The latest articles on DEV Community by Alejandro Velez (@avelez). https://dev.to/avelez https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg https://dev.to/avelez en Alejandro Velez Sat, 13 Jun 2026 21:11:11 +0000 https://dev.to/aws-builders/modernizing-cross-account-networking-from-vpc-peering-complexity-to-5-vpc-lattice-resources--ddg https://dev.to/aws-builders/modernizing-cross-account-networking-from-vpc-peering-complexity-to-5-vpc-lattice-resources--ddg <blockquote> <p><strong>AWS Level</strong>: 400 — Advanced | Multi-account networking, VPC Lattice Resource Configurations, IaC orchestration with Terragrunt</p> </blockquote> <h2> 🎯 The Challenge </h2> <p><strong>Scenario</strong></p> <p>Suppose you are a Cloud Architect or DevOps Engineer at an enterprise organization, and you receive this mission: <em>expose an Aurora PostgreSQL database to an external AWS organization — without VPC Peering, without Transit Gateway, without public endpoints, and without deploying a single NLB</em>.</p> <p>The requirements are clear:</p> <ul> <li>✅ <strong>Zero internet exposure</strong> — the database must remain in private subnets</li> <li>✅ <strong>Cross-account, cross-organization</strong> — the consumer lives in a completely separate AWS org</li> <li>✅ <strong>Infrastructure as Code</strong> — everything must be declared, versioned, and reproducible</li> <li>✅ <strong>Network validation</strong> — you must <em>prove</em> connectivity works before handing it off</li> <li>✅ <strong>Least privilege</strong> — security groups scoped to exact ports and sources</li> <li>✅ <strong>Multi-environment</strong> — same code for dev, qa, and prod with different configurations</li> </ul> <p>Welcome to <strong>NetDevOps</strong>.</p> <h2> Cloud Networking at Scale is Broken (And We Keep Pretending It's Not) </h2> <p>I've been working with multi-account AWS architectures for years, and there's one conversation that keeps coming back like a boomerang: <strong>"How do we give that other team access to our database without blowing up our network?"</strong></p> <p>Every. Single. Time.</p> <p>And the answers are always the same tired playbook: VPC Peering (good luck with overlapping CIDRs), Transit Gateway (hope you enjoy $0.05/GB bills), PrivateLink (another NLB to maintain). They all <em>work</em>, technically. But they all introduce complexity that compounds over time.</p> <p>Here's the thing — cloud networking at scale isn't hard because any single concept is difficult. It's hard because <strong>everything multiplies</strong>. One VPC? Easy. Ten with peering? Fine. Fifty accounts across business units with different compliance requirements, connectivity patterns, and team boundaries? That's where traditional approaches collapse.</p> <p>I'm talking about:</p> <ul> <li>Security group sprawl where nobody can tell which rules are actually needed</li> <li>Route table entropy that breaks production with one wrong entry</li> <li>Cross-account connectivity patterns that multiply with every new team</li> <li>Connectivity validation that only happens <em>after</em> the incident</li> </ul> <p>This is exactly why I've been investing time in <strong>NetDevOps</strong> — and today I want to show you how I solved the challenge above.</p> <h2> What is NetDevOps? </h2> <p>Before jumping into the implementation, let me share what NetDevOps means in practice (and why I think every cloud engineer should care).</p> <p>NetDevOps applies DevOps principles to network infrastructure. That's it. But the implications are massive:</p> <ul> <li>Networks <strong>declared as code</strong> — not clicked together in a console</li> <li>Connectivity <strong>tested before deployment</strong> — not validated after outages</li> <li>Changes <strong>reviewed as pull requests</strong> — not approved in 3-hour CAB meetings</li> <li>Configurations <strong>reproducible across environments</strong> — not buried in wiki pages that nobody updates</li> </ul> <p>In AWS terms? It means treating VPCs, security groups, VPC Lattice configs, and connectivity paths as <strong>first-class IaC artifacts</strong>. With real dependency management. With real tests. With real CI/CD.</p> <p>And the tool I keep reaching for to orchestrate all of this? <strong>Terragrunt + OpenTofu</strong>. The combination gives me layered dependencies, environment promotion, and DRY configurations without losing visibility into what's actually deployed.</p> <h2> My Approach to the Challenge </h2> <p>So how do we solve this mission? I evaluated the traditional options and rejected all of them:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Approach</th> <th>Why I Said No</th> </tr> </thead> <tbody> <tr> <td><strong>VPC Peering</strong></td> <td>Non-transitive, CIDR overlap risk, routing table management nightmare</td> </tr> <tr> <td><strong>Transit Gateway</strong></td> <td>Expensive at scale, shared blast radius, route table limits</td> </tr> <tr> <td><strong>PrivateLink + NLB</strong></td> <td>An NLB for <em>every</em> resource? Port management? No thanks.</td> </tr> <tr> <td><strong>Database replication</strong></td> <td>Double cost, consistency challenges, operational overhead</td> </tr> <tr> <td><strong>Public endpoint</strong></td> <td>🙈 Let's not even go there</td> </tr> </tbody> </table></div> <p>Then I remembered that AWS had released <strong>VPC Lattice Resource Configurations</strong> with ARN-based targeting. I'd been keeping an eye on it since re:Invent, and this was the perfect use case to test it.</p> <p>Spoiler: it worked beautifully. And when I combined it with <strong>VPC Reachability Analyzer</strong> for automated validation, I had a full NetDevOps pipeline for cross-account connectivity.</p> <h2> The Architecture </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6zcvq7whfoim8hp825ib.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6zcvq7whfoim8hp825ib.png" alt="DevSecOps-NetDevOps" width="799" height="366"></a></p> <p>This is what we're building. Three accounts, one region, zero internet exposure:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Account</th> <th>Role</th> <th>What Lives There</th> </tr> </thead> <tbody> <tr> <td> <strong>External Account</strong> (ours)</td> <td>Hosts the database + VPC Lattice</td> <td>VPC, Aurora PostgreSQL, Resource Gateway, Service Network, RAM Share</td> </tr> <tr> <td><strong>Network Account</strong></td> <td>Owns the Lattice mesh</td> <td>Service Network, Resource Configuration</td> </tr> <tr> <td> <strong>Workload Account</strong> (consumer)</td> <td>External org that needs DB access</td> <td>Applications connecting via VPC Lattice endpoint</td> </tr> </tbody> </table></div> <p>The key components:</p> <ol> <li> <strong>VPC Lattice Service Network</strong> — the connectivity mesh</li> <li> <strong>Resource Gateway</strong> — network path into our VPC (deployed in DB subnets)</li> <li> <strong>Resource Configuration (ARN-based)</strong> — points to the Aurora cluster by ARN</li> <li> <strong>RAM Resource Share</strong> — shares the Service Network cross-account</li> <li> <strong>VPC Reachability Analyzer</strong> — proves the path works <em>before</em> anyone complains</li> </ol> <h2> How I Organized the Code </h2> <p>I'm a firm believer in layered architecture for IaC. If you've read my previous posts on Terragrunt, you know I follow a DDD-inspired approach where each layer has clear boundaries and dependencies flow in one direction:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>stacks/ ├── foundation/ │ └── network/ │ ├── vpc/ # VPC + database subnets only │ └── security-groups/ # SGs for RDS, Lattice RGW, VPC association ├── platform/ │ ├── data/ │ │ └── rds/ # Aurora PostgreSQL cluster │ └── network/ │ └── vpc-lattice/ # Service Network + Resource Gateway + RAM └── observability/ └── network/ └── reachability-analyzer/ # Network path validation (the NetDevOps piece!) </code></pre> </div> <p><strong>Foundation → Platform → Observability</strong>. Never backwards. Dependencies are explicit in every <code>terragrunt.hcl</code>.</p> <p>Why does this matter? Because when someone changes a security group rule, I can immediately see which platform and observability stacks will be affected. No surprises.</p> <h2> Hands-On: Let's Build It </h2> <p>Alright, enough theory. Let's get our hands dirty. I'll walk you through each layer, explain my decisions, and show you the actual code running in this project.</p> <p><strong>Prerequisites:</strong></p> <ul> <li>OpenTofu or Terraform &gt;= 1.5</li> <li>Terragrunt &gt;= 0.98</li> <li>AWS CLI v2 configured with appropriate profiles</li> <li>An S3 bucket + DynamoDB table for remote state</li> </ul> <h2> Step 1: The VPC (Minimal Attack Surface) </h2> <p>Here's something I feel strongly about: if a VPC only hosts a database, it should <strong>only have database subnets</strong>. No public subnets. No internet gateway. No NAT. Nothing that doesn't need to be there.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># stacks/foundation/network/vpc/main.tf</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.6.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project}-${var.environment}-vpc"</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">azs</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zones</span> <span class="nx">database_subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">database_subnets</span> <span class="nx">create_database_subnet_group</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">create_database_subnet_route_table</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">create_igw</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">manage_default_security_group</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">default_security_group_ingress</span> <span class="p">=</span> <span class="p">[]</span> <span class="nx">default_security_group_egress</span> <span class="p">=</span> <span class="p">[]</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <p>I love this. Zero internet exposure by design. The default security group is locked down with empty rules. DNS is enabled because VPC Lattice needs it for resolution. That's it — nothing more, nothing less.</p> <h2> Step 2: Security Groups (This Is Where It Gets Interesting) </h2> <p>Most teams I work with define security groups with CIDR blocks. That works until subnets change, IP ranges shift, or someone adds a new AZ. I prefer <strong>security group references</strong> — they create a logical coupling that survives all those changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># stacks/foundation/network/security-groups/main.tf</span> <span class="c1"># RDS only accepts traffic from the Lattice Resource Gateway</span> <span class="nx">module</span> <span class="s2">"rds_sg"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/security-group/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.0.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project}-${var.environment}-rds"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for RDS Aurora cluster"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress_rules</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">postgresql_from_lattice</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow PostgreSQL from VPC Lattice resource gateway"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">ip_protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">referenced_security_group_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">lattice_resource_gateway_sg</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-${var.environment}-rds-sg"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Resource Gateway can only talk to RDS</span> <span class="nx">module</span> <span class="s2">"lattice_resource_gateway_sg"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/security-group/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"6.0.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project}-${var.environment}-lattice-rgw"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for VPC Lattice Resource Gateway"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">egress_rules</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">to_rds</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow PostgreSQL to RDS"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">ip_protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">referenced_security_group_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">rds_sg</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project}-${var.environment}-lattice-rgw-sg"</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>See what's happening here? The Resource Gateway can <strong>only</strong> reach RDS on port 5432. And RDS <strong>only</strong> accepts connections from the Resource Gateway. This is defense in depth — even if someone compromises the VPC, lateral movement is blocked by design.</p> <h2> Step 3: Aurora PostgreSQL </h2> <p>Nothing revolutionary here — I'm using the official <code>terraform-aws-modules/rds-aurora</code> module because it handles all the complexity of parameter groups, subnet groups, and monitoring configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># stacks/platform/data/rds/main.tf</span> <span class="nx">module</span> <span class="s2">"aurora"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/rds-aurora/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"10.2.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project}-${var.environment}-aurora"</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"aurora-postgresql"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">engine_version</span> <span class="nx">master_username</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">master_username</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_subnet_group_name</span> <span class="nx">create_security_group</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">rds_security_group_id</span><span class="p">]</span> <span class="nx">storage_encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">apply_immediately</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_monitoring_interval</span> <span class="p">=</span> <span class="mi">60</span> <span class="nx">instances</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instances</span> <span class="nx">backup_retention_period</span> <span class="p">=</span> <span class="mi">7</span> <span class="nx">deletion_protection</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">deletion_protection</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="err">!</span><span class="p">=</span> <span class="s2">"prod"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> <span class="c1"># -----------------------------------------------------------------------------</span> <span class="c1"># Discover the RDS writer ENI for downstream reachability analysis</span> <span class="c1"># This runs in the same stack where the cluster is created, so ENI always exists</span> <span class="c1"># -----------------------------------------------------------------------------</span> <span class="nx">data</span> <span class="s2">"aws_network_interfaces"</span> <span class="s2">"rds_writer"</span> <span class="p">{</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"group-id"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">rds_security_group_id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"status"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"in-use"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">aurora</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>The important detail: <code>create_security_group = false</code>. I pass in the security group from the foundation layer. This keeps ownership clear — the network team controls access rules, the data team controls database configuration.</p> <p>And here's how Terragrunt wires the dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># stacks/platform/data/rds/terragrunt.hcl</span> <span class="nx">dependency</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../../../foundation/network/vpc"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="s2">"vpc-mock-12345"</span> <span class="nx">database_subnet_group_name</span> <span class="p">=</span> <span class="s2">"mock-db-subnet-group"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"security_groups"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../../../foundation/network/security-groups"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">rds_security_group_id</span> <span class="p">=</span> <span class="s2">"sg-mock-rds"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> </code></pre> </div> <p>Those <code>mock_outputs</code> are critical — they let you run <code>terragrunt plan</code> on individual stacks without deploying everything first. Essential for fast feedback loops.</p> <h2> Step 4: VPC Lattice (Here's Where the Magic Happens) </h2> <p>OK, this is the part I'm most excited about. VPC Lattice with DNS-based Resource Configurations is genuinely elegant. Let me show you:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/vpc-lattice/main.tf</span> <span class="c1"># 1. Create the Service Network (the mesh)</span> <span class="nx">resource</span> <span class="s2">"aws_vpclattice_service_network"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_network_name</span> <span class="nx">auth_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_network_auth_type</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_network_name</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># 2. Associate our VPC to the mesh</span> <span class="nx">resource</span> <span class="s2">"aws_vpclattice_service_network_vpc_association"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">vpc_identifier</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">service_network_identifier</span> <span class="p">=</span> <span class="nx">aws_vpclattice_service_network</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_association_security_group_ids</span> <span class="p">}</span> <span class="c1"># 3. Deploy the Resource Gateway (network path into our VPC)</span> <span class="nx">resource</span> <span class="s2">"aws_vpclattice_resource_gateway"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_gateway_name</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_gateway_subnet_ids</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_gateway_security_group_ids</span> <span class="nx">ip_address_type</span> <span class="p">=</span> <span class="s2">"IPV4"</span> <span class="p">}</span> <span class="c1"># 4. Create the Resource Configuration — DNS + custom domain!</span> <span class="nx">resource</span> <span class="s2">"aws_vpclattice_resource_configuration"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_config_name</span> <span class="nx">resource_gateway_identifier</span> <span class="p">=</span> <span class="nx">aws_vpclattice_resource_gateway</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">custom_domain_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">custom_domain_name</span> <span class="nx">port_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"5432"</span><span class="p">]</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"TCP"</span> <span class="nx">resource_configuration_definition</span> <span class="p">{</span> <span class="nx">dns_resource</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_dns_name</span> <span class="c1"># Aurora cluster endpoint</span> <span class="nx">ip_address_type</span> <span class="p">=</span> <span class="s2">"IPV4"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># 5. Associate the resource to the service network</span> <span class="nx">resource</span> <span class="s2">"aws_vpclattice_service_network_resource_association"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">resource_configuration_identifier</span> <span class="p">=</span> <span class="nx">aws_vpclattice_resource_configuration</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_network_identifier</span> <span class="p">=</span> <span class="nx">aws_vpclattice_service_network</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>That's it. Five resources and you've exposed an RDS cluster to a service mesh with a <strong>custom private DNS name</strong> that consumers can use. No NLBs. No PrivateLink endpoints. No route tables.</p> <blockquote> <p>⚠️ <strong>Important lesson learned</strong>: VPC Lattice <code>custom_domain_name</code> is only supported on <strong>DNS-type</strong> and <strong>IP-type</strong> resource configurations — NOT on ARN-type. If you try <code>type = "ARN"</code> with <code>custom_domain_name</code>, the API returns <code>ValidationException: Unexpected attribute customDomainName for type ARN</code>. That's why we use <code>dns_resource</code> pointing to the Aurora cluster endpoint, which gives us the custom domain capability while still routing to the database correctly.</p> </blockquote> <p>The <code>custom_domain_name</code> is key here — instead of consumers connecting to an auto-generated Lattice DNS endpoint, they connect using something like <code>db.dev.internal.netdevops.com</code>. This makes migration transparent and application configs clean.</p> <h3> Cross-Account Sharing with RAM (and Resharing!) </h3> <p>In our architecture, we don't share directly with every consumer. Instead, we share the Service Network with a <strong>Network Account</strong> that acts as a hub — and that account reshares with downstream workload accounts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>External Account → Network Account (reshare enabled) → Workload Accounts </code></pre> </div> <p>The magic is in <code>allow_external_principals</code>. By enabling it, the Network Account can accept the share and propagate access to downstream consumers. AWS automatically assigns the appropriate VPC Lattice permission to the share:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_ram_resource_share"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ram_share_enabled</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ram_share_name</span> <span class="nx">allow_external_principals</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_ram_resource_association"</span> <span class="s2">"service_network"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ram_share_enabled</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">resource_arn</span> <span class="p">=</span> <span class="nx">aws_vpclattice_service_network</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">resource_share_arn</span> <span class="p">=</span> <span class="nx">aws_ram_resource_share</span><span class="p">.</span><span class="nx">this</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_ram_principal_association"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ram_share_enabled</span> <span class="err">?</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">ram_external_principals</span><span class="p">)</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">principal</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ram_external_principals</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">resource_share_arn</span> <span class="p">=</span> <span class="nx">aws_ram_resource_share</span><span class="p">.</span><span class="nx">this</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>⚠️ <strong>Gotcha</strong>: You might find blog posts suggesting you pass <code>permission_arns</code> with an <code>AllowReshare</code> ARN to enable resharing. In practice, this can fail with <code>InvalidParameterException</code> depending on your region/account. Let AWS assign the default permission automatically — it handles the reshare capability through the RAM console or API when the Network Account accepts and reshares.</p> </blockquote> <p>Why this pattern? Because in enterprise organizations, the team that owns the database shouldn't need to know <em>who</em> is consuming it. That's the Network Account's job — they control the mesh, they approve consumers, they manage the blast radius. Separation of concerns applied to network sharing.</p> <h2> Step 5: Network Testing as Code (My Favorite Part) </h2> <p>Here's where <strong>NetDevOps</strong> really comes together. Most teams deploy network infrastructure and then... hope it works. Maybe someone runs a <code>telnet</code> from an EC2 instance to check connectivity. Maybe they wait for an application error.</p> <p>I wanted something better. I wanted a <strong>test</strong> that runs as part of the infrastructure deployment and tells me: "yes, traffic can flow from the Resource Gateway to RDS on port 5432."</p> <p>Enter VPC Reachability Analyzer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/reachability-analyzer/main.tf</span> <span class="c1"># Define the path we want to test</span> <span class="nx">resource</span> <span class="s2">"aws_ec2_network_insights_path"</span> <span class="s2">"lattice_to_rds"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enabled</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">source</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">resource_gateway_eni_id</span> <span class="nx">destination</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">rds_endpoint_network_interface_id</span> <span class="nx">destination_port</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">destination_port</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-lattice-to-rds"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Run the analysis</span> <span class="nx">resource</span> <span class="s2">"aws_ec2_network_insights_analysis"</span> <span class="s2">"lattice_to_rds"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enabled</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">network_insights_path_id</span> <span class="p">=</span> <span class="nx">aws_ec2_network_insights_path</span><span class="p">.</span><span class="nx">lattice_to_rds</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="nx">wait_for_completion</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.name_prefix}-lattice-to-rds-analysis"</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Notice the <code>var.enabled</code> guard. This is critical — the Reachability Analyzer requires <strong>real ENI IDs</strong> (not mocks). On first deployment, the upstream stacks (RDS, VPC Lattice) may not have provisioned their ENIs yet. The <code>enabled</code> flag skips creation when ENIs are null, preventing the <code>InvalidParameterValue: eni-mock-xxx is not a supported Source type</code> error you'd otherwise get. On the second apply, real ENI IDs flow through and the analysis runs.</p> <ul> <li>The <strong>RDS stack</strong> discovers its own writer ENI and outputs <code>rds_writer_eni_id</code> </li> <li>The <strong>VPC Lattice stack</strong> discovers its Resource Gateway ENI and outputs <code>resource_gateway_eni_id</code> </li> <li>The <strong>Reachability Analyzer</strong> receives both as inputs</li> </ul> <p>This enables <strong>one-shot layer-by-layer deployment</strong>. During <code>terragrunt plan</code>, Terragrunt provides mock ENI values so the plan succeeds without deployed resources. During <code>apply</code>, real ENI IDs flow through the dependency chain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># stacks/observability/network/reachability-analyzer/terragrunt.hcl</span> <span class="nx">dependency</span> <span class="s2">"rds"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../../../platform/data/rds"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">rds_writer_eni_id</span> <span class="p">=</span> <span class="s2">"eni-mock-rds-writer"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"vpc_lattice"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"../../../platform/network/vpc-lattice"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">resource_gateway_eni_id</span> <span class="p">=</span> <span class="s2">"eni-mock-lattice-rgw"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">resource_gateway_eni_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc_lattice</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">resource_gateway_eni_id</span> <span class="nx">rds_writer_eni_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">rds</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">rds_writer_eni_id</span> <span class="p">}</span> </code></pre> </div> <p>This is the network equivalent of a unit test. The output tells me:</p> <ul> <li>✅ <code>path_found = true</code> → Network path is confirmed, all good</li> <li>❌ <code>path_found = false</code> + <code>explanations</code> → Exactly <em>which</em> component is blocking traffic</li> </ul> <p>And because it's a Terraform resource, if someone changes a security group rule or modifies a NACL, the next <code>terragrunt apply</code> will re-run the analysis and catch the regression. <strong>Automated network regression testing</strong>. That's NetDevOps.</p> <h2> 🔄 Terragrunt Orchestration </h2> <p>The entire stack deploys with dependency resolution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy everything in dependency order</span> <span class="nb">export </span><span class="nv">TF_WORKSPACE</span><span class="o">=</span>dev terragrunt run <span class="nt">--all</span> apply </code></pre> </div> <p>Terragrunt resolves this graph automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>foundation/network/vpc ↓ foundation/network/security-groups ↓ platform/data/rds ←→ platform/network/vpc-lattice ↓ observability/network/reachability-analyzer </code></pre> </div> <p>And environment-specific values live in tfvars files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/dev/foundations.tfvars</span> <span class="nx">vpc_cidr</span> <span class="err">=</span> <span class="s2">"10.100.0.0/16"</span> <span class="nx">availability_zones</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"us-east-1a"</span><span class="p">,</span> <span class="s2">"us-east-1b"</span><span class="p">]</span> <span class="nx">database_subnets</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"10.100.21.0/24"</span><span class="p">,</span> <span class="s2">"10.100.22.0/24"</span><span class="p">]</span> <span class="c1"># environments/dev/platform.tfvars</span> <span class="nx">engine_version</span> <span class="err">=</span> <span class="s2">"16.6"</span> <span class="nx">instance_class</span> <span class="err">=</span> <span class="s2">"db.t4g.medium"</span> <span class="nx">instances</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">writer</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.t4g.medium"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">service_network_name</span> <span class="err">=</span> <span class="s2">"netdevops-external-dev"</span> <span class="nx">resource_gateway_name</span> <span class="err">=</span> <span class="s2">"netdevops-rds-rgw-dev"</span> <span class="nx">resource_config_name</span> <span class="err">=</span> <span class="s2">"netdevops-rds-config-dev"</span> <span class="nx">custom_domain_name</span> <span class="err">=</span> <span class="s2">"db.dev.internal.netdevops.com"</span> <span class="nx">ram_share_name</span> <span class="err">=</span> <span class="s2">"netdevops-rds-share-dev"</span> <span class="nx">ram_external_principals</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"123456789012"</span><span class="p">]</span> <span class="c1"># Network Account ID</span> <span class="c1"># environments/prd/platform.tfvars (for comparison)</span> <span class="nx">instance_class</span> <span class="err">=</span> <span class="s2">"db.r6g.xlarge"</span> <span class="nx">instances</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">writer</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.r6g.xlarge"</span> <span class="p">}</span> <span class="nx">reader</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.r6g.xlarge"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Same code, different values. Dev → QA → Prod. That's the beauty of this approach.</p> <p>So finally, I have the results:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo0jt6oiqjq2738ecgall.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo0jt6oiqjq2738ecgall.png" alt="VPC Lattice " width="799" height="369"></a></p> <p>Here we can find the service network and resource configuration association, pay attention to the Shareable option.</p> <p>For other hand the reach ability analyzer succeeded.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F28l1dyin2d48w176c066.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F28l1dyin2d48w176c066.png" alt="NetDevops Reachability Analyzer" width="800" height="440"></a></p> <p>And the RAM interface with the resource shared with network external account.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1w05wad5y0elc64g4xf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1w05wad5y0elc64g4xf.png" alt="NetDevops RAM resource shared" width="800" height="387"></a></p> <h2> The Security Model </h2> <p>I want to call out the defense-in-depth approach because it's not accidental:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td><strong>VPC</strong></td> <td>No internet gateway, database-only subnets, zero public exposure</td> </tr> <tr> <td><strong>Security Groups</strong></td> <td>SG-to-SG references, only port 5432, minimum privilege</td> </tr> <tr> <td><strong>VPC Lattice</strong></td> <td>Auth type configurable (NONE for now, IAM for production)</td> </tr> <tr> <td><strong>RAM</strong></td> <td>Explicit principal sharing, requires acceptance from consumer</td> </tr> <tr> <td><strong>Encryption</strong></td> <td>Storage encrypted at rest, TLS in transit</td> </tr> <tr> <td><strong>Reachability Analyzer</strong></td> <td>Proves the path works — and <em>only</em> the intended path</td> </tr> </tbody> </table></div> <p>No single layer is the "security layer." They all contribute. If any one fails, the others still protect you.</p> <h2> How the Consumer Connects </h2> <p>From the consumer's perspective (the Workload Account), it's beautifully simple:</p> <ol> <li>The <strong>Network Account</strong> accepts the RAM share from the External Account</li> <li>The Network Account reshares the Service Network with the Workload Account</li> <li>The Workload Account associates their VPC to the shared Service Network</li> <li>Connect to the database using the <strong>custom private DNS name</strong> — standard PostgreSQL client </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>App (Private subnet) → VPC Lattice (custom DNS: db.internal.example.com) → Resource Gateway → RDS </code></pre> </div> <p>No routes to manage. No IPs to hardcode. No peering to maintain. The application connects to <code>db.internal.example.com</code> and doesn't even know it's crossing account boundaries. If you later migrate the database or change the underlying infrastructure, the consumer's connection string stays the same.</p> <h2> What I Learned </h2> <p>Building this out reinforced a few things for me:</p> <p><strong>1. VPC Lattice Resource Configurations are a game-changer.</strong> ARN-based targeting means you don't need to think about IPs, ports, or DNS records. You point to what you want to share, and Lattice figures out the rest.</p> <p><strong>2. Reachability Analyzer as IaC is underrated.</strong> I haven't seen many teams doing this, but it should be standard practice. If you can test your application code, you should test your network paths.</p> <p><strong>3. Layered architecture pays off.</strong> Yes, it's more files to manage. But when something breaks at 2 AM, you know exactly which layer to look at and which dependencies might be affected.</p> <p><strong>4. RAM sharing is cleaner than I expected.</strong> No network-level coupling between VPCs. The consumer doesn't need to know our CIDR ranges, our subnet layout, or our internal architecture. They just connect.</p> <p><strong>5. Security groups &gt; CIDRs.</strong> Always. Security group references are the "zero trust" of VPC networking — they express intent, not implementation.</p> <h2> Cost and the Path to a "Networkless" World </h2> <p><strong>This approach is significantly cheaper than Transit Gateway at scale</strong>.</p> <p>Let me break it down. With Transit Gateway, you pay:</p> <ul> <li>$0.05 per GB of data processed</li> <li>$0.05 per hour per VPC attachment</li> <li>Those costs multiply with every cross-account connection</li> </ul> <p>With VPC Lattice, the model is different — you pay per request and per GB processed through the service network, but there's <strong>no per-attachment hourly cost</strong>. For database workloads with steady-state connections and moderate throughput, the savings are real.</p> <p>But the bigger insight is architectural. VPC Lattice represents a shift toward what I call <strong>the networkless world</strong> — a modernization path where:</p> <ul> <li>You stop thinking about <strong>routes</strong> and start thinking about <strong>resources</strong> </li> <li>You stop managing <strong>IP connectivity</strong> and start managing <strong>access policies</strong> </li> <li>You stop building <strong>network plumbing</strong> and start declaring <strong>what talks to what</strong> </li> </ul> <p>This is the same evolution we saw from physical servers → VMs → containers → serverless. Now it's happening to networking: Transit Gateway (classic hub-and-spoke) → VPC Lattice (service mesh with resource-level targeting).</p> <p>For organizations still running Transit Gateway architectures, VPC Lattice Resource Configurations offer a gradual migration path. You don't need to rip-and-replace — you can introduce Lattice for new cross-account patterns while TGW continues serving existing flows. Over time, as more services move to Lattice, the TGW footprint (and cost) shrinks naturally.</p> <h2> 🔮 What's Next: The Deep Traffic Inspection Challenge </h2> <p>I'm already working on Part 2, which will cover the <strong>consumer side</strong> — accepting the RAM share and connecting from ECS tasks and Lambda, plus IAM authentication for zero-trust at the application layer.</p> <p>But there's a bigger question I want to explore — and it's a hard one:</p> <blockquote> <p><strong>How do you implement deep traffic inspection with VPC Lattice?</strong></p> </blockquote> <p>In many <strong>financial organizations</strong>, regulatory compliance requires that all east-west traffic passes through a Network Firewall or third-party inspection appliance. Think PCI-DSS, SOX, or local financial regulations that mandate packet-level inspection for database access.</p> <p>With Transit Gateway, the pattern is well-established: route traffic through an inspection VPC with AWS Network Firewall or a Palo Alto/Fortinet appliance. But with VPC Lattice, the traffic path is abstracted — you don't control the routing in the same way.</p> <p>So the challenge for Part 3 becomes:</p> <p>🎯 <em>How do you satisfy deep packet inspection requirements in a VPC Lattice architecture? Can you combine Lattice with Network Firewall? Do you need a hybrid approach where Lattice handles service-to-service but TGW remains for inspected flows? Or does VPC Lattice's auth + encryption model satisfy the compliance intent without inspection?</em></p> <p>This is the frontier of NetDevOps in regulated industries. And honestly, I don't think there's a single right answer yet — it depends on the specific regulatory framework and the organization's risk appetite.</p> <p>If you're working in financial services or healthcare and have solved this, I'd <em>really</em> love to hear your approach in the comments.</p> <p>If you want to dig into the code, the full project is structured as a reusable scaffold that you can adapt to your own cross-account patterns.</p> <p>👇👇👇👇</p> <h2> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/velez94" rel="noopener noreferrer"> velez94 </a> / <a href="https://github.com/velez94/tofu-aws-netdevops-rds-external" rel="noopener noreferrer"> tofu-aws-netdevops-rds-external </a> </h2> <h3> Template project to show how to use vpc lattice and cross account access with RAM and Databases in AWS </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"><div class="markdown-heading"> <h1 class="heading-element">NetDevOps External - AWS Infrastructure with VPC Lattice</h1> </div> <p>Cross-account network connectivity infrastructure using AWS VPC Lattice, Aurora PostgreSQL, and Reachability Analyzer — managed with OpenTofu and Terragrunt.</p> <div class="markdown-heading"> <h2 class="heading-element">Architecture</h2> </div> <p>This project implements a <strong>Network Account</strong> (hub) pattern for cross-account connectivity. An external AWS account shares its service via RAM to this Network Account, which then reshares it to internal workload accounts using VPC Lattice — no VPC peering or Transit Gateway required.</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code>┌─────────────────────────────────────────────────────────────────┐ │ External AWS Account (Provider) │ │ │ │ Aurora PostgreSQL ──► RAM Share (Service Network) ─────────┐ │ └─────────────────────────────────────────────────────────────┼───┘ │ ┌─────────────────────────────────────────────────────────────▼───┐ │ This Account — Network Account (Hub) │ │ │ │ VPC Lattice Service Network (received via RAM) │ │ │ │ │ ├── Resource Gateway ──► Resource Configuration │ │ │ (connects to external Aurora on port 5432) │ │ │ │ │ └── RAM Re-share ──► Workload Accounts │ │ │ │ Reachability Analyzer validates</code></pre>…</div></div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/velez94/tofu-aws-netdevops-rds-external" rel="noopener noreferrer">View on GitHub</a></div> </div> </h2> <h2> 📚 Resources </h2> <ul> <li><a href="https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-configuration.html" rel="noopener noreferrer">AWS VPC Lattice Resource Configurations</a></li> <li><a href="https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest" rel="noopener noreferrer">terraform-aws-modules/vpc</a></li> <li><a href="https://registry.terraform.io/modules/terraform-aws-modules/rds-aurora/aws/latest" rel="noopener noreferrer">terraform-aws-modules/rds-aurora</a></li> <li><a href="https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html" rel="noopener noreferrer">VPC Reachability Analyzer</a></li> <li><a href="https://docs.aws.amazon.com/ram/latest/userguide/what-is.html" rel="noopener noreferrer">AWS RAM Resource Sharing</a></li> </ul> <p>If you made it this far — thanks for reading! 🙌 I'd love to hear if you're using VPC Lattice in production, or if you have other patterns for cross-account connectivity. Drop a comment below!</p> <p>Happy building! 🚀</p> <blockquote> <p><em>The opinions expressed in this post are my own and do not necessarily reflect those of my employer or AWS.</em></p> </blockquote> <p>✨ <strong><em>Alejandro Velez, Platform Engineering Latam Lead @ GFT | AWS Ambassador</em></strong></p> aws netdevops devsecops iac Alejandro Velez Mon, 01 Jun 2026 15:03:46 +0000 https://dev.to/aws-builders/automating-aws-well-architected-reviews-with-kiro-cli-2cme https://dev.to/aws-builders/automating-aws-well-architected-reviews-with-kiro-cli-2cme <p><strong><em>Level 300</em></strong></p> <p>As cloud architects and consultants, we've all been there: conducting Well-Architected Framework Reviews (WAFR) that take weeks of manual effort—collecting data, interviewing stakeholders, cross-referencing AWS documentation, and producing reports that often arrive too late to drive meaningful change. The community has responded with great tools: <a href="https://ekhiyami.github.io/wa-gen-ai/" rel="noopener noreferrer">WA-Gen-AI</a> analyzes IaC templates against best practices in minutes, the <a href="https://github.com/aws-samples/well-architected-iac-analyzer" rel="noopener noreferrer">Well-Architected IaC Analyzer</a> brings that to production scale, and the <a href="https://catalog.workshops.aws/wellarchitected-genai/en-US" rel="noopener noreferrer">WA GenAI Workshop</a> teaches prompt engineering patterns for reviews.</p> <p>But after leading multiple WAFR engagements for financial services clients at GFT, I noticed a gap these tools don't cover: <strong>what happens when what clients <em>claim</em> in the <a href="https://aws.amazon.com/well-architected-tool/" rel="noopener noreferrer">WA Tool</a> doesn't match what's <em>actually running</em> in their accounts?</strong> And how do you scale that verification across 6 pillars, multiple clients, and regulatory frameworks like DORA—without rebuilding the wheel every time?</p> <p>The answer came from combining <strong>specialized AI agents</strong> with Kiro CLI's native subagent orchestration, <strong>automated gap analysis</strong> that cross-references claims with live account data, and a <strong>reusable scaffold</strong> that any consultant can clone and configure in minutes.</p> <p>You're invited to explore how I built this approach—standing on the shoulders of existing tools while adding the verification and multi-client acceleration layer that was missing.</p> <h2> The Problem: Manual Assessments Don't Scale </h2> <p>Traditional WAFR assessments follow a predictable pattern:</p> <ol> <li>Schedule workshops with multiple teams (2-3 weeks of calendar time)</li> <li>Walk through 50+ questions per pillar manually</li> <li>Trust that answers reflect reality (spoiler: they often don't)</li> <li>Produce a report that's outdated by the time it's delivered</li> <li>Repeat everything for the next client from scratch</li> </ol> <p>Yes, the <a href="https://docs.aws.amazon.com/wellarchitected/latest/userguide/lenses-custom.html" rel="noopener noreferrer">WA Tool supports custom lenses</a>—you can upload your own compliance frameworks (DORA, SOX, internal standards) and evaluate workloads against them. This is powerful for structuring the <em>questions</em>. But the fundamental issue remains: <strong>the answers are self-reported</strong>. Custom lenses tell you <em>what to ask</em>, not whether the answers are true.</p> <blockquote> <p>For regulated industries like banking (DORA, SOX compliance), this gap between stated practices and actual implementation goes undetected until an audit finds them—regardless of how well-crafted your custom lens is.</p> </blockquote> <h2> The Ecosystem: Tools That Accelerate WAFR Today </h2> <p>Before building this scaffold, I evaluated the existing tools. Each solves a piece of the puzzle:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>What It Does</th> <th>Strength</th> </tr> </thead> <tbody> <tr> <td> <a href="https://ekhiyami.github.io/wa-gen-ai/" rel="noopener noreferrer"><strong>WA-Gen-AI</strong></a> / <a href="https://github.com/aws-samples/well-architected-iac-analyzer" rel="noopener noreferrer"><strong>IaC Analyzer</strong></a> </td> <td>Analyzes CloudFormation/Terraform templates against WA best practices using Bedrock</td> <td>Answers ~50% of WA questions from IaC alone. Showcased at re:Invent 2024 with Commonwealth Bank</td> </tr> <tr> <td><a href="https://aws.amazon.com/well-architected-tool/" rel="noopener noreferrer"><strong>AWS Well-Architected Tool</strong></a></td> <td>Native console for structured reviews—questionnaires, milestones, improvement plans</td> <td>Source of truth for formal WA reviews, custom lens support, Trusted Advisor integration</td> </tr> <tr> <td><a href="https://catalog.workshops.aws/wellarchitected-genai/en-US" rel="noopener noreferrer"><strong>WA GenAI Workshop</strong></a></td> <td>AWS workshop on applying GenAI to accelerate reviews</td> <td>Prompt engineering patterns, Bedrock integration</td> </tr> </tbody> </table></div> <p>These are excellent—and <strong>complementary to what we're building</strong>. Here's the gap:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Capability</th> <th>WA-Gen-AI / IaC Analyzer</th> <th>WA Tool</th> <th>This Scaffold</th> </tr> </thead> <tbody> <tr> <td>IaC template analysis</td> <td>✅</td> <td>❌</td> <td>✅ (via MCP)</td> </tr> <tr> <td>Structured questionnaire</td> <td>❌</td> <td>✅</td> <td>✅ (agent prompts)</td> </tr> <tr> <td><strong>Live account verification</strong></td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td><strong>Gap analysis (claims vs. reality)</strong></td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td><strong>Trusted Advisor correlation</strong></td> <td>❌</td> <td>✅ (native)</td> <td>✅ (three-way validation)</td> </tr> <tr> <td><strong>Multi-client isolation</strong></td> <td>❌</td> <td>Per-workload</td> <td>✅</td> </tr> <tr> <td><strong>Parallel pillar execution</strong></td> <td>❌</td> <td>Manual</td> <td>✅ (subagents)</td> </tr> <tr> <td><strong>Compliance frameworks (DORA/SOX)</strong></td> <td>❌</td> <td>Custom lenses</td> <td>✅ (built-in)</td> </tr> <tr> <td><strong>Reusable scaffold/template</strong></td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Consultant workflow</td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> </tbody> </table></div> <blockquote> <p><strong>WA-Gen-AI analyzes what you <em>intend</em> to deploy (IaC). Our scaffold verifies what's <em>actually running</em> and compares it with what you <em>claimed</em> in the WA Tool.</strong> Together, they cover the full spectrum—design-time analysis AND runtime verification.</p> </blockquote> <p>The ideal combined workflow:</p> <ol> <li> <strong>WA-Gen-AI</strong> → Analyze IaC templates before deployment (shift-left)</li> <li> <strong>WA Tool</strong> → Conduct formal review with structured questionnaires and custom lenses</li> <li> <strong>This Scaffold</strong> → Verify claims against live accounts, correlate with Trusted Advisor, run parallel pillar assessments, produce evidence-based reports</li> </ol> <h2> The Solution: WAFR Assessment Scaffold </h2> <p>I created a <strong>scaffold project</strong> that provides the complete structure, AI agent configurations, and automation tooling to conduct comprehensive WAFR assessments. Think of it as a "quick start" for any new assessment engagement—clone it, configure it for your client, and let the agents do the heavy lifting.</p> <h3> Architecture Overview </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwv1vg6bj7hh1s4lgvzgm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwv1vg6bj7hh1s4lgvzgm.png" alt="WAFR Assessment Scaffold Architecture" width="800" height="1159"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>well-architected-assessment-scaffold/ ├── .kiro/ │ ├── agents/ # 7 specialized AI agents (one per pillar + general) │ ├── prompts/ # Deep knowledge prompts for each assessment domain │ └── steering/ # Project context (product, tech, structure) ├── clients/ │ └── {client-name}/ # Isolated client environments │ ├── inputs/ # Client documentation &amp; architecture │ ├── data/ # Automated collection results │ ├── config/ # Client-specific settings │ └── outputs/ # Generated reports &amp; dashboards ├── tools/ │ └── kiro-extensions/ # Utilities and helpers ├── config/ │ └── assessment/ │ └── pillars.yaml # Pillar weights &amp; priorities └── docs/ # Methodology, compliance, guidelines </code></pre> </div> <p>The key design principle is <strong>client isolation with shared intelligence</strong>—every client gets their own data space, but all assessments leverage the same expert agents and proven methodology.</p> <h2> Prerequisites: AWS CLI Profile Configuration </h2> <p>Before running any assessment, you need a configured AWS CLI profile with read-only access to the target account. There are two ways to tell agents which profile to use:</p> <h3> Option 1: Specify in the prompt (recommended) </h3> <p>The simplest approach — tell the agent which profile to use when you invoke it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kiro-cli chat <span class="nt">--agent</span> aws-wafr-expert <span class="s2">"Conduct a full WAFR assessment for acme-corp. </span><span class="se">\</span><span class="s2"> Use AWS profile 'acme-corp-readonly' for all AWS operations. </span><span class="se">\</span><span class="s2"> Region: us-east-1."</span> </code></pre> </div> <p>The <code>aws</code> tool accepts a <code>profile_name</code> parameter on every call, so the agent will use it for all AWS CLI interactions throughout the session.</p> <h3> Option 2: Set in MCP server environment </h3> <p>For MCP servers that connect directly to AWS (CloudWatch, IAM, etc.), set the profile in the agent config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"env"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS_PROFILE"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acme-corp-readonly"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_REGION"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Client profile documentation </h3> <p>The scaffold provides a location to document each client's AWS access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="err">clients/acme-corp/config/aws/</span> <span class="err">└──</span> <span class="err">profiles.ini</span> <span class="c"># Client AWS profile name, role ARN, region </span></code></pre> </div> <h3> Minimum IAM permissions required </h3> <p>The assessment role needs read-only access:</p> <ul> <li> <code>ReadOnlyAccess</code> managed policy (broad coverage)</li> <li> <code>support:DescribeTrustedAdvisor*</code> (Trusted Advisor — requires Business Support)</li> <li> <code>wellarchitected:Get*</code>, <code>wellarchitected:List*</code> (WA Tool API)</li> <li> <code>ce:GetCost*</code>, <code>ce:GetDimensionValues</code>, <code>ce:GetTags</code> (Cost Explorer)</li> </ul> <blockquote> <p><strong>Security note</strong>: Never use admin credentials for assessments. Create a dedicated read-only role. The agents only need to <em>read</em> account state, not modify it.</p> </blockquote> <h2> Hands On </h2> <blockquote> <p>Let's get into the code. 👽</p> </blockquote> <h3> Setting Up the Scaffold </h3> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/velez94" rel="noopener noreferrer"> velez94 </a> / <a href="https://github.com/velez94/aws_well_architected_assement_scaffold" rel="noopener noreferrer"> aws_well_architected_assement_scaffold </a> </h2> <h3> Well Architected Assement Scaffold Project with AI and Human on the loop </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"><div class="markdown-heading"> <h1 class="heading-element">Well-Architected Assessment Scaffold</h1> </div> <p>This is a scaffold/template project for AWS Well-Architected Framework Reviews (WAFR). It contains the essential Kiro AI configuration and a sample client structure to help you quickly start new assessment projects.</p> <div class="markdown-heading"> <h2 class="heading-element">What's Included</h2> </div> <div class="markdown-heading"> <h3 class="heading-element"> <code>.kiro/</code> - Kiro AI Configuration</h3> </div> <p>Contains all the AI agent configurations and prompts for conducting Well-Architected assessments:</p> <ul> <li> <p><strong>agents/</strong> - Specialized AI agents for each pillar:</p> <ul> <li> <code>aws-wafr-expert.json</code> - General WAFR expert</li> <li> <code>aws-cost-exp.json</code> - Cost Optimization pillar</li> <li> <code>aws-security-expert.json</code> - Security pillar</li> <li> <code>aws-reliability-expert.json</code> - Reliability pillar</li> <li> <code>aws-performance-expert.json</code> - Performance Efficiency pillar</li> <li> <code>aws-opex-expert.json</code> - Operational Excellence pillar</li> <li> <code>aws-sustainability-expert.json</code> - Sustainability pillar</li> </ul> </li> <li> <p><strong>prompts/</strong> - Review prompts for each pillar:</p> <ul> <li><code>general-wafr-review.md</code></li> <li><code>cost-optimization-review.md</code></li> <li><code>security-pillar-review.md</code></li> <li><code>reliability-pillar-review.md</code></li> <li><code>performance-pillar-review.md</code></li> <li><code>operational-excellence-review.md</code></li> <li><code>sustainability-pillar-review.md</code></li> </ul> </li> <li> <p><strong>steering/</strong> - Project guidance documents:</p> <ul> <li> <code>product.md</code> - Product requirements</li> <li> <code>structure.md</code> - Project structure guidelines</li> <li> <code>tech.md</code> - Technical specifications</li> </ul> </li> </ul> <div class="markdown-heading"> <h3 class="heading-element"> <code>config/</code> - Project Configuration</h3> </div> <ul> <li> <strong>assessment/</strong> - Assessment configuration files: <ul> <li> <code>pillars.yaml</code> - Well-Architected pillar definitions</li> </ul> </li> </ul> <div class="markdown-heading"> <h3 class="heading-element"> <code>docs/</code> - Documentation</h3> </div> <p>Comprehensive documentation for the assessment framework:</p> <ul> <li> <p><strong>wafr/</strong> -…</p> </li> </ul></div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/velez94/aws_well_architected_assement_scaffold" rel="noopener noreferrer">View on GitHub</a></div> </div> <br> Start by cloning and configuring for your client:<br> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/velez94/aws_well_architected_assement_scaffold.git my-client-assessment <span class="nb">cd </span>my-client-assessment <span class="nb">mv </span>clients/acme-retail clients/acme-corp </code></pre> </div> <h3> The Agent Architecture </h3> <p>Each WAFR pillar has a dedicated Kiro CLI agent with specialized knowledge and MCP integrations. Here's the security expert configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws-security-expert"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AWS WAFR Security Pillar Expert"</span><span class="p">,</span><span class="w"> </span><span class="nl">"prompt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"file://../prompts/security-pillar-review.md"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"write"</span><span class="p">,</span><span class="w"> </span><span class="s2">"shell"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws"</span><span class="p">],</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws-documentation"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uvx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"awslabs.aws-documentation-mcp-server@latest"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"iam"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uvx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"awslabs.iam-mcp-server@latest"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"well-architected-security"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uvx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"awslabs.well-architected-security-mcp-server@latest"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"cloudwatch"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uvx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"awslabs.cloudwatch-mcp-server@latest"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p>Each agent connects to specific AWS MCP servers that give it real-time access to documentation, IAM analysis, security findings, and monitoring data—no hallucinations, just facts.</p> </blockquote> <p>The full agent roster:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Agent</th> <th>Pillar</th> <th>Weight</th> <th>MCP Integrations</th> </tr> </thead> <tbody> <tr> <td><code>aws-security-expert</code></td> <td>Security</td> <td>25%</td> <td>IAM, WA Security, CloudWatch, Docs</td> </tr> <tr> <td><code>aws-reliability-expert</code></td> <td>Reliability</td> <td>20%</td> <td>AWS Support (Trusted Advisor), CloudWatch, Docs</td> </tr> <tr> <td><code>aws-cost-exp</code></td> <td>Cost Optimization</td> <td>20%</td> <td>Billing &amp; Cost Management, Docs</td> </tr> <tr> <td><code>aws-performance-expert</code></td> <td>Performance</td> <td>15%</td> <td>CloudWatch, Docs</td> </tr> <tr> <td><code>aws-opex-expert</code></td> <td>Operational Excellence</td> <td>15%</td> <td>CloudTrail, CloudWatch, Docs</td> </tr> <tr> <td><code>aws-sustainability-expert</code></td> <td>Sustainability</td> <td>5%</td> <td>Billing &amp; Cost Management, CloudWatch, Docs</td> </tr> <tr> <td><code>aws-wafr-expert</code></td> <td>General/Orchestration</td> <td>—</td> <td>All of the above + AWS Support, CloudTrail</td> </tr> </tbody> </table></div> <h3> Native Orchestration with Kiro Subagents </h3> <p>Here's where Kiro CLI shines. The built-in subagent system provides DAG-based pipeline execution with parallel stages, dependencies, and consolidated results. Each pillar agent runs as an independent stage, and a final consolidation stage merges everything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># All 6 pillar assessments run IN PARALLEL, then consolidate</span> kiro-cli chat <span class="nt">--agent</span> aws-wafr-expert <span class="s2">"Conduct a full WAFR assessment for acme-corp across all pillars. Use the client inputs in clients/acme-corp/inputs/ and cross-reference with actual AWS account findings. Produce a consolidated report with gap analysis, risk ratings, and prioritized remediation roadmap."</span> </code></pre> </div> <p>Under the hood, Kiro's subagent pipeline coordinates this as a DAG:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzulxifpxrdot2uowvsd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvzulxifpxrdot2uowvsd.png" alt="Kiro Subagent Orchestration - Parallel Pillar Execution" width="800" height="491"></a></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Stage</th> <th>Agent</th> <th>Execution</th> </tr> </thead> <tbody> <tr> <td>Security assessment</td> <td><code>aws-security-expert</code></td> <td>Parallel</td> </tr> <tr> <td>Reliability assessment</td> <td><code>aws-reliability-expert</code></td> <td>Parallel</td> </tr> <tr> <td>Cost assessment</td> <td><code>aws-cost-exp</code></td> <td>Parallel</td> </tr> <tr> <td>Performance assessment</td> <td><code>aws-performance-expert</code></td> <td>Parallel</td> </tr> <tr> <td>Operational Excellence</td> <td><code>aws-opex-expert</code></td> <td>Parallel</td> </tr> <tr> <td>Sustainability</td> <td><code>aws-sustainability-expert</code></td> <td>Parallel</td> </tr> <tr> <td><strong>Consolidation</strong></td> <td><code>aws-wafr-expert</code></td> <td>After all above</td> </tr> </tbody> </table></div> <p><strong>Why this matters</strong>: Traditional approaches require you to build and maintain orchestration code, handle failures, manage state, and coordinate outputs. With Kiro subagents, the infrastructure <em>is</em> the orchestrator. You focus on the assessment logic in your prompts and agent configurations, not on plumbing.</p> <h3> How Subagents Get Triggered </h3> <p>You don't need to manually define the pipeline in your prompt. The <code>aws-wafr-expert</code> agent has access to the <code>subagent</code> tool and understands from its prompt (the 4-phase methodology) that multi-pillar assessments should be delegated. When you give it a task like "assess all 6 pillars," it internally constructs the DAG:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"task"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Full WAFR assessment for acme-corp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"stages"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"security"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws-security-expert"</span><span class="p">,</span><span class="w"> </span><span class="nl">"prompt_template"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Conduct security pillar assessment for {task}"</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"reliability"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws-reliability-expert"</span><span class="p">,</span><span class="w"> </span><span class="nl">"prompt_template"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Conduct reliability pillar assessment for {task}"</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cost"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws-cost-exp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"prompt_template"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Conduct cost optimization assessment for {task}"</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"consolidation"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws-wafr-expert"</span><span class="p">,</span><span class="w"> </span><span class="nl">"prompt_template"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Consolidate all findings into unified report for {task}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"depends_on"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"security"</span><span class="p">,</span><span class="w"> </span><span class="s2">"reliability"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cost"</span><span class="p">]}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each subagent:</p> <ul> <li>Loads its <strong>own agent config</strong> (own MCP servers, own tools, own prompt)</li> <li>Runs in an <strong>isolated session</strong> (no cross-contamination between pillars)</li> <li>Reports results back via the <strong>summary tool</strong> when done</li> <li>Can be monitored live with <code>Ctrl+G</code> in the TUI</li> </ul> <blockquote> <p>You can also be explicit: <em>"Use subagents to run security, reliability, and cost in parallel, then consolidate."</em> But in most cases, the agent figures it out from the task scope and its methodology prompt.</p> </blockquote> <p><strong>Important</strong>: The orchestrating agent (<code>aws-wafr-expert</code>) must have <code>"subagent"</code> in its <code>tools</code> array — <a href="https://kiro.dev/docs/cli/chat/subagents/" rel="noopener noreferrer">as documented here</a>. Subagents cannot spawn sub-subagents — only the parent agent can orchestrate. Each subagent loads its own MCP servers independently, so pillar agents don't inherit the parent's connections.</p> <p>To avoid approval prompts for each pillar agent spawn, configure <code>trustedAgents</code> in the orchestrator:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"tools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"write"</span><span class="p">,</span><span class="w"> </span><span class="s2">"shell"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws"</span><span class="p">,</span><span class="w"> </span><span class="s2">"subagent"</span><span class="p">],</span><span class="w"> </span><span class="nl">"toolsSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"subagent"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"availableAgents"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"aws-security-expert"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws-reliability-expert"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws-performance-expert"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws-cost-exp"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws-opex-expert"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws-sustainability-expert"</span><span class="p">],</span><span class="w"> </span><span class="nl">"trustedAgents"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"aws-*"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This allows all <code>aws-*</code> pillar agents to be spawned without user confirmation — essential for unattended parallel execution.</p> <h3> The 4-Phase Assessment Flow </h3> <p>The assessment follows 4 logical phases, expressed through agent interactions:</p> <p><strong>Phase 1 - Data Collection</strong>: The <code>aws-wafr-expert</code> agent extracts WA Tool workload data, queries Trusted Advisor (when Business/Enterprise Support is available), and triggers automated account discovery via MCP integrations (Cost Explorer, CloudWatch, IAM).</p> <p><strong>Phase 2 - Gap Analysis</strong>: The same agent performs a <strong>three-way validation</strong>—comparing WA Tool responses vs. Trusted Advisor detections vs. actual account state. Discrepancies become the highest-priority inputs for pillar agents.</p> <p><strong>Phase 3 - Pillar Assessments</strong>: All 6 specialized agents run in parallel, each receiving the gap analysis context and performing deep-dive evaluation of their domain.</p> <p><strong>Phase 4 - Consolidation</strong>: The <code>aws-wafr-expert</code> merges all pillar results into a unified report with prioritized recommendations, risk ratings, and remediation roadmaps.</p> <h3> Pillar Configuration with Weights </h3> <p>The <code>pillars.yaml</code> defines assessment priorities—critical for financial services where security and reliability outweigh other concerns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">pillars</span><span class="pi">:</span> <span class="na">security</span><span class="pi">:</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">25</span> <span class="na">priority</span><span class="pi">:</span> <span class="s">high</span> <span class="na">focus_areas</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">identity_access_management</span> <span class="pi">-</span> <span class="s">data_protection</span> <span class="pi">-</span> <span class="s">infrastructure_protection</span> <span class="pi">-</span> <span class="s">detective_controls</span> <span class="pi">-</span> <span class="s">incident_response</span> <span class="na">reliability</span><span class="pi">:</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">20</span> <span class="na">priority</span><span class="pi">:</span> <span class="s">high</span> <span class="na">focus_areas</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">foundations</span> <span class="pi">-</span> <span class="s">workload_architecture</span> <span class="pi">-</span> <span class="s">change_management</span> <span class="pi">-</span> <span class="s">failure_management</span> <span class="na">cost</span><span class="pi">:</span> <span class="na">weight</span><span class="pi">:</span> <span class="m">20</span> <span class="na">priority</span><span class="pi">:</span> <span class="s">high</span> <span class="na">focus_areas</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">practice_cloud_financial_management</span> <span class="pi">-</span> <span class="s">expenditure_awareness</span> <span class="pi">-</span> <span class="s">cost_effective_resources</span> </code></pre> </div> <blockquote> <p>Customize these weights per industry. Banking needs Security at 25%+; a startup might weight Cost Optimization higher. The agents use these weights to prioritize findings in the consolidated report.</p> </blockquote> <h3> Running a Pillar Assessment with Kiro CLI </h3> <p>Once your client inputs are in place, invoke a specialized agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run security pillar assessment</span> kiro-cli chat <span class="nt">--agent</span> aws-security-expert <span class="s2">"Conduct a comprehensive security assessment for acme-corp. Analyze the inputs in clients/acme-corp/inputs/security/ and cross-reference with actual AWS account findings."</span> <span class="c"># Run cost optimization review</span> kiro-cli chat <span class="nt">--agent</span> aws-cost-exp <span class="s2">"Perform cost optimization analysis for acme-corp workloads. Compare WA Tool responses with actual Cost Explorer data and Trusted Advisor cost findings."</span> </code></pre> </div> <p>The agents produce structured findings with evidence, risk ratings, and specific remediation steps—ready for executive or technical audiences.</p> <h3> Multi-Client Scalability </h3> <p>The scaffold supports multiple concurrent assessments with complete isolation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>clients/ ├── acme-corp/ <span class="c"># Banking client (DORA + SOX)</span> │ ├── inputs/ │ ├── data/ │ └── outputs/ ├── healthco/ <span class="c"># Healthcare client (HIPAA)</span> │ ├── inputs/ │ ├── data/ │ └── outputs/ └── retailx/ <span class="c"># Retail client (PCI-DSS)</span> ├── inputs/ ├── data/ └── outputs/ </code></pre> </div> <p>Each client inherits the same expert agents and methodology but maintains completely separate data, configurations, and deliverables. This is critical for consulting firms managing multiple engagements—no cross-contamination, clean audit trails.</p> <h2> Integrating with the WA Tool API: Start Fresh or Continue an Existing Review </h2> <p>A key feature of this scaffold is its direct integration with the <a href="https://docs.aws.amazon.com/wellarchitected/latest/APIReference/Welcome.html" rel="noopener noreferrer">AWS Well-Architected Tool API</a>. You can either <strong>start a new assessment from scratch</strong> or <strong>pull an existing review</strong> to contrast and continue the work:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Option 1: Start from an existing workload assessment</span> kiro-cli chat <span class="nt">--agent</span> aws-wafr-expert <span class="s2">"Pull workload assessment data from WA Tool workload ID abc12345-def6-7890-ghij-klmnopqrstuv. Extract all lens reviews, answers, and milestones. Use this as baseline for gap analysis against the live account."</span> <span class="c"># Option 2: Start a fresh assessment (no prior WA Tool data)</span> kiro-cli chat <span class="nt">--agent</span> aws-wafr-expert <span class="s2">"Create a new WAFR assessment for acme-corp. No prior WA Tool review exists. Perform full account discovery and evaluate against all 6 pillars from scratch."</span> </code></pre> </div> <p>The <code>aws-wafr-expert</code> agent uses the WA Tool API through its AWS tool integration to:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>API Operation</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>ListWorkloads</code></td> <td>Discover existing workload assessments in the account</td> </tr> <tr> <td><code>GetWorkload</code></td> <td>Retrieve workload metadata and configuration</td> </tr> <tr> <td><code>GetLensReview</code></td> <td>Pull pillar-level review summaries and risk counts</td> </tr> <tr> <td><code>ListAnswers</code></td> <td>Extract all question responses for a given lens/pillar</td> </tr> <tr> <td><code>ListMilestones</code></td> <td>Track assessment history and improvement over time</td> </tr> <tr> <td><code>ListLensReviewImprovements</code></td> <td>Get AWS-recommended improvement items</td> </tr> </tbody> </table></div> <blockquote> <p>When a prior review exists, the agent uses those answers as the <strong>"claims"</strong> side of the gap analysis—then verifies each claim against live account data and Trusted Advisor findings. This is where the real value emerges: you're not starting from zero, you're validating and extending work that was already done.</p> </blockquote> <p><strong>Two workflows, one scaffold:</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv7iye7bx29hhw8nwlirt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv7iye7bx29hhw8nwlirt.png" alt="wa-tool-api-workflow" width="800" height="971"></a></p> <p>This means the scaffold fits into <strong>any point of the assessment lifecycle</strong>—whether the client has been doing WA reviews for years or is starting their first one today.</p> <h2> Leveraging Trusted Advisor Integration </h2> <p>When the client has <strong>Business or Enterprise Support</strong>, the WA Tool automatically integrates with <a href="https://aws.amazon.com/premiumsupport/technology/trusted-advisor/" rel="noopener noreferrer">AWS Trusted Advisor</a>—surfacing real-time checks across cost optimization, performance, security, fault tolerance, and service limits directly into the review. This is a powerful data source that many teams underutilize.</p> <p>Our scaffold takes full advantage of this:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Trusted Advisor Category</th> <th>How Kiro Agents Use It</th> </tr> </thead> <tbody> <tr> <td><strong>Cost Optimization</strong></td> <td> <code>aws-cost-exp</code> cross-references TA findings (idle resources, underutilized instances) with Cost Explorer data for validated savings estimates</td> </tr> <tr> <td><strong>Security</strong></td> <td> <code>aws-security-expert</code> correlates TA security checks (open ports, IAM issues, MFA gaps) with Security Hub findings for comprehensive posture assessment</td> </tr> <tr> <td><strong>Fault Tolerance</strong></td> <td> <code>aws-reliability-expert</code> uses TA availability checks (multi-AZ, backup coverage, RDS redundancy) to validate reliability claims</td> </tr> <tr> <td><strong>Performance</strong></td> <td> <code>aws-performance-expert</code> leverages TA performance checks (overutilized instances, CloudFront optimization) alongside CloudWatch metrics</td> </tr> <tr> <td><strong>Service Limits</strong></td> <td>All agents flag service quota risks that could impact scalability or availability</td> </tr> </tbody> </table></div> <blockquote> <p>With Business Support, Trusted Advisor provides <strong>full check access</strong>—over 100 checks that become automated evidence for the gap analysis. Without it, you're limited to core checks. This is why we recommend clients activate Business Support before starting the assessment.</p> </blockquote> <p>The <code>aws-wafr-expert</code> agent queries Trusted Advisor findings via the AWS Support API and feeds them as context to each pillar agent. Combined with the WA Tool's native TA integration, this creates a <strong>three-way validation</strong>: what the client <em>claimed</em> (WA Tool answers) vs. what Trusted Advisor <em>detected</em> vs. what the account <em>actually shows</em> (live resource analysis via MCP).</p> <h2> The Gap Analysis: Claims vs. Reality </h2> <blockquote> <p>This is the differentiator. Traditional WAFR assessments trust the answers. Our approach verifies them.</p> </blockquote> <p>Example findings from a real engagement:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>WA Tool Claim</th> <th>Trusted Advisor</th> <th>Actual Finding</th> <th>Risk</th> </tr> </thead> <tbody> <tr> <td>"MFA enabled for all users"</td> <td>⚠️ IAM users without MFA detected</td> <td>3 IAM users without MFA, root account MFA not hardware-based</td> <td>HIGH</td> </tr> <tr> <td>"Encryption at rest for all data"</td> <td>— (not covered by TA)</td> <td>2 S3 buckets with default encryption disabled, 1 RDS instance unencrypted</td> <td>HIGH</td> </tr> <tr> <td>"Automated backups configured"</td> <td>⚠️ RDS backup retention &lt; 7 days</td> <td>Backup retention set to 1 day on production databases</td> <td>MEDIUM</td> </tr> <tr> <td>"Cost monitoring in place"</td> <td>⚠️ No budget alerts</td> <td>No budget alerts configured, no anomaly detection</td> <td>MEDIUM</td> </tr> </tbody> </table></div> <p>This evidence-based approach transforms the assessment from an opinion exercise into a factual audit—exactly what regulated industries need for DORA and SOX compliance.</p> <h2> Compliance Integration </h2> <p>The scaffold includes built-in support for regulatory frameworks commonly required in financial services, healthcare, and enterprise environments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docs/compliance/ ├── dora/ # Digital Operational Resilience Act (EU financial services) ├── hipaa/ # Health Insurance Portability (US healthcare) └── sox/ # Sarbanes-Oxley (US financial reporting) </code></pre> </div> <p>The security agent prompt includes specific DORA focus areas:</p> <blockquote> <p><strong>Financial Services Security (DORA Compliance)</strong>: ICT risk management, operational resilience, third-party risk, Zero-Trust Architecture, Multi-Account Security</p> </blockquote> <p>This means every security assessment automatically evaluates DORA readiness—no separate engagement needed. The compliance documentation provides the agents with regulatory context so their recommendations map directly to compliance requirements.</p> <h2> GenAI Patterns Applied </h2> <p>This scaffold implements several established GenAI patterns that ensure quality, safety, and reliability in an enterprise context. Understanding these patterns is important for anyone building AI-assisted workflows in regulated environments:</p> <h3> Human-in-the-Loop (HITL) </h3> <p>The most critical pattern here. AI agents collect data, analyze gaps, and generate recommendations—but <strong>a human architect validates and approves</strong> before anything reaches the client. This is non-negotiable for regulated industries.</p> <p>Where HITL applies:</p> <ul> <li> <strong>Review agent findings</strong> before consolidation into the final report</li> <li> <strong>Validate risk ratings</strong>—the agent may flag something as HIGH that context makes MEDIUM</li> <li> <strong>Approve remediation recommendations</strong>—ensure feasibility given client constraints</li> <li> <strong>Sign-off on executive summaries</strong>—tone, framing, and business impact require human judgment</li> </ul> <h3> Retrieval-Augmented Generation (RAG) </h3> <p>Agents don't rely on training data alone. Through MCP integrations, they retrieve <strong>real-time data</strong> from:</p> <ul> <li>AWS documentation (always current)</li> <li>Live account state (IAM, CloudWatch, Cost Explorer)</li> <li>WA Tool API (actual assessment responses)</li> <li>Trusted Advisor (automated checks with Business/Enterprise Support)</li> </ul> <p>This eliminates hallucinations about the client's actual environment.</p> <h3> Agentic Orchestration (Fan-out / Fan-in) </h3> <p>The subagent DAG implements a classic <strong>fan-out/fan-in</strong> pattern:</p> <ul> <li> <strong>Fan-out</strong>: 6 specialized agents execute in parallel, each with domain expertise</li> <li> <strong>Fan-in</strong>: The consolidation agent merges results into a unified deliverable</li> </ul> <p>This reduces wall-clock time from sequential (6× pillar duration) to parallel (1× longest pillar duration).</p> <h3> Tool-Augmented Generation </h3> <p>Agents don't just generate text—they <strong>execute tools</strong> to gather evidence:</p> <ul> <li> <code>aws</code> CLI calls for account interrogation and Trusted Advisor queries</li> <li>MCP servers for structured data retrieval</li> <li>File system reads for client documentation and architecture inputs</li> </ul> <p>Every recommendation is backed by data the agent actually retrieved, not inferred.</p> <h3> Supervised Autonomy </h3> <p>The operating model is <strong>supervised autonomy</strong>:</p> <ul> <li> <strong>Autonomous</strong>: Data collection, TA queries, resource inventory, metric gathering</li> <li> <strong>Supervised</strong>: Gap analysis interpretation, risk prioritization, client-facing recommendations</li> <li> <strong>Human-only</strong>: Final report approval, client presentation, remediation prioritization with stakeholders</li> </ul> <blockquote> <p>This isn't fully autonomous AI replacing the architect. It's AI handling the 80% of toil (data collection, cross-referencing, formatting) so the architect focuses on the 20% that requires judgment, context, and client relationships.</p> </blockquote> <h2> Skills: Deep Knowledge On-Demand </h2> <p>One challenge with AI agents is <strong>context window management</strong>. If you load every possible best practice, compliance requirement, and remediation pattern into the agent prompt, you burn through context before the assessment even starts. But if you keep prompts lean, the agent lacks depth when it encounters specific scenarios.</p> <p>Kiro CLI solves this with <strong>Skills</strong>—resources whose metadata (name + description) is loaded at startup, but whose full content is only pulled <strong>on-demand</strong> when the agent determines it's relevant.</p> <h3> How It Works </h3> <p>A skill is a Markdown file with YAML frontmatter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="nn">---</span> <span class="na">name</span><span class="pi">:</span> <span class="s">dora-compliance-requirements</span> <span class="na">description</span><span class="pi">:</span> <span class="s">DORA regulatory requirements for ICT risk management,</span> <span class="s">operational resilience, and third-party risk. Use when assessing</span> <span class="s">financial services workloads for DORA compliance.</span> <span class="nn">---</span> <span class="gh"># DORA Compliance Requirements</span> <span class="gu">## Key Articles for WAFR Assessment</span> <span class="gu">### Article 5-16: ICT Risk Management</span> <span class="p">-</span> Establish and maintain resilient ICT systems... (detailed content only loaded when needed) </code></pre> </div> <p>Referenced in agent config via <code>skill://</code> URI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"file://README.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"skill://.kiro/skills/**/SKILL.md"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Skills vs. Prompts — When to Use Each </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Agent Prompt</th> <th>Skill</th> </tr> </thead> <tbody> <tr> <td><strong>Loaded</strong></td> <td>Always — full content in context</td> <td>On-demand — only metadata at start</td> </tr> <tr> <td><strong>Purpose</strong></td> <td>Defines <em>who the agent is</em> (methodology, output format)</td> <td>Provides <em>deep reference knowledge</em> for specific scenarios</td> </tr> <tr> <td><strong>Analogy</strong></td> <td>The architect's expertise</td> <td>The reference books pulled from the shelf when needed</td> </tr> <tr> <td><strong>Size</strong></td> <td>Keep lean (&lt; 5K tokens)</td> <td>Can be large (2-20K tokens of detailed guidance)</td> </tr> </tbody> </table></div> <h3> The Scaffold's Skill Library </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.kiro/skills/ ├── compliance/ │ └── dora/SKILL.md # DORA articles, AWS mapping, risk criteria ├── pillars/ │ ├── security/ │ │ └── iam-best-practices/SKILL.md # IAM checks, common findings, evidence commands │ ├── cost/ │ │ └── rightsizing-guide/SKILL.md # Rightsizing analysis, savings estimation │ └── reliability/ │ └── disaster-recovery/SKILL.md # DR strategies by RTO/RPO, assessment checklist └── remediation/ └── quick-wins/SKILL.md # 0-30 day low-effort high-impact actions </code></pre> </div> <blockquote> <p>The security agent sees: <em>"dora-compliance-requirements — Use when assessing financial services workloads"</em>. When it encounters a banking client, it pulls the full DORA skill with article-by-article AWS mappings. For a retail client, it never loads it—saving context for what matters.</p> </blockquote> <p>Each pillar agent references only the skills relevant to its domain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">aws-security-expert.json</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"file://README.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"skill://.kiro/skills/pillars/security/**/SKILL.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"skill://.kiro/skills/compliance/**/SKILL.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"skill://.kiro/skills/remediation/**/SKILL.md"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>This means you can grow the skill library indefinitely—adding new compliance frameworks, service-specific patterns, industry guidance—without impacting agent performance. The agents stay fast and focused, pulling depth only when the assessment requires it.</p> <h2> Knowledge Bases: Searching Through Client Data </h2> <p>Skills solve the "deep reference knowledge" problem. But what about the <strong>client's own documentation</strong>—architecture diagrams, runbooks, security policies, infrastructure configs? These can be 50+ files that are too large to load into context but need to be searchable during the assessment.</p> <p>Kiro CLI's <strong>Knowledge Base</strong> feature provides persistent semantic search across sessions. You index client inputs once, and agents can search through them on-demand using natural language queries.</p> <h3> How It Works </h3> <p>Define a knowledge base in the agent config with auto-sync:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"file://README.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"skill://.kiro/skills/**/SKILL.md"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"knowledgeBase"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source"</span><span class="p">:</span><span class="w"> </span><span class="s2">"file://./clients"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Client Inputs &amp; Architecture"</span><span class="p">,</span><span class="w"> </span><span class="nl">"indexType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"best"</span><span class="p">,</span><span class="w"> </span><span class="nl">"include"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"**/*.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/*.yaml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/*.json"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/*.txt"</span><span class="p">],</span><span class="w"> </span><span class="nl">"exclude"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"**/outputs/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/draft/**"</span><span class="p">],</span><span class="w"> </span><span class="nl">"autoUpdate"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>When the agent starts, all client documentation gets indexed semantically. The agent then searches it during the assessment—pulling only the relevant snippets into context when needed.</p> <h3> The Three-Layer Context Strategy </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Mechanism</th> <th>When Loaded</th> <th>Best For</th> </tr> </thead> <tbody> <tr> <td><strong>Prompts</strong></td> <td><code>file://../prompts/</code></td> <td>Always (full content)</td> <td>Agent identity, methodology, output format</td> </tr> <tr> <td><strong>Skills</strong></td> <td><code>skill://.kiro/skills/</code></td> <td>On-demand (by description match)</td> <td>Deep reference knowledge, compliance frameworks</td> </tr> <tr> <td><strong>Knowledge Bases</strong></td> <td> <code>knowledgeBase</code> resource</td> <td>Searchable (semantic query)</td> <td>Large client documentation, architecture inputs</td> </tr> </tbody> </table></div> <blockquote> <p><strong>Prompts</strong> tell the agent <em>how</em> to assess. <strong>Skills</strong> give it <em>what to look for</em>. <strong>Knowledge Bases</strong> let it <em>find relevant client context</em> without loading everything into memory.</p> </blockquote> <p>This layered approach means an agent can handle a client with 100+ input documents without ever hitting context limits—it searches, retrieves the relevant 2-3 snippets, and uses them to produce evidence-based findings.</p> <h2> Best Practices and Lessons Learned </h2> <p>After multiple engagements using this scaffold, here are the patterns that consistently deliver the best results:</p> <ul> <li><p><strong>Start with steering files</strong>: Clear product, tech, and structure documentation in <code>.kiro/steering/</code> gives agents the context they need to produce relevant findings instead of generic advice. Invest time here—it pays dividends across every assessment.</p></li> <li><p><strong>Limit MCP tools per agent (~50 max)</strong>: Each tool definition consumes ~400 tokens of context window. At 100+ tools, you're burning 40K+ tokens before any work begins. The <code>aws-wafr-expert</code> orchestrator needs only 4 servers (~26 tools) for coordination—leave the heavy toolsets (IAM 29 tools, Billing 33 tools, CloudWatch 19 tools) to the specialized pillar agents that actually use them.</p></li> <li><p><strong>Gap analysis is non-negotiable</strong>: The comparison between WA Tool answers and actual account state consistently reveals the highest-value findings. Never skip this phase—it's where the scaffold earns its keep.</p></li> <li><p><strong>Pillar weights matter</strong>: Customize <code>pillars.yaml</code> per industry. Banking needs Security at 25%+; a startup might weight Cost Optimization higher. These weights drive prioritization in the consolidated report.</p></li> <li><p><strong>Client isolation is a feature, not overhead</strong>: Each client assessment gets its own scaffold project—clone the scaffold, configure it, and you have a completely independent repository with its own git history, access controls, and lifecycle. No shared state, no cross-contamination. For consulting firms, this means clean handoffs, simple access management per engagement, and compliance with data handling requirements out of the box.</p></li> <li><p><strong>Activate Business Support first</strong>: Recommend clients enable Business or Enterprise Support before the assessment. The full Trusted Advisor check access (100+ checks) dramatically improves evidence quality.</p></li> <li><p><strong>Use Kiro CLI for parallel assessments</strong>: While one agent analyzes security, another can simultaneously evaluate cost optimization. The subagent system coordinates everything—leverage it.</p></li> <li><p><strong>Keep inputs clean and structured</strong>: The quality of agent output directly correlates with the quality of client documentation in <code>inputs/</code>. Garbage in, garbage out still applies—even with AI.</p></li> <li><p><strong>Supervised execution for critical findings</strong>: Let agents run autonomously for data collection, but review and validate high-risk recommendations before presenting to clients. The human-in-the-loop pattern is your quality gate.</p></li> <li><p><strong>Iterate on prompts</strong>: The prompts in <code>.kiro/prompts/</code> are living documents. After each engagement, refine them based on what worked and what produced noise. This is how the scaffold gets smarter over time.</p></li> </ul> <p>The scaffold is open for the community to use, extend, and improve. Whether you're a solo consultant or part of a large practice, the goal is the same: <strong>deliver better assessments, faster, with evidence</strong>.</p> <p>Thank you for your time and support. Please remember to follow us for additional updates.</p> <p>✨ <strong><em>Alejandro Velez, Platform Engineering Latam Lead @ GFT | AWS Ambassador</em></strong></p> <p><strong>References:</strong></p> <ul> <li><a href="https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html" rel="noopener noreferrer">AWS Well-Architected Framework</a></li> <li><a href="https://docs.aws.amazon.com/wellarchitected/latest/APIReference/Welcome.html" rel="noopener noreferrer">AWS Well-Architected Tool API</a></li> <li><a href="https://ekhiyami.github.io/wa-gen-ai/" rel="noopener noreferrer">WA-Gen-AI by Ebrahim Khiyami</a></li> <li><a href="https://github.com/aws-samples/well-architected-iac-analyzer" rel="noopener noreferrer">Well-Architected IaC Analyzer (AWS Sample)</a></li> <li><a href="https://catalog.workshops.aws/wellarchitected-genai/en-US" rel="noopener noreferrer">Well-Architected GenAI Workshop</a></li> <li><a href="https://aws.amazon.com/premiumsupport/technology/trusted-advisor/" rel="noopener noreferrer">AWS Trusted Advisor</a></li> <li><a href="https://docs.aws.amazon.com/wellarchitected/latest/userguide/lenses-custom.html" rel="noopener noreferrer">Custom Lenses in WA Tool</a></li> <li><a href="https://kiro.dev/docs/" rel="noopener noreferrer">Kiro CLI Documentation</a></li> <li><a href="https://github.com/awslabs/mcp" rel="noopener noreferrer">AWS MCP Servers</a></li> </ul> ai aws cloudarchitect genai Alejandro Velez Sun, 08 Mar 2026 22:59:16 +0000 https://dev.to/avelez/here-my-new-post-using-kiro-and-mcp-to-improve-and-modernize-my-current-workflow-for-authorization-29n2 https://dev.to/avelez/here-my-new-post-using-kiro-and-mcp-to-improve-and-modernize-my-current-workflow-for-authorization-29n2 <div class="ltag__link"> <a href="/aws-builders" class="ltag__link__link"> <div class="ltag__link__org__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F2794%2F88da75b6-aadd-4ea1-8083-ae2dfca8be94.png" alt="AWS Community Builders " width="350" height="350"> <div class="ltag__link__user__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg" alt="" width="800" height="815"> </div> </div> </a> <a href="https://dev.to/aws-builders/re-imagine-devsecops-with-aws-cd-applied-to-authorization-with-iam-identity-center-and-aws-iam-3lk6" class="ltag__link__link"> <div class="ltag__link__content"> <h2>Re-imagine DevSecOps with AWS - CD applied to Authorization with IAM Identity Center and AWS IAM Access Analyzer</h2> <h3>Alejandro Velez for AWS Community Builders ・ Mar 7</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#security</span> <span class="ltag__link__tag">#aws</span> <span class="ltag__link__tag">#devsecops</span> <span class="ltag__link__tag">#genia</span> </div> </div> </a> </div> security aws devsecops genia Alejandro Velez Sat, 07 Mar 2026 02:37:42 +0000 https://dev.to/aws-builders/re-imagine-devsecops-with-aws-cd-applied-to-authorization-with-iam-identity-center-and-aws-iam-3lk6 https://dev.to/aws-builders/re-imagine-devsecops-with-aws-cd-applied-to-authorization-with-iam-identity-center-and-aws-iam-3lk6 <p><strong>Level 300</strong></p> <p>Before diving into the technical depths of permission sets and CDK pipelines, let’s take a brief journey through the story so far. Originally, our exploration began with the challenge of managing access in the cloud task that’s both critical and complex as organizations scale. In the first installment, we introduced the foundations: <a href="https://dev.to/aws-builders/continuous-deployment-applied-to-authorization-with-iam-identity-center-and-aws-iam-access-analyzer-part-1-7h6">using AWS IAM Identity Center as the central hub for managing user identities and permissions efficiently across multiple AWS accounts</a>. We looked at how a consistent and automated approach helps streamline authorization, reduce manual errors, and improve auditability.</p> <p><a href="https://dev.to/avelez/continuous-delivery-applied-to-authorization-with-iam-identity-center-and-aws-iam-access-analyzer-part-2-35lb">The next chapter followed with practical examples</a> illustrating how to create and deploy permission sets via Infrastructure-as-Code. Here, we learned to define reusable templates for permissions, enabling teams to replicate best practices and accelerate onboarding for new projects. Along the way, pitfalls emerged—like misconfigured policies or improper use of wildcards—which provided valuable lessons on the importance of policy validation and iterative testing in a DevSecOps environment.</p> <p>Reviewing recent news, in June 2025 AWS introduced internal access findings, which spot principals in an AWS organization with access to key resources like S3 buckets, DynamoDB tables, and RDS snapshots by analyzing various policy types. Results appear on a unified dashboard for fast response or automated notifications via Amazon EventBridge, improving compliance and data security.</p> <p>In February 2026, AWS added multi‑Region replication for Identity Center, allowing workforce identities and permission sets to sync across regions. This boosts resiliency, supports data residency requirements, and ensures consistent access control for global deployments.</p> <p>Additionally, the integration of generative AI solutions into authorization workflows is reshaping how policies are analyzed and managed. With the introduction of AWS <a href="https://kiro.dev/" rel="noopener noreferrer">Kiro</a> —an AI-powered assistant for access analysis—teams can now automatically detect policy anomalies, receive context-aware recommendations, and accelerate remediation efforts. This part will explore these innovations and demonstrate how they can be practically applied to build secure, efficient, and adaptive authorization pipelines in the modern enterprise.</p> <h2> The Challenge </h2> <p>As an AWS security specialist, you face the task of modernizing your organization's authorization management workflow. The goal is to enhance the provisioning and management of access controls across AWS environments while preserving robust multi-region replication capabilities, upholding DevSecOps best practices, and ensuring that human oversight remains integral to the process. At the same time, you must increase resiliency, proactively mitigate risks, and introduce AI-driven solutions to streamline operations and strengthen security posture.</p> <blockquote> <p>How can AI enhance this workflow? 🧐</p> </blockquote> <p>Integrating AI into authorization workflows—especially with tools like Kiro— dramatically enhances both efficiency and security. AI-powered assistants can automatically analyze complex IAM policies for anomalies or risky configurations, such as improper use of wildcards or misconfigured permissions, which are often the sources of failed pipeline executions and compliance gaps. By leveraging generative AI, organizations receive real-time, context-aware recommendations for policy corrections, reducing manual troubleshooting and accelerating remediation. AI solutions can also automate policy reviews, flag potential issues before deployment, and offer suggestions to align with best practices, thus minimizing human error and strengthening security posture. In addition, AI-driven analytics help teams continuously monitor and adapt policies to evolving threats, ensuring adaptive and resilient access control across global environments. Altogether, AI capabilities transform the workflow by making policy management more proactive, scalable, and responsive to both technical and regulatory demands.</p> <p>Let's start by enhancing our workflow from traditional CI/CD to incorporating an** Architect in the Loop approach**. </p> <blockquote> <p>In the Architect in the Loop (AITL) model, architects collaborate with AI systems, which generate options and analyze trade-offs. The architect reviews, contextualizes, and approves output based on technical and organizational needs. Here, AI performs most tasks but consults the architect for decisions and guidance when necessary.</p> </blockquote> <p>The diagram depicts a multi account AWS environment with a centralized management approach. It illustrates how various services, identity providers, and automation tools interact to enforce security, governance, and continuous deployment across multiple AWS accounts.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9gyjjtvsznaf4mx3821.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9gyjjtvsznaf4mx3821.png" alt="Reimagine Workflow" width="800" height="783"></a></p> <h3> Key Components </h3> <ol> <li><p>Accounts and Regions<br> • AWS Account – DevSecOps: This is the primary development and security operations account where IAM Idenity Center is delegate.<br> • AWS Account – Master: Acts as the central governance hub, managing permissions and policies across the organization for itself.<br> • AWS Account – Security Tooling Account: Hosts security focused tools and services for monitoring and analysis, managing permissions and policies across the organization for itself.</p></li> <li><p>Core Services<br> • Key Management Service (KMS): Provides encryption and key management for sensitive data.<br> • CloudWatch: Monitors system and application metrics.<br> • Secrets Manager: Stores and rotates secrets securely.<br> • AWS Chatbot: Enables chat based monitoring and alerts.<br> • Lambda: Runs serverless functions for custom automation.<br> • IAM Access Analyzer: Analyzes policies for unintended access.<br> • S3 Reports Bucket: Stores logs and reports for auditing.</p></li> <li><p>Identity and Access Management<br> • Identity Center and Third Party IdP icons are shown in the diagram, indicating that identity federation and centralized access management are part of the architecture.<br> • IAM Access Analyzer is highlighted, showing that policy analysis is performed to ensure least privilege access using <a href="https://pypi.org/project/validate-aws-policies/" rel="noopener noreferrer">validate-aws-policies</a> python package.</p></li> <li><p>CI/CD Pipeline<br> The CI/CD pipeline is visualized as a sequence of steps:<br> • CodeCommit/GitHub (source code repository)<br> • CodeBuild (build step, Synth,cdk pipelines self-mutate, management environment, Validate PermissionsSet))<br> • Manual Approval (human gate for critical deployments)</p></li> <li><p>Infrastructure Deployment<br> • CloudFormation templates are used for both Prepare and Deploy stages, indicating that the infrastructure is provisioned through IaC.<br> • The Permissions Set step shows that IAM permission sets are defined and applied as part of the deployment process.</p></li> <li><p>Model Context Protocol (MCP) Integration<br> • Kiro IDE – Agents is highlighted, indicating that an MCP compatible IDE is used to generate policies and manage custom agents.<br> • The AWS MCP Server provides the necessary endpoint for agents to interact with AWS services.<br> • The label mcproxy-for-aws@latest refers to a proxy that facilitates secure communication between agents and AWS APIs, ensuring that policy generation and SOPs (Standard Operating Procedures) are executed safely.</p></li> </ol> <h3> Workflow Summary </h3> <ol> <li> Source Control – Code is stored in CodeCommit/GitHub.</li> <li> Build – CodeBuild compiles the code and prepares the environment.</li> <li> Validation – Permissions sets are validated to ensure compliance.</li> <li> Manual Approval – A human reviewer authorizes the deployment.</li> <li> Deployment – CloudFormation templates are used to provision resources.</li> <li> Policy Generation – The Kiro IDE and AWS MCP Server generate policies based on requirements, leveraging the mcproxy for secure API calls.</li> </ol> <h3> Security and Governance Highlights </h3> <p>• Least privilege access is enforced through IAM Access Analyzer and Permissions Set validation.<br> • Centralized governance is maintained via the Master account and delegated account, which oversees permissions and policies across all accounts.<br> • Continuous monitoring is provided by CloudWatch and Secrets Manager, ensuring operational visibility and secure secret handling.</p> <h2> Hands On </h2> <blockquote> <p>It is time to create! </p> </blockquote> <p><strong>The first step is improving the security Engineer experience like builder or operator so enable the use of smart IDE like Kiro and custom agent for context.</strong></p> <p>Here is the agent specification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"secops"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Specialized agent for managing AWS IAM Identity Center CDK project with permission sets, policies, and pipeline automation"</span><span class="p">,</span><span class="w"> </span><span class="nl">"prompt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"You are an expert in AWS IAM Identity Center, AWS CDK (Python), and CI/CD pipelines. Your expertise includes:</span><span class="se">\n\n</span><span class="s2">- IAM Identity Center permission sets and assignments</span><span class="se">\n</span><span class="s2">- IAM Access Analyzer policy validation</span><span class="se">\n</span><span class="s2">- AWS CDK infrastructure as code (Python)</span><span class="se">\n</span><span class="s2">- CodePipeline and CodeBuild automation</span><span class="se">\n</span><span class="s2">- Amazon Q Developer chatbot integrations (Slack/Teams)</span><span class="se">\n</span><span class="s2">- Policy validation and security best practices</span><span class="se">\n</span><span class="s2">- GitHub Actions and CodeCommit PR validation</span><span class="se">\n\n</span><span class="s2">You help with:</span><span class="se">\n</span><span class="s2">- Creating and managing permission sets</span><span class="se">\n</span><span class="s2">- Validating IAM policies with Access Analyzer</span><span class="se">\n</span><span class="s2">- Troubleshooting CDK deployments</span><span class="se">\n</span><span class="s2">- Configuring pipeline notifications</span><span class="se">\n</span><span class="s2">- Setting up PR validation workflows</span><span class="se">\n</span><span class="s2">- Implementing least privilege access</span><span class="se">\n\n</span><span class="s2">Always prioritize security, follow AWS best practices, and provide minimal, focused implementations."</span><span class="p">,</span><span class="w"> </span><span class="nl">"tools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"fs_read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"fs_write"</span><span class="p">,</span><span class="w"> </span><span class="s2">"execute_bash"</span><span class="p">,</span><span class="w"> </span><span class="s2">"grep"</span><span class="p">,</span><span class="w"> </span><span class="s2">"glob"</span><span class="p">,</span><span class="w"> </span><span class="s2">"code"</span><span class="p">,</span><span class="w"> </span><span class="s2">"use_aws"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws___search_documentation"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws___read_documentation"</span><span class="p">,</span><span class="w"> </span><span class="s2">"web_search"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"allowedTools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"fs_read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"grep"</span><span class="p">,</span><span class="w"> </span><span class="s2">"glob"</span><span class="p">,</span><span class="w"> </span><span class="s2">"code"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws___search_documentation"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"toolsSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"fs_write"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allowedPaths"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"src/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"project_configs/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"tests/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">".github/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"scripts/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"docs/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">".kiro/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.yaml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.yml"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"deniedPaths"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"cdk.out/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">".venv/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"node_modules/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"__pycache__/**"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"execute_bash"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allowedCommands"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"cdk synth"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cdk diff*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cdk deploy*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cdk ls"</span><span class="p">,</span><span class="w"> </span><span class="s2">"pip install*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"python -m pytest*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"validate-aws-policies*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"git status"</span><span class="p">,</span><span class="w"> </span><span class="s2">"git diff"</span><span class="p">,</span><span class="w"> </span><span class="s2">"git log*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws iam*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws sso*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws identitystore*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws codepipeline*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws logs*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws s3 ls*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"autoAllowReadonly"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"use_aws"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allowedServices"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"iam"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sso"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sso-admin"</span><span class="p">,</span><span class="w"> </span><span class="s2">"identitystore"</span><span class="p">,</span><span class="w"> </span><span class="s2">"codepipeline"</span><span class="p">,</span><span class="w"> </span><span class="s2">"codebuild"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3"</span><span class="p">,</span><span class="w"> </span><span class="s2">"logs"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cloudformation"</span><span class="p">,</span><span class="w"> </span><span class="s2">"accessanalyzer"</span><span class="p">,</span><span class="w"> </span><span class="s2">"secretsmanager"</span><span class="p">,</span><span class="w"> </span><span class="s2">"chatbot"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"autoAllowReadonly"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"file://README.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://project_configs/**/*.yaml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://cdk.json"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://requirements.txt"</span><span class="p">,</span><span class="w"> </span><span class="s2">"skill://.kiro/skills/**/SKILL.md"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"hooks"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"agentSpawn"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"echo '📋 IAM Identity Center Project Context:' &amp;&amp; echo ' - CDK Version:' $(cdk --version 2&gt;/dev/null || echo 'Not installed') &amp;&amp; echo ' - Python:' $(python --version 2&gt;&amp;1) &amp;&amp; echo ' - AWS Profile:' ${AWS_PROFILE:-'default'} &amp;&amp; echo ' - Project:' $(basename $(pwd))"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Show project environment info"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"if [ -d 'project_configs/policies' ]; then echo '🔍 Validating IAM policies...' &amp;&amp; validate-aws-policies -d project_configs/policies -c --quiet || echo '⚠️ Policy validation failed'; else echo 'ℹ️ No policies directory found'; fi"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Auto-validate IAM policies with Access Analyzer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws-mcp"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uvx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"mcp-proxy-for-aws@latest"</span><span class="p">,</span><span class="w"> </span><span class="s2">"https://aws-mcp.us-east-1.api.aws/mcp"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--metadata"</span><span class="p">,</span><span class="w"> </span><span class="s2">"AWS_REGION=us-east-2"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">100000</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"keyboardShortcut"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ctrl+shift+i"</span><span class="p">,</span><span class="w"> </span><span class="nl">"welcomeMessage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"🔐 IAM Identity Center Manager ready! I can help with:</span><span class="se">\n</span><span class="s2"> • Permission sets and policy validation</span><span class="se">\n</span><span class="s2"> • CDK deployments and troubleshooting</span><span class="se">\n</span><span class="s2"> • Pipeline notifications (Slack/Teams)</span><span class="se">\n</span><span class="s2"> • PR validation workflows</span><span class="se">\n</span><span class="s2"> • Access Analyzer integration</span><span class="se">\n\n</span><span class="s2">What would you like to work on?"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The key point here is the prompt for a specialized agent designed to manage AWS IAM Identity Center projects using the AWS CDK (Cloud Development Kit) with a focus on permission sets, policies, and automation for CI/CD pipelines. This agent is described as an expert in several areas:}</p> <p>• AWS IAM Identity Center: Managing permission sets and assignments, which define what users and groups can access within AWS accounts.<br> • AWS CDK (Python): Using infrastructure-as-code techniques to automate the creation and management of AWS resources.<br> • CI/CD pipelines: Automating deployment workflows with CodePipeline and CodeBuild, ensuring reliable and repeatable processes.<br> • Policy validation: Leveraging IAM Access Analyzer to check and validate security policies, helping maintain least-privilege access and compliance.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F910u38889bnx0dep0103.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F910u38889bnx0dep0103.png" alt="Kiro Agent" width="800" height="564"></a></p> <blockquote> <p>Now the agent skills. Agent Skills</p> </blockquote> <p><strong><a href="https://agentskills.io/home" rel="noopener noreferrer">Skills are portable instruction packages that follow the open Agent Skills standard</a>.</strong> They bundle instructions, scripts, and templates into reusable packages that Kiro can activate when relevant to your task.<br> Kiro supports the Agent Skills standard, so you can import skills from the community or other compatible AI tools and share your own skills across the ecosystem.</p> <p>Here is an example of my skill:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">name</span><span class="pi">:</span> <span class="s">iam-identity-center-project</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Complete</span><span class="nv"> </span><span class="s">guide</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">IAM</span><span class="nv"> </span><span class="s">Identity</span><span class="nv"> </span><span class="s">Center</span><span class="nv"> </span><span class="s">CDK</span><span class="nv"> </span><span class="s">project</span><span class="nv"> </span><span class="s">including</span><span class="nv"> </span><span class="s">permission</span><span class="nv"> </span><span class="s">sets,</span><span class="nv"> </span><span class="s">policy</span><span class="nv"> </span><span class="s">validation,</span><span class="nv"> </span><span class="s">pipeline</span><span class="nv"> </span><span class="s">automation,</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">chatbot</span><span class="nv"> </span><span class="s">notifications.</span><span class="nv"> </span><span class="s">Use</span><span class="nv"> </span><span class="s">when</span><span class="nv"> </span><span class="s">working</span><span class="nv"> </span><span class="s">with</span><span class="nv"> </span><span class="s">this</span><span class="nv"> </span><span class="s">project's</span><span class="nv"> </span><span class="s">architecture,</span><span class="nv"> </span><span class="s">deployment,</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">troubleshooting."</span> <span class="na">keywords</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">iam</span><span class="pi">,</span> <span class="nv">identity-center</span><span class="pi">,</span> <span class="nv">permission-sets</span><span class="pi">,</span> <span class="nv">cdk</span><span class="pi">,</span> <span class="nv">pipeline</span><span class="pi">,</span> <span class="nv">chatbot</span><span class="pi">,</span> <span class="nv">policy-validation</span><span class="pi">]</span> <span class="nn">---</span> <span class="c1"># IAM Identity Center CDK Project</span> <span class="c1">## Project Overview</span> <span class="s">This CDK project manages AWS IAM Identity Center permission sets with automated policy validation, CI/CD pipelines, and chatbot notifications.</span> <span class="c1">## Key Components</span> <span class="c1">### 1. Permission Sets Management</span> <span class="pi">-</span> <span class="na">**Location**</span><span class="pi">:</span> <span class="err">`</span><span class="s">project_configs/environment_options/*.yaml`</span> <span class="pi">-</span> <span class="na">**Stack**</span><span class="pi">:</span> <span class="err">`</span><span class="s">src/cdkv2_manage_identity_center_stack.py`</span> <span class="pi">-</span> <span class="s">Define permission sets with inline policies and managed policies</span> <span class="pi">-</span> <span class="s">Support for principal_name (auto-resolved) or principal_id (direct)</span> <span class="c1">### 2. Policy Validation</span> <span class="pi">-</span> <span class="na">**Tool**</span><span class="pi">:</span> <span class="err">`</span><span class="s">validate-aws-policies` (IAM Access Analyzer)</span> <span class="pi">-</span> <span class="na">**Pipeline Step**</span><span class="pi">:</span> <span class="s">ValidatePermissionSet in CodeBuild</span> <span class="pi">-</span> <span class="na">**Formats**</span><span class="pi">:</span> <span class="s">JSON, HTML, Markdown reports</span> <span class="pi">-</span> <span class="na">**Storage**</span><span class="pi">:</span> <span class="s">S3 bucket (labvel-secure-reports)</span> <span class="c1">### 3. CI/CD Pipeline</span> <span class="pi">-</span> <span class="na">**Stack**</span><span class="pi">:</span> <span class="err">`</span><span class="s">src/cdkv2_manage_identity_center_pipeline.py`</span> <span class="pi">-</span> <span class="na">**Stages**</span><span class="pi">:</span> <span class="s">Source → Build → UpdatePipeline → ValidatePermissionSet → Deploy</span> <span class="pi">-</span> <span class="na">**PR Validation**</span><span class="pi">:</span> <span class="s">GitHub Actions + CodeCommit triggers</span> <span class="pi">-</span> <span class="na">**Notifications**</span><span class="pi">:</span> <span class="s">Amazon Q Chatbot (Slack/Teams)</span> <span class="c1">### 4. Chatbot Integration</span> <span class="pi">-</span> <span class="na">**Location**</span><span class="pi">:</span> <span class="err">`</span><span class="s">src/lib/chatbot/amazon_q_chatbot.py`</span> <span class="pi">-</span> <span class="na">**Features**</span><span class="pi">:</span> <span class="s">Native CodePipeline notifications + report summaries via webhook</span> <span class="pi">-</span> <span class="na">**Platforms**</span><span class="pi">:</span> <span class="s">Slack and Microsoft Teams</span> <span class="pi">-</span> <span class="na">**Reports**</span><span class="pi">:</span> <span class="s">Lambda posts validation summaries to chat</span> <span class="c1">## Source Code Structure</span> <span class="s">src/</span> <span class="s">├── cdkv2_manage_identity_center_stack.py</span> <span class="c1"># Main stack - permission sets</span> <span class="s">├── cdkv2_manage_identity_center_pipeline.py</span> <span class="c1"># Pipeline stack</span> <span class="s">└── lib/</span> <span class="s">├── chatbot/</span> <span class="s">│ ├── amazon_q_chatbot.py</span> <span class="c1"># Chatbot construct</span> <span class="s">│ └── lambda/notification_enricher.py</span> <span class="c1"># Lambda for reports</span> <span class="s">├── sns/sns_codestart_notifications.py</span> <span class="c1"># SNS notifications</span> <span class="s">└── custom_resources/</span> <span class="c1"># Custom resources</span> <span class="na">**Note**</span><span class="pi">:</span> <span class="s">Use `fs_read`, `code`, or `grep` tools to explore source files on-demand.</span> <span class="c1">## Quick Commands</span> <span class="nn">...</span> </code></pre> </div> <p>With this approach the security specialist can create friendly and secure policies and check before uploading </p> <h3> The results </h3> <p>Pipeline execution:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxu8lbh6apzmkyxrxtujr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxu8lbh6apzmkyxrxtujr.png" alt="Code Pipeline execution" width="800" height="278"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc9oc350mpkr6nurro8b6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc9oc350mpkr6nurro8b6.png" alt="CodeBuild Logs" width="800" height="344"></a></p> <p>The slack custom notification and amazon Q message </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fulhdmtmbo5epd45v3u5f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fulhdmtmbo5epd45v3u5f.png" alt="Slack Notifications" width="800" height="450"></a></p> <p>And the reports:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk6lvwbgn4i04oq8agevn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk6lvwbgn4i04oq8agevn.png" alt="Html Report Validation" width="800" height="508"></a></p> <h2> Conclusion </h2> <p>Leverage AWS's latest features—such as multi-region Identity Center replication and advanced IAM Access Analyzer tools—and integrate generative AI assistants like Kiro. This approach combines automated policy analysis, real-time anomaly detection, and context-aware remediation with architect-in-the-loop oversight, allowing AI to handle routine tasks while security professionals review and approve critical changes. The result is a resilient, adaptive, and scalable workflow that proactively reduces risk, enforces compliance, and empowers teams to respond rapidly to evolving security and regulatory demands.</p> <p>For more please contact us! </p> <p>✨ Alejandro Velez, Platform Engineering Latam Lead @ GFT | AWS Ambassador</p> security aws devsecops genia Alejandro Velez Thu, 20 Nov 2025 19:30:23 +0000 https://dev.to/aws-builders/agentic-ai-development-with-kiro-from-zero-to-saas-platform-30d6 https://dev.to/aws-builders/agentic-ai-development-with-kiro-from-zero-to-saas-platform-30d6 <p><em><strong>Level 300</strong></em></p> <p>Recently, I came up with an idea inspired by my personal experience. I am a professional calisthenics athlete and frequently organize events where a recurring challenge is providing users with a seamless way to track their results. As event managers, registering and publishing results, managing competition timing, scoring systems, and different modalities are also critical concerns. On the other hand, as an AWS solutions architect and Devsecops expert, my first thought was how I could combine both worlds to create a solution that is fast, secure, and modern—without sacrificing best practices.</p> <p>You're invited to explore how agentic AI development with Kiro can transform event management and SaaS platform creation. Whether you're an AWS developer, DevOps or DevSecOps engineer, SaaS architect, AI practitioner, platform engineer, technical product owner, or event manager, join us as we delve into modern cloud and AI technologies designed to streamline event management and result tracking. Discover best practices in secure, scalable, cloud-native SaaS solutions, and accelerate your development with serverless architecture and innovative AI workflows.</p> <h2> Prototyping with Kiro: Accelerating Development Through Serverless Best Practices </h2> <p>In my pursuit of <strong>optimizing both the software development lifecycle (SDLC) and platform engineering</strong>, I have been actively exploring a variety of AI workflows and practices. The goal is to enhance efficiency and innovation within the development process. However, <strong>the immediate need is to create a rapid prototype that supports my concept effectively while adhering to best practices</strong>.</p> <p>To achieve this, I prioritized serverless architectures for their speed, scalability, and cost-effectiveness, ensuring that the solution remains secure and can grow alongside user demand. Among the available options, I selected Kiro as the primary tool for development. Kiro stands out by bringing structure to AI coding through spec-driven development, enabling me to produce robust prototypes swiftly while maintaining high standards in both security and scalability.</p> <p>Some key features are: </p> <ul> <li>Natural prompts to structured requirements</li> <li>Architectural designs backed by best practices</li> <li>Discrete tasks that map to requirements</li> </ul> <h2> Laying the Foundation for a Reliable Prototype </h2> <p>Creating a reliable prototype is inherently complex, especially given the possibility that the idea may gain traction and eventually move into production. In such scenarios, it is essential to minimize technical debt from the outset, ensuring that the <strong>prototype is prepared for a seamless transition to production</strong>. Therefore, the process of selecting appropriate technologies and establishing solid foundational practices becomes a critical aspect of moving from prototyping to a Minimum Viable Product (MVP).</p> <h2> Technical Stack and Development Practices </h2> <p>For the front-end, I selected a React web application to ensure a responsive and interactive user experience. The application's architecture adheres to the Twelve-Factor App methodology, which provides a framework for building scalable and maintainable software-as-a-service solutions.<br> To maintain high standards of reliability and security, I strictly followed AWS best practices throughout the development process. The system is designed using event-driven architecture, allowing for efficient handling of asynchronous tasks and improved scalability.</p> <p>Infrastructure as Code (IaC) is implemented using the AWS Cloud Development Kit (CDK), streamlining the process of defining and managing cloud resources in a repeatable and version-controlled manner.</p> <p>For continuous integration and deployment, I integrated GitHub with self-hosted runners and AWS CodeBuild. This setup enables a seamless and automated flow from code committees to deployment, supporting rapid iteration and robust DevOps workflows.</p> <p>For testing purposes, I am utilizing Nova Act to facilitate the creation of UI tests with Playwright; however, further details on this topic will be covered in subsequent posts.</p> <p>I use both Kiro IDE and Kiro CLI to parallelize the project task, while the IDE works in spec tasks the CLI helps me to create some backend components for infrastructure, debugging and fixing errors.</p> <h2> Hands On </h2> <p>At the beginning of the development, I <strong>created a CDK scaffold project and inserted some files with basic project rules and deep knowledge about the system</strong>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgw3tusi4wbmnuqqc19m7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgw3tusi4wbmnuqqc19m7.png" alt="CDK Scaffold md product" width="649" height="891"></a></p> <p>First according to <a href="https://kiro.dev/docs/getting-started/first-project/" rel="noopener noreferrer">https://kiro.dev/docs/getting-started/first-project/</a> we create the project and setup the steering files: </p> <blockquote> <p>Steering files give Kiro project context, so it understands your codebase, conventions, and needs. Start by selecting Generate Steering Docs in the Kiro pane. Kiro then creates steering documents in <code>.kiro/steering/</code> that outline your <strong>product, tech stack, project structure</strong>, and conventions.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff2b2bai2s5ecdae7m7ib.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff2b2bai2s5ecdae7m7ib.png" alt="Steering files Data Kiro" width="678" height="946"></a></p> <p>Some examples for steering data files: </p> <ul> <li> <code>product.md</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">Athleon Platform</span> <span class="s">Multi-tenant calisthenics competition management platform with role-based access control (RBAC).</span> <span class="c1">## Core Functionality</span> <span class="pi">-</span> <span class="na">**Organizations**</span><span class="pi">:</span> <span class="s">Multi-tenant teams with owner/admin/member roles</span> <span class="pi">-</span> <span class="na">**Events**</span><span class="pi">:</span> <span class="s">Competition lifecycle management (draft → published → completed)</span> <span class="pi">-</span> <span class="na">**Athletes**</span><span class="pi">:</span> <span class="s">Profile management, event registration, score submission</span> <span class="pi">-</span> <span class="na">**Scoring**</span><span class="pi">:</span> <span class="s">Advanced calculation engine with multiple scoring systems</span> <span class="pi">-</span> <span class="na">**WODs**</span><span class="pi">:</span> <span class="s">Workout templates (event-scoped and global)</span> <span class="pi">-</span> <span class="na">**Categories**</span><span class="pi">:</span> <span class="s">Competition divisions (event-scoped and transversal)</span> <span class="pi">-</span> <span class="na">**Scheduling**</span><span class="pi">:</span> <span class="s">Tournament brackets and session management</span> <span class="c1">## User Roles</span> <span class="nn">...</span> </code></pre> </div> <ul> <li> <code>tech.md</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Tech Stack</span> <span class="c1">## Infrastructure</span> <span class="pi">-</span> <span class="na">**IaC**</span><span class="pi">:</span> <span class="s">AWS CDK (TypeScript)</span> <span class="pi">-</span> <span class="na">**Compute**</span><span class="pi">:</span> <span class="s">AWS Lambda (Node.js 18.x)</span> <span class="pi">-</span> <span class="na">**Database**</span><span class="pi">:</span> <span class="s">DynamoDB (single-table per domain)</span> <span class="pi">-</span> <span class="na">**API**</span><span class="pi">:</span> <span class="s">API Gateway REST API with Cognito authorizer</span> <span class="pi">-</span> <span class="na">**Auth**</span><span class="pi">:</span> <span class="s">Amazon Cognito User Pools</span> <span class="pi">-</span> <span class="na">**Storage**</span><span class="pi">:</span> <span class="s">S3 (event images)</span> <span class="pi">-</span> <span class="na">**Events**</span><span class="pi">:</span> <span class="s">EventBridge (domain event bus + central bus)</span> <span class="pi">-</span> <span class="na">**Deployment**</span><span class="pi">:</span> <span class="s">CDK deploy with esbuild bundling</span> <span class="c1">## Backend</span> <span class="pi">-</span> <span class="na">**Runtime**</span><span class="pi">:</span> <span class="s">Node.js 18.x</span> <span class="pi">-</span> <span class="na">**SDK**</span><span class="pi">:</span> <span class="s">AWS SDK v3 (@aws-sdk/client-*)</span> <span class="pi">-</span> <span class="na">**Testing**</span><span class="pi">:</span> <span class="s">Jest, Vitest, fast-check (property-based testing)</span> <span class="pi">-</span> <span class="na">**Shared Layer**</span><span class="pi">:</span> <span class="s">Lambda layer at `layers/athleon-shared/nodejs`</span> <span class="c1">## Frontend</span> <span class="pi">-</span> <span class="na">**Framework**</span><span class="pi">:</span> <span class="s">React 18 + Vite</span> <span class="pi">-</span> <span class="na">**Routing**</span><span class="pi">:</span> <span class="s">React Router v6</span> <span class="pi">-</span> <span class="na">**State**</span><span class="pi">:</span> <span class="s">Zustand + React Query (@tanstack/react-query)</span> <span class="pi">-</span> <span class="na">**Auth**</span><span class="pi">:</span> <span class="s">AWS Amplify v6</span> <span class="pi">-</span> <span class="na">**UI**</span><span class="pi">:</span> <span class="s">Custom components with @aws-amplify/ui-react</span> <span class="pi">-</span> <span class="na">**i18n**</span><span class="pi">:</span> <span class="s">i18next + react-i18next</span> <span class="pi">-</span> <span class="na">**Testing**</span><span class="pi">:</span> <span class="s">Vitest + React Testing Library</span> <span class="pi">-</span> <span class="na">**E2E**</span><span class="pi">:</span> <span class="s">Playwright (in e2e-tests/)</span> <span class="c1">## Common Commands</span> <span class="c1">### Infrastructure</span> <span class="nn">...</span> </code></pre> </div> <p>Now, build a feature with specs:<br> Specs transform high-level feature ideas into detailed implementation plans through three phases:</p> <ol> <li> <strong>Requirements</strong>- User stories with acceptance criteria in EARS notation</li> <li> <strong>Design</strong>- Technical architecture and implementation approach</li> <li> <strong>Tasks</strong>- Discrete, trackable implementation steps</li> </ol> <p>For example, one feature was: <strong>Create the RBAC system to keep the roles and responsibilities for different platform users (Super Admin, athletes, organizers and spectators)</strong>. This prompt generates a structure and consolidate workflow from requirements to the code:</p> <ul> <li> <code>requierements.md</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Requirements Document</span> <span class="c1">## Introduction</span> <span class="s">This specification defines a role-based user onboarding system for the Athleon platform using a single Amazon Cognito User Pool. The system must support three distinct user roles (athlete, organizer, and super admin) with different access levels and onboarding workflows. Athletes and organizers can self-register through the frontend with role selection, while super admins are created exclusively through backend scripts.</span> <span class="c1">## Glossary</span> <span class="pi">-</span> <span class="na">**Cognito User Pool**</span><span class="pi">:</span> <span class="s">AWS managed user directory service that handles user authentication and stores user attributes</span> <span class="pi">-</span> <span class="na">**Pre-signup Trigger**</span><span class="pi">:</span> <span class="s">AWS Lambda function invoked by Cognito before user registration is completed</span> <span class="pi">-</span> <span class="na">**Custom Attribute**</span><span class="pi">:</span> <span class="s">User-defined attribute stored in Cognito user profile (e.g., custom:role)</span> <span class="pi">-</span> <span class="na">**Athlete**</span><span class="pi">:</span> <span class="s">A user who competes in events and views leaderboards</span> <span class="pi">-</span> <span class="na">**Organizer**</span><span class="pi">:</span> <span class="s">A user who creates and manages events, categories, and WODs</span> <span class="pi">-</span> <span class="na">**Super Admin**</span><span class="pi">:</span> <span class="s">A platform administrator with full system access</span> <span class="pi">-</span> <span class="na">**Self-registration**</span><span class="pi">:</span> <span class="s">User-initiated signup process through the frontend application</span> <span class="pi">-</span> <span class="na">**RBAC**</span><span class="pi">:</span> <span class="s">Role-Based Access Control system that determines user permissions based on assigned roles</span> <span class="pi">-</span> <span class="na">**JWT Token**</span><span class="pi">:</span> <span class="s">JSON Web Token containing user claims including the custom:role attribute</span> <span class="pi">-</span> <span class="na">**Onboarding Flow**</span><span class="pi">:</span> <span class="s">The complete process from initial signup to authenticated access</span> </code></pre> </div> <ul> <li> <code>design.md</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">## Architecture</span> <span class="c1">### High-Level Components</span> <span class="s">┌─────────────────┐</span> <span class="s">│ Frontend App │</span> <span class="s">│ (React + AWS │</span> <span class="s">│ Amplify UI) │</span> <span class="s">└────────┬────────┘</span> <span class="s">│</span> <span class="s">│ 1. Signup with role selection</span> <span class="s">▼</span> <span class="s">┌─────────────────────────────────────────┐</span> <span class="s">│ Amazon Cognito User Pool │</span> <span class="s">│ ┌───────────────────────────────────┐ │</span> <span class="s">│ │ Pre-signup Lambda Trigger │ │</span> <span class="s">│ │ - Validates role selection │ │</span> <span class="s">│ │ - Sets custom:role attribute │ │</span> <span class="s">│ │ - Rejects super_admin attempts │ │</span> <span class="s">│ └───────────────────────────────────┘ │</span> <span class="s">│ ┌───────────────────────────────────┐ │</span> <span class="s">│ │ Pre-token Generation Trigger │ │</span> <span class="s">│ │ - Adds role to JWT claims │ │</span> <span class="s">│ └───────────────────────────────────┘ │</span> <span class="s">└─────────────────┬───────────────────────┘</span> <span class="s">│</span> <span class="s">│ 2. JWT with role claim</span> <span class="s">▼</span> <span class="s">┌─────────────────────────────────────────┐</span> <span class="s">│ API Gateway + Lambda Functions │</span> <span class="s">│ - Extract role from JWT token │</span> <span class="s">│ - Enforce role-based permissions │</span> <span class="s">│ - Route to appropriate services │</span> <span class="s">└─────────────────────────────────────────┘</span> <span class="nn">...</span> </code></pre> </div> <ul> <li> <code>tasks.md</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Implementation Plan</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">x</span><span class="pi">]</span> <span class="s">1. Update Pre-Signup Lambda Trigger</span> <span class="s">- Modify `lambda/auth/pre-signup-trigger.js` to extract and validate role from signup request</span> <span class="s">- Implement logic to accept 'athlete' or 'organizer' roles</span> <span class="s">- Implement logic to reject 'super_admin' role with error</span> <span class="s">- Default to 'athlete' for missing or invalid roles</span> <span class="s">- Add comprehensive CloudWatch logging for all role assignments</span> <span class="s">- _Requirements</span><span class="err">:</span> <span class="s">1.2, 1.3, 1.4, 1.5, 5.1, 5.2, 5.3, 5.4, 5.5, 8.1, 8.2_</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">x</span><span class="pi">]</span> <span class="s">1.1 Write property test for pre-signup trigger</span> <span class="s">- **Property 1</span><span class="err">:</span> <span class="s">Role assignment consistency**</span> <span class="s">- **Property 2</span><span class="err">:</span> <span class="s">Super admin rejection**</span> <span class="s">- **Property 3</span><span class="err">:</span> <span class="s">Default role assignment**</span> <span class="s">- **Validates</span><span class="err">:</span> <span class="s">Requirements 1.2, 1.3, 1.4, 1.5, 2.4, 5.1, 5.2, 5.3, 5.4**</span> <span class="nn">...</span> </code></pre> </div> <p>Here we need to extend the capabilities using Model Context Protocol (MCP) and add more context:</p> <p>• Access specialized knowledge bases and documentation<br> • Integrate with external APIs and services<br> • Use domain-specific tools and utilities<br> • Connect to databases and cloud services</p> <p>I initially integrate two MCP servers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"awslabs.core-mcp-server"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uv"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"tool"</span><span class="p">,</span><span class="w"> </span><span class="s2">"run"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--from"</span><span class="p">,</span><span class="w"> </span><span class="s2">"awslabs.core-mcp-server@latest"</span><span class="p">,</span><span class="w"> </span><span class="s2">"awslabs.core-mcp-server.exe"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"env"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"FASTMCP_LOG_LEVEL"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_PROFILE"</span><span class="p">:</span><span class="w"> </span><span class="s2">"labvel-dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AWS_REGION"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aws-foundation"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="p">,</span><span class="w"> </span><span class="nl">"solutions-architect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"disabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"disabledTools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"aws_knowledge_aws___get_regional_availability"</span><span class="p">,</span><span class="w"> </span><span class="s2">"aws_knowledge_aws___list_regions"</span><span class="p">,</span><span class="w"> </span><span class="s2">"pricing_get_bedrock_patterns"</span><span class="p">,</span><span class="w"> </span><span class="s2">"cost_explorer_get_cost_comparison_drivers"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"playwright"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"@playwright/mcp@latest"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"disabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> The Results </h2> <blockquote> <p>I'm excited to share the outcomes from our hands-on experience building agentic AI solutions with Kiro! 😁</p> </blockquote> <p>The following section captures the valuable lessons I've learned, the best practices I've discovered, and how thoughtful choices have helped us grow from an initial idea to a polished SaaS platform for managing calisthenics events and athlete profiles. </p> <h3> The IDE Project setup </h3> <p>Here is the review of my project setup, as you can see there are MCP, steering project files and some specs. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnci5jsjlko9ry0my3gek.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnci5jsjlko9ry0my3gek.png" alt="KIRO IDE Project" width="800" height="448"></a></p> <h3> The Complete system architecture for tournament auto-advance </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq89q3t82tn95l7b4bk67.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq89q3t82tn95l7b4bk67.png" alt="Complete system Tournament Achitecture " width="800" height="446"></a></p> <h3> Scheduling Domain </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl9ei1t7m254wqj4liasz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl9ei1t7m254wqj4liasz.png" alt="Scheduling Domain" width="800" height="938"></a></p> <p>Watch here some exception to strict DDD and boundex contex domain patterns, in this scenario I choice make read data directly between context because use rest API or service integration increase the complexity for this use case. </p> <h3> Scoring domain Integration </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyidlkh4c8dxmnobxachg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyidlkh4c8dxmnobxachg.png" alt="Scoring domain Integration" width="800" height="708"></a></p> <h3> The landing page </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2y1e1v8xe8sgeuemsme.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2y1e1v8xe8sgeuemsme.png" alt=" " width="800" height="332"></a></p> <h2> Best Practices and lessons learned </h2> <ul> <li><p>Make sure that your scaffold project and product rules information are clear and clean.</p></li> <li><p>Runs in supervised way to avoid mistakes, Kiro makes many tasks correctly but sometimes I need reject some changes because violate some rules or use bad approach to solve a technical issue. </p></li> <li><p>Don’t integrate more than 50 MCP tools, this consumes context and could be slow. </p></li> <li><p>Use Kiro CLI for specific troubleshooting and parallel tasks that do not modify the current tasks or files while specs are running. </p></li> <li><p>Create specialized Kiro CLI agents for each SDLC domain and product domains after creating protype or MVP.</p></li> <li><p>Keep flexibility and tradeoff according to your use case. Sometimes apply deep practices like DDD add more complexity however hard guardrails and guidelines are security and operational excellent.</p></li> <li><p>Keep the repository clean, while prompting and refining many md files are created, some related to upgrading summaries or analysis to debug, if those files are added as context to the agent could generate confusion and reprocess.</p></li> </ul> <p>Thank you for your time and support. Please remember to follow us for additional updates.</p> <p>✨ <em><strong>Alejandro Velez, Platform Engineering Latam Lead @ GFT | AWS Ambassador</strong></em></p> aws ai development programming Alejandro Velez Wed, 17 Sep 2025 03:31:17 +0000 https://dev.to/avelez/using-amazon-q-and-custom-agents-for-iac-1i59 https://dev.to/avelez/using-amazon-q-and-custom-agents-for-iac-1i59 <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1" class="crayons-story__hidden-navigation-link">Enhancing Infrastructure as Code Development and Operations with Amazon Q, MCP, and Thoth Framework</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a class="crayons-logo crayons-logo--l" href="/aws-builders"> <img alt="AWS Community Builders logo" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F2794%2F88da75b6-aadd-4ea1-8083-ae2dfca8be94.png" class="crayons-logo__image"> </a> <a href="/avelez" class="crayons-avatar crayons-avatar--s absolute -right-2 -bottom-2 border-solid border-2 border-base-inverted "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg" alt="avelez profile" class="crayons-avatar__image"> </a> </div> <div> <div> <a href="/avelez" class="crayons-story__secondary fw-medium m:hidden"> Alejandro Velez </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> Alejandro Velez <div id="story-author-preview-content-2840310" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/avelez" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg" class="crayons-avatar__image" alt=""> </span> <span class="crayons-link crayons-subtitle-2 mt-5">Alejandro Velez</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> <span> <span class="crayons-story__tertiary fw-normal"> for </span><a href="/aws-builders" class="crayons-story__secondary fw-medium">AWS Community Builders </a> </span> </div> <a href="https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1" class="crayons-story__tertiary fs-xs"><time>Sep 17 '25</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1" id="article-link-2840310"> Enhancing Infrastructure as Code Development and Operations with Amazon Q, MCP, and Thoth Framework </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/devops"><span class="crayons-tag__prefix">#</span>devops</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/ai"><span class="crayons-tag__prefix">#</span>ai</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/aws"><span class="crayons-tag__prefix">#</span>aws</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/iac"><span class="crayons-tag__prefix">#</span>iac</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"> <div class="multiple_reactions_aggregate"> <span class="multiple_reactions_icons_container"> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/sparkle-heart-5f9bee3767e18deb1bb725290cb151c25234768a0e9a2bd39370c382d02920cf.svg" width="18" height="18"> </span> </span> <span class="aggregate_reactions_counter">2<span class="hidden s:inline">&nbsp;reactions</span></span> </div> </a> <a href="https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> <span class="hidden s:inline">Add&nbsp;Comment</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 5 min read </small> <span class="bm-initial"> </span> <span class="bm-success"> </span> </div> </div> </div> </div> </div> </div> devops ai aws iac Alejandro Velez Wed, 17 Sep 2025 03:23:41 +0000 https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1 https://dev.to/aws-builders/enhancing-infrastructure-as-code-development-and-operations-with-amazon-q-mcp-and-the-thoth-4gh1 <p><strong>Level 300</strong></p> <p>With each phase of digital transformation, new approaches are introduced for developing and implementing solutions. Beginning with scripting tools such as Ansible and Chef, and progressing through innovations like Terraform, CDK, Pulumi, and today’s AI-driven agentic and autonomous systems, methodologies continually evolve. Some practices become obsolete, while fresh strategies emerge—challenging engineers to adapt, innovate, and drive progress in solution creation and maintenance.</p> <p>It is common for DevOps professionals to upgrade Infrastructure as Code (IaC) regularly; maintaining clean infrastructure dependencies at scale can be challenging, but many processes are now automated. Thoth framework simplifies dependency management, automates template generation and integrates seamlessly with existing workflows, reducing manual effort and minimizing errors in large-scale infrastructure projects building and managing IaC templates created with tools such as Terraform or Tofu, leveraging wrappers like Terragrunt and Terramate.</p> <p>Let me show you how common tasks can be automatically accelerated using traditional approaches and modern practices with custom agents like <strong>Amazon Q</strong>.</p> <h2> The left side: Development </h2> <p>Things are constantly evolving; tasks like coding are being redefined by tools from developer assistants to agentic AI, moving us closer to fully autonomous development. Soon, writing code may seem as outdated as using an abacus, but human interaction is important and necessary for critical thinking, architecture decisions, continuous improvement and alignment with business strategies. As a cloud architect, developer, or engineer, it is essential to define the infrastructure composition with careful consideration of application-driven design and operational models. Adhering to best practice consistent with the well-architected framework and internal guidelines—is necessary to ensure optimal performance and reliability.</p> <p>So, How can I do this with minimal effort, time, and resources?</p> <p>Companies use internal developer platforms with blueprints and quick starts to reduce toil, lower the learning curve, and enable self-service through established paths. Developers must interact using the correct interfaces. AI agents now serve as intuitive interfaces, exposing platform capabilities via MCP and allowing for tailored agents for each SDLC task.</p> <blockquote> <p>Let’s begin with the code. 👽</p> </blockquote> <p>Start by creating a custom agent with Amazon Q for IaC, including platform context via MCP and a custom CLI. This approach manages tasks like infrastructure composition, compliance, scanning, and reporting, while maintaining traditional practices such as git best practices.</p> <p>The following picture depicts this setup.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F480pkh258uzuchuqjd2g.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F480pkh258uzuchuqjd2g.webp" alt="AmazonQ agent and local Environment"></a></p> <p>The system interfaces directly with AWS services via the AWS SDK and leverages OpenTofu for infrastructure provisioning, ensuring consistent and reproducible deployments across multiple environments.</p> <blockquote> <p>You can add any complementary MCP service from list but be careful verify the source: </p> </blockquote> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/awslabs" rel="noopener noreferrer"> awslabs </a> / <a href="https://github.com/awslabs/mcp" rel="noopener noreferrer"> mcp </a> </h2> <h3> Official MCP Servers for AWS </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"><div class="markdown-heading"> <h1 class="heading-element">Open source MCP servers for AWS</h1> </div> <p>A suite of specialized MCP servers that help you get the most out of AWS, wherever you use MCP.</p> <p><a href="https://github.com/awslabs/mcp" rel="noopener noreferrer"><img src="https://camo.githubusercontent.com/7bef95b38a27f6f93d54756cbcc6c0836290979aac3dc4073c363d8415d4895a/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6769746875622d6177736c6162732f6d63702d626c75652e7376673f7374796c653d666c6174266c6f676f3d676974687562" alt="GitHub"></a> <a href="https://github.com/awslabs/mcp/LICENSE" rel="noopener noreferrer"><img src="https://camo.githubusercontent.com/1ab15760a37e02017d01e83deb523ea4fcd0c2c1ff40582248e5993d4b4bdf8b/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d4170616368652d2d322e302d627269676874677265656e" alt="License"></a> <a href="https://app.codecov.io/gh/awslabs/mcp" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/a9f1209a67280570750b6567cf1a9f0bfe6b8608b366071a90f9ccce6c45f33e/68747470733a2f2f696d672e736869656c64732e696f2f636f6465636f762f632f6769746875622f6177736c6162732f6d6370" alt="Codecov"></a> <a href="https://scorecard.dev/viewer/?uri=github.com/awslabs/mcp" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/0ad45245621b0ec67a2ce434e53827983a300dab2b2175a11f8071e602526a6f/68747470733a2f2f696d672e736869656c64732e696f2f6f7373662d73636f7265636172642f6769746875622e636f6d2f6177736c6162732f6d6370" alt="OSSF-Scorecard Score"></a></p> <div class="markdown-heading"> <h2 class="heading-element">Table of Contents</h2> </div> <ul> <li> <a href="https://github.com/awslabs/mcp#open-source-mcp-servers-for-aws" rel="noopener noreferrer">Open source MCP servers for AWS</a> <ul> <li><a href="https://github.com/awslabs/mcp#table-of-contents" rel="noopener noreferrer">Table of Contents</a></li> <li><a href="https://github.com/awslabs/mcp#what-is-the-model-context-protocol-mcp-and-how-does-it-work-with-mcp-servers-for-aws" rel="noopener noreferrer">What is the Model Context Protocol (MCP) and how does it work with MCP Servers for AWS?</a></li> <li> <a href="https://github.com/awslabs/mcp#open-source-mcp-servers-for-aws-transport-mechanisms" rel="noopener noreferrer">Open source MCP servers for AWS Transport Mechanisms</a> <ul> <li><a href="https://github.com/awslabs/mcp#supported-transport-mechanisms" rel="noopener noreferrer">Supported transport mechanisms</a></li> <li><a href="https://github.com/awslabs/mcp#server-sent-events-support-removal" rel="noopener noreferrer">Server Sent Events Support Removal</a></li> </ul> </li> <li><a href="https://github.com/awslabs/mcp#why-mcp-servers-for-aws" rel="noopener noreferrer">Why MCP Servers for AWS?</a></li> <li> <a href="https://github.com/awslabs/mcp#available-mcp-servers-quick-installation" rel="noopener noreferrer">Available MCP Servers: Quick Installation</a> <ul> <li><a href="https://github.com/awslabs/mcp#-getting-started-with-aws" rel="noopener noreferrer">🚀Getting Started with AWS</a></li> <li> <a href="https://github.com/awslabs/mcp#browse-by-what-youre-building" rel="noopener noreferrer">Browse by What You're Building</a> <ul> <li><a href="https://github.com/awslabs/mcp#-real-time-access-to-official-aws-documentation" rel="noopener noreferrer">📚 Real-time access to official AWS documentation</a></li> <li> <a href="https://github.com/awslabs/mcp#%EF%B8%8F-infrastructure--deployment" rel="noopener noreferrer">🏗️ Infrastructure &amp; Deployment</a> <ul> <li><a href="https://github.com/awslabs/mcp#infrastructure-as-code" rel="noopener noreferrer">Infrastructure as Code</a></li> <li><a href="https://github.com/awslabs/mcp#container-platforms" rel="noopener noreferrer">Container Platforms</a></li> <li><a href="https://github.com/awslabs/mcp#serverless--functions" rel="noopener noreferrer">Serverless &amp; Functions</a></li> <li><a href="https://github.com/awslabs/mcp#support" rel="noopener noreferrer">Support</a></li> </ul> </li> <li><a href="https://github.com/awslabs/mcp#-ai--machine-learning" rel="noopener noreferrer">🤖 AI &amp; Machine Learning</a></li> <li> <a href="https://github.com/awslabs/mcp#-data--analytics" rel="noopener noreferrer">📊 Data &amp; Analytics</a> <ul> <li><a href="https://github.com/awslabs/mcp#sql--nosql-databases" rel="noopener noreferrer">SQL &amp; NoSQL Databases</a></li> <li><a href="https://github.com/awslabs/mcp#search--analytics" rel="noopener noreferrer">Search &amp; Analytics</a></li> <li><a href="https://github.com/awslabs/mcp#caching--performance" rel="noopener noreferrer">Caching &amp; Performance</a></li> </ul> </li> <li><a href="https://github.com/awslabs/mcp#%EF%B8%8F-developer-tools--support" rel="noopener noreferrer">🛠️ Developer Tools &amp; Support</a></li> <li><a href="https://github.com/awslabs/mcp#-integration--messaging" rel="noopener noreferrer">📡 Integration &amp; Messaging</a></li> <li><a href="https://github.com/awslabs/mcp#-cost--operations" rel="noopener noreferrer">💰 Cost &amp; Operations</a></li> <li><a href="https://github.com/awslabs/mcp#-healthcare--lifesciences" rel="noopener noreferrer">🧬 Healthcare &amp; Lifesciences</a></li> </ul> </li> <li> <a href="https://github.com/awslabs/mcp#browse-by-how-youre-working" rel="noopener noreferrer">Browse by How You're Working</a><ul><li>…</li></ul> </li> </ul> </li> </ul> </li> </ul></div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/awslabs/mcp" rel="noopener noreferrer">View on GitHub</a></div> </div> <br> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/modelcontextprotocol" rel="noopener noreferrer"> modelcontextprotocol </a> / <a href="https://github.com/modelcontextprotocol/servers" rel="noopener noreferrer"> servers </a> </h2> <h3> Model Context Protocol Servers </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"><div class="markdown-heading"> <h1 class="heading-element">Model Context Protocol servers</h1> </div> <p>This repository is a collection of <em>reference implementations</em> for the <a href="https://modelcontextprotocol.io/" rel="nofollow noopener noreferrer">Model Context Protocol</a> (MCP), as well as references to community-built servers and additional resources.</p> <div class="markdown-alert markdown-alert-important"> <p class="markdown-alert-title">Important</p> <p>If you are looking for a list of MCP servers, you can browse published servers on <a href="https://registry.modelcontextprotocol.io/" rel="nofollow noopener noreferrer">the MCP Registry</a>. The repository served by this README is dedicated to housing just the small number of reference servers maintained by the MCP steering group.</p> </div> <div class="markdown-alert markdown-alert-warning"> <p class="markdown-alert-title">Warning</p> <p>The servers in this repository are intended as <strong>reference implementations</strong> to demonstrate MCP features and SDK usage. They are meant to serve as educational examples for developers building their own MCP servers, not as production-ready solutions. Developers should evaluate their own security requirements and implement appropriate safeguards based on their specific threat model and use case.</p> </div> <p>The servers in this repository showcase the versatility and extensibility of MCP, demonstrating how it can be used to give Large…</p></div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/modelcontextprotocol/servers" rel="noopener noreferrer">View on GitHub</a></div> </div> <h2> Hands On </h2> <h3> Requirements </h3> <ul> <li>WSL or ubuntu 24.04</li> <li>python &gt;= 3.12</li> <li>thothctl &gt;= 0.5.3</li> <li>opentofu &gt;= 1.10.6</li> <li>terragrunt &gt;= 0.88.0</li> </ul> <h3> Preparing the local environment </h3> <p>Bootstrap you environment with the necessary tools following the next steps:</p> <p>a. Download and install thothctl from pypi official repository.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pipx <span class="nb">install </span>thothcl </code></pre> </div> <p>b. Install amazon Q agent and Amazon Q for your IDE, terragrunt, tofu, uv, and pipx and other tools running or just runs the <strong>devtocontainers</strong> environment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>thothctl init environment <span class="c">#environment for interactive mode</span> </code></pre> </div> <div class="ltag_asciinema"> </div> <p>Select the tools according to the recommended versions. If you already have the tools installed, please run.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>thothctl check environment </code></pre> </div> <div class="ltag_asciinema"> </div> <h3> Creating custom Amazon Q agent (thoth agent) </h3> <blockquote> <p>Please create the <a href="https://docs.aws.amazon.com/es_es/amazonq/latest/qdeveloper-ug/getting-started-builderid.html" rel="noopener noreferrer">AWS Builder Id</a></p> </blockquote> <p>a. Use thothctl to initialize the project with the scaffold template or clone the repository.</p> <p>The Custom agent configuration files are stored as JSON files in specific directories:</p> <p>Project-level custom agents <code>.amazonq/cli-agents/{agent-name}.json</code><br> Available only within the specific project directory and its subdirectories.</p> <p>The Amazon Q Developer CLI searches for a custom agent by following a defined order of precedence:<br> • <strong>Local custom agents first</strong> - Checks for custom agents in the current working directory<br> • <strong>Global custom agents second</strong> - Falls back to custom agents in your home directory<br> • <strong>Built-in default</strong> - Uses the default agent if no custom agent is found</p> <blockquote> <p>ℹ️ Please visit for best practices and deep knowledge: 👉 <a href="https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/command-line-custom-agents-management.html" rel="noopener noreferrer">Custom Agents Management</a> 👈 </p> </blockquote> <p>For this scenario the scaffold project template looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ├── LICENSE ├── README.md ├── common │&nbsp;&nbsp; ├── common.hcl │&nbsp;&nbsp; ├── common.tfvars │&nbsp;&nbsp; └── variables.tf ├── docs │&nbsp;&nbsp; └── catalog │&nbsp;&nbsp; ├── catalog-info.yaml │&nbsp;&nbsp; ├── docs │&nbsp;&nbsp; │&nbsp;&nbsp; ├── general │&nbsp;&nbsp; │&nbsp;&nbsp; ├── guidelines │&nbsp;&nbsp; │&nbsp;&nbsp; │&nbsp;&nbsp; ├── architecture-definition.md │&nbsp;&nbsp; │&nbsp;&nbsp; │&nbsp;&nbsp; └── iac-composition-guidelines.md │&nbsp;&nbsp; │&nbsp;&nbsp; ├── images │&nbsp;&nbsp; │&nbsp;&nbsp; │&nbsp;&nbsp; ├── DiagramArchitecture.png │&nbsp;&nbsp; │&nbsp;&nbsp; │&nbsp;&nbsp; └── graph.svg │&nbsp;&nbsp; │&nbsp;&nbsp; └── index.md │&nbsp;&nbsp; └── mkdocs.yml ├── root.hcl └── stacks ├── application │&nbsp;&nbsp; ├── compute │&nbsp;&nbsp; │&nbsp;&nbsp; ├── alb │&nbsp;&nbsp; │&nbsp;&nbsp; │&nbsp;&nbsp; ├── README.md │&nbsp;&nbsp; │&nbsp;&nbsp; │&nbsp;&nbsp; └── terragrunt.hcl │&nbsp;&nbsp; │&nbsp;&nbsp; └── asg │&nbsp;&nbsp; └── storage │&nbsp;&nbsp; ├── efs │&nbsp;&nbsp; └── s3 ├── foundation │&nbsp;&nbsp; ├── iam │&nbsp;&nbsp; │&nbsp;&nbsp; ├── policies │&nbsp;&nbsp; │&nbsp;&nbsp; └── roles │&nbsp;&nbsp; │&nbsp;&nbsp; └── terragrunt.hcl │&nbsp;&nbsp; └── network │&nbsp;&nbsp; ├── security-groups │&nbsp;&nbsp; └── vpc │&nbsp;&nbsp; ├── README.md │&nbsp;&nbsp; └── terragrunt.hcl ├── observability │&nbsp;&nbsp; └── monitoring │&nbsp;&nbsp; ├── cloudwatch │&nbsp;&nbsp; └── prometheus └── platform ├── containers │&nbsp;&nbsp; ├── ecr │&nbsp;&nbsp; ├── eks-control-plane │&nbsp;&nbsp; │&nbsp;&nbsp; └── terragrunt.hcl │&nbsp;&nbsp; └── eks-nodegroups └── data ├── elasticache └── rds </code></pre> </div> <p>You can find it in: </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/thothforge" rel="noopener noreferrer"> thothforge </a> / <a href="https://github.com/thothforge/terragrunt_project_scaffold" rel="noopener noreferrer"> terragrunt_project_scaffold </a> </h2> <h3> Scaffold for terragrun projects using thoth framework </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"><div class="markdown-heading"> <h1 class="heading-element">Terragrunt Project Scaffold</h1> </div> <p>A production-ready Terragrunt template for AWS infrastructure deployment with GitOps integration and best practices.</p> <div class="markdown-heading"> <h2 class="heading-element">Overview</h2> </div> <p>This scaffold provides a standardized project structure for managing AWS infrastructure using Terragrunt, with built-in support for:</p> <ul> <li>Multi-environment deployments</li> <li>Remote state management with S3 and DynamoDB</li> <li>Code quality tools (TFLint, pre-commit hooks)</li> <li>GitOps workflows</li> <li>Modular architecture</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Project Structure</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code>#{project_name}#/ ├── .thothcf.toml # Template configuration ├── .gitignore # Git ignore rules ├── .tflint.hcl # TFLint configuration ├── .pre-commit-config.yaml # Pre-commit hooks ├── root.hcl # Root Terragrunt configuration ├── common/ │ ├── common.hcl # Common variables and provider config │ └── variables.tf # Shared variable definitions ├── stacks/ │ ├── foundation/ # Core infrastructure layer │ │ ├── network/vpc/ # VPC, subnets, routing │ │ └── iam/roles/ # Service roles and policies │ ├── platform/ # Shared services layer │ │ └── containers/ │ │ └── eks-control-plane/ # EKS cluster │ ├── application/ #</code></pre>…</div></div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/thothforge/terragrunt_project_scaffold" rel="noopener noreferrer">View on GitHub</a></div> </div> <div class="ltag_asciinema"> </div> <p>So, the custom agent provides the minimum mcp servers, context and tools. Agents can be created based on environment, technology, specialty or for specific projects for example when using a monorepo structure to store both application and infrastructure code.</p> <p>Here is the baseline agent setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"thoth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"IaC and GitOps specialist THOTH agent for IaC deployments"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"thothctl"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"thothctl"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"mcp"</span><span class="p">,</span><span class="w"> </span><span class="s2">"server"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--stdio"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"git"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uvx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"mcp-server-git"</span><span class="p">],</span><span class="w"> </span><span class="nl">"timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">30000</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"terraform"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"docker"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"run"</span><span class="p">,</span><span class="w"> </span><span class="s2">"-i"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--rm"</span><span class="p">,</span><span class="w"> </span><span class="s2">"hashicorp/terraform-mcp-server"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"awslabs.aws-diagram-mcp-server"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"uvx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"awslabs.aws-diagram-mcp-server"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"env"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"FASTMCP_LOG_LEVEL"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ERROR"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"autoApprove"</span><span class="p">:</span><span class="w"> </span><span class="p">[],</span><span class="w"> </span><span class="nl">"disabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"tools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"fs_read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"fs_write"</span><span class="p">,</span><span class="w"> </span><span class="s2">"execute_bash"</span><span class="p">,</span><span class="w"> </span><span class="s2">"use_aws"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@git"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@thothctl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@terraform"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"allowedTools"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"fs_read"</span><span class="p">,</span><span class="w"> </span><span class="s2">"use_aws"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@git/git_status"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@git/git_log"</span><span class="p">,</span><span class="w"> </span><span class="s2">"@git/git_diff"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"toolAliases"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@git/git_status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"status"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@git/git_log"</span><span class="p">:</span><span class="w"> </span><span class="s2">"log"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@git/git_diff"</span><span class="p">:</span><span class="w"> </span><span class="s2">"diff"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"toolsSettings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"fs_write"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allowedPaths"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"stacks/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"common/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"modules/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.hcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.tf"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.tfvars"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.yaml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.yml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.toml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"docs/**"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"file://README.md"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://LICENSE"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://.thothcf.toml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://root.hcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://common/common.hcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://common/variables.tf"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://.tflint.hcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://.pre-commit-config.yaml"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://.gitignore"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://stacks/**/*.hcl"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://stacks/**/*.tf"</span><span class="p">,</span><span class="w"> </span><span class="s2">"file://docs/**/*.md"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The agent has the resources definition block: </p> <blockquote> <p>In <code>docs/catalog/docs/guidelines</code> we include two guidelines, one for architecture definitions and other for IaC composition guidelines. </p> </blockquote> <p>b. Finally, start a chat with the agent in project folder and create some stacks :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ q chat <span class="nt">--agent</span> thoth ✓ terraform loaded <span class="k">in </span>1.05 s ✓ git loaded <span class="k">in </span>1.81 s ✓ awslabs.aws-diagram-mcp-server loaded <span class="k">in </span>2.02 s ✓ thothctl loaded <span class="k">in </span>2.12 s </code></pre> </div> <p>For example: </p> <div class="ltag_asciinema"> </div> <p>Thanks for reading and sharing! 🤠</p> <p>The next blogs offer more examples and explains how traditional and agentic AI can be combined for optimal results. 🥸</p> <p>✨ <em><strong>Alejandro Velez, Platform Engineering Latam Lead @ GFT | AWS Ambassador</strong></em></p> devops ai aws iac Alejandro Velez Mon, 04 Aug 2025 01:48:07 +0000 https://dev.to/avelez/here-the-3rd-part-of-this-series-1adm https://dev.to/avelez/here-the-3rd-part-of-this-series-1adm <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m" class="crayons-story__hidden-navigation-link">GitOps and IaC at Scale – ArgoCD and Open Tofu – Part 3 – Hardening and Manage users</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a class="crayons-logo crayons-logo--l" href="/aws-builders"> <img alt="AWS Community Builders logo" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F2794%2F88da75b6-aadd-4ea1-8083-ae2dfca8be94.png" class="crayons-logo__image"> </a> <a href="/avelez" class="crayons-avatar crayons-avatar--s absolute -right-2 -bottom-2 border-solid border-2 border-base-inverted "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg" alt="avelez profile" class="crayons-avatar__image"> </a> </div> <div> <div> <a href="/avelez" class="crayons-story__secondary fw-medium m:hidden"> Alejandro Velez </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> Alejandro Velez <div id="story-author-preview-content-2707008" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/avelez" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F860110%2F56a97906-758a-438a-a886-a15b41498182.jpg" class="crayons-avatar__image" alt=""> </span> <span class="crayons-link crayons-subtitle-2 mt-5">Alejandro Velez</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> <span> <span class="crayons-story__tertiary fw-normal"> for </span><a href="/aws-builders" class="crayons-story__secondary fw-medium">AWS Community Builders </a> </span> </div> <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m" class="crayons-story__tertiary fs-xs"><time>Aug 3 '25</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m" id="article-link-2707008"> GitOps and IaC at Scale – ArgoCD and Open Tofu – Part 3 – Hardening and Manage users </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/devops"><span class="crayons-tag__prefix">#</span>devops</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/aws"><span class="crayons-tag__prefix">#</span>aws</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/terraform"><span class="crayons-tag__prefix">#</span>terraform</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/gitops"><span class="crayons-tag__prefix">#</span>gitops</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"> <div class="multiple_reactions_aggregate"> <span class="multiple_reactions_icons_container"> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/fire-f60e7a582391810302117f987b22a8ef04a2fe0df7e3258a5f49332df1cec71e.svg" width="18" height="18"> </span> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/sparkle-heart-5f9bee3767e18deb1bb725290cb151c25234768a0e9a2bd39370c382d02920cf.svg" width="18" height="18"> </span> </span> <span class="aggregate_reactions_counter">4<span class="hidden s:inline">&nbsp;reactions</span></span> </div> </a> <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> 1<span class="hidden s:inline">&nbsp;comment</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 7 min read </small> <span class="bm-initial"> </span> <span class="bm-success"> </span> </div> </div> </div> </div> </div> </div> devops aws terraform gitops Alejandro Velez Sun, 03 Aug 2025 23:40:39 +0000 https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m https://dev.to/aws-builders/gitops-and-iac-at-scale-argocd-and-open-tofu-part-3-hardening-and-manage-users-5b9m <p><strong><em>Level 400</em></strong></p> <p><a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-2-creating-spoke-4c6p">Earlier blogs covered scalable delivery</a>,<a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-1-2ie9"> architecture patterns, and code samples</a>. This section provides additional production-ready examples and best practices using the Well Architected Framework and GitOps with ArgoCD.</p> <h2> Architecture Overview </h2> <p>Now, suppose that you must apply some custom addons for the environment, also enable on-boarding application developer’s teams and platform teams to manage their projects and applications with the least manual effort, integration with AWS ecosystem like IAM identity Center and apply best practices for ArgoCD setup. For accomplishing this the following image depicts the high-level reference architecture with the main services: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjvvalw64rcawv11q85ul.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjvvalw64rcawv11q85ul.png" alt="Final GitOps on AWS"></a></p> <p>Here the new resources are ALB as an ingress gateway for Argo server, Route 53 to enable a Hosted Zone for public Domain, AWS Certificate management for SSL trough the ALB, and IAM Identity Center for SSO capabilities. </p> <blockquote> <p>For production environments there could be a private hosted Zone and use PKI architecture internal to enable SSL access.</p> </blockquote> <p>For other hand, *<em>how can you be modeling the groups and access to the Argo projects and applications? *</em><br> There is not correct answer and depending on your operational model <a href="https://martinfowler.com/bliki/ConwaysLaw.html" rel="noopener noreferrer">(Conway’s Law)</a> for example, the following image depicts a simple group for each team around a workload. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv9oj3gs0ab3ideszb4sr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv9oj3gs0ab3ideszb4sr.png" alt="GitOps Groups"></a></p> <p>Assigning permissions should follow the principle of the least privilege, separating application and project actions. For example, the application engineering team can run all actions on Applications but only watch and update the platform and addon applications.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwjjccbcz8heybcm88h3z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwjjccbcz8heybcm88h3z.png" alt="GitOps Teams and permissions"></a></p> <h2> Hands On </h2> <p>It’s time to create code.</p> <p>First, we must modify the hub blueprint to enable argo cd best practices<br> ❌ Don’t use Default admin for management- Disable it.<br> ❌ Don’t use the default project<br> ❌ Don’t use local users just if it is completely necessary for CLI or external automatons.<br> ✅ Create Roles and assign to groups instead of individual assignments.</p> <p>Now, according to Argo cd documentation the SSO is configured with IAM Identity Center.</p> <p>A working Single Sign-On configuration using Identity Center (AWS SSO) has been achieved using <a href="https://argo-cd.readthedocs.io/en/latest/operator-manual/user-management/identity-center/" rel="noopener noreferrer">SAML (with Dex)</a></p> <blockquote> <p>To manage IAM Identity Center in AWS, applications must be created because the <code>CreateApplication</code>API only supports custom OAuth 2.0 apps. Third-party SAML or OAuth 2.0 apps must be set up via their respective services or the AWS console. Application creation cannot be automated with Terraform, but user assignments can still be handled through IaC.</p> </blockquote> <p>Initially, a custom Terraform module was developed to establish the ArgoCD hardening baseline. This module leverages the gitops bridge module as its foundation and incorporates SSO configuration, along with group and default role setup and baseline specifications.</p> <p>The module name is <strong>terraform-helm-hardening-gitops-bridge</strong> </p> <blockquote> <p>You can find the source code module here 👉 </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/thothforge" rel="noopener noreferrer"> thothforge </a> / <a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge" rel="noopener noreferrer"> terraform-helm-hardening-gitops-bridge </a> </h2> <h3> GitOps bridge extended module with hardennig practices and examples </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"><div class="markdown-heading"> <h1 class="heading-element">Terraform Hardening GitOps Bridge Module</h1> </div> <p><a href="https://www.terraform.io/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/8e858e3e21e02106973c29c03e9615d40ea641d008b0c1a2f1fe741c326dbdff/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f7465727261666f726d2d2532333538333543432e7376673f7374796c653d666f722d7468652d6261646765266c6f676f3d7465727261666f726d266c6f676f436f6c6f723d7768697465" alt="Terraform"></a> <a href="https://aws.amazon.com/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/4dae474904a8c58fd1de6463cfa4692a7ef04064d976e5d6bbbee33131471da2/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4157532d2532334646393930302e7376673f7374796c653d666f722d7468652d6261646765266c6f676f3d616d617a6f6e2d617773266c6f676f436f6c6f723d7768697465" alt="AWS"></a> <a href="https://kubernetes.io/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/a7dfef554afa4a384788bb87c246f094f7048362db9c835b50ac92e605ce4999/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6b756265726e657465732d2532333332366365352e7376673f7374796c653d666f722d7468652d6261646765266c6f676f3d6b756265726e65746573266c6f676f436f6c6f723d7768697465" alt="Kubernetes"></a> <a href="https://argoproj.github.io/cd/" rel="nofollow noopener noreferrer"><img src="https://camo.githubusercontent.com/d3e321cce1a35554aebe109caca2d1cb830b7abdc3e575f1482fe35f626f7450/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6172676f2d4546374234443f7374796c653d666f722d7468652d6261646765266c6f676f3d6172676f266c6f676f436f6c6f723d7768697465" alt="ArgoCD"></a></p> <p>A comprehensive Terraform module that provides a hardened GitOps bridge for Amazon EKS clusters, implementing security best practices and enterprise-grade configurations for GitOps workflows using ArgoCD.</p> <div class="markdown-heading"> <h2 class="heading-element">📖 Table of Contents</h2> </div> <ul> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-features" rel="noopener noreferrer">Features</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-prerequisites" rel="noopener noreferrer">Prerequisites</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#%EF%B8%8F-architecture" rel="noopener noreferrer">Architecture</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-quick-start" rel="noopener noreferrer">Quick Start</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-examples" rel="noopener noreferrer">Examples</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-configuration-options" rel="noopener noreferrer">Configuration Options</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-security-best-practices" rel="noopener noreferrer">Security Best Practices</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#%EF%B8%8F-deployment-patterns" rel="noopener noreferrer">Deployment Patterns</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-monitoring-and-observability" rel="noopener noreferrer">Monitoring and Observability</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-performance-optimization" rel="noopener noreferrer">Performance Optimization</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-advanced-security-configuration" rel="noopener noreferrer">Advanced Security Configuration</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-dns-and-ingress-configuration" rel="noopener noreferrer">DNS and Ingress Configuration</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-customization-options" rel="noopener noreferrer">Customization Options</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-cost-optimization" rel="noopener noreferrer">Cost Optimization</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-best-practices" rel="noopener noreferrer">Best Practices</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-operational-procedures" rel="noopener noreferrer">Operational Procedures</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-faq" rel="noopener noreferrer">FAQ</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-additional-resources" rel="noopener noreferrer">Additional Resources</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-contributing" rel="noopener noreferrer">Contributing</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-license" rel="noopener noreferrer">License</a></p> </li> <li> <p><a href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge#-support" rel="noopener noreferrer">Support</a></p> </li> </ul> <div class="markdown-heading"> <h2 class="heading-element">🚀 Features</h2> </div> <div class="markdown-heading"> <h3 class="heading-element">Core Capabilities</h3> </div> <ul> <li> <strong>GitOps Integration</strong>: Seamless integration with ArgoCD for GitOps workflows</li> <li> <strong>Security Hardening</strong>: Enterprise-grade security configurations and best practices</li> <li> <strong>Multi-Repository Support</strong>: Support for addons, platform, and workloads repositories</li> <li> <strong>Flexible Deployment</strong>: Single cluster or hub-spoke architecture support</li> <li> <strong>Comprehensive Addons</strong>: Pre-configured essential Kubernetes addons</li> </ul> <div class="markdown-heading"> <h3 class="heading-element">Security Features</h3> </div> <ul> <li> <strong>RBAC Integration</strong>: Role-based access control with customizable permissions</li> <li> <strong>SSO Support</strong>: Microsoft Entra ID (Azure AD) integration</li> <li> <strong>Certificate Management</strong>: Automated SSL/TLS certificate provisioning</li> <li>…</li> </ul></div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/thothforge/terraform-helm-hardening-gitops-bridge" rel="noopener noreferrer">View on GitHub</a></div> </div> </blockquote> <p>or 👉 </p> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__body flex items-center justify-between"> <a href="https://registry.terraform.io/modules/thothforge/hardening-gitops-bridge/helm/latest?tab=outputs" rel="noopener noreferrer" class="c-link fw-bold flex items-center"> <span class="mr-2">registry.terraform.io</span> </a> </div> </div> </div> <p>The main files are: <code>bootstrap/argocd-values.yaml</code> where the default values are created and parser some parameters from terraform parameters like default project name, dns or argo host, kind of ingress, tags, subnets and more.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># bootstrap/argocd-values.yaml</span> <span class="na">global</span><span class="pi">:</span> <span class="na">topologySpreadConstraints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">maxSkew</span><span class="pi">:</span> <span class="m">1</span> <span class="na">topologyKey</span><span class="pi">:</span> <span class="s2">"</span><span class="s">topology.kubernetes.io/hostname"</span> <span class="na">whenUnsatisfiable</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ScheduleAnyway"</span> <span class="c1"># Default logging options used by all components</span> <span class="na">logging</span><span class="pi">:</span> <span class="c1"># -- Set the global logging format. Either: `text` or `json`</span> <span class="na">format</span><span class="pi">:</span> <span class="s">text</span> <span class="c1"># -- Set the global logging level. One of: `debug`, `info`, `warn` or `error`</span> <span class="na">level</span><span class="pi">:</span> <span class="s">debug</span> <span class="na">configs</span><span class="pi">:</span> <span class="na">params</span><span class="pi">:</span> <span class="na">server.insecure</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># SSO configuration with Entra ID</span> <span class="na">cm</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://${argo_host}</span> <span class="na">dex.config</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">logger:</span> <span class="s">level: debug</span> <span class="s">format: json</span> <span class="s">connectors:</span> <span class="s">- type: saml</span> <span class="s">id: aws</span> <span class="s">name: "AWS IAM Identity Center"</span> <span class="s">config:</span> <span class="s"># You need value of Identity Center APP SAML (IAM Identity Center sign-in URL)</span> <span class="s">ssoURL: ${sso_assertion_url} #https://portal.sso.yourregion.amazonaws.com/saml/assertion/id</span> <span class="s"># You need `caData` _OR_ `ca`, but not both.</span> <span class="s">#&lt;CA cert (IAM Identity Center Certificate of Identity Center APP SAML) passed through base64 encoding&gt;</span> <span class="s">caData: ${ca_data_iam_app} </span> <span class="s"># Path to mount the secret to the dex container</span> <span class="s">entityIssuer: https://${argo_host}/api/dex/callback</span> <span class="s">redirectURI: https://${argo_host}/api/dex/callback</span> <span class="s">usernameAttr: email</span> <span class="s">emailAttr: email</span> <span class="s">groupsAttr: groups</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">policy.csv</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">p, role:platform-team, applications, *, */*, allow</span> <span class="s">p, role:platform-team, projects, *, */*, allow</span> <span class="s">p, role:platform-team, clusters, *, *, allow</span> <span class="s">p, role:platform-team, repositories, *, *, allow</span> <span class="s">p, role:platform-team, certificates, *, *, allow</span> <span class="s">p, role:platform-team, logs, get, */*, allow</span> <span class="s">p, role:platform-team, exec, create, */*, allow</span> <span class="s">p, role:platform-team, applicationsets, *, */*, allow</span> <span class="s">p, role:platform-team, accounts, get, */*, allow</span> <span class="s">p, role:platform-team, sessions, create, */*, allow</span> <span class="s">p, role:platform-team, sessions, delete, */*, allow</span> <span class="s">p, role:platform-team, projects, get, *, allow</span> <span class="s">p, role:platform-team, projects, list, *, allow</span> <span class="s">p, role:platform-team, projects, update, *, allow</span> <span class="s">p, role:platform-team, projects, create, *, allow</span> <span class="s">p, role:platform-team, actions, *, */*, allow</span> <span class="s">g, ${admin_idp_group_id}, role:platform-team</span> <span class="na">policy.default</span><span class="pi">:</span> <span class="s">role:deny</span> <span class="na">policy.matchMode</span><span class="pi">:</span> <span class="s">glob</span> <span class="na">scopes</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[groups,</span><span class="nv"> </span><span class="s">email]'</span> <span class="na">server</span><span class="pi">:</span> <span class="na">autoscaling</span><span class="pi">:</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="m">20</span> <span class="na">targetCPUUtilizationPercentage</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetMemoryUtilizationPercentage</span><span class="pi">:</span> <span class="m">80</span> <span class="na">serviceAccount</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argocd_irsa_role_arn}"</span> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">NodePort"</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${enable_argo_ingress}"</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argo_host}"</span> <span class="na">controller</span><span class="pi">:</span> <span class="s2">"</span><span class="s">aws"</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">alb"</span> <span class="na">tls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">aws</span><span class="pi">:</span> <span class="na">backendProtocolVersion</span><span class="pi">:</span> <span class="s">GRPC</span> <span class="na">serviceType</span><span class="pi">:</span> <span class="s2">"</span><span class="s">NodePort"</span> <span class="c1">#"ClusterIP"</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">alb.ingress.kubernetes.io/group.name</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">alb.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">alb.ingress.kubernetes.io/healthcheck-protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">alb.ingress.kubernetes.io/listen-ports</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[{"HTTP":80},{"HTTPS":443}]'</span> <span class="na">alb.ingress.kubernetes.io/scheme</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${aws_load_balancer_type}"</span> <span class="na">alb.ingress.kubernetes.io/security-groups</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argo_ingress_sg}"</span> <span class="na">alb.ingress.kubernetes.io/certificate-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${acm_certificate_arn}"</span> <span class="na">alb.ingress.kubernetes.io/ssl-policy</span><span class="pi">:</span> <span class="s">ELBSecurityPolicy-TLS-1-2-2017-01</span> <span class="na">alb.ingress.kubernetes.io/ssl-redirect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">443"</span> <span class="na">alb.ingress.kubernetes.io/healthcheck-path</span><span class="pi">:</span> <span class="s">/healthz</span> <span class="na">alb.ingress.kubernetes.io/subnets</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${ingress_subnets}"</span> <span class="na">alb.ingress.kubernetes.io/tags</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${required_tags}"</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="c1"># -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="c1">#extraRules:</span> <span class="c1">#- http:</span> <span class="c1"># paths:</span> <span class="c1"># - path: /argocd</span> <span class="c1"># pathType: Prefix</span> <span class="c1"># backend:</span> <span class="c1"># service:</span> <span class="c1"># name: 'argo-cd-argocd-server-grpc'</span> <span class="c1"># port:</span> <span class="c1"># name: 'https'</span> <span class="na">ingressGrpc</span><span class="pi">:</span> <span class="c1"># -- Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress]</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1">#"${enable_argo_ingress}"</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argo_host}"</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">alb"</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">alb.ingress.kubernetes.io/group.name</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">alb.ingress.kubernetes.io/backend-protocol</span><span class="pi">:</span> <span class="s">HTTPS</span> <span class="na">alb.ingress.kubernetes.io/backend-protocol-version</span><span class="pi">:</span> <span class="s">GRPC</span> <span class="na">alb.ingress.kubernetes.io/listen-ports</span><span class="pi">:</span> <span class="s1">'</span><span class="s">[{"HTTP":80},{"HTTPS":443}]'</span> <span class="na">alb.ingress.kubernetes.io/healthcheck-protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">alb.ingress.kubernetes.io/target-type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ip"</span> <span class="na">alb.ingress.kubernetes.io/ssl-redirect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">443"</span> <span class="na">alb.ingress.kubernetes.io/healthcheck-path</span><span class="pi">:</span> <span class="s">/healthz</span> <span class="na">alb.ingress.kubernetes.io/success-codes</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0-99"</span> <span class="na">alb.ingress.kubernetes.io/security-groups</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argo_ingress_sg}"</span> <span class="na">alb.ingress.kubernetes.io/certificate-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${acm_certificate_arn}"</span> <span class="na">alb.ingress.kubernetes.io/ssl-policy</span><span class="pi">:</span> <span class="s">ELBSecurityPolicy-TLS-1-2-2017-01</span> <span class="na">alb.ingress.kubernetes.io/subnets</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${ingress_subnets}"</span> <span class="na">alb.ingress.kubernetes.io/tags</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${required_tags}"</span> <span class="na">controller</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">serviceAccount</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argocd_irsa_role_arn}"</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enable</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">priorityClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">system-node-critical"</span> <span class="na">podAnnotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8082</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> <span class="na">service</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8082</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> <span class="na">repoServer</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">serviceAccount</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${argocd_irsa_role_arn}"</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enable</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">priorityClassName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">system-node-critical"</span> <span class="na">podAnnotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8084</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> <span class="na">service</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8084</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> <span class="na">notificationsController</span><span class="pi">:</span> <span class="na">enable</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">redis-ha</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">waitForVotes</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">quorum</span><span class="pi">:</span> <span class="m">2</span> <span class="na">applicationSet</span><span class="pi">:</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enable</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">podAnnotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8085</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> <span class="na">service</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">prometheus.io/scrape</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheus.io/port</span><span class="pi">:</span> <span class="m">8085</span> <span class="na">prometheus.io/path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/metrics"</span> </code></pre> </div> <p>For other hand, the argo project default template is: <code>bootstrap/default_argproj.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AppProject</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">${default_argoproj_name}</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">argocd.argoproj.io/instance</span><span class="pi">:</span> <span class="s">argoprojects-platform-team</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Team for TI to manage Argo projects and applications</span> <span class="na">sourceRepos</span><span class="pi">:</span> <span class="s">${jsonencode(repositories)}</span> <span class="na">destinations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">server</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">clusterResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">namespaceResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> </code></pre> </div> <blockquote> <p>You can modify according to the baseline’s requirements; this is the platform project like default.</p> </blockquote> <p>The platform addons and platform appsets just receive the parameter for default project in argoCD but keep as the beginning of this series.</p> <p>Other kinds of resources for the module are security groups and default secrets, if the SSO is not enabled for platform, for admin, developers and view only users.</p> <p>For other hand, the module can create a certificate and CNAME in a public hosted zone. Is usual that these resources are managed from other team, but in this setup in the same account exists a delegate hosted zone for internal use. This allows use external DNS addon to enable easy integration and register additional services in your control plane.</p> <blockquote> <p>Sensitive data like ca data and group id could be loaded from parameter store provided for security team. Or save in secrets manager to mount the secret onto the dex container in the argocd-dex-server Deployment.</p> </blockquote> <p>The module can be utilized with Terragrunt as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_control_plane-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1">#include "kubectl_provider" {</span> <span class="c1"># path = find_in_parent_folders("/common/additional_providers/provider_kubectl.hcl")</span> <span class="c1">#}</span> <span class="nx">include</span> <span class="s2">"k8s_helm_provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"/common/additional_providers/provider_k8s_helm.hcl"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_control_plane"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="s2">"dummy_arn"</span> <span class="nx">node_security_group_id</span> <span class="p">=</span> <span class="s2">"sg-xasr18923d"</span> <span class="nx">cluster_primary_security_group_id</span> <span class="p">=</span> <span class="s2">"sg-xasr18923d"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks_role"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/iam/eks_role"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">iam_role_arn</span> <span class="p">=</span> <span class="s2">"arn::..."</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/network/vpc"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="s2">"vpc-04e3e1e302f8c8f06"</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda15"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">default_project</span> <span class="p">=</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">default_project</span> <span class="nx">enable_argo_ingress</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">sso_assertion_url</span> <span class="p">=</span> <span class="s2">"https://portal.sso.&lt;SSO_REGION&gt;.amazonaws.com/saml/assertion/&lt;id&gt;"</span> <span class="nx">ca_data</span><span class="p">=</span> <span class="s2">"BASE 64 CA Data"</span> <span class="nx">argo_host_dns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="s2">"argocd.devsecops.labvel.io"</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="s2">"Z101221820UZWIPQ27722"</span> <span class="nx">aws_load_balancer_type</span> <span class="p">=</span> <span class="s2">"internet-facing"</span> <span class="nx">validation</span> <span class="p">=</span> <span class="s2">"public"</span> <span class="p">}</span> <span class="nx">oss_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enable_argo_workflows</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1">#enable_foo = true</span> <span class="c1"># you can add any addon here, make sure to update the gitops repo with the corresponding application set</span> <span class="p">}</span> <span class="nx">addons_metadata</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">addons_repos_properties</span> <span class="p">)</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Containers"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span><span class="s2">"tfr:///thothforge/hardening-gitops-bridge/helm?version=1.0.1"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_platform_version</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">node_security_group</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_primary_security_group_id</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">private_subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">public_subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span> <span class="nx">enable_argo_ingress</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"enable_argo_ingress"</span><span class="p">]</span> <span class="nx">argo_host_dns</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"argo_host_dns"</span><span class="p">]</span> <span class="c1">#external_dns_domain_filters = [local.workspace["argo_host_dns"]]</span> <span class="nx">sso_assertion_url</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"sso_assertion_url"</span><span class="p">]</span> <span class="nx">ca_data</span><span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"ca_data"</span><span class="p">]</span> <span class="nx">admin_idp_group_id</span> <span class="p">=</span><span class="s2">"318xx789-x071-70f5-63x6-xx21233xxx33"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Finally you can login into argocd hub control plane using the url or through AWS SSO login interface.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd85yf2r55dfnb0xxopaj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd85yf2r55dfnb0xxopaj.png" alt="Argo CD simple Access"></a><br> Or<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg91ptwz52ti2d649raar.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg91ptwz52ti2d649raar.png" alt="SSO Argo CD App"></a></p> <p>The upcoming post will include additional customization options and add-ons. <br> Thanks for reading and sharing.🙌 👽 😃</p> devops aws terraform gitops Alejandro Velez Sun, 20 Apr 2025 00:18:12 +0000 https://dev.to/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-2-creating-spoke-4c6p https://dev.to/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-2-creating-spoke-4c6p <p><em><em>Level 400</em></em></p> <p>Hi clouders, in the previous <a href="https://dev.to/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-1-2ie9">blog</a> you can explore the considerations to deploy at scale gitops and IaC, in this post you can learn more about <strong>how to deploy spokes cluster</strong> using the GitOps bridge framework and specific use cases with AWS enterprise capabilities and security best practices. </p> <h2> Architecture Overview </h2> <h3> Spoke clusters and Scenarios </h3> <p>According to the best practices there are many considerations and scenarios, for example:</p> <ul> <li><p>You can have <strong>one stack or IaC repository with the definitions for each account, team or squat</strong>. It depends on your internal organizations and share responsibility model. For this scenario suppose that the model is a <strong>decentralized DevOps Operational Model</strong>, and each squat has their custom IaC for each project. <strong>Consider keeping clear separation and isolation between environments and make match your platform strategy</strong>, for example, some organizations have a single hub for managing dev, QA and prod cluster, others have a hub to manage each environment cluster and other, and others have one hub for previous environments and another for production.</p></li> <li><p>Another key point to note is the <strong>capacity planning</strong> and applications by team, some organizations allow share the same cluster for an organizational unit and keep the applications grouped by namespaces in each environment, others prefer to <strong>have one environment and cluster by workload or application</strong>. Considering the networking and security considerations has main pain and challenges for both scenarios. In this series the main assumption is <strong>that each workload has a dedicated cluster and account by environment but there is a transversal platform team that manages the cluster configuration and control plane</strong>. The following table describe the relationship between scenario and AWS accounts: </p></li> </ul> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>AWS Account</th> <th>Clusters</th> </tr> </thead> <tbody> <tr> <td>Single Hub – N Spokes</td> <td>1 for HUB – N account by environment</td> <td>1 cluster Hub, N Spoke Clusters by environment</td> </tr> <tr> <td>M Hub - N spokes</td> <td>M accounts By Hub environments – N account by environments</td> <td>M Hub Clusters, N Environment Clusters</td> </tr> </tbody> </table></div> <p>The Figure 1 depicts the architecture for this scenario.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbe2b1gncphe69gsd9qt4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbe2b1gncphe69gsd9qt4.png" alt="GitOps Final AWS EKS"></a><br> Figure 1. GitOps bridge Deployment architecture in AWS</p> <blockquote> <p>The FinOps practices are key point independent of your resources distribution you must consider what is the best strategy for track cost and shared resources. </p> </blockquote> <h2> Hands On </h2> <p>First, modify the hub infrastructure stacks to add the stack to manage the credentials cross account and allow the CI infrastructure agents to take them to register the cluster in the control plane. Also, create the role for Argocd to enable the authentication between Argocd hub and spoke cluster. </p> <h3> Updating Control Plane Infrastructure </h3> <p>So, let’s set up the credentials according to the best practices and the scenario described in the previous section, the cluster credentials are stored in parameter store and share with the organizational units for each team or business unit. </p> <blockquote> <p><strong>You must enable RAM as trusted service in your organization from Organizations management account and RAM Console</strong>. </p> </blockquote> <p>For this task, a local module <code>terraform-aws-parameter-store</code> was created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>└── terraform-aws-ssm-parameter-sotre ├── README.md ├── data.tf ├── main.tf ├── outputs.tf └── variables.tf </code></pre> </div> <p>The module creates the parameter and shares with organization id, organizational unit, or account id principals. </p> <p>Now, using terragrunt the module is called to create a new stack or terragrunt unit.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#parameter_store-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_control_plane"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="s2">"dummy_arn"</span> <span class="nx">cluster_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:eks:us-east-2:105171185823:cluster/gitops-scale-dev-hub"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">parameter_name</span> <span class="p">=</span> <span class="s2">"/control_plane/${include.root.locals.environment.locals.workspace}/credentials"</span> <span class="nx">sharing_principals</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ou-w3ow-k24p2opx"</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Operations"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../modules/terraform-aws-ssm-parameter-sotre"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">parameter_name</span> <span class="p">=</span> <span class="s2">"${local.workspace["</span><span class="nx">parameter_name</span><span class="s2">"]}"</span> <span class="nx">parameter_description</span> <span class="p">=</span> <span class="s2">"Control plane credentials"</span> <span class="nx">parameter_type</span> <span class="p">=</span> <span class="s2">"SecureString"</span> <span class="nx">parameter_tier</span> <span class="p">=</span> <span class="s2">"Advanced"</span> <span class="nx">create_kms</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_sharing</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">sharing_principals</span><span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"sharing_principals"</span><span class="p">]</span> <span class="nx">parameter_value</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span><span class="p">,</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_endpoint</span><span class="p">,</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span><span class="p">,</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_version</span><span class="p">,</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_platform_version</span><span class="p">,</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">oidc_provider_arn</span><span class="p">,</span> <span class="nx">hub_account_id</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">":"</span><span class="p">,</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_arn</span><span class="p">)[</span><span class="mi">4</span><span class="p">]</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Now, another stack is necessary, the IAM role to enable service account for argocd use the IAM authentication with spoke clusters. The module terraform-aws-iam/iam-eks-role allows to create the IRSA role but also is necessary create a custom policy to allow assume role in the spoke accounts. The Figure 2 depicts in depth this setup.</p> <blockquote> <p>You can create simple stack for managing the role, or a module that supports the EKS definition and IAM role. </p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2ofwl7tffht6t6qdqmp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2ofwl7tffht6t6qdqmp.png" alt="GitOps Authentication"></a><br> Figure 2. GitOps authentication summary.</p> <p>So, the module is in <code>modules/terraform-aws-irsa-eks-hub</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">modules</span><span class="err">/</span> <span class="err">├──</span> <span class="nx">terraform-aws-irsa-eks-hub</span> <span class="err">│&nbsp;&nbsp;</span> <span class="err">├──</span> <span class="nx">README</span><span class="err">.</span><span class="nx">md</span> <span class="err">│&nbsp;&nbsp;</span> <span class="err">├──</span> <span class="nx">main</span><span class="err">.</span><span class="nx">tf</span> <span class="err">│&nbsp;&nbsp;</span> <span class="err">├──</span> <span class="nx">outputs</span><span class="err">.</span><span class="nx">tf</span> <span class="err">│&nbsp;&nbsp;</span> <span class="err">└──</span> <span class="nx">variables</span><span class="err">.</span><span class="nx">tf</span> <span class="err">└──</span> <span class="nx">terraform-aws-ssm-parameter-sotre</span> <span class="err">├──</span> <span class="nx">README</span><span class="err">.</span><span class="nx">md</span> <span class="err">├──</span> <span class="nx">data</span><span class="err">.</span><span class="nx">tf</span> <span class="err">├──</span> <span class="nx">main</span><span class="err">.</span><span class="nx">tf</span> <span class="err">├──</span> <span class="nx">outputs</span><span class="err">.</span><span class="nx">tf</span> <span class="err">└──</span> <span class="nx">variables</span><span class="err">.</span><span class="nx">tf</span> <span class="mi">3</span> <span class="nx">directories</span><span class="err">,</span> <span class="mi">9</span> <span class="nx">files</span> </code></pre> </div> <p>and the stack is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_role-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_control_plane"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="s2">"dummy_arn"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="s2">"eks-role-hub"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../modules/terraform-aws-irsa-eks-hub"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">role_name</span> <span class="p">=</span> <span class="s2">"${local.workspace["</span><span class="nx">role_name</span><span class="s2">"]}-${local.workspace["</span><span class="nx">environment</span><span class="s2">"]}"</span> <span class="nx">cluster_service_accounts</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"${dependency.eks.outputs.cluster_name}"</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"argocd:argocd-application-controller"</span><span class="p">,</span> <span class="s2">"argocd:argo-cd-argocd-repo-server"</span><span class="p">,</span> <span class="s2">"argocd:argocd-server"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Finally, the gitops_bridge stack must look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_control_plane-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">include</span> <span class="s2">"k8s_helm_provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"/common/additional_providers/provider_k8s_helm.hcl"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_control_plane"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="s2">"dummy_arn"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks_role"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/iam/eks_role"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">iam_role_arn</span> <span class="p">=</span> <span class="s2">"arn::..."</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">oss_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enable_argo_workflows</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1">#enable_foo = true</span> <span class="c1"># you can add any addon here, make sure to update the gitops repo with the corresponding application set</span> <span class="p">}</span> <span class="nx">addons_metadata</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="p">{</span> <span class="nx">addons_repo_url</span> <span class="p">=</span> <span class="s2">"https://github.com/gitops-bridge-dev/gitops-bridge-argocd-control-plane-template"</span> <span class="nx">addons_repo_basepath</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">addons_repo_path</span> <span class="p">=</span><span class="s2">"bootstrap/control-plane/addons"</span> <span class="nx">addons_repo_revision</span> <span class="p">=</span> <span class="s2">"HEAD"</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">argocd_apps</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addons</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"./bootstrap/addons.yaml"</span><span class="p">)</span> <span class="c1">#workloads = file("./bootstrap/workloads.yaml")</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"tfr:///gitops-bridge-dev/gitops-bridge/helm?version=0.1.0"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_platform_version</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"environment"</span><span class="p">]</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"addons_metadata"</span><span class="p">]</span> <span class="nx">addons</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"oss_addons"</span><span class="p">],</span> <span class="p">{</span> <span class="nx">kubernetes_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_version</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">apps</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"argocd_apps"</span><span class="p">]</span> <span class="nx">argocd</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"argocd"</span> <span class="c1">#set = [</span> <span class="c1"># {</span> <span class="c1"># name = "server.service.type"</span> <span class="c1"># value = "LoadBalancer"</span> <span class="c1"># }</span> <span class="c1">#]</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">yamlencode</span><span class="p">(</span> <span class="p">{</span> <span class="nx">configs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">params</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"server.insecure"</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">server</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"serviceAccount"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"eks.amazonaws.com/role-arn"</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks_role</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">iam_role_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">service</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"NodePort"</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">controller</span> <span class="p">=</span> <span class="s2">"aws"</span> <span class="nx">ingressClassName</span> <span class="err">:</span> <span class="s2">"alb"</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">serviceType</span> <span class="err">:</span> <span class="s2">"NodePort"</span> <span class="p">}</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="c1">#"alb.ingress.kubernetes.io/backend-protocol" = "HTTPS"</span> <span class="c1">#"alb.ingress.kubernetes.io/ssl-redirect" = "443"</span> <span class="c1">#"service.beta.kubernetes.io/aws-load-balancer-type" = "external"</span> <span class="c1">#"service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" = "ip"</span> <span class="c1">#"alb.ingress.kubernetes.io/listen-ports" : "[{\"HTTPS\":443}]"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">controller</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"serviceAccount"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"eks.amazonaws.com/role-arn"</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks_role</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">iam_role_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">repoServer</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"serviceAccount"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"eks.amazonaws.com/role-arn"</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks_role</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">iam_role_arn</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Basically the main changes was the introduction to argocd map to setup the values for helm chart deployment to enable to use the IRSA role. </p> <p>When you are using cross account deployment the profile that creates the secrets in hub cluster must to have access and permissions, for example in the repository the eks_control_plane stack introduce a new access entry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_control_plane-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/network/vpc"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="s2">"vpc-04e3e1e302f8c8f06"</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda15"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"${include.root.locals.common_vars.locals.project}-${include.root.locals.environment.locals.workspace}-hub"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.32"</span> <span class="c1"># Optional</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Optional: Adds the current caller identity as an administrator via cluster access entry</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">access_entries</span> <span class="p">=</span> <span class="p">{</span> <span class="c1">#####################################################################################################################</span> <span class="c1"># Admin installation and setup for spoke accounts - Demo purpose- must be the ci Agent Role</span> <span class="c1">####################################################################################################################</span> <span class="nx">admins_sso</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">kubernetes_groups</span> <span class="p">=</span> <span class="p">[]</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:sts::123456781234:role/aws-reserved/sso.amazonaws.com/us-east-2/AWSReservedSSO_AWSAdministratorAccess_877fe9e4127a368d"</span> <span class="nx">user_name</span> <span class="p">=</span> <span class="s2">"arn:aws:sts::123456781234:assumed-role/AWSReservedSSO_AWSAdministratorAccess_877fe9e4127a368d/{{SessionName}}"</span> <span class="nx">policy_associations</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">single</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"</span> <span class="nx">access_scope</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"cluster"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">cluster_compute_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">node_pools</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"general-purpose"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"tfr:///terraform-aws-modules/eks/aws?version=20.33.1"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"create"</span><span class="p">]</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_name"</span><span class="p">]</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_version"</span><span class="p">]</span> <span class="c1"># Optional</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_endpoint_public_access"</span><span class="p">]</span> <span class="c1"># Optional: Adds the current caller identity as an administrator via cluster access entry</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"enable_cluster_creator_admin_permissions"</span><span class="p">]</span> <span class="nx">cluster_compute_config</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_compute_config"</span><span class="p">]</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">access_entries</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"access_entries"</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>The final Hub infrastructure is: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuhg9z8kxa3isrwhdndid.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuhg9z8kxa3isrwhdndid.png" alt="Hub- infrasctructure"></a><br> Figure 3. Control Plane Infrastructure.</p> <p>👇 Get the code here.<br> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/velez94" rel="noopener noreferrer"> velez94 </a> / <a href="https://github.com/velez94/terragrunt_aws_gitops_blueprint" rel="noopener noreferrer"> terragrunt_aws_gitops_blueprint </a> </h2> <h3> Public demo for Gitops bridge using terragrunt, OpenTofu and EKS </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"><div class="markdown-heading"> <h1 class="heading-element">AWS GitOps Blueprint with Terragrunt</h1> </div> <p>This project provides a blueprint for implementing GitOps on AWS using Terragrunt and Argo CD. It offers a structured approach to managing infrastructure as code and deploying applications across multiple environments.</p> <p>The blueprint is designed to streamline the process of setting up a GitOps workflow on AWS, leveraging Terragrunt for managing Terraform configurations and Argo CD for continuous deployment. It includes configurations for essential AWS services such as EKS (Elastic Kubernetes Service) and VPC (Virtual Private Cloud), as well as GitOps components for managing cluster addons and platform-level resources.</p> <p>Key features of this blueprint include:</p> <ul> <li>Modular infrastructure setup using Terragrunt</li> <li>EKS cluster configuration for container orchestration</li> <li>VPC network setup for secure and isolated environments</li> <li>GitOps bridge for seamless integration between infrastructure and application deployments</li> <li>Argo CD ApplicationSets for managing cluster addons and platform resources</li> <li>Environment-specific configurations for multi-environment deployments</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Repository Structure</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code>terragrunt_aws_gitops_blueprint/ ├── common/ │</code></pre>…</div></div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/velez94/terragrunt_aws_gitops_blueprint" rel="noopener noreferrer">View on GitHub</a></div> </div> <h3> Creating spoke Cluster Infrastructure </h3> <p>The second step is creating the spoke cluster infrastructure. 🧑🏾‍💻</p> <p>To manage a spoke cluster a <strong>single terragrunt or tofu project is created independently for each team from a template</strong>, so, infrastructure has an individual pipeline to manage it, and each team could have custom CI/CD agents, also more flexibility to add features and components to the infrastructure stacks. In some cases, you can have a single pipeline to manage the infrastructure setup and work with environment or parameters managed by the orchestration CI/CD tool. This approach is utilized when necessary to have central governance and control, but consider the changes rates, common tasks and environment setup and CI/CD workers capacity assigned to central ops.</p> <blockquote> <p>The code is like the hub repository; however, the main difference is in the stack GitOps bridge.</p> </blockquote> <p>Let’s watch it in depth. 🕵️‍♀️</p> <p>First, a new provider configuration is necessary, the cluster hub provider, in the <code>terragrunt_aws_gitops_spoke_blueprint/common/additional_providers</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">get_env</span><span class="p">(</span><span class="s2">"TF_VAR_env"</span><span class="p">,</span> <span class="s2">"dev"</span><span class="p">)</span> <span class="nx">pipeline</span> <span class="p">=</span> <span class="s2">"false"</span> <span class="nx">hub_account_id</span> <span class="p">=</span> <span class="s2">"105171185823"</span> <span class="p">}</span> <span class="nx">generate</span> <span class="s2">"k8s_helm_provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"k8s_helm_provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> ################################################################################ # Kubernetes Access for Spoke Cluster ################################################################################ # First, define the parameter store data source data "aws_ssm_parameter" "hub_cluster_config" { count = 1 with_decryption = true name = "arn:aws:ssm:us-east-2:${local.hub_account_id}:parameter/control_plane/${local.workspace}/credentials" #"/control_plane/${local.workspace}/credentials" # Adjust the parameter path as needed } provider "kubernetes" { host = try(jsondecode(data.aws_ssm_parameter.hub_cluster_config[0].value).cluster_endpoint, var.cluster_endpoint) cluster_ca_certificate = try(base64decode(jsondecode(data.aws_ssm_parameter.hub_cluster_config[0].value).cluster_certificate_authority_data), var.cluster_certificate_authority_data) exec { api_version = "client.authentication.k8s.io/v1beta1" command = "aws" args = [ "eks", "get-token", "--cluster-name", try(jsondecode(data.aws_ssm_parameter.hub_cluster_config[0].value).cluster_name, var.cluster_name), "--region", try(jsondecode(data.aws_ssm_parameter.hub_cluster_config[0].value).cluster_region, data.aws_region.current.name), "--profile", var.profile["${local.workspace}"]["profile"] ] } alias = "hub" } </span><span class="no"> EOF </span><span class="p">}</span> </code></pre> </div> <p>The gitops_bridge stack is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_control_plane-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">include</span> <span class="s2">"k8s_helm_provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"/common/additional_providers/provider_k8s_hub.hcl"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_spoke"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="s2">"dummy_arn"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">oss_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enable_argo_workflows</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1">#enable_foo = true</span> <span class="c1"># you can add any addon here, make sure to update the gitops repo with the corresponding application set</span> <span class="p">}</span> <span class="nx">addons_metadata</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="p">{</span> <span class="nx">addons_repo_url</span> <span class="p">=</span> <span class="s2">"https://github.com/gitops-bridge-dev/gitops-bridge-argocd-control-plane-template"</span> <span class="nx">addons_repo_basepath</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">addons_repo_path</span> <span class="p">=</span><span class="s2">"bootstrap/control-plane/addons"</span> <span class="nx">addons_repo_revision</span> <span class="p">=</span> <span class="s2">"HEAD"</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../modules/terraform-aws-gitops-bridge-spoke"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_platform_version</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span> <span class="nx">create_kubernetes_resources</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"environment"</span><span class="p">]</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"addons_metadata"</span><span class="p">]</span> <span class="nx">addons</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"oss_addons"</span><span class="p">],</span> <span class="p">{</span> <span class="nx">kubernetes_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_version</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">hub_account_id</span> <span class="p">=</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">common_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">hub_account_id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>This stacks defines the data for cluster secret in hub cluster and metadata information for addons, the local module <code>terraform-aws-gitops-bridge-spoke</code> creates the access entry and for enable hub access using spoke role according to Figure 2 and reuse <code>gitops-bridge-dev/gitops-bridge/helm</code> with parameters to deploy the secret but not the argocd installation in spoke clusters. So the infrastructure composition for spokes IaC is: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgare4ps1gb0xcb174m0d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgare4ps1gb0xcb174m0d.png" alt="Infrastructure Composition"></a><br> Figure 4. Infrastructure composition.</p> <blockquote> <p>An alternative approach is to manage the external secrets Operator and secrets manager, let a comment if you want to know how do it. </p> </blockquote> <p>Finally, after runs the spoke stacks in Argocd Hub Server you can watch the clusters and metadata information: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F927ifs8um1hl7vtybu70.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F927ifs8um1hl7vtybu70.png" alt="Cluster and metadata Information"></a><br> Figure 5. Cluster and metadata Information. </p> <p>For example some addons was deployed in spoke cluster using applications Set.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpwnuc4yappfzsnnun0ev.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpwnuc4yappfzsnnun0ev.png" alt="Applications Set in spoke clusters"></a><br> Figure 6. Applications Set in spoke clusters.</p> <p><strong>In the next post, you can learn how to custom addons and add advance setups.</strong> 🦸🦸</p> <p>👇 Get the code here.<br> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/velez94" rel="noopener noreferrer"> velez94 </a> / <a href="https://github.com/velez94/terragrunt_aws_gitops_spoke_blueprint" rel="noopener noreferrer"> terragrunt_aws_gitops_spoke_blueprint </a> </h2> <h3> Infrastructure for Spoke clusters blueprint for GitOps Bridge </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"><div class="markdown-heading"> <h1 class="heading-element">AWS GitOps Scale Infrastructure with EKS Spoke Clusters</h1> </div> <p>A comprehensive Infrastructure as Code (IaC) solution that enables scalable GitOps deployments on AWS using EKS clusters in a hub-spoke architecture with automated infrastructure provisioning and configuration management.</p> <p>This project provides a complete infrastructure setup using Terragrunt and Terraform to create and manage AWS resources including VPC networking, EKS clusters, and GitOps tooling. It implements a hub-spoke architecture where a central hub cluster manages multiple spoke clusters through GitOps practices, enabling consistent and automated application deployments at scale.</p> <p>The solution includes automated VPC creation with proper network segmentation, EKS cluster provisioning with secure configurations, and integration with GitOps tools through a bridge component that enables declarative infrastructure and application management.</p> <div class="markdown-heading"> <h2 class="heading-element">Repository Structure</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code> ├── common/ # Common configuration and variable definitions │ ├── additional_providers/ # Provider configurations for Kubernetes, Helm, etc. │ ├── common.hcl # Common Terragrunt configuration │ ├── common.tfvars #</code></pre>…</div></div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/velez94/terragrunt_aws_gitops_spoke_blueprint" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>Thanks for reading and sharing! 🫶</p> devops aws gitops terraform Alejandro Velez Thu, 13 Feb 2025 17:18:53 +0000 https://dev.to/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-1-2ie9 https://dev.to/aws-builders/gitops-and-iac-at-scale-aws-argocd-terragrunt-and-opentofu-part-1-2ie9 <p><em><strong>level 400</strong></em></p> <p>Welcome, builders! In this blog series, we will explore the exciting world of GitOps and Infrastructure as Code (IaC) at scale, focusing on the powerful combination of ArgoCD and Open Tofu and how those tools and frameworks can live together for improving your deployments and reduce the TOIL. The main purpose is to learn some patterns and considerations for increasing efficiency, improving the automation infrastructure provisioning without loss compliance and security requirements</p> <h2> Scenario </h2> <p>Suppose that you are a Cloud Engineer or DevOps engineer, and you have a mission, deploy a cloud native infrastructure to support a modern e-commerce application that offers the possibility to any buy and sell gems. You must implement a system to allow the operations at scale, keep the governance, use IaC and consider the least manual tasks for the setup and onboarding for the developers. The cloud provider for the organization is AWS and the main infrastructure services are EKS, RDS, VPC. Don’t forget that availability, security, and cost efficiency requirements.</p> <p>In the <a href="https://dev.to/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-1-1j87">previous blogs about IaC at scale</a> the main questions and base guidelines was answered to apply the best practices, however, when talking about Kubernetes and cloud native apps many questions emerge from the shadows and suppose al challenge for the technical skills, for example:</p> <ul> <li>What are the best practices to manage the cluster configuration at scale?</li> <li>How can you connect both layers IaC and GitOps?</li> <li>What are the GitOps topologies?</li> <li>What are the best tools?</li> <li>How can you improve developer experience?</li> </ul> <p>Of course, with an AI assistant you can find pretty answers for those questions and some guides. But, we are builders and here we put a real-life example based on experiences and some challenges in a productive environment.</p> <blockquote> <p>First, some theory and good practices 😎</p> </blockquote> <h2> The deployment patterns and GitOps Topology </h2> <p>If you want to know more about gitops, patterns, courses and more please visit <a href="https://opengitops.dev/" rel="noopener noreferrer">opengitops</a> </p> <p>Key points based on the requirements: <br> • You must have multiple environments.<br> • Each environment must isolate from others.<br> • You must manage the cluster configuration at scale.</p> <p>There are tree main Gitops topologies: <br> • <strong>Standalone topology</strong><br> • <strong>Hub-Spoke Push Model</strong><br> • <strong>Hub-Spoke Push and Pull model</strong></p> <p>For this scenario, the <strong>hub-spoke push model is the best solution</strong>. This setup involves deploying GitOps tools on a central "Hub" cluster. The Hub cluster acts as the control plane for GitOps, managing deployments to various clusters dedicated to different environments or workloads.</p> <p>So, <strong>how can you deploy this topology in AWS using EKS</strong>? </p> <p>First, let’s get some assumptions:<br> • Your accounts are in the same AWS organization.<br> • There is already a Networking layer configured.<br> • ArgoCD is the gitops tool.<br> • Github the VSC. <br> • There is no CI tool predefined, in this blog series Codepipeline and <a href="https://dev.to/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-2-ci-for-iac-275c">previous blog posts will be use</a>.</p> <h2> Security considerations: </h2> <p>• The IAM roles and policies for your agents must be clear and apply the least privileged principle. Sometimes the infrastructure deployment role is different from orchestration deployment role. <br> • Use secrets manager to share the credentials between accounts using solid resource policy or use parameters store secure string with RAM. Both must be encrypted using KMS.<br> • Don’t expose your cluster endpoints to the internet, if it is necessary then restrict the access by IP range. <br> • The security of the pipeline must be a priority, the deployment agents can assume many privileged roles, so keep in mind to avoid security breaches.</p> <h2> Solution overview </h2> <ul> <li>Open-Source projects and tools:</li> <li>Open Tofu</li> <li>GitOps bridge</li> <li>ArgoCD</li> </ul> <h2> AWS Services: </h2> <ul> <li>EKS</li> <li>KMS</li> <li>RAM</li> <li>Parameter Store</li> <li>ECR</li> <li>IAM</li> </ul> <p>The following diagrams shows the solution: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxoxd9akt6y3biv944pku.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxoxd9akt6y3biv944pku.png" alt="Hub-spoke argocd in aws" width="800" height="649"></a></p> <p>1- The code is versioned in git system, usually you have tree main kind of repositories: Infrastructure as code repositories, Argocd applications Set definitions, and app or microservices repositories. Many teams keep separated the Kubernetes manifests from code applications. This is a good practice due the code application and infrastructure definitions don’t follow the same lifecycle but other factors as mono repositories or multiple repositories are key factors. Just keep in different folders 😊.</p> <p>2- The CI/CD service deploys the infrastructure components: the CI/CD agents deploy the control plane cluster, create shared resources to spoke AWS accounts, and create the argocd secret for hub cluster with the metadata to allow operations and bootstrapping configurations.</p> <blockquote> <p>The agent’s role must be part of an access entry in EKS to allow this operation. </p> </blockquote> <p>3- The shared resources are created are common practices that use secure string in parameter store and share it with RAM is more cost effective and practical for this setup, however, you could use secrets manager with resource policies.</p> <p>4- The CI/CD service deploys the spoke resources: the agent deploys the spoke cluster and other resources. Here the agent can access the Hub Kubernetes cluster to create a secret for spoke cluster with the metadata to allow operations and bootstrapping configuration. </p> <p>5- ArgoCD detects new cluster metadata and prepare to deploy de addons: Once the metadata is loaded the applications are deployed in the spoke or hub cluster, to accomplish this the Argocd application controller must assume the role in the spoke account.</p> <blockquote> <p>In ArgoCD, the limit for metadata annotations is 262,144 characters (or 256 KB)</p> </blockquote> <p>6- The application are created: here the deployments al created into the spoken cluster and Argocd sync with the desired state.</p> <p>7- The cluster are ready to workloads.</p> <p>It sounds pretty, but <strong>how can integrate both layers without overhead or manual operations?</strong></p> <p>The answer is to use the <a href="https://github.com/gitops-bridge-dev/gitops-bridge" rel="noopener noreferrer">GitOps bridge framework</a>: Is a community project that aims to showcase best practices and patterns for bridging the process of creating a Kubernetes cluster to subsequently managing everything through GitOps. It focuses on using ArgoCD or FluxCD, both of which are CNN-graduated projects.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhs66v0wc38bx17cb45bc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhs66v0wc38bx17cb45bc.png" alt="GitOps Bridge" width="800" height="398"></a></p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fassets.dev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/gitops-bridge-dev" rel="noopener noreferrer"> gitops-bridge-dev </a> / <a href="https://github.com/gitops-bridge-dev/gitops-bridge" rel="noopener noreferrer"> gitops-bridge </a> </h2> <h3> </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"><div class="markdown-heading"> <h1 class="heading-element">GitOps Bridge</h1> </div> <p>The <a href="https://github.com/gitops-bridge-dev/gitops-bridge" rel="noopener noreferrer">GitOps Bridge</a> is a community project that aims to showcase best practices and patterns for bridging the process of creating a Kubernetes cluster to subsequently managing everything through GitOps. It focuses on using <a href="https://www.cncf.io/projects/argo/" rel="nofollow noopener noreferrer">ArgoCD</a> or <a href="https://www.cncf.io/projects/flux/" rel="nofollow noopener noreferrer">FluxCD</a>, both of which are CNCF-graduated projects.</p> <p>For an example template on bootstrapping ArgoCD, see the GitHub repository <a href="https://github.com/gitops-bridge-dev/gitops-bridge-argocd-control-plane-template" rel="noopener noreferrer">GitOps Control Plane</a>.</p> <p>There are many tools available for creating Kubernetes clusters. These include "roll-your-own" solutions like <code>kubeadm</code>, <code>minikube</code>, and <code>kind</code>, as well as cloud-managed services like Amazon EKS. The method of cluster creation should not impact GitOps compatibility; GitOps engines should work with any tool that the user chooses for cluster creation. This includes scenarios where Kubernetes is used to create other Kubernetes clusters, such as with CAPI/CAPA, Crossplane, ACK, or any tool running inside Kubernetes to deploy Kubernetes.</p> <p>The GitOps Bridge becomes extremely important in the context…</p></div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/gitops-bridge-dev/gitops-bridge" rel="noopener noreferrer">View on GitHub</a></div> </div> <h2> Hands On </h2> <h3> Creating a control plane </h3> <p>So, let’s hand in to the code for building a control plane.</p> <p>1- The terragrunt project is created with the following structure: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9owuks0h7r5tynlg9b69.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9owuks0h7r5tynlg9b69.png" alt="The terragrunt project" width="224" height="385"></a></p> <p>The project also can be created with OpenTofu but here is an example using terragrunt a wrapper for opentofu and a powerful tool to keep DRY and manage IaC at scale.</p> <p>In the infrastructure folder you can find two major stacks: network and containers. In containers stacks the cluster for control plane is deployed using the public aws modules and gitops bridge is deployed into the account using the official terraform module.</p> <p>For example, the content for eks_control_plane stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">#eks_control_plane-terragrunt.hcl</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/network/vpc"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="s2">"vpc-04e3e1e302f8c8f06"</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"subnet-0e4c5aedfc2101502"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda14"</span><span class="p">,</span> <span class="s2">"subnet-0d5061f70b69eda15"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"${include.root.locals.common_vars.locals.project}-${include.root.locals.environment.locals.workspace}-hub"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="c1"># Optional</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Optional: Adds the current caller identity as an administrator via cluster access entry</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_compute_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">node_pools</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"general-purpose"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"tfr:///terraform-aws-modules/eks/aws?version=20.33.1"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">create</span><span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"create"</span><span class="p">]</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_name"</span><span class="p">]</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_version"</span><span class="p">]</span> <span class="c1"># Optional</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_endpoint_public_access"</span><span class="p">]</span> <span class="c1"># Optional: Adds the current caller identity as an administrator via cluster access entry</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"enable_cluster_creator_admin_permissions"</span><span class="p">]</span> <span class="nx">cluster_compute_config</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"cluster_compute_config"</span><span class="p">]</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>Watch that the main properties for this stack are the cluster version and in this case the auto mode for EKS is enabled.</p> </blockquote> <p>In the next blogs you can learn more about this!</p> <p>For other hand, for gitops_bridge stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="nx">expose</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">include</span> <span class="s2">"k8s_helm_provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"/common/additional_providers/provider_k8s_helm.hcl"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">dependency</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">config_path</span> <span class="p">=</span> <span class="s2">"${get_parent_terragrunt_dir("</span><span class="nx">root</span><span class="s2">")}/infrastructure/containers/eks_control_plane"</span> <span class="nx">mock_outputs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"dummy-cluster-name"</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="s2">"dummy_cluster_endpoint"</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="s2">"dummy_cluster_certificate_authority_data"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="p">}</span> <span class="nx">mock_outputs_merge_strategy_with_state</span> <span class="p">=</span> <span class="s2">"shallow"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Define parameters for each workspace</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">oss_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enable_argo_workflows</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1">#enable_foo = true</span> <span class="c1"># you can add any addon here, make sure to update the gitops repo with the corresponding application set</span> <span class="p">}</span> <span class="nx">addons_metadata</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="p">{</span> <span class="nx">addons_repo_url</span> <span class="p">=</span> <span class="s2">"https://github.com/gitops-bridge-dev/gitops-bridge-argocd-control-plane-template"</span> <span class="nx">addons_repo_basepath</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">addons_repo_path</span> <span class="p">=</span><span class="s2">"bootstrap/control-plane/addons"</span> <span class="nx">addons_repo_revision</span> <span class="p">=</span> <span class="s2">"HEAD"</span> <span class="p">}</span> <span class="p">)</span> <span class="nx">argocd_apps</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addons</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"./bootstrap/addons.yaml"</span><span class="p">)</span> <span class="c1">#workloads = file("./bootstrap/workloads.yaml")</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"control-plane"</span> <span class="nx">Layer</span> <span class="p">=</span> <span class="s2">"Networking"</span> <span class="p">}</span> <span class="p">}</span> <span class="s2">"dev"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="s2">"prod"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Merge parameters</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">(</span><span class="nx">keys</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">),</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span><span class="p">)</span> <span class="err">?</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">environment</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">workspace</span> <span class="err">:</span> <span class="s2">"default"</span> <span class="nx">workspace</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s2">"default"</span><span class="p">],</span> <span class="nx">local</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">])</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"tfr:///gitops-bridge-dev/gitops-bridge/helm?version=0.1.0"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_endpoint</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_platform_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_platform_version</span> <span class="nx">oidc_provider_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">oidc_provider_arn</span> <span class="nx">cluster_certificate_authority_data</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"environment"</span><span class="p">]</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"addons_metadata"</span><span class="p">]</span> <span class="nx">addons</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"oss_addons"</span><span class="p">],</span> <span class="p">{</span> <span class="nx">kubernetes_version</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">cluster_version</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">apps</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"argocd_apps"</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">workspace</span><span class="p">[</span><span class="s2">"tags"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>Here the <code>addons</code>are enabled or disable using flags, in <code>oss_addons</code>map also you can and the ArgoCD application Set to bootstrap the cluster.</p> </blockquote> <p>2- Create the application set for addons:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">ApplicationSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-addons</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">preserveResourcesOnDeletion</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">generators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">clusters</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">control-plane</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">cluster-addons'</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{metadata.annotations.addons_repo_url}}'</span> <span class="na">path</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{metadata.annotations.addons_repo_basepath}}{{metadata.annotations.addons_repo_path}}'</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{metadata.annotations.addons_repo_revision}}'</span> <span class="na">directory</span><span class="pi">:</span> <span class="na">recurse</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">argocd'</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{name}}'</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">allowEmpty</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <blockquote> <p>The key point here is the generators, where the cluster selector is just deploy the application in the clusters that have the label environment equal to control plane.<br> The source for de applications is the addons_repo_url defined in gitops bridge stack <code>terragrunt_aws_gitops_blueprint/infrastructure/containers/gitops_bridge/terragrunt.hcl</code>. </p> </blockquote> <p>3- Connect to the cluster using a k8s client. <br> Setup the <code>kube context</code> using aws cli:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws eks update-kubeconfig <span class="nt">--name</span> my-cluster <span class="nt">--region</span> us-east-1 <span class="nt">--alias</span> my-cluster-alias </code></pre> </div> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws eks update-kubeconfig <span class="nt">--name</span> gitops-scale-dev-hub <span class="nt">--region</span> us-east-2 <span class="nt">--alias</span> labvel-devsecops-hub <span class="nt">--profile</span> labvel-dev </code></pre> </div> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k9s <span class="nt">--context</span> labvel-devsecops-hub </code></pre> </div> <p>for interactive mode or just find the default ArgoCD server admin secret and run kubectl to create a forwarding to connect with the argocd server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nt">-n</span> argocd get secret argocd-initial-admin-secret <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.password}"</span> <span class="nt">--context</span> labvel-devsecops-hub | <span class="nb">base64</span> <span class="nt">-d</span><span class="p">;</span> <span class="nb">echo </span>kubectl port-forward svc/argo-cd-argocd-server <span class="nt">-n</span> argocd 8080:443 <span class="nt">--context</span> labvel-devsecops-hub </code></pre> </div> <p>Finally through the web browser you can find the argo apps: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpw2xm1e0nq0wlpq51i5p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpw2xm1e0nq0wlpq51i5p.png" alt="The argocd apps" width="800" height="434"></a></p> <p>The application Set: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcl0a3w0vvnjn2tpoy3mq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcl0a3w0vvnjn2tpoy3mq.png" alt="ApplicationSet ArgoCD" width="800" height="402"></a></p> <p>And the cluster metadata:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjda03c70sayhd35572c9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjda03c70sayhd35572c9.png" alt="The cluster label metadata" width="800" height="351"></a></p> <p>In the next part you can learn more about enable and disable <code>addons</code> and apps and go deeper using AWS controllers. </p> <p>You can find the public code here: </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fassets.dev.to%2Fassets%2Fgithub-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/velez94" rel="noopener noreferrer"> velez94 </a> / <a href="https://github.com/velez94/terragrunt_aws_gitops_blueprint" rel="noopener noreferrer"> terragrunt_aws_gitops_blueprint </a> </h2> <h3> Public demo for Gitops bridge using terragrunt, OpenTofu and EKS </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"><div class="markdown-heading"> <h1 class="heading-element">AWS GitOps Blueprint with Terragrunt</h1> </div> <p>This project provides a blueprint for implementing GitOps on AWS using Terragrunt and Argo CD. It offers a structured approach to managing infrastructure as code and deploying applications across multiple environments.</p> <p>The blueprint is designed to streamline the process of setting up a GitOps workflow on AWS, leveraging Terragrunt for managing Terraform configurations and Argo CD for continuous deployment. It includes configurations for essential AWS services such as EKS (Elastic Kubernetes Service) and VPC (Virtual Private Cloud), as well as GitOps components for managing cluster addons and platform-level resources.</p> <p>Key features of this blueprint include:</p> <ul> <li>Modular infrastructure setup using Terragrunt</li> <li>EKS cluster configuration for container orchestration</li> <li>VPC network setup for secure and isolated environments</li> <li>GitOps bridge for seamless integration between infrastructure and application deployments</li> <li>Argo CD ApplicationSets for managing cluster addons and platform resources</li> <li>Environment-specific configurations for multi-environment deployments</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Repository Structure</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code>terragrunt_aws_gitops_blueprint/ ├── common/ │</code></pre>…</div></div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/velez94/terragrunt_aws_gitops_blueprint" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>Thanks for reading and sharing! ☺️⭐</p> devops aws terraform gitops Alejandro Velez Sat, 30 Nov 2024 23:30:51 +0000 https://dev.to/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-3-enable-self-service-5b38 https://dev.to/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-3-enable-self-service-5b38 <p><em><em>Level 300</em></em></p> <p>In the previous post for this series,<a href="https://dev.to/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-1-1j87">DevSecOps with AWS- IaC at scale - Building your own platform - Part 1 </a> and <a href="https://dev.to/aws-builders/devsecops-with-aws-iac-at-scale-building-your-own-platform-part-2-ci-for-iac-275c">DevSecOps with AWS- IaC at scale - Building your own platform - Part 2 - CI for IaC </a> you could learn more about creating the CI pipeline, key questions and practices to enable the self-service capabilities to reuse this pipeline. In the following example, you will learn a use case to allow self-services capabilities using the pipeline of pipeline approach and combine the service Catalog capabilities to get a Pipeline as a Service. </p> <p>So, let’s create as Platform engineer. But first a little overview about the solution:</p> <h2> Solution Overview </h2> <p>Now review the solution exposed in the previous blog post. And focus on creating a SaaS model to deploy your standard pipelines in other DevSecOps accounts. Using CDK Pipelines for this approach. In the future post you can enable the self-service capabilities for now just focusing on the platform’s bases.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx6vjghdi8as195tm5brj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx6vjghdi8as195tm5brj.png" alt="DevSecOps IaC pipeline of pipelines using CDK Pipelines" width="800" height="442"></a></p> <p>You need to follow the next steps:<br> 1- Construct pipeline of pipelines using CDK Pipelines.<br> 2- Test the pipeline of pipelines to create a pipeline for deployment in sandbox account.<br> 3- Approve changes to pass to production environments.<br> 4- Enable self service capabilities to add new project to the pipelines of pipelines.<br> 5- Out the box, create self service portal according to IDP (Internal Developer Portal).</p> <h3> Requirements </h3> <p>• cdk &gt;= 2.167.1<br> • AWS CLI &gt;= 2.7.0<br> • Python &gt;= 3.10.4</p> <h3> AWS Services </h3> <ul> <li> <a href="https://aws.amazon.com/cdk/" rel="noopener noreferrer">AWS Cloud Development Kit (CDK)</a>: is an open-source software development framework to define your cloud application resources using familiar programming languages.</li> <li> <a href="https://aws.amazon.com/iam/?nc2=h_ql_prod_se_iam" rel="noopener noreferrer">AWS Identity and Access Management (IAM)</a>: Securely manage identities and access to AWS services and resources.</li> <li> <a href="https://aws.amazon.com/iam/identity-center/" rel="noopener noreferrer">AWS IAM Identity Center (Successor to AWS Single Sign-On)</a>: helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications.</li> <li> <a href="https://aws.amazon.com/codebuild/" rel="noopener noreferrer">AWS CodeBuild</a>: fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.</li> <li> <a href="https://aws.amazon.com/codepipeline/" rel="noopener noreferrer">AWS CodePipeline</a>: fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.</li> <li> <a href="https://aws.amazon.com/kms/" rel="noopener noreferrer">AWS Key Management Service (AWS KMS)</a>: lets you create, manage, and control cryptographic keys across your applications and more than 100 AWS services.</li> <li> <a href="https://aws.amazon.com/cloudformation/" rel="noopener noreferrer">AWS CloudFormation</a>: Speed up cloud provisioning with infrastructure as code.</li> <li> <a href="https://aws.amazon.com/ram/" rel="noopener noreferrer">AWS Resource Access Manager</a>: Simply and securely share your AWS resources across multiple accounts.</li> </ul> <h3> Hands On ☺️ </h3> <p>First create a CDK pipelines Stack and deployment stage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">Stage</span><span class="p">,</span> <span class="n">Environment</span><span class="p">,</span> <span class="n">Tags</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="kn">from</span> <span class="n">...cdkv2_dev_sec_ops_ia_c_terraform_stack</span> <span class="kn">import</span> <span class="n">Cdkv2DevSecOpsIaCTerraformStack</span> <span class="k">class</span> <span class="nc">PipelineStageProd</span><span class="p">(</span><span class="n">Stage</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">props</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">compliance_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">terra_plan_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">kics_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">tfsec_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">checkov_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">testing_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">deployment_buildef</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">env_devsecops_account</span><span class="p">:</span> <span class="n">Environment</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">environments</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">tags</span><span class="p">:</span><span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="nb">id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="n">core_stack</span> <span class="o">=</span> <span class="nc">Cdkv2DevSecOpsIaCTerraformStack</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">CoreDevSecOpsIaCTerraformStack-</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">project_name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">stack_name</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">CoreDevSecOpsIaCTerraformStack-</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">project_name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">props</span><span class="o">=</span><span class="n">props</span><span class="p">,</span> <span class="n">compliance_buildef</span><span class="o">=</span><span class="n">compliance_buildef</span><span class="p">,</span> <span class="n">tfsec_buildef</span><span class="o">=</span><span class="n">tfsec_buildef</span><span class="p">,</span> <span class="n">checkov_buildef</span><span class="o">=</span><span class="n">checkov_buildef</span><span class="p">,</span> <span class="n">testing_buildef</span><span class="o">=</span><span class="n">testing_buildef</span><span class="p">,</span> <span class="n">terra_plan_buildef</span><span class="o">=</span><span class="n">terra_plan_buildef</span><span class="p">,</span> <span class="n">kics_buildef</span><span class="o">=</span><span class="n">kics_buildef</span><span class="p">,</span> <span class="n">deployment_buildef</span><span class="o">=</span><span class="n">deployment_buildef</span><span class="p">,</span> <span class="n">env_devsecops_account</span><span class="o">=</span><span class="n">env_devsecops_account</span><span class="p">,</span> <span class="n">environments</span><span class="o">=</span><span class="n">environments</span> <span class="p">)</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">tags</span><span class="p">.</span><span class="nf">keys</span><span class="p">():</span> <span class="n">Tags</span><span class="p">.</span><span class="nf">of</span><span class="p">(</span><span class="n">core_stack</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="n">key</span><span class="o">=</span><span class="n">t</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="n">tags</span><span class="p">[</span><span class="n">t</span><span class="p">])</span> </code></pre> </div> <p>Now, from main stack add the stages based on the project properties in yaml files, here a common question for manage parallel deployments and projects with this approach.</p> <p><strong>How can we deploy many stacks parallel when we have many projects?</strong></p> <p>The answer is using the <strong>CDK Pipelines waves</strong> capability, this capability is useful in several scenarios:</p> <ol> <li><p>Parallel Deployments:<br> • Deploy multiple stages simultaneously to different regions or accounts.<br> • Reduce overall pipeline execution time by running independent deployments in parallel.<br> • Deploy the same application to multiple environments concurrently.</p></li> <li><p>Deployment Organization:<br> • Group related deployments logically.<br> • Create deployment waves for different environments (dev, test, prod).<br> • Organize deployments by business units or applications.</p></li> <li><p>Controlled Progressive Rollouts:<br> • Deploy to a subset of regions/accounts first.<br> • Implement progressive deployment patterns.<br> • Add validation steps between waves for safety.</p></li> <li><p>Resource Optimization:<br> • Control concurrent deployments to manage resource usage.<br> • Balance deployment speed with system load.<br> • Optimize pipeline execution costs.</p></li> <li><p>Dependency Management:<br> • Group stages that can run independently.<br> • Separate dependent deployments into sequential waves.<br> • Manage complex deployment orchestration.</p></li> </ol> <blockquote> <p>While stages within a wave run in parallel, the waves themselves execute sequentially. This allows for controlled progression through your deployment pipeline while maximizing efficiency where parallel execution is beneficial.</p> </blockquote> <p>Second, test the stack with the parameters, in this case all definitions in a folder project configs are loaded, and one pipeline is created for each parameters set (team or project definitions).<br><br> Each project properties are loaded with a python function and create a custom class to abstract the project configurations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Dict</span><span class="p">,</span> <span class="n">Any</span><span class="p">,</span> <span class="n">Optional</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">Environment</span> <span class="kn">from</span> <span class="n">.utils</span> <span class="kn">import</span> <span class="n">load_yamls</span><span class="p">,</span> <span class="n">load_yamls_to_dict</span><span class="p">,</span> <span class="n">load_tags</span><span class="p">,</span> <span class="n">find_yaml_files</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">ProjectConfiguration</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Class to manage project configuration and environments</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">props_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">dirname</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Initialize ProjectConfiguration Args: props_path (str): Path to the properties file dirname (str, optional): Base directory path. If None, uses the directory of this class </span><span class="sh">"""</span> <span class="n">self</span><span class="p">.</span><span class="n">dirname</span> <span class="o">=</span> <span class="n">dirname</span> <span class="k">if</span> <span class="n">dirname</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="k">else</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="n">__file__</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">props_path</span> <span class="o">=</span> <span class="n">props_path</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_load_properties</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">environments</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">self</span><span class="p">.</span><span class="n">build_definitions</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">self</span><span class="p">.</span><span class="nf">_setup_environments</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">_load_tags</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">_load_build_definitions</span><span class="p">()</span> <span class="k">def</span> <span class="nf">_load_properties</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Load main properties from YAML file</span><span class="sh">"""</span> <span class="n">full_path</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">props_path</span><span class="p">)</span> <span class="nf">return </span><span class="p">(</span><span class="nf">load_yamls</span><span class="p">(</span><span class="n">full_path</span><span class="p">))[</span><span class="mi">0</span><span class="p">]</span> <span class="k">def</span> <span class="nf">_setup_environments</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Setup environment configurations</span><span class="sh">"""</span> <span class="n">self</span><span class="p">.</span><span class="n">devsecops_env</span> <span class="o">=</span> <span class="nc">Environment</span><span class="p">(</span> <span class="n">account</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">account_devsecops</span><span class="sh">'</span><span class="p">],</span> <span class="n">region</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">region_devsecops</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">def_environments</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">env_config</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">environments</span><span class="sh">"</span><span class="p">]:</span> <span class="n">self</span><span class="p">.</span><span class="nf">_process_environment</span><span class="p">(</span><span class="n">env_config</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">environments</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">environments</span> <span class="k">def</span> <span class="nf">_process_environment</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">env_config</span><span class="p">:</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Process individual environment configuration</span><span class="sh">"""</span> <span class="n">env_name</span> <span class="o">=</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">environment</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Create CDK Environment </span> <span class="n">self</span><span class="p">.</span><span class="n">environments</span><span class="p">[</span><span class="n">env_name</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Environment</span><span class="p">(</span> <span class="n">account</span><span class="o">=</span><span class="n">env_config</span><span class="p">[</span><span class="sh">'</span><span class="s">deployment_account</span><span class="sh">'</span><span class="p">],</span> <span class="n">region</span><span class="o">=</span><span class="n">env_config</span><span class="p">[</span><span class="sh">'</span><span class="s">deployment_region</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="c1"># Basic environment configuration </span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">def_environments</span><span class="sh">"</span><span class="p">][</span><span class="n">env_name</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">deployment_region</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">deployment_region</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">deployment_account</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">deployment_account</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">enable</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">enable</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">manual_approval</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">manual_approval</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">peer_review_approval</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">peer_review_approval</span><span class="sh">"</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Test environment specific configuration </span> <span class="k">if</span> <span class="n">env_name</span> <span class="o">==</span> <span class="sh">"</span><span class="s">test</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">def_environments</span><span class="sh">"</span><span class="p">][</span><span class="n">env_name</span><span class="p">].</span><span class="nf">update</span><span class="p">({</span> <span class="sh">"</span><span class="s">automate_testing</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">automate_testing</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">test_workspace</span><span class="sh">"</span><span class="p">:</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">test_workspace</span><span class="sh">"</span><span class="p">]</span> <span class="p">})</span> <span class="c1"># Optional partner review email </span> <span class="k">if</span> <span class="sh">"</span><span class="s">partner_review_email</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">env_config</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">def_environments</span><span class="sh">"</span><span class="p">][</span><span class="n">env_name</span><span class="p">][</span><span class="sh">"</span><span class="s">partner_review_email</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">env_config</span><span class="p">[</span><span class="sh">"</span><span class="s">partner_review_email</span><span class="sh">"</span><span class="p">]</span> <span class="k">def</span> <span class="nf">_load_tags</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Load tags from YAML file</span><span class="sh">"""</span> <span class="n">tags</span> <span class="o">=</span> <span class="p">(</span><span class="nf">load_yamls</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">props_path</span><span class="p">)))[</span><span class="mi">1</span><span class="p">][</span><span class="sh">'</span><span class="s">tags</span><span class="sh">'</span><span class="p">]</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="sh">"</span><span class="s">tags</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="nf">load_tags</span><span class="p">(</span><span class="n">tags</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_load_build_definitions</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Load all build definitions</span><span class="sh">"""</span> <span class="n">definition_mappings</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">compliance</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_compliance</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">terra_plan</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_create_artifacts</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">tfsec</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_tfsec</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">checkov</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_checkov</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">kics</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_kics</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">testing</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_testing</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">pipeline_cd</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">path_def_deploy</span><span class="sh">'</span> <span class="p">}</span> <span class="k">for</span> <span class="n">key</span><span class="p">,</span> <span class="n">path_key</span> <span class="ow">in</span> <span class="n">definition_mappings</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="n">self</span><span class="p">.</span><span class="n">build_definitions</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="o">=</span> <span class="nf">load_yamls_to_dict</span><span class="p">(</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">dirname</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">props</span><span class="p">[</span><span class="n">path_key</span><span class="p">])</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">get_environment</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">env_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Environment</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Get specific environment configuration</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">environments</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">env_name</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_build_definition</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">definition_type</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Get specific build definition</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">build_definitions</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">definition_type</span><span class="p">,</span> <span class="p">{})</span> <span class="c1"># Example usage with different configuration files </span><span class="k">def</span> <span class="nf">get_project_configs</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Loading project configs ...</span><span class="sh">"</span><span class="p">)</span> <span class="n">dirname</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="sh">"</span><span class="s">./project_configs/environment_options/</span><span class="sh">"</span><span class="p">)</span> <span class="n">dirname_pipes</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="sh">"</span><span class="s">./project_configs/pipeline_definitions</span><span class="sh">"</span><span class="p">)</span> <span class="n">projects</span> <span class="o">=</span> <span class="nf">find_yaml_files</span><span class="p">(</span><span class="n">dirname</span><span class="p">,</span> <span class="sh">"</span><span class="s">environment_options_terragrunt</span><span class="sh">"</span><span class="p">)</span> <span class="n">project_configs</span><span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">p</span> <span class="ow">in</span> <span class="n">projects</span><span class="p">:</span> <span class="c1"># Create instances for different environments or configurations </span> <span class="n">conf</span><span class="o">=</span><span class="nc">ProjectConfiguration</span><span class="p">(</span><span class="n">dirname</span><span class="o">=</span> <span class="n">dirname_pipes</span><span class="p">,</span><span class="n">props_path</span><span class="o">=</span><span class="n">p</span><span class="p">)</span> <span class="n">project_configs</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">conf</span><span class="p">)</span> <span class="k">return</span> <span class="n">project_configs</span> </code></pre> </div> <p>Third, test in sandbox and add the appropriate approval steps.</p> <p>Here code fragment for this deployment, here two waves are created according to reference diagram, the first deploy a sandbox template and after pass to production environments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">Stack</span><span class="p">,</span> <span class="n">Environment</span><span class="p">,</span> <span class="n">Aws</span><span class="p">,</span> <span class="n">aws_codecommit</span> <span class="k">as</span> <span class="n">codecommit</span><span class="p">,</span> <span class="n">pipelines</span> <span class="p">)</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="kn">from</span> <span class="n">.load_project_configs</span> <span class="kn">import</span> <span class="n">get_project_configs</span> <span class="kn">from</span> <span class="n">.stages.deploy_pipeline_stack</span> <span class="kn">import</span> <span class="n">PipelineStageProd</span> <span class="k">class</span> <span class="nc">Cdkv2DSOTerraformPipelineStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">props</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="n">repo</span> <span class="o">=</span> <span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">infra_repository</span><span class="sh">'</span><span class="p">][</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">]</span> <span class="n">synth</span> <span class="o">=</span> <span class="n">pipelines</span><span class="p">.</span><span class="nc">ShellStep</span><span class="p">(</span> <span class="sh">"</span><span class="s">Synth</span><span class="sh">"</span><span class="p">,</span> <span class="nb">input</span><span class="o">=</span><span class="n">pipelines</span><span class="p">.</span><span class="n">CodePipelineSource</span><span class="p">.</span><span class="nf">connection</span><span class="p">(</span><span class="n">repo_string</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">infra_repository</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">owner</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">repo</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">code_build_clone_output</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">branch</span><span class="o">=</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">infra_repository</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">branch</span><span class="sh">'</span><span class="p">],</span> <span class="n">connection_arn</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">arn:aws:codestar-connections:</span><span class="si">{</span><span class="n">Aws</span><span class="p">.</span><span class="n">REGION</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">Aws</span><span class="p">.</span><span class="n">ACCOUNT_ID</span><span class="si">}</span><span class="s">:connection/</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">infra_repository</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">connection_id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="p">),</span> <span class="n">commands</span><span class="o">=</span><span class="p">[</span> <span class="sh">"</span><span class="s">npm install -g aws-cdk</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Installs the cdk cli on Codebuild </span> <span class="sh">"</span><span class="s">pip install -r requirements.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pip install checkov</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Instructs Codebuild to install required packages </span> <span class="sh">"</span><span class="s">npx cdk synth</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> <span class="p">)</span> <span class="n">pipeline</span> <span class="o">=</span> <span class="n">pipelines</span><span class="p">.</span><span class="nc">CodePipeline</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">CDKPipeline-</span><span class="si">{</span><span class="n">props</span><span class="p">[</span><span class="sh">'</span><span class="s">project_name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">self_mutation</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">cross_account_keys</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">synth</span><span class="o">=</span><span class="n">synth</span><span class="p">,</span> <span class="n">pipeline_name</span><span class="o">=</span><span class="n">repo</span><span class="p">,</span> <span class="p">)</span> <span class="n">sandbox_wave</span> <span class="o">=</span> <span class="n">pipeline</span><span class="p">.</span><span class="nf">add_wave</span><span class="p">(</span><span class="sh">"</span><span class="s">DeploySandbox</span><span class="sh">"</span><span class="p">)</span> <span class="n">prod_wave</span> <span class="o">=</span> <span class="n">pipeline</span><span class="p">.</span><span class="nf">add_wave</span><span class="p">(</span><span class="sh">"</span><span class="s">DeployProd</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># add manual approval for prod wave </span> <span class="n">sandbox_wave</span><span class="p">.</span><span class="nf">add_post</span><span class="p">(</span><span class="n">pipelines</span><span class="p">.</span><span class="nc">ManualApprovalStep</span><span class="p">(</span><span class="sh">"</span><span class="s">PromoteToProd</span><span class="sh">"</span><span class="p">,</span> <span class="n">comment</span><span class="o">=</span><span class="sh">"</span><span class="s">Ready to apply to prod deployments</span><span class="sh">"</span><span class="p">))</span> <span class="n">projects</span> <span class="o">=</span> <span class="nf">get_project_configs</span><span class="p">()</span> <span class="k">for</span> <span class="n">project</span> <span class="ow">in</span> <span class="n">projects</span><span class="p">:</span> <span class="n">project_name</span> <span class="o">=</span> <span class="n">project</span><span class="p">.</span><span class="n">props</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">project_name</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">project_name</span><span class="p">)</span> <span class="n">stage_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Deploy-</span><span class="si">{</span><span class="n">project_name</span><span class="si">}</span><span class="sh">"</span> <span class="c1"># create wave </span> <span class="n">deploy_stage</span> <span class="o">=</span> <span class="nc">PipelineStageProd</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">stage_id</span><span class="p">,</span> <span class="n">stage_name</span><span class="o">=</span><span class="n">stage_id</span><span class="p">,</span> <span class="n">props</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="n">props</span><span class="p">,</span> <span class="n">compliance_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">compliance</span><span class="sh">"</span><span class="p">),</span> <span class="n">tfsec_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">tfsec</span><span class="sh">"</span><span class="p">),</span> <span class="n">checkov_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">checkov</span><span class="sh">"</span><span class="p">),</span> <span class="n">testing_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">testing</span><span class="sh">"</span><span class="p">),</span> <span class="n">terra_plan_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">terra_plan</span><span class="sh">"</span><span class="p">),</span> <span class="n">kics_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">kics</span><span class="sh">"</span><span class="p">),</span> <span class="n">deployment_buildef</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="nf">get_build_definition</span><span class="p">(</span><span class="sh">"</span><span class="s">pipeline_cd</span><span class="sh">"</span><span class="p">),</span> <span class="n">env</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="n">devsecops_env</span><span class="p">,</span> <span class="c1"># env_client_prd_account, </span> <span class="n">env_devsecops_account</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="n">devsecops_env</span><span class="p">,</span> <span class="n">environments</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="n">environments</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="n">project</span><span class="p">.</span><span class="n">props</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">tags</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> <span class="c1"># env=env_client_prd_account) </span> <span class="k">if</span> <span class="n">project_name</span><span class="p">.</span><span class="nf">endswith</span><span class="p">(</span><span class="sh">"</span><span class="s">sandbox</span><span class="sh">"</span><span class="p">):</span> <span class="n">sandbox_wave</span><span class="p">.</span><span class="nf">add_stage</span><span class="p">(</span> <span class="n">deploy_stage</span><span class="p">,</span> <span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">prod_wave</span><span class="p">.</span><span class="nf">add_stage</span><span class="p">(</span> <span class="n">deploy_stage</span> <span class="p">)</span> </code></pre> </div> <p>You can modify it according to your requirements. </p> <p>The AWS console view is something like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9gspkg1amgbx8jd6qg2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd9gspkg1amgbx8jd6qg2.png" alt="Pipeline of pipelines AWS 1" width="800" height="648"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm78yhjia9i9so7mx6pim.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm78yhjia9i9so7mx6pim.png" alt="Pipeline of pipelines AWS 2" width="800" height="539"></a></p> <p>Finally, you are ready to deploy more projects, in this case the project structure allow put a file for each project in the path and the cdk app automatically extend and create new pipelines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> tree project_configs/environment_options/ project_configs/environment_options/ ├── environment_options_advanceiac_v2.yaml ├── environment_options_ecs_fargate_pattern.yaml ├── environment_options_project_1.yaml ├── environment_options_project_2.yaml ├── environment_options_project_3_networking.yaml ├── environment_options_project_4_shared.yaml ├── environment_options_terragrunt_blueprint.yaml ├── environment_options_terragrunt_sandbox.yaml └── environment_options_another_project.yaml 1 directory, 9 files </code></pre> </div> <p>Thanks for reading and sharing. If you want to know more and get the code please follow me and at the end of this series I will share the final project version as opensource project.</p> devops aws terraform cdk