DEV Community: Celestine Ntadi

From Zero to VibeRoll: Production-Ready DevOps Stack on AWS with Terraform & GitHub Actions

Celestine Ntadi — Tue, 03 Jun 2025 17:41:06 +0000

An educational deep dive into deploying a scalable, secure cloud application using DevOps best practices.

What’s This About?

In this post, I’ll walk you through how I built VibeRoll. A modern backend service using a fully automated, production-ready infrastructure powered by:

AWS: ECS Fargate, RDS PostgreSQL, ElastiCache Redis, ALB, Secrets Manager
Terraform: Modular infrastructure as code
GitHub Actions: End-to-end CI/CD automation
Secrets Management: Validated, versioned, and secure

Whether you're a cloud engineer, a DevOps enthusiast, or a backend developer curious about scaling securely, you're in the right place.

Project Overview

VibeRoll is a stateless Node.js API that runs entirely on AWS using container orchestration, persistent storage, and a secrets-driven CI/CD pipeline.

Requirements

Node.js API deployed via ECS Fargate
PostgreSQL database on Amazon RDS
Redis cluster using ElastiCache
Secrets in AWS Secrets Manager (rotated and validated)
GitHub Actions for CI/CD
VPC, Subnets, Security Groups, WAF for network isolation

1. Architecture Overview

Component	AWS Service
Compute	ECS Fargate
Image Registry	Elastic Container Registry (ECR)
Database	RDS PostgreSQL
Caching	ElastiCache (Redis)
Load Balancer	Application Load Balancer (ALB)
Secrets	AWS Secrets Manager
CI/CD	GitHub Actions
Monitoring	Amazon CloudWatch
Networking	VPC with Public/Private Subnets and NAT Gateway
Security	Security Groups + AWS WAF

Why This Architecture?

ECS Fargate provides serverless container orchestration, reducing ops overhead.
ECR is a secure and scalable container image registry tightly integrated with ECS.
RDS PostgreSQL manages our relational data layer, providing automated backups and failover.
ElastiCache Redis boosts application performance with low-latency caching.
ALB ensures traffic is distributed intelligently with built-in health checks.
Secrets Manager centralizes and encrypts environment secrets for applications.
GitHub Actions handles continuous integration and deployment from the repo to the cloud.
CloudWatch offers full-stack observability with logs, metrics, and alarms.
VPC + NAT GW create a secure and flexible network layout with controlled internet access.
WAF + Security Groups protect against common web exploits and control traffic at the instance level.

Diagram Summary

ALB in public subnet → routes traffic to ECS tasks in private subnets
RDS and Redis stay private and secure
ECR hosts Docker images for ECS to pull on deployment
NAT Gateway allows outbound ECS traffic (e.g., pulling images from ECR)
GitHub Actions automates the deployment of both infrastructure and app

2. VPC + Subnet Layout

Three-tier network setup:

public subnet → ALB
private subnet → ECS tasks, RDS, Redis
NAT Gateway allows private ECS tasks to pull images

module "vpc" {
  source   = "./modules/vpc"
  vpc_cidr = var.vpc_cidr
  azs      = var.azs
}

3. Modular Terraform Setup

Each part of the infrastructure is modularized for reusability and clarity:

celestn@CN001:/viberoll-project/viberoll-infra$ tree -I 'node_modules' -L 2
.
├── README.md
├── backend.tf
├── images
│   └── viberoll_architecture_improved.png
├── main.tf
├── modules
│   ├── alb
│   ├── cloudwatch
│   ├── ecr
│   ├── ecs
│   ├── elasticache
│   ├── rds
│   ├── secrets
│   ├── vpc
│   └── waf
├── outputs.tf
├── terraform.tfvars
└── variables.tf

12 directories, 8 files
celestn@CN001:/viberoll-project/viberoll-infra$

Example – RDS Module

resource "aws_db_instance" "postgres" {
  identifier = "${var.project_name}-postgres"
  engine     = "postgres"
  db_name    = var.db_name
  username   = var.db_username
  password   = var.db_password
}

4. Secrets Management via AWS Secrets Manager

Secrets are securely passed and verified via GitHub Actions:

resource "aws_secretsmanager_secret" "secrets" {
  for_each = var.secrets_map
  name     = "${var.project_name}-${each.key}"
}

resource "aws_secretsmanager_secret_version" "secrets_version" {
  for_each        = aws_secretsmanager_secret.secrets
  secret_id       = each.value.id
  secret_string   = var.secrets_map[each.key]
  version_stages  = ["AWSCURRENT"]
}

✅ CI pipeline fails early if a secret is missing or empty

✅ Secrets are validated before any terraform apply

5. CI/CD with GitHub Actions

Here’s how the workflow is structured:

- name: Terraform Plan
  run: |
    terraform plan -input=false -out=tfplan \
      -var-file="secrets.auto.tfvars.json" \
      -var="project_name=${TF_PROJECT_NAME}" \
      -var="db_username=${TF_DB_USERNAME}"

Key Steps:

✅ Validate secrets
✅ Generate secrets.auto.tfvars.json
✅ Run terraform init, plan, apply
✅ Fail early if secrets are misconfigured

6. Testing the Setup

✅ ECS

Get the ALB DNS output
Curl or open it in a browser to verify your service is running

✅ RDS

Temporarily allow your IP in the RDS security group and run:

psql -h <endpoint> -U viberoll_service -d viberoll -p 5432

Run basic SQL queries to verify connectivity.

7. Lessons Learned

What Went Wrong

Secrets missing the AWSCURRENT label
Dynamic for_each maps failed during plan

Fixes

Forced secret version to always include AWSCURRENT
Added a null_resource to validate secrets
Refactored the secrets map to be predictable

8. Final Thoughts

This project showcases how to build secure, scalable, and repeatable infrastructure for real-world backend applications using modern DevOps practices:

Secure by design (VPC, secrets, IAM)
Modular infrastructure (Terraform)
Fully automated CI/CD (GitHub Actions)
Post-deploy testing included

ElasticCache Cluster

Amazon Elastic Container Service (ECS) Cluster

Application Load Balancer (ALB)

Elastic Container Registry

SwaggerUI Sample User Created

Integrated Docker Image to Infra Deployment

WAF & Shield

Application ELB

Resources

GitHub Repo: viberoll-infra Repo
Terraform AWS Provider: terraform.io
AWS Secrets Manager: docs.aws.amazon.com

❤️ Like This Setup?

Fork the repository, tweak the variables, and you're ready to deploy your own cloud-native service quickly, securely, and in production-grade quality.

Got questions or ideas to improve this stack? Drop a comment below!

Building and Deploying a Scalable Video Platform: DevOps Contributions from the VibeRoll Project

Celestine Ntadi — Sat, 17 May 2025 10:50:56 +0000

As part of my work on VibeRoll, a next-generation video-sharing platform with blockchain integrations, I led the full backend architecture and DevOps implementation. This post outlines how I applied advanced DevOps practices, overcame infrastructure challenges, and built a CI/CD pipeline that aligns with industry best practices. The project is fully open-source and available at GitHub Repo.

Why DevOps Matters for Media-Heavy Applications

VibeRoll aims to blend social video sharing with NFT and AI integrations. The infrastructure requirements included:

High I/O and network throughput for video uploads
Real-time data support using Redis
Token-based authentication and rate limiting
Frequent iteration and deployments

To deliver this reliably, I implemented a DevOps-first approach.

Cloud Infrastructure and CI/CD Pipeline

I deployed the application on an Azure Linux VM, using:

Node.js (Express) for the backend API
PostgreSQL and Redis for persistent and cache storage
GitHub Actions for CI/CD with service containers

Contributions:

Created a CI/CD workflow that:
- Spins up Postgres and Redis using Docker
- Installs dependencies, runs tests, linting, and audit checks
- Seeds a test database via Prisma
Authored the .github/workflows/ci.yml from scratch and debugged cross-service health checks

Repo: viberoll-backend GitHub

Dependency and Security Management

During testing, GitHub Dependabot flagged a high-severity SSRF vulnerability in axios.

My Actions:

Used npm-check-updates to upgrade all packages
Integrated Dependabot into the CI lifecycle
Configured GitHub Actions to fail builds on npm audit high-severity issues

Impact:

Improved application security posture
Ensured continuous compliance with open-source package hygiene

Infrastructure as Code and Database Migrations

To support version-controlled schema changes:

I added Prisma ORM with full migration and seed capabilities
Wrote seed scripts to automate admin account provisioning
Enabled repeatable test environments in CI/CD

npx prisma migrate deploy
npx prisma db seed

This ensured consistency between local, test, and production environments.

Swagger UI and Dynamic Cloud URLs

Swagger by default binds to localhost, which fails in cloud deployments. I enhanced it to dynamically detect IPs:

const baseUrl = `${process.env.HOST || 'http://localhost:'}${process.env.PORT || 4000}`;

This allowed both local and public Swagger API access, critical for QA and frontend developers.

Final DevOps Checklist

Task	Description	Status
CI/CD Pipeline	GitHub Actions with Docker containers	✅ Done
Prisma Migrations	Schema version control	✅ Done
Seed Script	Automated admin and test data	✅ Done
`.env.example`	Environment templating and validation	✅ Done
Swagger Dynamic Host	Public documentation support	✅ Done
Security Audit Integration	`npm audit` + Dependabot	✅ Done

Outcomes and Lessons Learned

Reduced onboarding time by automating dev setup and DB creation
Shortened deploy cycles with CI/CD pipelines
Prevented production risks by patching vulnerabilities early
Enabled safe multi-user collaboration via GitHub workflows

Conclusion

In this project, I showcased how DevOps practices, from CI/CD automation to security enforcement, can transform a backend service from being local-only to becoming cloud-ready. My contributions included infrastructure planning, toolchain integration, and ensuring deployment resilience.

This work reflects my ability to build, scale, and secure cloud-native services with DevOps methodologies.

Feel free to explore the open-source repo and CI/CD workflows: Open-source viberoll-backend repo.