker-compose ps <span class="c"># View logs</span> docker-compose logs <span class="nt">-f</span> <span class="c"># Test frontend</span> curl http://localhost <span class="c"># Test APIs</span> curl http://localhost/api/auth/health curl http://localhost/api/todos/health curl http://localhost/api/users/health <span class="c"># Stop everything</span> docker-compose down </code></pre> </div> <p><strong>2. Test Terraform:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/terraform <span class="c"># Initialize</span> terraform init <span class="c"># Validate</span> terraform validate <span class="c"># Plan (dry run)</span> terraform plan <span class="c"># Apply (create infrastructure)</span> terraform apply <span class="c"># Show outputs</span> terraform output <span class="c"># Destroy (cleanup)</span> terraform destroy </code></pre> </div> <p><strong>3. Test Ansible:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/ansible <span class="c"># Test connection</span> ansible all <span class="nt">-m</span> ping <span class="c"># Check syntax</span> ansible-playbook playbook.yml <span class="nt">--syntax-check</span> <span class="c"># Dry run</span> ansible-playbook playbook.yml <span class="nt">--check</span> <span class="c"># Run for real</span> ansible-playbook playbook.yml <span class="c"># Run specific role</span> ansible-playbook playbook.yml <span class="nt">--tags</span> deploy </code></pre> </div> <h4> Production Deployment </h4> <p><strong>Complete deployment from scratch:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Clone the repository</span> git clone https://github.com/yourusername/todo-app.git <span class="nb">cd </span>todo-app <span class="c"># 2. Configure secrets</span> <span class="nb">cp</span> .env.example .env <span class="c"># Edit .env with your values</span> <span class="c"># 3. Initialize Terraform</span> <span class="nb">cd </span>infra/terraform terraform init <span class="c"># 4. Create infrastructure</span> terraform plan terraform apply <span class="c"># Wait for Ansible to complete (triggered automatically)</span> <span class="c"># 5. Configure DNS</span> <span class="c"># Point your domain to the Elastic IP shown in terraform outputs</span> <span class="c"># 6. Verify deployment</span> curl https://your-domain.com </code></pre> </div> <p><strong>Expected result:</strong></p> <ul> <li>Login page loads at <a href="https://your-domain.com" rel="noopener noreferrer">https://your-domain.com</a> </li> <li>HTTPS works (automatic certificate from Let's Encrypt)</li> <li>APIs respond at /api/auth, /api/todos, /api/users</li> </ul> <h3> Troubleshooting </h3> <h4> Issue: Terraform fails with "state locked" </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check lock info</span> terraform force-unlock &lt;LOCK_ID&gt; <span class="c"># Or wait for other operation to complete</span> </code></pre> </div> <h4> Issue: Ansible can't connect to server </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test SSH manually</span> ssh <span class="nt">-i</span> ~/.ssh/id_rsa ubuntu@&lt;SERVER_IP&gt; <span class="c"># Check inventory</span> ansible-inventory <span class="nt">--list</span> <span class="nt">-i</span> inventory/hosts <span class="c"># Verbose output</span> ansible-playbook playbook.yml <span class="nt">-vvv</span> </code></pre> </div> <h4> Issue: Containers won't start </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check logs</span> docker-compose logs &lt;service-name&gt; <span class="c"># Check disk space</span> <span class="nb">df</span> <span class="nt">-h</span> <span class="c"># Check memory</span> free <span class="nt">-h</span> <span class="c"># Restart specific service</span> docker-compose restart &lt;service-name&gt; </code></pre> </div> <h4> Issue: HTTPS not working </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check Traefik logs</span> docker logs traefik <span class="c"># Verify DNS points to server</span> dig your-domain.com <span class="c"># Check certificate</span> docker <span class="nb">exec </span>traefik <span class="nb">cat</span> /letsencrypt/acme.json <span class="c"># Force certificate renewal</span> docker-compose down <span class="nb">rm</span> <span class="nt">-rf</span> letsencrypt/acme.json docker-compose up <span class="nt">-d</span> </code></pre> </div> <h2> Key Takeaways </h2> <h3> Blue/Green Deployment Lessons </h3> <ol> <li> <strong>Nginx's <code>backup</code> directive is powerful</strong> - Simple yet effective failover</li> <li> <strong>Tight timeouts enable fast failover</strong> - But tune based on your app</li> <li> <strong>Health checks != failover</strong> - They serve different purposes</li> <li> <strong>Chaos testing is essential</strong> - Test failures before they happen in production</li> <li> <strong>Idempotency prevents surprises</strong> - Re-running should be safe</li> </ol> <h3> Microservices Deployment Lessons </h3> <ol> <li> <strong>Multi-stage Docker builds save space</strong> - 97% reduction possible</li> <li> <strong>Traefik simplifies routing</strong> - Labels replace complex nginx configs</li> <li> <strong>Terraform + Ansible separation works</strong> - Provision vs configure</li> <li> <strong>Drift detection prevents disasters</strong> - Catch manual changes early</li> <li> <strong>CI/CD approval gates add safety</strong> - Human oversight for infrastructure</li> </ol> <h3> Production-Ready Checklist </h3> <p>Before going live, ensure:</p> <p><strong>Security:</strong></p> <ul> <li>[ ] All secrets in environment variables, not code</li> <li>[ ] SSL/TLS configured (Traefik handles this)</li> <li>[ ] Firewall rules in place (UFW + security groups)</li> <li>[ ] Containers run as non-root users</li> <li>[ ] Regular security updates automated</li> </ul> <p><strong>Monitoring:</strong></p> <ul> <li>[ ] Health checks on all services</li> <li>[ ] Centralized logging (consider ELK stack)</li> <li>[ ] Metrics collection (Prometheus)</li> <li>[ ] Alerting configured (PagerDuty, Opsgenie)</li> <li>[ ] Uptime monitoring (UptimeRobot)</li> </ul> <p><strong>Reliability:</strong></p> <ul> <li>[ ] Database backups automated</li> <li>[ ] Disaster recovery plan documented</li> <li>[ ] Rollback procedures tested</li> <li>[ ] Load testing completed</li> <li>[ ] Chaos engineering practiced</li> </ul> <p><strong>Operations:</strong></p> <ul> <li>[ ] Documentation up to date</li> <li>[ ] Runbooks for common issues</li> <li>[ ] On-call rotation defined</li> <li>[ ] Incident response process</li> <li>[ ] Post-mortem template ready</li> </ul> <h2> Next Steps </h2> <h3> Beginner Level </h3> <ol> <li> <p><strong>Set up Project 1 locally</strong></p> <ul> <li>Get familiar with Docker Compose</li> <li>Understand nginx configuration</li> <li>Run the failover tests</li> </ul> </li> <li> <p><strong>Modify the setup</strong></p> <ul> <li>Add a third color (red)</li> <li>Implement weighted load balancing</li> <li>Add custom health check endpoints</li> </ul> </li> </ol> <h3> Intermediate Level </h3> <ol> <li> <p><strong>Implement Project 2</strong></p> <ul> <li>Start with containerization only</li> <li>Add Traefik incrementally</li> <li>Test locally before cloud deployment</li> </ul> </li> <li> <p><strong>Add observability</strong></p> <ul> <li>Integrate Prometheus metrics</li> <li>Set up Grafana dashboards</li> <li>Implement distributed tracing</li> </ul> </li> </ol> <h3> Advanced Level </h3> <ol> <li> <p><strong>Production hardening</strong></p> <ul> <li>Set up multi-region deployment</li> <li>Implement auto-scaling</li> <li>Add CDN (CloudFlare)</li> <li>Configure WAF rules</li> </ul> </li> <li> <p><strong>Advanced automation</strong></p> <ul> <li>GitOps with ArgoCD or Flux</li> <li>Infrastructure testing with Terratest</li> <li>Policy as Code with Open Policy Agent</li> </ul> </li> </ol> <h3> Resources </h3> <p><strong>Official Documentation:</strong></p> <ul> <li><a href="https://docs.docker.com/" rel="noopener noreferrer">Docker Docs</a></li> <li><a href="https://nginx.org/en/docs/" rel="noopener noreferrer">Nginx Docs</a></li> <li><a href="https://registry.terraform.io/" rel="noopener noreferrer">Terraform Registry</a></li> <li><a href="https://galaxy.ansible.com/" rel="noopener noreferrer">Ansible Galaxy</a></li> <li><a href="https://doc.traefik.io/traefik/" rel="noopener noreferrer">Traefik Docs</a></li> </ul> <p><strong>Learning Paths:</strong></p> <ul> <li><a href="https://www.udemy.com/course/docker-mastery/" rel="noopener noreferrer">Docker Mastery Course</a></li> <li><a href="https://www.terraformupandrunning.com/" rel="noopener noreferrer">Terraform Up &amp; Running Book</a></li> <li><a href="https://www.ansiblefordevops.com/" rel="noopener noreferrer">Ansible for DevOps</a></li> </ul> <p><strong>Community:</strong></p> <ul> <li><a href="https://reddit.com/r/devops" rel="noopener noreferrer">DevOps Subreddit</a></li> <li><a href="https://www.docker.com/community/" rel="noopener noreferrer">Docker Community</a></li> <li><a href="https://discuss.hashicorp.com/c/terraform" rel="noopener noreferrer">Terraform Forums</a></li> </ul> <h2> Conclusion </h2> <p>We've covered two comprehensive DevOps projects:</p> <p><strong>Project 1</strong> taught us:</p> <ul> <li>Zero-downtime deployments with blue/green strategy</li> <li>Nginx automatic failover configuration</li> <li>Chaos engineering for resilience testing</li> </ul> <p><strong>Project 2</strong> showed us:</p> <ul> <li>Containerizing multi-language microservices</li> <li>Infrastructure as Code with Terraform</li> <li>Configuration management with Ansible</li> <li>Production-grade CI/CD pipelines</li> <li>Drift detection and alerting</li> </ul> <p>The skills you've learned here form the foundation of modern DevOps practices. Start with the basics, experiment fearlessly, and gradually add complexity as you grow.</p> <p>Remember: the best infrastructure is the one that works reliably, fails gracefully, and lets you sleep peacefully at night.</p> <p>Happy deploying! 🚀</p> <p><em>Questions or feedback? Drop a comment below or reach out on <a href="https://x.com/S_herdeybayor" rel="noopener noreferrer">Twitter</a> / <a href="http://linkedin.com/in/herdeybayor/" rel="noopener noreferrer">LinkedIn</a>.</em></p> <p><em>Found this helpful? Give it a ❤️ and share with fellow developers!</em></p> devops microservices automation tutorial Building Your Own VPC on Linux: A DevOps Love Story 💘🐧 Sherifdeen Adebayo Wed, 12 Nov 2025 20:42:03 +0000 https://dev.to/0xsherifdev/building-your-own-vpc-on-linux-a-devops-love-story-4ca1 https://dev.to/0xsherifdev/building-your-own-vpc-on-linux-a-devops-love-story-4ca1 <p><em>Or: How I Learned to Stop Worrying and Love Network Namespaces</em></p> <h2> Introduction: The Plot Twist Nobody Saw Coming 🎬 </h2> <blockquote> <p>Warning: No AWS bills were harmed in the making of this project! 💸</p> </blockquote> <p>Hey! I'm Sherifdeen Adebayo, and buckle up because I'm about to tell you how I accidentally became best friends with Linux networking (didn't see THAT coming in 2025! 😅).</p> <p>So there I was, staring at the HNG13 Stage 4 DevOps challenge like it was jollof rice without chicken 😭. The task? Build a complete Virtual Private Cloud system on Linux. My networking knowledge at the time? "IP address goes brrr" 🤷‍♂️</p> <p>Spoiler alert: It's not magic. It's just clever use of Linux tools that have been chilling since before TikTok was a thing! (Yes, I'm old enough to remember when we had to <code>ping</code> people to know if they were online 👴)</p> <h2> What I Built (While Consuming Unhealthy Amounts of Coffee ☕️) </h2> <p>I created <code>vpcctl</code> - basically AWS VPC's younger, cooler cousin who lives in Lagos and knows all the shortcuts:</p> <ul> <li>Create isolated virtual networks faster than you can say "subnet mask" 🎯</li> <li>Provision public and private subnets (like VIP and regular sections at Detty December 🎉)</li> <li>Deploy applications without breaking a sweat 💪</li> <li>Control connectivity like a network traffic warden 🚦</li> <li>Apply firewall rules (because we don't trust anybody, not even ourselves 🔐)</li> </ul> <p>Basically, I rebuilt a mini AWS VPC from scratch. And honestly? It was like learning to ride a bike - painful at first, then suddenly you're doing wheelies! 🚴‍♂️</p> <h2> Shopping List: What You'll Need 🛒 </h2> <p>Before we dive into this beautiful mess, grab these:</p> <ul> <li>A Linux machine (Ubuntu 20.04+ - or as I call it, "The Reliable Uncle") 💻</li> <li>Root/sudo access (because we're about to do DANGEROUS things... safely 😎)</li> <li>Basic networking knowledge (if you know what an IP address is, you're 80% there!)</li> <li>Command line skills (copy-paste counts as skills, right? 👀)</li> <li>Patience (LOTS of it - this took me more coffee breaks than I care to admit ☕️☕️☕️)</li> </ul> <h2> The Secret Sauce: Linux Networking Unveiled 🎩✨ </h2> <blockquote> <p>Like suya and yaji, these concepts are better together!</p> </blockquote> <h3> Network Namespaces: The Private Apartments 🏠 </h3> <p>Network namespaces are like giving each subnet its own apartment - complete with:</p> <ul> <li>Its own network interfaces (like having your own Wi-Fi 📡)</li> <li>Personal IP addresses (no sharing with siblings!)</li> <li>Private routing tables (your business is YOUR business 🤫)</li> <li>Custom firewall rules (because boundaries matter!)</li> </ul> <p>It's like having multiple computers on one machine, but without the electricity bill! 💡</p> <h3> veth Pairs: The Virtual Cables 🔌 </h3> <p>Think of veth pairs as virtual LAN cables, but cooler:</p> <ul> <li>They come in pairs (like AirPods, but they never get lost!)</li> <li>What goes in one end, comes out the other (magic? Nope, just Linux! ✨)</li> <li>Perfect for connecting namespaces to bridges</li> <li>No tangling required (looking at you, earphones! 😤)</li> </ul> <p>Pro tip: These are like WhatsApp groups - messages go in, chaos comes out! 📱</p> <h3> Linux Bridges: The Virtual Switch 🎛️ </h3> <p>Bridges are basically the Dangote of networking - they connect EVERYTHING:</p> <ul> <li>Act as virtual switches (think of them as traffic controllers 🚥)</li> <li>Forward packets between interfaces (like a very efficient delivery service 📦)</li> <li>In our VPC, this bad boy is the central router</li> <li>More reliable than NEPA (okay, that's not saying much 😅)</li> </ul> <h3> NAT: The Internet Passport 🛂 </h3> <p>Network Address Translation is like having a bouncer who lets your private IPs into the internet club:</p> <ul> <li>Translates private IPs to public IPs</li> <li>Keeps your internal network safe (like a digital bodyguard 💪)</li> <li>Makes the internet think everything is coming from one place</li> <li>Basically the VPN your parents wish they understood 😂</li> </ul> <h2> The Blueprint: What We're Actually Building 📐 </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Host System (aka "The Mothership" 🚀) ├── VPC (10.0.0.0/16) - The whole village 🏘️ │ ├── Bridge (br-my-vpc) - The town square 🏛️ │ ├── Public Subnet (10.0.1.0/24) - The market 🏪 │ │ ├── Namespace (ns-my-vpc-public) - Individual shops │ │ ├── NAT Gateway (iptables) - The security guard 👮 │ │ └── Application - The goods 📦 │ └── Private Subnet (10.0.2.0/24) - The warehouse 🏭 │ ├── Namespace (ns-my-vpc-private) - Storage rooms │ └── Application - The secret stash 🤐 └── Internet Connection - The outside world 🌍 </code></pre> </div> <h2> Let's Get Our Hands Dirty: Building This Beast 💪 </h2> <blockquote> <p>Fun fact: This section was written at 2 AM with questionable life choices being made!</p> </blockquote> <h3> Step 1: Project Setup (The Boring Part We Must Endure) 😴 </h3> <p>First, let's create our project home:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>vpc-control <span class="c"># AKA "The Beginning of Something Beautiful"</span> <span class="nb">cd </span>vpc-control <span class="nb">mkdir</span> <span class="nt">-p</span> lib policies tests logs <span class="c"># Creating our empire, one folder at a time</span> </code></pre> </div> <h3> Step 2: The Brain - Core CLI Tool 🧠 </h3> <p>Create the main <code>vpcctl</code> script. This is our Jarvis, our Friday, our... you get it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="sh">"""</span><span class="s"> vpcctl - Virtual Private Cloud Control CLI AKA </span><span class="sh">"</span><span class="s">The Magic Wand of Networking</span><span class="sh">"</span><span class="s"> 🪄 </span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">argparse</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">os</span> <span class="c1"># This bad boy handles: # - create-vpc (Birth of a network 🐣) # - create-subnet (Subdivision time! 🏘️) # - deploy-app (App goes brrr 🚀) # - peer-vpcs (Making friends across borders 🤝) # - apply-policy (Because we need rules, apparently 📜) # And more cool stuff that'll make your DevOps heart sing! 🎵 </span></code></pre> </div> <p>The full implementation includes these MVPs:</p> <ul> <li> <code>vpc_manager.py</code> - The VPC whisperer 🗣️</li> <li> <code>subnet_manager.py</code> - Subnet sensei 🥋</li> <li> <code>nat_manager.py</code> - Internet access enabler (the real MVP) 🌐</li> <li> <code>peering_manager.py</code> - The matchmaker 💑</li> <li> <code>firewall_manager.py</code> - The bouncer 🚪</li> </ul> <h3> Step 3: Birth of a VPC (It's Alive! ⚡️) </h3> <p>Here's what happens when you unleash the beast:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> ./vpcctl create-vpc <span class="nt">--name</span> my-vpc <span class="nt">--cidr</span> 10.0.0.0/16 <span class="c"># Translation: "Let there be network!" 🌟</span> </code></pre> </div> <p>Under the hood (this is where the magic happens ✨):</p> <ol> <li>Creates a Linux bridge: <code>ip link add br-my-vpc type bridge</code> <ul> <li><em>Like building a roundabout in Lagos (but this one actually works!)</em></li> </ul> </li> <li>Brings it up: <code>ip link set br-my-vpc up</code> <ul> <li><em>"Hello world!" but for networks</em></li> </ul> </li> <li>Stores config in state file <ul> <li><em>Because elephants aren't the only ones who remember</em></li> </ul> </li> </ol> <p>The bridge is basically your VPC's brain 🧠. Treat it well!</p> <h3> Step 4: Subnet Mania (Where Things Get Spicy 🌶️) </h3> <p>Subnets = Network namespaces = Mini isolated networks. Mind = Blown 🤯<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> ./vpcctl create-subnet <span class="nt">--vpc</span> my-vpc <span class="nt">--name</span> public <span class="nt">--cidr</span> 10.0.1.0/24 <span class="nt">--type</span> public <span class="c"># AKA "Creating the VIP section" 😎</span> </code></pre> </div> <p>Behind the curtains (drum roll please 🥁):</p> <ol> <li>Create namespace: <code>ip netns add ns-my-vpc-public</code> <ul> <li><em>Apartment building, meet your new tenant!</em></li> </ul> </li> <li>Create veth pair: <code>ip link add veth-public type veth peer name eth0</code> <ul> <li><em>Virtual cables, assemble!</em></li> </ul> </li> <li>Move one end to namespace: <code>ip link set eth0 netns ns-my-vpc-public</code> <ul> <li><em>"Welcome to your new home!" 🏠</em></li> </ul> </li> <li>Attach other end to bridge: <code>ip link set veth-public master br-my-vpc</code> <ul> <li><em>"Now kiss!" (the bridge and the interface, not you and your computer)</em></li> </ul> </li> <li>Configure IP address <ul> <li><em>Every subnet needs an identity!</em></li> </ul> </li> <li>Set up routing <ul> <li><em>GPS for packets 🗺️</em></li> </ul> </li> </ol> <p>For public subnets, we add the secret sauce (NAT):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable IP forwarding (because sharing is caring 💝)</span> sysctl <span class="nt">-w</span> net.ipv4.ip_forward<span class="o">=</span>1 <span class="c"># Add NAT rule (the bouncer at the internet club 🎭)</span> iptables <span class="nt">-t</span> nat <span class="nt">-A</span> POSTROUTING <span class="nt">-s</span> 10.0.1.0/24 <span class="nt">-o</span> eth0 <span class="nt">-j</span> MASQUERADE </code></pre> </div> <p><strong>Pro tip</strong>: This took me 2 hours and 3 cups of coffee to debug. Save yourself the pain - copy paste is not just a skill, it's a lifestyle! ☕️😅</p> <h3> Step 5: Deploy ALL The Apps! 🚀 </h3> <p>Time to make your subnet actually DO something:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> ./vpcctl deploy-app <span class="nt">--vpc</span> my-vpc <span class="nt">--subnet</span> public <span class="nt">--port</span> 8080 <span class="c"># Translation: "Let's get this party started!" 🎊</span> </code></pre> </div> <p>This creates a Python HTTP server that's more reliable than your ISP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">http.server</span> <span class="kn">import</span> <span class="n">socketserver</span> <span class="n">PORT</span> <span class="o">=</span> <span class="mi">8080</span> <span class="c1"># The magic number (or any port you fancy) # Serving web pages like it's hot! 🔥 </span><span class="k">with</span> <span class="n">socketserver</span><span class="p">.</span><span class="nc">TCPServer</span><span class="p">((</span><span class="sh">""</span><span class="p">,</span> <span class="n">PORT</span><span class="p">),</span> <span class="n">http</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">SimpleHTTPRequestHandler</span><span class="p">)</span> <span class="k">as</span> <span class="n">httpd</span><span class="p">:</span> <span class="n">httpd</span><span class="p">.</span><span class="nf">serve_forever</span><span class="p">()</span> <span class="c1"># Forever ever? Forever ever! </span></code></pre> </div> <h3> Step 6: VPC Isolation (Trust Issues Much? 🚧) </h3> <p>By default, VPCs don't talk to each other. It's like having separate WhatsApp groups for work and family - necessary for sanity! 😌<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> ./vpcctl create-vpc <span class="nt">--name</span> dev-vpc <span class="nt">--cidr</span> 10.1.0.0/16 <span class="nb">sudo</span> ./vpcctl create-subnet <span class="nt">--vpc</span> dev-vpc <span class="nt">--name</span> public <span class="nt">--cidr</span> 10.1.1.0/24 <span class="nt">--type</span> public <span class="c"># Creating parallel universes, one VPC at a time! 🌌</span> </code></pre> </div> <p>Try to ping from one VPC to another - DENIED! 🚫 This is isolation working as intended. Your subnets are safer than money in your mom's purse! 💰</p> <h3> Step 7: VPC Peering (Now They're BFFs! 👯‍♀️) </h3> <p>Want your VPCs to be friends? Let's introduce them properly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> ./vpcctl peer-vpcs <span class="nt">--vpc1</span> my-vpc <span class="nt">--vpc2</span> dev-vpc <span class="c"># "Meet cute" but for networks! 💕</span> </code></pre> </div> <p>What this does (it's actually pretty cool):</p> <ol> <li>Creates a veth pair connecting both bridges <ul> <li><em>Building bridges, literally!</em></li> </ul> </li> <li>Adds routes so they can find each other <ul> <li><em>Like sharing locations on WhatsApp 📍</em></li> </ul> </li> </ol> <p>Now they can communicate! It's like when your crush finally texts back! 📱✨</p> <h3> Step 8: Firewall Policies (The Rulebook 📖) </h3> <p>Create a JSON policy file (fancy way of saying "The Law"):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"subnet"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.0.1.0/24"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ingress"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"port"</span><span class="p">:</span><span class="w"> </span><span class="mi">80</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tcp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"allow"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Come</span><span class="w"> </span><span class="err">on</span><span class="w"> </span><span class="err">in</span><span class="p">,</span><span class="w"> </span><span class="err">HTTP!</span><span class="w"> </span><span class="err">🚪</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"port"</span><span class="p">:</span><span class="w"> </span><span class="mi">22</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tcp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deny"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">SSH?</span><span class="w"> </span><span class="err">We</span><span class="w"> </span><span class="err">don't</span><span class="w"> </span><span class="err">know</span><span class="w"> </span><span class="err">her!</span><span class="w"> </span><span class="err">🙅‍♂️</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Apply it like a boss:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> ./vpcctl apply-policy <span class="nt">--vpc</span> my-vpc <span class="nt">--subnet</span> public <span class="nt">--policy</span> policy.json <span class="c"># "These are the rules, and yes, I made them up!" 😤</span> </code></pre> </div> <p>This translates to iptables magic (don't worry about understanding it, even I Google it sometimes 🤫):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 80 <span class="nt">-j</span> ACCEPT <span class="c"># Welcome!</span> iptables <span class="nt">-A</span> INPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 22 <span class="nt">-j</span> DROP <span class="c"># Nope!</span> </code></pre> </div> <h2> Testing Your Masterpiece 🧪 </h2> <blockquote> <p>If you're not testing, you're just hoping. And hope is NOT a strategy!</p> </blockquote> <h3> Test 1: Intra-VPC Love Connection 💘 </h3> <p>Subnets within the same VPC should talk like old friends:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> ./vpcctl test-connectivity <span class="nt">--vpc</span> my-vpc <span class="nt">--from-subnet</span> public <span class="nt">--to-subnet</span> private <span class="c"># Expected: ✓ Connectivity test PASSED</span> <span class="c"># If it fails: Time for more coffee! ☕️</span> </code></pre> </div> <h3> Test 2: VPC Cold Shoulder 🥶 </h3> <p>Different VPCs without peering should ignore each other like exes at a party:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get the deets</span> <span class="nv">NS1</span><span class="o">=</span><span class="s2">"ns-my-vpc-public"</span> <span class="nv">IP2</span><span class="o">=</span><span class="s2">"10.1.1.2"</span> <span class="c"># IP from dev-vpc (the stranger danger)</span> <span class="c"># Try to ping (spoiler: it won't work)</span> <span class="nb">sudo </span>ip netns <span class="nb">exec</span> <span class="nv">$NS1</span> ping <span class="nt">-c</span> 2 <span class="nv">$IP2</span> <span class="c"># Result: Network unreachable ✓</span> <span class="c"># Translation: "New phone, who dis?" 📱</span> </code></pre> </div> <h3> Test 3: Internet Access Check 🌐 </h3> <p>Public subnets flexing their internet access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-my-vpc-public ping <span class="nt">-c</span> 3 8.8.8.8 <span class="c"># Result: Success ✓ (Google DNS says hello!)</span> </code></pre> </div> <p>Private subnets staying humble and offline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-my-vpc-private ping <span class="nt">-c</span> 3 8.8.8.8 <span class="c"># Result: Network unreachable ✓</span> <span class="c"># They're focused on the grind, no distractions! 💪</span> </code></pre> </div> <h3> Test 4: Peering Power-Up 🔌 </h3> <p>After peering, VPCs become besties:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> ./vpcctl peer-vpcs <span class="nt">--vpc1</span> my-vpc <span class="nt">--vpc2</span> dev-vpc <span class="nb">sudo </span>ip netns <span class="nb">exec </span>ns-my-vpc-public ping <span class="nt">-c</span> 2 10.1.1.2 <span class="c"># Result: Success ✓</span> <span class="c"># They're texting now! 📱💕</span> </code></pre> </div> <h2> When Things Go Wrong (And They Will! 😅) </h2> <blockquote> <p>Debugging is like being a detective in a crime movie where you're also the murderer!</p> </blockquote> <h3> Issue 1: "Operation not permitted" 🚫 </h3> <p><strong>Problem</strong>: Forgot to use sudo (we've ALL been there!)</p> <p><strong>Solution</strong>: Channel your inner admin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> ./vpcctl create-vpc <span class="nt">--name</span> <span class="nb">test</span> <span class="nt">--cidr</span> 10.0.0.0/16 <span class="c"># Remember: With great power comes great sudo! 🦸‍♂️</span> </code></pre> </div> <h3> Issue 2: "Bridge already exists" 🌉 </h3> <p><strong>Problem</strong>: You tried to create what already exists (philosophers hate this trick!)</p> <p><strong>Solution</strong>: Clear the slate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> ./cleanup.sh <span class="c"># When in doubt, nuke it out! 💥</span> </code></pre> </div> <h3> Issue 3: "No internet connectivity" 📡 </h3> <p><strong>Problem</strong>: This one haunted my dreams for 2 hours! 😭</p> <p><strong>Solution</strong>: This got me! I spent like 30 minutes debugging before realizing IP forwarding was disabled. Check it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sysctl net.ipv4.ip_forward <span class="c"># If it's 0, you need to flip that switch!</span> <span class="nb">sudo </span>sysctl <span class="nt">-w</span> net.ipv4.ip_forward<span class="o">=</span>1 <span class="c"># The magic command ✨</span> </code></pre> </div> <p>Other things to check (because I'm nice like that):</p> <ul> <li>Interface name might be ens33 instead of eth0 (Linux is creative with naming!)</li> <li>iptables rules might be blocking you (check with <code>sudo iptables -t nat -L</code>)</li> <li>Your coffee might be empty (this is CRITICAL! ☕️)</li> </ul> <h2> Cleanup: Leaving No Trace 🧹 </h2> <p>Always clean up after yourself (your mom taught you this!):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Delete specific VPC (the gentle approach)</span> <span class="nb">sudo</span> ./vpcctl delete-vpc <span class="nt">--name</span> my-vpc <span class="c"># Delete EVERYTHING (the "I need a fresh start" approach)</span> <span class="nb">sudo</span> ./vpcctl cleanup-all <span class="c"># Or use the cleanup script (the "I trust this more" approach)</span> <span class="nb">sudo</span> ./cleanup.sh <span class="c"># Thanos would be proud! 🫰✨</span> </code></pre> </div> <p>This removes (THE COMPLETE PURGE):</p> <ul> <li>All network namespaces 🗑️</li> <li>All bridges 🌉</li> <li>All veth pairs 🔌</li> <li>All iptables rules 🔥</li> <li>State files 📁</li> <li>Your mistakes (we all need this sometimes!) 😌</li> </ul> <h2> The Victory Lap: Full Test Suite 🏁 </h2> <p>The project includes tests more comprehensive than your mom's questions when you get home late:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>make <span class="nb">test</span> <span class="c"># Sit back, relax, and watch the magic happen! ✨</span> </code></pre> </div> <p>This validates (EVERYTHING):</p> <ul> <li>✅ VPC creation and deletion (Birth and... well, you know)</li> <li>✅ Subnet management (The subdivision saga)</li> <li>✅ Application deployment (App goes live!)</li> <li>✅ Connectivity (Can we talk?)</li> <li>✅ Isolation (Stay in your lane!)</li> <li>✅ Peering (Making friends!)</li> <li>✅ Firewall policies (The rules of engagement)</li> <li>✅ NAT gateway (Internet access for all!)</li> <li>✅ Cleanup (Leaving it better than we found it)</li> </ul> <h2> What You Just Became an Expert In 🎓 </h2> <p>Congratulations! You now understand:</p> <ol> <li> <strong>Linux Network Namespaces</strong>: Like apartments for network stacks 🏠</li> <li> <strong>Virtual Networking</strong>: The art of making cables out of thin air 🎨</li> <li> <strong>Routing</strong>: GPS for packets, but actually reliable 🗺️</li> <li> <strong>NAT</strong>: The passport office of networking 🛂</li> <li> <strong>iptables</strong>: The bouncer who decides who gets in 💪</li> <li> <strong>VPC Architecture</strong>: How AWS does it (but now YOU can do it too!) 😎</li> <li> <strong>Infrastructure as Code</strong>: Because clicking buttons is so 2010 🖱️</li> </ol> <h2> Where This Knowledge Pays Rent 💰 </h2> <p>These concepts show up EVERYWHERE:</p> <ul> <li> <strong>Docker</strong>: Uses network namespaces (you're basically a Docker expert now! 🐳)</li> <li> <strong>Kubernetes</strong>: Pod networking is just fancy namespace usage (k8s who? We know them! ☸️)</li> <li> <strong>Cloud VPCs</strong>: AWS VPC, Azure VNet, Google VPC (all doing what you just did!) ☁️</li> <li> <strong>SD-WAN</strong>: Software-defined networking (fancy name, same concepts) 🌐</li> <li> <strong>Job Interviews</strong>: "So tell me about network namespaces..." (You: <em>cracks knuckles</em> 😏)</li> </ul> <h2> Next Level Moves (When You're Feeling Adventurous) 🚀 </h2> <p>Want to take this further? Here are some ideas:</p> <ol> <li>Add custom DHCP (automatic IP assignment, fancy!)</li> <li>Implement load balancing (spread the load like butter 🧈)</li> <li>Add VPN gateway (secure connections ftw! 🔐)</li> <li>Create a web dashboard (because CLI is cool but GUI is prettier 🎨)</li> <li>Support IPv6 (future-proofing like a boss! 🔮)</li> <li>Container runtime integration (Docker + Your VPC = 💕)</li> </ol> <h2> The Grand Finale: What Did We Learn Today? 🎬 </h2> <p>So that's it! I went from "network namespace what?" to building a full VPC system that would make AWS nervous (okay, maybe not nervous, but they'd def give a nod of respect 🫡).</p> <p><strong>Key takeaways</strong> (write these down, there might be a test):</p> <ol> <li>VPCs aren't magical - they're just namespaces + bridges + routing (and A LOT of coffee ☕️)</li> <li>The <code>onlink</code> flag is a LIFESAVER (seriously, I almost named my firstborn "Onlink")</li> <li>Always enable IP forwarding BEFORE testing NAT (learn from my pain!)</li> <li>Interface names have a 15-character limit (learned THAT one the expensive way - 2 hours I'll never get back! ⏰)</li> <li>When in doubt, check the logs (they never lie, unlike my "5 minutes left" estimates)</li> <li>Google is your friend (so is Stack Overflow, so is that random blog from 2012)</li> </ol> <p>The complete code is available in the repository. Try it out, break it (you will!), fix it (you can!), and most importantly - understand how every piece works together like a well-oiled machine! 🛠️</p> <h2> Additional Resources (For the Overachievers 📚) </h2> <p>Want to go deeper? Check these out:</p> <ul> <li>Linux Network Namespaces: <code>man ip-netns</code> (bedtime reading? 😴)</li> <li>iptables Documentation: <code>man iptables</code> (thriller novel alternative!)</li> <li>Linux Bridge: <code>man bridge</code> (surprisingly less boring than expected!)</li> <li>iproute2 Documentation: <code>man ip</code> (for when Netflix isn't enough!)</li> <li>My GitHub: <a href="https://github.com/herdeybayor/hng13-stage4-devops" rel="noopener noreferrer">hng13-stage4-devops</a> (shameless plug! 😎)</li> </ul> <h2> Installation Speedrun 🏃‍♂️💨 </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/herdeybayor/hng13-stage4-devops <span class="nb">cd </span>hng13-stage4-devops make <span class="nb">install</span> <span class="c"># One command to rule them all!</span> <span class="nb">sudo</span> ./vpcctl <span class="nt">--help</span> <span class="c"># Your journey begins here! 🗺️</span> </code></pre> </div> <h2> Quick Start (For the Impatient Ones) ⚡️ </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a VPC (you're basically a cloud provider now!)</span> <span class="nb">sudo</span> ./vpcctl create-vpc <span class="nt">--name</span> demo <span class="nt">--cidr</span> 10.0.0.0/16 <span class="c"># Add a public subnet (VIP section activated!)</span> <span class="nb">sudo</span> ./vpcctl create-subnet <span class="nt">--vpc</span> demo <span class="nt">--name</span> web <span class="nt">--cidr</span> 10.0.1.0/24 <span class="nt">--type</span> public <span class="c"># Deploy an app (hello world, but make it network-y!)</span> <span class="nb">sudo</span> ./vpcctl deploy-app <span class="nt">--vpc</span> demo <span class="nt">--subnet</span> web <span class="nt">--port</span> 8080 <span class="c"># View your empire</span> <span class="nb">sudo</span> ./vpcctl list-vpcs <span class="c"># Look at what you built! 🏰</span> <span class="c"># Clean up (responsible developer energy!)</span> <span class="nb">sudo</span> ./vpcctl delete-vpc <span class="nt">--name</span> demo </code></pre> </div> <h2> Connect With Me! 🤝 </h2> <p>If you're working on something similar, or if this helped you, or if you just want to chat about networking over virtual jollof rice, hit me up!</p> <ul> <li>🌐 Portfolio: <a href="https://sherifdeenadebayo.com" rel="noopener noreferrer">sherifdeenadebayo.com</a> (check out my other projects!)</li> <li>💼 LinkedIn: <a href="https://www.linkedin.com/in/herdeybayor/" rel="noopener noreferrer">@herdeybayor</a> (let's connect professionally!)</li> <li>💻 GitHub: <a href="https://github.com/herdeybayor" rel="noopener noreferrer">@herdeybayor</a> (where the code lives!)</li> <li>✍️ DEV.to: Where I write stuff like this when caffeine levels are optimal ☕️</li> <li>📧 Questions? Create an issue! I promise I read them (eventually 😅)</li> </ul> <p><strong>Sherifdeen Adebayo</strong><br><br> DevOps Engineer | Professional Coffee Consumer | Network Namespace Whisperer<br><br> Built for HNG13 Stage 4 Challenge - November 2025<br><br> <em>Powered by determination, late nights, and an unhealthy amount of Stack Overflow! 💻</em></p> <p><strong>P.S.</strong> - If you're doing the HNG challenge too, you got this! 💪 This stage kicked my butt multiple times, but look - we both made it! If I can build this while Googling "what is a network namespace" every 5 minutes, you can too!</p> <p><strong>P.P.S.</strong> - Special shoutout to coffee, without which this project would still be "TODO: Figure out networking" 😂</p> <p><strong>P.P.P.S.</strong> - Yes, the interface naming bug took me 2 hours. Yes, I cried a little. Yes, it was just a 15-character limit. We don't talk about it. 🙈</p> <p>Remember: In software development, like in life, sometimes you just gotta <code>sudo</code> your way through! 🚀✨</p> <p><em>Written while simultaneously debugging, eating chin-chin, and questioning my career choices (in the best way possible!)</em> 🌟</p> <p><em>If this code works on your machine, you're welcome! If it doesn't... did you try turning it off and on again?</em> 😉</p> devops linux networking hng13 The Holy Grail of Payment Integration: A React Native Safari 🎢 Sherifdeen Adebayo Sat, 08 Mar 2025 10:05:32 +0000 https://dev.to/0xsherifdev/the-holy-grail-of-payment-integration-a-react-native-safari-1com https://dev.to/0xsherifdev/the-holy-grail-of-payment-integration-a-react-native-safari-1com <p><em>Bismillah! As we journey through Ramadan (yes, we're fasting AND coding 😅), let's dive into the world of payment gateways. Don't worry, this implementation is easier than resisting samosas at iftar!</em></p> <h2> The Batman and Robin of Web Development 🦹‍♂️ </h2> <blockquote> <p>Ever wondered why frontend and backend developers are like hot suya and yaji? They're better together! </p> </blockquote> <p>Just like how Batman needs Robin (or how developers need coffee ☕️), our frontend needs the backend for payment processing. The backend is like that friend who keeps all your secrets safe (API keys, we're looking at you 👀), while the frontend is the charming face that users actually see.</p> <h2> Backend Magic: Where Money Goes to Party 🎉 </h2> <blockquote> <p>Warning: No actual money was harmed during the writing of this code!</p> </blockquote> <p>Remember when your mom said "money doesn't grow on trees"? Well, it now flows through APIs! We've got payment gateways galore:</p> <ul> <li> <a href="https://stripe.com/" rel="noopener noreferrer">Stripe</a> (for the fancy folks 🎩)</li> <li> <a href="https://paystack.com/" rel="noopener noreferrer">Paystack</a> (African excellence 🌍)</li> <li> <a href="https://flutterwave.com/" rel="noopener noreferrer">Flutterwave</a> (making waves, get it? 🌊)</li> <li> <a href="https://squadco.com/" rel="noopener noreferrer">Squad</a> (not related to Suicide Squad, promise! 😅)</li> </ul> <p>Here's our magical money-moving endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// POST /api/wallet/top-up </span> <span class="c1">// AKA "The Money Maker" 💸</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">amount</span><span class="dl">"</span><span class="p">:</span> <span class="mi">2000</span><span class="p">,</span> <span class="c1">// Your wallet's workout plan</span> <span class="dl">"</span><span class="s2">redirect_url</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://example.com?amount=200&amp;foo=bar</span><span class="dl">"</span> <span class="c1">// Where money goes to rest</span> <span class="p">}</span> </code></pre> </div> <p>The response (if the money gods are pleased 🙏):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">{</span> <span class="dl">"</span><span class="s2">message</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Topup initialized</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// fancy way of saying "We're cooking!"</span> <span class="dl">"</span><span class="s2">data</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">link</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://checkout-v2.dev-flutterwave.com/...</span><span class="dl">"</span> <span class="c1">// The golden ticket 🎫</span> <span class="p">},</span> <span class="dl">"</span><span class="s2">success</span><span class="dl">"</span><span class="p">:</span> <span class="kc">true</span> <span class="c1">// Alhamdulillah! </span> <span class="p">}</span> </code></pre> </div> <h2> Frontend Shenanigans: Where The Magic Happens ✨ </h2> <blockquote> <p>Fun fact: This code was written while dreaming about iftar buffets!</p> </blockquote> <h3> Configuration: The Boring-But-Important Part 🥱 </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">CONFIGS</span> <span class="o">=</span> <span class="p">{</span> <span class="na">APP_ENV</span><span class="p">:</span> <span class="dl">"</span><span class="s2">development</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// AKA "Please don't break in production"</span> <span class="na">PAYMENTS_CALLBACK_URL</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://example.com?foo=bar</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// The comeback kid</span> <span class="p">};</span> </code></pre> </div> <h3> The Wallet Component: Money's Best Friend 💰 </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// This function is like a waiter at a fancy restaurant</span> <span class="c1">// It takes your order (amount) and brings back a payment link</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchPaymentLink</span><span class="p">({</span> <span class="nx">amount</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// Magic happens here... or at least we hope so 🎩✨</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/wallet/top-up`</span><span class="p">...);</span> <span class="k">return</span> <span class="nx">data</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">link</span><span class="p">;</span> <span class="c1">// The golden ticket to happiness</span> <span class="p">}</span> <span class="c1">// The component that makes your wallet cry tears of joy</span> <span class="kd">function</span> <span class="nf">WalletCardComponent</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">balance</span> <span class="o">=</span> <span class="mi">1000</span><span class="p">;</span> <span class="c1">// Probably more than my actual bank account 😭</span> <span class="kd">const</span> <span class="nx">handleTopUp</span> <span class="o">=</span> <span class="nf">useCallback</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Time to make it rain! 💸</span> <span class="kd">const</span> <span class="nx">paymentLink</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetchPaymentLink</span><span class="p">({</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">2000</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nf">replace</span><span class="p">({</span><span class="cm">/*... navigation magic ...*/</span><span class="p">});</span> <span class="c1">// HINT: You can pass the nextPath as a query param or a pathname</span> <span class="c1">// router.replace({ pathname: "/wallet/payment", params: { link: paymentLink, nextPath: "/wallet" } });</span> <span class="c1">// router.replace(`/wallet/payment?link=${paymentLink}&amp;nextPath=/wallet`)</span> <span class="p">},</span> <span class="p">[]);</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">View</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Text</span><span class="o">&gt;</span><span class="nx">Wallet</span> <span class="o">-</span> <span class="p">{</span><span class="nx">balance</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/Text</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">Button</span> <span class="nx">title</span><span class="o">=</span><span class="dl">"</span><span class="s2">Make Money Disappear</span><span class="dl">"</span> <span class="nx">onPress</span><span class="o">=</span><span class="p">{</span><span class="nx">handleTopUp</span><span class="p">}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/View</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> The WebView: Where Dreams (and Transactions) Come True 🌈 </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">PaymentScreen</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// More params than a Hollywood movie</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">link</span><span class="p">,</span> <span class="nx">nextPath</span><span class="p">,</span> <span class="nx">amount</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useLocalSearchParams</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">WebView</span> <span class="nx">source</span><span class="o">=</span><span class="p">{{</span> <span class="na">uri</span><span class="p">:</span> <span class="nx">link</span> <span class="p">}}</span> <span class="c1">// The gateway to emptying your wallet</span> <span class="nx">startInLoadingState</span> <span class="nx">renderLoading</span><span class="o">=</span><span class="p">{()</span> <span class="o">=&gt;</span> <span class="o">&lt;</span><span class="nx">ShowLoadingScreen</span> <span class="o">/&gt;</span><span class="p">}</span> <span class="c1">// The "please wait" dance</span> <span class="nx">onNavigationStateChange</span><span class="o">=</span><span class="p">{({</span> <span class="nx">url</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">url</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">cancelled</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// When the user chickens out 🐔</span> <span class="nx">toast</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Your money is still safe with you!</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">url</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">success</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Time to celebrate! 🎉</span> <span class="nx">toast</span><span class="p">.</span><span class="nf">success</span><span class="p">(</span><span class="s2">`Successfully made money disappear! ✨`</span><span class="p">);</span> <span class="c1">// HINT: you can redirect to the nextPath (Blessed flow 👼🏻) or reload the entire app (Ibliss 🔪👺)</span> <span class="c1">// router.replace(nextPath...)</span> <span class="p">}</span> <span class="p">}}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Conclusion: The End of Our Money Adventure 🎬 </h2> <blockquote> <p>Like breaking fast with dates, every good implementation needs a sweet ending!</p> </blockquote> <p>As we navigate through Ramadan (trying not to think about food while coding 😅), remember that implementing payments is like fasting - it requires patience, attention to detail, and a good sense of humor when things go wrong!</p> <p>May your transactions be successful, your bugs be minimal, and your iftar be delicious! 🙏</p> <p><em>Written while dreaming about iftar, powered by dates and coffee (not at the same time, obviously!)</em> 🌙 </p> <p>P.S. If this code works, congratulations! If it doesn't, well... there's always next Ramadan! 😉</p> <p><em>Remember: In software development, like in Ramadan, patience is not just a virtue - it's a requirement!</em> 💫</p> reactnative mobile programming ramadancoding