DEV Community: InstaDevOps The latest articles on DEV Community by InstaDevOps (@instadevops). https://dev.to/instadevops https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2952358%2F474aa7f4-09cf-409d-891e-cfc4f071d18a.png DEV Community: InstaDevOps https://dev.to/instadevops en PostgreSQL High Availability: A Practical Guide with Patroni and pgBouncer InstaDevOps Sun, 19 Apr 2026 13:46:56 +0000 https://dev.to/instadevops/postgresql-high-availability-a-practical-guide-with-patroni-and-pgbouncer-2p10 https://dev.to/instadevops/postgresql-high-availability-a-practical-guide-with-patroni-and-pgbouncer-2p10 <h2> Introduction </h2> <p>Your database is the last thing that should go down. Yet setting up PostgreSQL for high availability remains one of the most under-documented areas in the DevOps world. Most teams run a single Postgres instance until the day it dies, then scramble to set up replication while their users stare at error pages.</p> <p>This guide walks through a production-ready PostgreSQL HA setup using the tools that have become the industry standard: <strong>Patroni</strong> for automated failover, <strong>pgBouncer</strong> for connection pooling, <strong>streaming replication</strong> for data redundancy, and <strong>pgBackRest</strong> for backups. We'll cover the architecture, actual configuration files, failure scenarios, and the operational runbooks you'll need.</p> <p>If you're running Postgres in production and don't have automated failover, this article is for you.</p> <h2> Architecture Overview </h2> <p>A production HA Postgres setup has four layers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ┌─────────────┐ │ HAProxy │ (Virtual IP / DNS) │ Port 5432 │ └──────┬──────┘ │ ┌────────────┼────────────┐ │ │ │ ┌─────┴─────┐ ┌───┴───┐ ┌─────┴─────┐ │ pgBouncer │ │pgBouncer│ │ pgBouncer │ │ Node 1 │ │ Node 2 │ │ Node 3 │ └─────┬──────┘ └───┬───┘ └─────┬──────┘ │ │ │ ┌─────┴─────┐ ┌───┴───┐ ┌─────┴─────┐ │ Patroni + │ │Patroni│ │ Patroni + │ │ Postgres │ │ + PG │ │ Postgres │ │ (Primary) │ │(Replica)│ │ (Replica) │ └────────────┘ └────────┘ └────────────┘ │ │ │ ┌─────────────────────────────────────┐ │ etcd Cluster (3 nodes) │ └─────────────────────────────────────┘ </code></pre> </div> <p><strong>Patroni</strong> manages the Postgres instances and handles leader election via a distributed consensus store (etcd, ZooKeeper, or Consul). When the primary fails, Patroni automatically promotes a replica and reconfigures the others to follow the new primary.</p> <p><strong>pgBouncer</strong> sits between your application and Postgres, pooling connections to avoid the expensive fork-per-connection model. Each Postgres node runs its own pgBouncer instance.</p> <p><strong>HAProxy</strong> (or a DNS-based solution) routes traffic to the current primary. Patroni exposes a REST API that HAProxy uses for health checks.</p> <h2> Setting Up Patroni </h2> <p>Install Patroni on each Postgres node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip3 <span class="nb">install </span>patroni[etcd] </code></pre> </div> <p>Here's a production Patroni configuration (<code>/etc/patroni/patroni.yml</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">scope</span><span class="pi">:</span> <span class="s">postgres-cluster</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pg-node-1</span> <span class="na">restapi</span><span class="pi">:</span> <span class="na">listen</span><span class="pi">:</span> <span class="s">0.0.0.0:8008</span> <span class="na">connect_address</span><span class="pi">:</span> <span class="s">10.0.1.10:8008</span> <span class="na">etcd3</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s">10.0.1.20:2379,10.0.1.21:2379,10.0.1.22:2379</span> <span class="na">bootstrap</span><span class="pi">:</span> <span class="na">dcs</span><span class="pi">:</span> <span class="na">ttl</span><span class="pi">:</span> <span class="m">30</span> <span class="na">loop_wait</span><span class="pi">:</span> <span class="m">10</span> <span class="na">retry_timeout</span><span class="pi">:</span> <span class="m">10</span> <span class="na">maximum_lag_on_failover</span><span class="pi">:</span> <span class="m">1048576</span> <span class="c1"># 1MB</span> <span class="na">postgresql</span><span class="pi">:</span> <span class="na">use_pg_rewind</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">use_slots</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">wal_level</span><span class="pi">:</span> <span class="s">replica</span> <span class="na">hot_standby</span><span class="pi">:</span> <span class="s2">"</span><span class="s">on"</span> <span class="na">max_wal_senders</span><span class="pi">:</span> <span class="m">10</span> <span class="na">max_replication_slots</span><span class="pi">:</span> <span class="m">10</span> <span class="na">wal_log_hints</span><span class="pi">:</span> <span class="s2">"</span><span class="s">on"</span> <span class="na">archive_mode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">on"</span> <span class="na">archive_command</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">pgbackrest --stanza=main archive-push %p</span> <span class="na">initdb</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">encoding</span><span class="pi">:</span> <span class="s">UTF8</span> <span class="pi">-</span> <span class="s">data-checksums</span> <span class="na">pg_hba</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">host replication replicator 10.0.1.0/24 md5</span> <span class="pi">-</span> <span class="s">host all all 10.0.1.0/24 md5</span> <span class="na">postgresql</span><span class="pi">:</span> <span class="na">listen</span><span class="pi">:</span> <span class="s">0.0.0.0:5432</span> <span class="na">connect_address</span><span class="pi">:</span> <span class="s">10.0.1.10:5432</span> <span class="na">data_dir</span><span class="pi">:</span> <span class="s">/var/lib/postgresql/16/main</span> <span class="na">bin_dir</span><span class="pi">:</span> <span class="s">/usr/lib/postgresql/16/bin</span> <span class="na">authentication</span><span class="pi">:</span> <span class="na">superuser</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">password</span><span class="pi">:</span> <span class="s2">"</span><span class="s">your-secure-password"</span> <span class="na">replication</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">replicator</span> <span class="na">password</span><span class="pi">:</span> <span class="s2">"</span><span class="s">your-replication-password"</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">shared_buffers</span><span class="pi">:</span> <span class="s">4GB</span> <span class="na">effective_cache_size</span><span class="pi">:</span> <span class="s">12GB</span> <span class="na">work_mem</span><span class="pi">:</span> <span class="s">64MB</span> <span class="na">maintenance_work_mem</span><span class="pi">:</span> <span class="s">512MB</span> <span class="na">max_connections</span><span class="pi">:</span> <span class="m">200</span> <span class="na">checkpoint_completion_target</span><span class="pi">:</span> <span class="m">0.9</span> <span class="na">wal_buffers</span><span class="pi">:</span> <span class="s">64MB</span> <span class="na">random_page_cost</span><span class="pi">:</span> <span class="m">1.1</span> <span class="c1"># SSD storage</span> </code></pre> </div> <p>Key settings to understand:</p> <ul> <li> <strong><code>maximum_lag_on_failover</code></strong>: A replica won't be promoted if it's more than 1MB behind the primary. This prevents data loss but means failover might not happen if all replicas are lagging heavily.</li> <li> <strong><code>use_pg_rewind</code></strong>: Allows the old primary to rejoin the cluster as a replica after failover without a full base backup. This is critical for fast recovery.</li> <li> <strong><code>use_slots</code></strong>: Replication slots prevent the primary from removing WAL segments that replicas still need, avoiding replication breakage during network issues.</li> </ul> <p>Start Patroni as a systemd service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl <span class="nb">enable </span>patroni <span class="nb">sudo </span>systemctl start patroni </code></pre> </div> <p>Check cluster status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>patronictl <span class="nt">-c</span> /etc/patroni/patroni.yml list </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>+ Cluster: postgres-cluster ----+---------+---------+----+-----------+ | Member | Host | Role | State | TL | Lag in MB | +-----------+------------+---------+---------+----+-----------+ | pg-node-1 | 10.0.1.10 | Leader | running | 1 | | | pg-node-2 | 10.0.1.11 | Replica | running | 1 | 0.0 | | pg-node-3 | 10.0.1.12 | Replica | running | 1 | 0.0 | +-----------+------------+---------+---------+----+-----------+ </code></pre> </div> <h2> Configuring pgBouncer for Connection Pooling </h2> <p>Without connection pooling, each application connection forks a new Postgres backend process (~10MB RAM each). With 500 application connections, that's 5GB just for connection overhead. pgBouncer solves this by multiplexing thousands of application connections over a small pool of actual database connections.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c">; /etc/pgbouncer/pgbouncer.ini </span> <span class="nn">[databases]</span> <span class="py">myapp</span> <span class="p">=</span> <span class="s">host=127.0.0.1 port=5432 dbname=myapp</span> <span class="nn">[pgbouncer]</span> <span class="py">listen_addr</span> <span class="p">=</span> <span class="s">0.0.0.0</span> <span class="py">listen_port</span> <span class="p">=</span> <span class="s">6432</span> <span class="py">auth_type</span> <span class="p">=</span> <span class="s">md5</span> <span class="py">auth_file</span> <span class="p">=</span> <span class="s">/etc/pgbouncer/userlist.txt</span> <span class="c">; Pool settings </span><span class="py">pool_mode</span> <span class="p">=</span> <span class="s">transaction</span> <span class="py">default_pool_size</span> <span class="p">=</span> <span class="s">25</span> <span class="py">min_pool_size</span> <span class="p">=</span> <span class="s">5</span> <span class="py">reserve_pool_size</span> <span class="p">=</span> <span class="s">5</span> <span class="py">reserve_pool_timeout</span> <span class="p">=</span> <span class="s">3</span> <span class="c">; Connection limits </span><span class="py">max_client_conn</span> <span class="p">=</span> <span class="s">1000</span> <span class="py">max_db_connections</span> <span class="p">=</span> <span class="s">100</span> <span class="c">; Timeouts </span><span class="py">server_idle_timeout</span> <span class="p">=</span> <span class="s">300</span> <span class="py">client_idle_timeout</span> <span class="p">=</span> <span class="s">0</span> <span class="py">query_timeout</span> <span class="p">=</span> <span class="s">60</span> <span class="py">query_wait_timeout</span> <span class="p">=</span> <span class="s">30</span> <span class="c">; Logging </span><span class="py">log_connections</span> <span class="p">=</span> <span class="s">1</span> <span class="py">log_disconnections</span> <span class="p">=</span> <span class="s">1</span> <span class="py">log_pooler_errors</span> <span class="p">=</span> <span class="s">1</span> <span class="py">stats_period</span> <span class="p">=</span> <span class="s">60</span> </code></pre> </div> <p><strong>Critical decision: pool_mode.</strong> Transaction mode is the right default for most applications - it assigns a server connection for the duration of a transaction, then returns it to the pool. Session mode holds the connection for the entire client session (defeats the purpose of pooling). Statement mode is the most aggressive but breaks multi-statement transactions and prepared statements.</p> <p><strong>Warning:</strong> Transaction pooling breaks <code>SET</code> commands, prepared statements that span transactions, and <code>LISTEN/NOTIFY</code>. If your application uses these, you'll need session pooling for those specific connections.</p> <h2> Backup Strategy with pgBackRest </h2> <p>pgBackRest is the gold standard for Postgres backups. It supports full, differential, and incremental backups with parallel compression and encryption.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c">; /etc/pgbackrest/pgbackrest.conf </span> <span class="nn">[global]</span> <span class="py">repo1-type</span><span class="p">=</span><span class="s">s3</span> <span class="py">repo1-s3-bucket</span><span class="p">=</span><span class="s">your-pg-backups</span> <span class="py">repo1-s3-region</span><span class="p">=</span><span class="s">us-east-1</span> <span class="py">repo1-s3-endpoint</span><span class="p">=</span><span class="s">s3.amazonaws.com</span> <span class="py">repo1-path</span><span class="p">=</span><span class="s">/backups</span> <span class="py">repo1-retention-full</span><span class="p">=</span><span class="s">4</span> <span class="py">repo1-retention-diff</span><span class="p">=</span><span class="s">14</span> <span class="py">repo1-cipher-type</span><span class="p">=</span><span class="s">aes-256-cbc</span> <span class="py">repo1-cipher-pass</span><span class="p">=</span><span class="s">your-encryption-passphrase</span> <span class="py">process-max</span><span class="p">=</span><span class="s">4</span> <span class="py">compress-type</span><span class="p">=</span><span class="s">zst</span> <span class="py">compress-level</span><span class="p">=</span><span class="s">3</span> <span class="nn">[main]</span> <span class="py">pg1-path</span><span class="p">=</span><span class="s">/var/lib/postgresql/16/main</span> <span class="py">pg1-port</span><span class="p">=</span><span class="s">5432</span> </code></pre> </div> <p>Create the stanza and run your first backup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Initialize the backup repository</span> pgbackrest <span class="nt">--stanza</span><span class="o">=</span>main stanza-create <span class="c"># Full backup</span> pgbackrest <span class="nt">--stanza</span><span class="o">=</span>main <span class="nt">--type</span><span class="o">=</span>full backup <span class="c"># Differential backup (only changed since last full)</span> pgbackrest <span class="nt">--stanza</span><span class="o">=</span>main <span class="nt">--type</span><span class="o">=</span>diff backup <span class="c"># Incremental backup (only changed since last backup of any type)</span> pgbackrest <span class="nt">--stanza</span><span class="o">=</span>main <span class="nt">--type</span><span class="o">=</span>incr backup </code></pre> </div> <p>Set up a cron schedule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Full backup every Sunday at 1 AM</span> 0 1 <span class="k">*</span> <span class="k">*</span> 0 pgbackrest <span class="nt">--stanza</span><span class="o">=</span>main <span class="nt">--type</span><span class="o">=</span>full backup <span class="c"># Differential backup every day at 1 AM (except Sunday)</span> 0 1 <span class="k">*</span> <span class="k">*</span> 1-6 pgbackrest <span class="nt">--stanza</span><span class="o">=</span>main <span class="nt">--type</span><span class="o">=</span>diff backup </code></pre> </div> <p><strong>Point-in-time recovery</strong> is where pgBackRest shines. Because Patroni is already archiving WAL segments to pgBackRest, you can restore to any point in time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pgbackrest <span class="nt">--stanza</span><span class="o">=</span>main <span class="nt">--type</span><span class="o">=</span><span class="nb">time</span> <span class="se">\</span> <span class="nt">--target</span><span class="o">=</span><span class="s2">"2026-04-09 14:30:00"</span> <span class="se">\</span> <span class="nt">--target-action</span><span class="o">=</span>promote restore </code></pre> </div> <h2> Failover Testing and Operational Runbooks </h2> <p>Setting up HA means nothing if you don't test it. Here are the failure scenarios you must validate:</p> <p><strong>1. Primary node crash:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Simulate primary failure</span> <span class="nb">sudo </span>systemctl stop patroni <span class="c"># on the primary node</span> </code></pre> </div> <p>Expected: Within 30 seconds (TTL), Patroni promotes a replica. HAProxy health checks detect the change and route traffic to the new primary. Application sees a brief connection error, retries, and reconnects.</p> <p><strong>2. Network partition:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Isolate primary from etcd</span> iptables <span class="nt">-A</span> OUTPUT <span class="nt">-p</span> tcp <span class="nt">--dport</span> 2379 <span class="nt">-j</span> DROP </code></pre> </div> <p>Expected: Primary can't reach etcd, Patroni demotes it to read-only. A replica with etcd access gets promoted. When network heals, the old primary uses pg_rewind to rejoin as a replica.</p> <p><strong>3. Switchover (planned maintenance):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Graceful switchover to a specific replica</span> patronictl <span class="nt">-c</span> /etc/patroni/patroni.yml switchover <span class="se">\</span> <span class="nt">--master</span> pg-node-1 <span class="nt">--candidate</span> pg-node-2 <span class="nt">--force</span> </code></pre> </div> <p>Expected: Zero or near-zero downtime. The primary finishes in-flight transactions, transfers leadership, and becomes a replica.</p> <p><strong>4. Full cluster restore from backup:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Stop all Patroni instances</span> <span class="c"># On the new primary node:</span> pgbackrest <span class="nt">--stanza</span><span class="o">=</span>main <span class="nt">--type</span><span class="o">=</span><span class="nb">time</span> <span class="se">\</span> <span class="nt">--target</span><span class="o">=</span><span class="s2">"2026-04-09 10:00:00"</span> restore <span class="c"># Start Patroni - it will bootstrap from the restored data</span> <span class="nb">sudo </span>systemctl start patroni </code></pre> </div> <p>Run these tests quarterly. Document the results. Your future self at 3 AM will thank you.</p> <h2> Monitoring Your HA Cluster </h2> <p>You need visibility into replication lag, connection pool utilization, and failover events. Key metrics to track:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Replication lag (run on primary)</span> <span class="k">SELECT</span> <span class="n">client_addr</span><span class="p">,</span> <span class="k">state</span><span class="p">,</span> <span class="n">sent_lsn</span><span class="p">,</span> <span class="n">write_lsn</span><span class="p">,</span> <span class="n">flush_lsn</span><span class="p">,</span> <span class="n">replay_lsn</span><span class="p">,</span> <span class="n">pg_wal_lsn_diff</span><span class="p">(</span><span class="n">sent_lsn</span><span class="p">,</span> <span class="n">replay_lsn</span><span class="p">)</span> <span class="k">AS</span> <span class="n">replay_lag_bytes</span> <span class="k">FROM</span> <span class="n">pg_stat_replication</span><span class="p">;</span> <span class="c1">-- Connection counts</span> <span class="k">SELECT</span> <span class="k">state</span><span class="p">,</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">pg_stat_activity</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="k">state</span><span class="p">;</span> <span class="c1">-- Long-running queries</span> <span class="k">SELECT</span> <span class="n">pid</span><span class="p">,</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">pg_stat_activity</span><span class="p">.</span><span class="n">query_start</span> <span class="k">AS</span> <span class="n">duration</span><span class="p">,</span> <span class="n">query</span> <span class="k">FROM</span> <span class="n">pg_stat_activity</span> <span class="k">WHERE</span> <span class="k">state</span> <span class="o">!=</span> <span class="s1">'idle'</span> <span class="k">AND</span> <span class="n">now</span><span class="p">()</span> <span class="o">-</span> <span class="n">pg_stat_activity</span><span class="p">.</span><span class="n">query_start</span> <span class="o">&gt;</span> <span class="n">interval</span> <span class="s1">'30 seconds'</span><span class="p">;</span> </code></pre> </div> <p>For Prometheus monitoring, use <code>postgres_exporter</code> and set up alerts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Prometheus alerting rules</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">PostgresReplicationLag</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">pg_replication_lag_seconds &gt; </span><span class="m">30</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Replication</span><span class="nv"> </span><span class="s">lag</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$value</span><span class="nv"> </span><span class="s">}}s</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.instance</span><span class="nv"> </span><span class="s">}}"</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">PostgresConnectionPoolExhausted</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">pgbouncer_pools_server_active / pgbouncer_pools_server_max &gt; </span><span class="m">0.9</span> <span class="na">for</span><span class="pi">:</span> <span class="s">2m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">pgBouncer</span><span class="nv"> </span><span class="s">pool</span><span class="nv"> </span><span class="s">&gt;90%</span><span class="nv"> </span><span class="s">utilized</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.instance</span><span class="nv"> </span><span class="s">}}"</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">PatroniNoLeader</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">patroni_master == </span><span class="m">0</span> <span class="na">for</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">No</span><span class="nv"> </span><span class="s">Patroni</span><span class="nv"> </span><span class="s">leader</span><span class="nv"> </span><span class="s">detected</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">cluster"</span> </code></pre> </div> <h2> Need Help with Your DevOps? </h2> <p>Building a production-grade PostgreSQL HA cluster takes time and expertise - and maintaining it takes even more. At <strong>InstaDevOps</strong>, we design, deploy, and manage database infrastructure alongside your entire DevOps stack, starting at <strong>$2,999/month</strong>.</p> <p>Book a free 15-minute consultation to discuss your database reliability needs: <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">https://calendly.com/instadevops/15min</a></p> postgres database devops highavailability Nginx vs Traefik vs Caddy: Which Reverse Proxy Should You Pick? InstaDevOps Sat, 18 Apr 2026 13:46:53 +0000 https://dev.to/instadevops/nginx-vs-traefik-vs-caddy-which-reverse-proxy-should-you-pick-3ekl https://dev.to/instadevops/nginx-vs-traefik-vs-caddy-which-reverse-proxy-should-you-pick-3ekl <h2> Introduction </h2> <p>Choosing a reverse proxy is one of those decisions that seems trivial until you're debugging TLS certificate renewals at 2 AM or trying to figure out why your service discovery isn't propagating. If you're running microservices, your reverse proxy is the front door to everything - and picking the wrong one can cost you weeks of configuration headaches.</p> <p>Here, we'll do a hands-on comparison of the three most popular reverse proxies in the modern DevOps stack: <strong>Nginx</strong>, <strong>Traefik</strong>, and <strong>Caddy</strong>. We'll look at configuration complexity, automatic TLS, service discovery, performance characteristics, and when each one makes sense.</p> <p>No fluff. Just real configs, real trade-offs, and a clear recommendation based on your use case.</p> <h2> The Contenders at a Glance </h2> <p>Before we dive in, here's a quick snapshot:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Nginx</th> <th>Traefik</th> <th>Caddy</th> </tr> </thead> <tbody> <tr> <td>Language</td> <td>C</td> <td>Go</td> <td>Go</td> </tr> <tr> <td>Config Format</td> <td>Custom DSL</td> <td>YAML/TOML/Labels</td> <td>Caddyfile/JSON</td> </tr> <tr> <td>Auto TLS</td> <td>Via Certbot</td> <td>Built-in (Let's Encrypt)</td> <td>Built-in (Let's Encrypt + ZeroSSL)</td> </tr> <tr> <td>Service Discovery</td> <td>Manual/scripted</td> <td>Native (Docker, K8s, Consul)</td> <td>Limited (on_demand_tls)</td> </tr> <tr> <td>Hot Reload</td> <td><code>nginx -s reload</code></td> <td>Automatic</td> <td>Automatic</td> </tr> <tr> <td>Dashboard</td> <td>Nginx Plus only</td> <td>Built-in</td> <td>Via API</td> </tr> <tr> <td>Memory Footprint</td> <td>~2-5 MB</td> <td>~30-50 MB</td> <td>~20-40 MB</td> </tr> </tbody> </table></div> <p>Nginx has been the default choice for over a decade. Traefik was built specifically for dynamic microservice environments. Caddy focuses on simplicity and security-by-default.</p> <h2> Configuration Complexity </h2> <p>This is where the differences hit you first. Let's set up a simple reverse proxy with TLS for two services: an API on port 3000 and a frontend on port 8080.</p> <p><strong>Nginx:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">api.example.com</span><span class="p">;</span> <span class="kn">return</span> <span class="mi">301</span> <span class="s">https://</span><span class="nv">$server_name$request_uri</span><span class="p">;</span> <span class="p">}</span> <span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span> <span class="s">http2</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">api.example.com</span><span class="p">;</span> <span class="kn">ssl_certificate</span> <span class="n">/etc/letsencrypt/live/api.example.com/fullchain.pem</span><span class="p">;</span> <span class="kn">ssl_certificate_key</span> <span class="n">/etc/letsencrypt/live/api.example.com/privkey.pem</span><span class="p">;</span> <span class="kn">ssl_protocols</span> <span class="s">TLSv1.2</span> <span class="s">TLSv1.3</span><span class="p">;</span> <span class="kn">ssl_ciphers</span> <span class="s">HIGH:!aNULL:!MD5</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://localhost:3000</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="nv">$scheme</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span> <span class="s">http2</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">app.example.com</span><span class="p">;</span> <span class="kn">ssl_certificate</span> <span class="n">/etc/letsencrypt/live/app.example.com/fullchain.pem</span><span class="p">;</span> <span class="kn">ssl_certificate_key</span> <span class="n">/etc/letsencrypt/live/app.example.com/privkey.pem</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://localhost:8080</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Plus you need Certbot installed, cron jobs for renewal, and you'll reload Nginx manually after any change.</p> <p><strong>Traefik (docker-compose labels):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">traefik</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">traefik:v3.1</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--providers.docker=true"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.web.address=:80"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--entrypoints.websecure.address=:443"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.email=you@example.com"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">80:80"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">443:443"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/var/run/docker.sock:/var/run/docker.sock:ro</span> <span class="pi">-</span> <span class="s">./acme:/acme</span> <span class="na">api</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-api:latest</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.api.rule=Host(`api.example.com`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.api.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.api.loadbalancer.server.port=3000"</span> <span class="na">frontend</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-frontend:latest</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend.rule=Host(`app.example.com`)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.frontend.tls.certresolver=letsencrypt"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.services.frontend.loadbalancer.server.port=8080"</span> </code></pre> </div> <p><strong>Caddy (Caddyfile):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight vcl"><code>api.example.com <span class="p">{</span> reverse_proxy localhost:<span class="mi">3000</span> <span class="p">}</span> app.example.com <span class="p">{</span> reverse_proxy localhost:<span class="mi">8080</span> <span class="p">}</span> </code></pre> </div> <p>That's it. Caddy automatically provisions TLS certificates, redirects HTTP to HTTPS, and enables HTTP/2. Two lines per service.</p> <h2> Automatic TLS and Certificate Management </h2> <p>This is Caddy's killer feature and Traefik's strong suit. With Nginx, you're on your own.</p> <p><strong>Caddy</strong> obtains certificates from Let's Encrypt and ZeroSSL automatically. It handles renewal, OCSP stapling, and even falls back to a secondary CA if the primary is down. You literally do nothing - just put a domain name in the Caddyfile and it works.</p> <p><strong>Traefik</strong> supports Let's Encrypt via ACME with HTTP-01 and DNS-01 challenges. DNS-01 is crucial if you're behind a load balancer or need wildcard certificates. Configuration looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">certificatesResolvers</span><span class="pi">:</span> <span class="na">letsencrypt</span><span class="pi">:</span> <span class="na">acme</span><span class="pi">:</span> <span class="na">email</span><span class="pi">:</span> <span class="s">ops@example.com</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">/acme/acme.json</span> <span class="na">dnsChallenge</span><span class="pi">:</span> <span class="na">provider</span><span class="pi">:</span> <span class="s">cloudflare</span> <span class="na">resolvers</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">1.1.1.1:53"</span> </code></pre> </div> <p><strong>Nginx</strong> requires Certbot or a similar ACME client as a separate process. You need to configure it, set up renewal hooks, and make sure the reload happens after certificate updates. It works, but it's another moving part to maintain.</p> <p><strong>Verdict:</strong> If automatic TLS matters to you (it should), Caddy wins on simplicity and Traefik wins on flexibility. Nginx is manageable but requires more operational overhead.</p> <h2> Service Discovery and Dynamic Configuration </h2> <p>This is where Traefik pulls ahead for container-heavy environments.</p> <p><strong>Traefik</strong> natively watches Docker labels, Kubernetes Ingress resources, Consul catalogs, etcd, and more. When a new container spins up with the right labels, Traefik picks it up immediately - no restart, no reload, no config file change. This is incredibly powerful for dynamic environments where services scale up and down frequently.</p> <p><strong>Caddy</strong> has an API for dynamic configuration but doesn't natively integrate with container orchestrators the way Traefik does. You can use <code>caddy-docker-proxy</code> (community plugin) to get Docker label support, but it's not first-party.</p> <p><strong>Nginx</strong> is static by default. You change a file, you reload. Tools like <code>consul-template</code> or <code>nginx-proxy</code> (jwilder) exist to generate configs dynamically, but they're external tools bolted on.</p> <p>For Kubernetes specifically, all three have Ingress controller implementations, but Traefik's is the most mature for dynamic environments and ships as the default ingress controller in K3s.</p> <h2> Performance Benchmarks </h2> <p>Raw performance matters less than you think for most workloads, but here are realistic numbers from common benchmarking setups:</p> <p><strong>Requests per second (simple HTTP proxy, wrk with 100 connections):</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Proxy</th> <th>RPS (HTTP)</th> <th>RPS (HTTPS)</th> <th>p99 Latency</th> </tr> </thead> <tbody> <tr> <td>Nginx</td> <td>~45,000</td> <td>~32,000</td> <td>2.1 ms</td> </tr> <tr> <td>Traefik</td> <td>~28,000</td> <td>~22,000</td> <td>3.8 ms</td> </tr> <tr> <td>Caddy</td> <td>~30,000</td> <td>~24,000</td> <td>3.2 ms</td> </tr> </tbody> </table></div> <p>Nginx is faster, period. It's written in C with an event-driven architecture that has been optimized for 20+ years. If you're proxying tens of thousands of requests per second and every millisecond counts, Nginx is the right choice.</p> <p>But for most applications - handling hundreds to low thousands of RPS - the difference between 3ms and 2ms latency at p99 is irrelevant. You'll hit bottlenecks in your application code, database, or network long before the proxy becomes the issue.</p> <h2> Middleware and Advanced Features </h2> <p>All three support common middleware patterns, but the implementation differs.</p> <p><strong>Rate limiting:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="c1"># Nginx</span> <span class="k">http</span> <span class="p">{</span> <span class="kn">limit_req_zone</span> <span class="nv">$binary_remote_addr</span> <span class="s">zone=api:10m</span> <span class="s">rate=10r/s</span><span class="p">;</span> <span class="kn">server</span> <span class="p">{</span> <span class="kn">location</span> <span class="n">/api/</span> <span class="p">{</span> <span class="kn">limit_req</span> <span class="s">zone=api</span> <span class="s">burst=20</span> <span class="s">nodelay</span><span class="p">;</span> <span class="kn">proxy_pass</span> <span class="s">http://backend</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Traefik (middleware via labels)</span> <span class="na">labels</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.middlewares.ratelimit.ratelimit.average=10"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.middlewares.ratelimit.ratelimit.burst=20"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">traefik.http.routers.api.middlewares=ratelimit"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight vcl"><code><span class="c1"># Caddy</span> api.example.com <span class="p">{</span> rate_limit <span class="p">{</span><span class="nv">remote.ip</span><span class="p">}</span> <span class="mi">10</span>r<span class="o">/</span>s reverse_proxy localhost:<span class="mi">3000</span> <span class="p">}</span> </code></pre> </div> <p><strong>Authentication, compression, headers, CORS</strong> - all three handle these well. Traefik has the concept of middleware chains that you can compose and reuse across routers, which is elegant for complex setups. Nginx has the most extensive third-party module ecosystem. Caddy has a growing plugin system but fewer options overall.</p> <h2> When to Use Each </h2> <p><strong>Choose Nginx when:</strong></p> <ul> <li>You need maximum raw performance (high-traffic APIs, CDN edge nodes)</li> <li>You have a static infrastructure that doesn't change often</li> <li>Your team already knows Nginx configuration well</li> <li>You need advanced features like TCP/UDP proxying, custom Lua scripting, or GeoIP</li> <li>You're running on resource-constrained hardware</li> </ul> <p><strong>Choose Traefik when:</strong></p> <ul> <li>You're running Docker or Kubernetes with frequently changing services</li> <li>You want automatic service discovery without config file management</li> <li>You need the built-in dashboard for visibility into routing</li> <li>You're using multiple orchestration platforms (Docker + Consul, for example)</li> <li>Your microservices scale up and down dynamically</li> </ul> <p><strong>Choose Caddy when:</strong></p> <ul> <li>You want the simplest possible setup with automatic HTTPS</li> <li>You're a small team that doesn't want to maintain proxy configuration</li> <li>You're running a handful of services that don't change often</li> <li>You want a single binary with no external dependencies</li> <li>You value security defaults (HTTPS everywhere, modern TLS settings out of the box)</li> </ul> <h2> Migration Tips </h2> <p>If you're switching from Nginx to Traefik or Caddy, here's what to watch for:</p> <ol> <li><p><strong>Upstream health checks</strong> - Nginx does passive health checks by default; Traefik and Caddy have active health check options that behave differently. Test failover behavior.</p></li> <li><p><strong>Websocket proxying</strong> - Nginx needs explicit <code>proxy_set_header Upgrade</code> and <code>Connection</code> headers. Caddy and Traefik handle websockets transparently.</p></li> <li><p><strong>Custom error pages</strong> - Each proxy handles error responses differently. Test your 502/503 pages after migration.</p></li> <li><p><strong>Logging format</strong> - If you're parsing access logs with Loki/ELK, your log format will change. Update your parsers before switching.</p></li> <li><p><strong>Certificate storage</strong> - If migrating to Traefik or Caddy, your existing Let's Encrypt certificates from Certbot won't transfer. The new proxy will obtain fresh certificates automatically, but be aware of Let's Encrypt rate limits (50 certificates per registered domain per week).</p></li> </ol> <h2> Need Help with Your DevOps? </h2> <p>Setting up and maintaining reverse proxies, load balancers, and TLS infrastructure is just one piece of the DevOps puzzle. At <strong>InstaDevOps</strong>, we handle your entire infrastructure - from proxy configuration to CI/CD pipelines, monitoring, and Kubernetes management - starting at <strong>$2,999/month</strong>.</p> <p>Book a free 15-minute consultation to discuss your infrastructure needs: <a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">https://calendly.com/instadevops/15min</a></p> nginx traefik devops infrastructure Cloud Cost FinOps: Cut Your AWS Bill by 40% Without Sacrificing Performance InstaDevOps Fri, 17 Apr 2026 13:46:50 +0000 https://dev.to/instadevops/cloud-cost-finops-cut-your-aws-bill-by-40-without-sacrificing-performance-39md https://dev.to/instadevops/cloud-cost-finops-cut-your-aws-bill-by-40-without-sacrificing-performance-39md <h2> Introduction </h2> <p>Cloud spending has a way of creeping up silently. You start with a few EC2 instances and an RDS database, and eighteen months later your AWS bill is five figures and nobody can explain exactly where the money goes. Engineering says they need all the resources. Finance says the cloud was supposed to be cheaper than on-premise. Both are frustrated.</p> <p>FinOps - short for Cloud Financial Operations - is the practice of bringing financial accountability to cloud spending. It is not about cutting costs to the bone. It is about making sure every dollar you spend on cloud infrastructure delivers value, and that your team can make informed trade-off decisions between cost, speed, and quality.</p> <p>This guide covers the practical FinOps strategies that consistently deliver the biggest savings on AWS: commitment discounts, spot instances, right-sizing, cost allocation, and the organizational practices that make cost optimization sustainable.</p> <h2> Understanding Your Current Spend </h2> <p>Before optimizing anything, you need visibility into where your money goes. Without data, you are guessing.</p> <h3> Enable Cost Allocation Tags </h3> <p>Tags are the foundation of cloud cost management. Without them, your bill is one opaque number. With them, you can attribute costs to teams, services, environments, and projects.</p> <p>At minimum, enforce these tags on all resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Terraform - enforce tagging via default_tags</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">default_tags</span> <span class="p">{</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="c1"># production, staging, development</span> <span class="nx">Team</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">team_name</span> <span class="c1"># payments, platform, data</span> <span class="nx">Service</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">service_name</span> <span class="c1"># payment-api, user-service</span> <span class="nx">CostCenter</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cost_center</span> <span class="c1"># maps to finance department codes</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Activate tags in the AWS Billing console under <strong>Cost Allocation Tags</strong>. It takes 24 hours for newly activated tags to appear in Cost Explorer.</p> <h3> AWS Cost Explorer and CUR </h3> <p>Cost Explorer gives you quick visibility. For deeper analysis, enable the <strong>Cost and Usage Report (CUR)</strong> which exports detailed billing data to S3:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_cur_report_definition"</span> <span class="s2">"cost_report"</span> <span class="p">{</span> <span class="nx">report_name</span> <span class="p">=</span> <span class="s2">"daily-cost-report"</span> <span class="nx">time_unit</span> <span class="p">=</span> <span class="s2">"DAILY"</span> <span class="nx">format</span> <span class="p">=</span> <span class="s2">"Parquet"</span> <span class="nx">compression</span> <span class="p">=</span> <span class="s2">"Parquet"</span> <span class="nx">additional_schema_elements</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"RESOURCES"</span><span class="p">]</span> <span class="nx">s3_bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">cost_reports</span><span class="p">.</span><span class="nx">id</span> <span class="nx">s3_region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">s3_prefix</span> <span class="p">=</span> <span class="s2">"cur"</span> <span class="nx">report_versioning</span> <span class="p">=</span> <span class="s2">"OVERWRITE_REPORT"</span> <span class="p">}</span> </code></pre> </div> <p>Query the CUR data with Athena to answer questions like "How much did the payments team spend on RDS last quarter?"</p> <h3> Set Up Budget Alerts </h3> <p>Never let a bill surprise you. Create budgets with alerts at 50%, 80%, and 100% thresholds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_budgets_budget"</span> <span class="s2">"monthly"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"monthly-total"</span> <span class="nx">budget_type</span> <span class="p">=</span> <span class="s2">"COST"</span> <span class="nx">limit_amount</span> <span class="p">=</span> <span class="s2">"5000"</span> <span class="nx">limit_unit</span> <span class="p">=</span> <span class="s2">"USD"</span> <span class="nx">time_unit</span> <span class="p">=</span> <span class="s2">"MONTHLY"</span> <span class="nx">notification</span> <span class="p">{</span> <span class="nx">comparison_operator</span> <span class="p">=</span> <span class="s2">"GREATER_THAN"</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">threshold_type</span> <span class="p">=</span> <span class="s2">"PERCENTAGE"</span> <span class="nx">notification_type</span> <span class="p">=</span> <span class="s2">"ACTUAL"</span> <span class="nx">subscriber_email_addresses</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"engineering@company.com"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">notification</span> <span class="p">{</span> <span class="nx">comparison_operator</span> <span class="p">=</span> <span class="s2">"GREATER_THAN"</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">threshold_type</span> <span class="p">=</span> <span class="s2">"PERCENTAGE"</span> <span class="nx">notification_type</span> <span class="p">=</span> <span class="s2">"FORECASTED"</span> <span class="nx">subscriber_email_addresses</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"engineering@company.com"</span><span class="p">,</span> <span class="s2">"finance@company.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Reserved Instances vs Savings Plans </h2> <p>Commitment discounts are the single largest cost lever for most AWS accounts, typically saving 30-60% over on-demand pricing.</p> <h3> Savings Plans (Recommended for Most Teams) </h3> <p>Savings Plans offer flexibility that Reserved Instances lack. You commit to a dollar amount per hour of compute usage, and AWS applies the discount automatically.</p> <p><strong>Compute Savings Plans</strong> cover EC2, Fargate, and Lambda across all regions and instance families. They offer the most flexibility:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>On-demand: $0.0416/hour (t3.medium, eu-west-1) 1-year Compute SP (no upfront): $0.0270/hour - 35% savings 3-year Compute SP (all upfront): $0.0166/hour - 60% savings </code></pre> </div> <p><strong>EC2 Instance Savings Plans</strong> are locked to a specific instance family and region but offer slightly deeper discounts.</p> <h3> How to Calculate Your Commitment </h3> <ol> <li>Open Cost Explorer and view the last 3 months of EC2/Fargate spend</li> <li>Identify your baseline (the minimum spend that is consistent every day)</li> <li>Commit to 70-80% of that baseline with Savings Plans</li> <li>Cover the remaining variable usage with on-demand and spot </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Example: Average daily compute spend: $200/day Minimum daily spend (baseline): $160/day Recommended SP commitment: $160 * 0.75 = $120/day = $5.00/hour Annual savings: $120/day * 365 * 0.35 = $15,330/year </code></pre> </div> <h3> Common Mistake: Over-Committing </h3> <p>Do not commit to 100% of current usage. Your architecture will change, services will be rewritten, and traffic patterns will shift. Commit conservatively and re-evaluate quarterly.</p> <h2> Spot Instances: Up to 90% Savings </h2> <p>Spot instances use AWS's spare capacity at steep discounts (60-90% off on-demand), but can be interrupted with 2 minutes notice.</p> <h3> Where Spot Works Well </h3> <ul> <li>CI/CD build runners</li> <li>Batch processing and data pipelines</li> <li>Dev/staging environments</li> <li>Stateless web workers behind a load balancer (with enough capacity diversity)</li> <li>Machine learning training jobs with checkpointing</li> </ul> <h3> Where Spot Does Not Work </h3> <ul> <li>Single-instance databases</li> <li>Stateful services without replication</li> <li>Anything where a 2-minute shutdown causes data loss</li> </ul> <h3> ECS Spot with Capacity Providers </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_ecs_capacity_provider"</span> <span class="s2">"spot"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"spot-provider"</span> <span class="nx">auto_scaling_group_provider</span> <span class="p">{</span> <span class="nx">auto_scaling_group_arn</span> <span class="p">=</span> <span class="nx">aws_autoscaling_group</span><span class="p">.</span><span class="nx">spot</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">managed_termination_protection</span> <span class="p">=</span> <span class="s2">"ENABLED"</span> <span class="nx">managed_scaling</span> <span class="p">{</span> <span class="nx">maximum_scaling_step_size</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">minimum_scaling_step_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"ENABLED"</span> <span class="nx">target_capacity</span> <span class="p">=</span> <span class="mi">100</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_ecs_cluster_capacity_providers"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_ecs_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">capacity_providers</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_ecs_capacity_provider</span><span class="p">.</span><span class="nx">spot</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="s2">"FARGATE"</span><span class="p">,</span> <span class="s2">"FARGATE_SPOT"</span> <span class="p">]</span> <span class="nx">default_capacity_provider_strategy</span> <span class="p">{</span> <span class="nx">base</span> <span class="p">=</span> <span class="mi">2</span> <span class="c1"># 2 tasks always on regular Fargate</span> <span class="nx">weight</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">capacity_provider</span> <span class="p">=</span> <span class="s2">"FARGATE"</span> <span class="p">}</span> <span class="nx">default_capacity_provider_strategy</span> <span class="p">{</span> <span class="nx">weight</span> <span class="p">=</span> <span class="mi">3</span> <span class="c1"># 3x weight on Fargate Spot</span> <span class="nx">capacity_provider</span> <span class="p">=</span> <span class="s2">"FARGATE_SPOT"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This runs a baseline of 2 tasks on regular Fargate and scales additional tasks on Fargate Spot at roughly 70% discount.</p> <h2> Right-Sizing: Stop Paying for Idle Resources </h2> <p>Most organizations over-provision by 30-50%. Right-sizing means matching resource allocation to actual usage.</p> <h3> Identifying Oversized Instances </h3> <p>Use AWS Compute Optimizer (free) or query CloudWatch directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check average CPU utilization for an instance over the last 2 weeks</span> aws cloudwatch get-metric-statistics <span class="se">\</span> <span class="nt">--namespace</span> AWS/EC2 <span class="se">\</span> <span class="nt">--metric-name</span> CPUUtilization <span class="se">\</span> <span class="nt">--dimensions</span> <span class="nv">Name</span><span class="o">=</span>InstanceId,Value<span class="o">=</span>i-0123456789abcdef0 <span class="se">\</span> <span class="nt">--start-time</span> <span class="si">$(</span><span class="nb">date</span> <span class="nt">-u</span> <span class="nt">-v-14d</span> +%Y-%m-%dT%H:%M:%S<span class="si">)</span> <span class="se">\</span> <span class="nt">--end-time</span> <span class="si">$(</span><span class="nb">date</span> <span class="nt">-u</span> +%Y-%m-%dT%H:%M:%S<span class="si">)</span> <span class="se">\</span> <span class="nt">--period</span> 3600 <span class="se">\</span> <span class="nt">--statistics</span> Average Maximum <span class="se">\</span> <span class="nt">--output</span> table </code></pre> </div> <p><strong>Rules of thumb:</strong></p> <ul> <li>Average CPU under 20%: downsize by one tier</li> <li>Average CPU under 10%: downsize by two tiers or consider Fargate</li> <li>Max CPU consistently under 40%: safe to downsize one tier</li> </ul> <h3> Graviton Instances: 20% Better Price-Performance </h3> <p>AWS Graviton (ARM) instances offer 20% better price-performance than equivalent x86 instances. If your application runs on Linux and does not depend on x86-specific binaries, switching is straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>t3.medium (x86): $0.0416/hour t4g.medium (ARM): $0.0336/hour - 19% cheaper, 20% faster </code></pre> </div> <p>For containerized workloads, build multi-arch images:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker buildx build <span class="nt">--platform</span> linux/amd64,linux/arm64 <span class="nt">-t</span> myapp:latest <span class="nt">--push</span> <span class="nb">.</span> </code></pre> </div> <h2> Storage and Data Transfer Optimization </h2> <h3> S3 Lifecycle Policies </h3> <p>Most S3 data is accessed frequently for a short period and then rarely again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_s3_bucket_lifecycle_configuration"</span> <span class="s2">"logs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">logs</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"archive-old-logs"</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="nx">transition</span> <span class="p">{</span> <span class="nx">days</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"STANDARD_IA"</span> <span class="c1"># 45% cheaper</span> <span class="p">}</span> <span class="nx">transition</span> <span class="p">{</span> <span class="nx">days</span> <span class="p">=</span> <span class="mi">90</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"GLACIER_IR"</span> <span class="c1"># 68% cheaper, millisecond retrieval</span> <span class="p">}</span> <span class="nx">transition</span> <span class="p">{</span> <span class="nx">days</span> <span class="p">=</span> <span class="mi">365</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"DEEP_ARCHIVE"</span> <span class="c1"># 95% cheaper</span> <span class="p">}</span> <span class="nx">expiration</span> <span class="p">{</span> <span class="nx">days</span> <span class="p">=</span> <span class="mi">730</span> <span class="c1"># Delete after 2 years</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> EBS Volume Optimization </h3> <ul> <li>Switch gp2 volumes to gp3: same performance, 20% cheaper, and you can independently scale IOPS</li> <li>Delete unattached EBS volumes (check monthly)</li> <li>Use EBS snapshots for infrequently accessed data instead of keeping volumes running </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Find unattached EBS volumes</span> aws ec2 describe-volumes <span class="se">\</span> <span class="nt">--filters</span> <span class="nv">Name</span><span class="o">=</span>status,Values<span class="o">=</span>available <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'Volumes[*].{ID:VolumeId,Size:Size,Created:CreateTime}'</span> <span class="se">\</span> <span class="nt">--output</span> table </code></pre> </div> <h3> NAT Gateway Costs </h3> <p>NAT Gateways charge $0.045/hour ($32.85/month) plus $0.045/GB of data processed. For high-traffic workloads, this adds up fast.</p> <p>Alternatives:</p> <ul> <li> <strong>VPC Endpoints</strong> for AWS services (S3, DynamoDB, ECR) - eliminates NAT data charges for AWS API calls</li> <li> <strong>NAT instances</strong> on t4g.nano ($3.07/month) for dev/staging environments </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># S3 Gateway Endpoint (free, eliminates NAT charges for S3)</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"com.amazonaws.eu-west-1.s3"</span> <span class="nx">route_table_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># ECR Interface Endpoints</span> <span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"ecr_api"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"com.amazonaws.eu-west-1.ecr.api"</span> <span class="nx">vpc_endpoint_type</span> <span class="p">=</span> <span class="s2">"Interface"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span><span class="p">[*].</span><span class="nx">id</span> <span class="nx">private_dns_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h2> Building a FinOps Culture </h2> <p>Tools alone do not reduce cloud costs. You need organizational practices that create accountability.</p> <h3> Weekly Cost Reviews </h3> <p>Run a 15-minute weekly meeting reviewing:</p> <ol> <li>Total spend vs budget</li> <li>Week-over-week change and top 3 drivers of increase</li> <li>Top 5 most expensive services</li> <li>Any anomalies or unexpected charges</li> <li>Action items from last week</li> </ol> <h3> Team-Level Cost Dashboards </h3> <p>Give each team visibility into their own spending (this is where tags become critical). When engineers can see that their service costs $2,400/month, they start caring about optimization.</p> <h3> Architecture Decision Records for Cost </h3> <p>For significant infrastructure decisions, document the cost implications:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># ADR-015: Switch payment-api from t3.xlarge to t4g.large</span> <span class="gu">## Context</span> Payment API currently runs on 3x t3.xlarge ($0.1664/hr each). Average CPU: 22%. Average memory: 35%. <span class="gu">## Decision</span> Migrate to 3x t4g.large (ARM, $0.0672/hr each). CPU and memory are sufficient based on 30-day CloudWatch data. <span class="gu">## Cost Impact</span> Before: 3 <span class="ge">* $0.1664 *</span> 730 = $364.42/month After: 3 <span class="ge">* $0.0672 *</span> 730 = $147.17/month Savings: $217.25/month ($2,607/year) </code></pre> </div> <h2> Quick Wins Checklist </h2> <p>If you are just starting with FinOps, tackle these in order. Each one can be done in a day or less:</p> <ol> <li> <strong>Delete unused resources</strong> - unattached EBS volumes, old snapshots, idle load balancers, stopped instances with EBS volumes</li> <li> <strong>Enable S3 Intelligent-Tiering</strong> on buckets with unpredictable access patterns</li> <li> <strong>Switch gp2 to gp3</strong> EBS volumes (20% savings, no performance loss)</li> <li> <strong>Add VPC endpoints</strong> for S3 and DynamoDB (eliminates NAT data charges)</li> <li> <strong>Purchase Savings Plans</strong> covering 70% of your steady-state compute</li> <li> <strong>Set up budget alerts</strong> so you know before the bill arrives</li> <li> <strong>Enable Compute Optimizer</strong> recommendations (free)</li> <li><strong>Review and clean up old ECR images, CloudWatch log groups, and Lambda versions</strong></li> </ol> <h2> Need Help with Your DevOps? </h2> <p>Cloud cost optimization is an ongoing practice, not a one-time project. At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we help startups and growing companies implement FinOps practices that reduce cloud spending by 30-50% while maintaining the performance and reliability your users expect.</p> <p>Plans start at <strong>$2,999/mo</strong> for a dedicated fractional DevOps engineer.</p> <p><strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a></strong> to get a cloud cost assessment.</p> aws finops cloud costoptimization Building a DevSecOps Pipeline: Shift Security Left Without Slowing Down InstaDevOps Thu, 16 Apr 2026 13:46:46 +0000 https://dev.to/instadevops/building-a-devsecops-pipeline-shift-security-left-without-slowing-down-31fl https://dev.to/instadevops/building-a-devsecops-pipeline-shift-security-left-without-slowing-down-31fl <h2> Introduction </h2> <p>Every week brings news of another data breach, supply chain attack, or misconfigured cloud resource exposing millions of records. The traditional approach of bolting security on at the end of the development cycle no longer works. By the time a penetration tester finds a vulnerability in staging, the code has been through weeks of development, and fixing it means expensive rework.</p> <p>DevSecOps integrates security testing directly into your CI/CD pipeline so vulnerabilities are caught in minutes, not months. The goal is not to slow down development - it is to catch security issues at the same speed you catch bugs: automatically, on every commit.</p> <p>This guide walks through building a practical DevSecOps pipeline with real tool configurations, covering static analysis, dependency scanning, container image scanning, infrastructure security, and policy-as-code.</p> <h2> The DevSecOps Pipeline Stages </h2> <p>A mature DevSecOps pipeline runs security checks at every stage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Code Commit → SAST → Dependency Scan → Build → Container Scan → IaC Scan → DAST → Deploy → Runtime Protection </code></pre> </div> <p>You do not need all of these on day one. Start with the highest-impact, lowest-friction stages and layer on additional checks as your team matures.</p> <h2> Stage 1: Static Application Security Testing (SAST) </h2> <p>SAST tools analyze your source code for vulnerabilities without executing it. They catch issues like SQL injection, cross-site scripting, hardcoded secrets, and insecure cryptographic patterns.</p> <h3> Semgrep for Custom and Community Rules </h3> <p>Semgrep is fast, supports 30+ languages, and lets you write custom rules in a simple YAML syntax:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/sast.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SAST Scan</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">semgrep</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">container</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">semgrep/semgrep</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">semgrep scan --config auto --error --sarif --output semgrep.sarif .</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/upload-sarif@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">sarif_file</span><span class="pi">:</span> <span class="s">semgrep.sarif</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> </code></pre> </div> <p>The <code>--config auto</code> flag uses Semgrep's curated community ruleset. For stricter scanning, add specific rule packs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>semgrep scan <span class="se">\</span> <span class="nt">--config</span> p/security-audit <span class="se">\</span> <span class="nt">--config</span> p/secrets <span class="se">\</span> <span class="nt">--config</span> p/owasp-top-ten <span class="se">\</span> <span class="nt">--error</span> <span class="nb">.</span> </code></pre> </div> <h3> Writing Custom Security Rules </h3> <p>Create organization-specific rules for patterns your team should avoid:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .semgrep/custom-rules.yml</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">no-raw-sql-queries</span> <span class="na">patterns</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">db.query($SQL, ...)</span> <span class="pi">-</span> <span class="na">pattern-not</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">db.query($SQL, [...])</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Use</span><span class="nv"> </span><span class="s">parameterized</span><span class="nv"> </span><span class="s">queries</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">prevent</span><span class="nv"> </span><span class="s">SQL</span><span class="nv"> </span><span class="s">injection"</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">ERROR</span> <span class="na">languages</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">javascript</span><span class="pi">,</span> <span class="nv">typescript</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">no-console-log-in-production</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">console.log(...)</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Remove</span><span class="nv"> </span><span class="s">console.log</span><span class="nv"> </span><span class="s">before</span><span class="nv"> </span><span class="s">merging</span><span class="nv"> </span><span class="s">to</span><span class="nv"> </span><span class="s">main"</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">WARNING</span> <span class="na">languages</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">javascript</span><span class="pi">,</span> <span class="nv">typescript</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="na">include</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">src/</span> </code></pre> </div> <h2> Stage 2: Dependency and Supply Chain Scanning </h2> <p>Your application's dependencies are a massive attack surface. A single vulnerable transitive dependency can compromise your entire system.</p> <h3> Scanning with Trivy </h3> <p>Trivy scans not just containers but also filesystems for vulnerable dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/dependency-scan.yml</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">scan-dependencies</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Trivy filesystem scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">scan-type</span><span class="pi">:</span> <span class="s">fs</span> <span class="na">scan-ref</span><span class="pi">:</span> <span class="s">.</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">HIGH,CRITICAL</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="m">1</span> <span class="na">format</span><span class="pi">:</span> <span class="s">sarif</span> <span class="na">output</span><span class="pi">:</span> <span class="s">trivy-fs.sarif</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/upload-sarif@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">sarif_file</span><span class="pi">:</span> <span class="s">trivy-fs.sarif</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> </code></pre> </div> <h3> Software Bill of Materials (SBOM) </h3> <p>Generate an SBOM for compliance and vulnerability tracking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate SBOM with Syft</span> syft packages <span class="nb">dir</span>:. <span class="nt">-o</span> spdx-json <span class="o">&gt;</span> sbom.spdx.json <span class="c"># Scan the SBOM for vulnerabilities with Grype</span> grype sbom:sbom.spdx.json <span class="nt">--fail-on</span> high </code></pre> </div> <h3> Automated Dependency Updates </h3> <p>Use Renovate or Dependabot to keep dependencies current:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">renovate.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"$schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://docs.renovatebot.com/renovate-schema.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"extends"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"config:recommended"</span><span class="p">],</span><span class="w"> </span><span class="nl">"vulnerabilityAlerts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"labels"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"security"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"packageRules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"matchUpdateTypes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"patch"</span><span class="p">],</span><span class="w"> </span><span class="nl">"automerge"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"automergeType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"branch"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"matchUpdateTypes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"major"</span><span class="p">],</span><span class="w"> </span><span class="nl">"labels"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"breaking-change"</span><span class="p">],</span><span class="w"> </span><span class="nl">"assignees"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"team-lead"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Stage 3: Container Image Scanning </h2> <p>Container images often contain vulnerable OS packages, misconfigured permissions, and unnecessary tools that increase the attack surface.</p> <h3> Scanning During Build </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build image</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t myapp:${{ github.sha }} .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Scan image with Trivy</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">image-ref</span><span class="pi">:</span> <span class="s">myapp:${{ github.sha }}</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">HIGH,CRITICAL</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check for root user</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">USER=$(docker inspect --format='{{.Config.User}}' myapp:${{ github.sha }})</span> <span class="s">if [ -z "$USER" ] || [ "$USER" = "root" ]; then</span> <span class="s">echo "ERROR: Container runs as root. Add a USER directive to your Dockerfile."</span> <span class="s">exit 1</span> <span class="s">fi</span> </code></pre> </div> <h3> Hardening Dockerfiles </h3> <p>A secure Dockerfile follows these patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Use specific version, not :latest</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:20.11-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="c"># Multi-stage build - no build tools in final image</span> <span class="k">FROM</span><span class="s"> node:20.11-alpine</span> <span class="c"># Create non-root user</span> <span class="k">RUN </span>addgroup <span class="nt">-g</span> 1001 <span class="nt">-S</span> appuser <span class="o">&amp;&amp;</span> <span class="se">\ </span> adduser <span class="nt">-S</span> appuser <span class="nt">-u</span> 1001 <span class="nt">-G</span> appuser <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --from=builder /app/node_modules ./node_modules</span> <span class="k">COPY</span><span class="s"> --chown=appuser:appuser . .</span> <span class="c"># Drop all capabilities</span> <span class="k">USER</span><span class="s"> appuser</span> <span class="c"># Use dumb-init to handle PID 1 properly</span> <span class="k">RUN </span>apk add <span class="nt">--no-cache</span> dumb-init <span class="k">ENTRYPOINT</span><span class="s"> ["dumb-init", "--"]</span> <span class="k">CMD</span><span class="s"> ["node", "server.js"]</span> </code></pre> </div> <h2> Stage 4: Infrastructure as Code Security </h2> <p>Misconfigured infrastructure is the leading cause of cloud breaches. Scan your Terraform, CloudFormation, and Kubernetes manifests before they reach production.</p> <h3> Checkov for IaC Scanning </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">iac-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Checkov</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">bridgecrewio/checkov-action@v12</span> <span class="na">with</span><span class="pi">:</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">terraform/</span> <span class="na">framework</span><span class="pi">:</span> <span class="s">terraform</span> <span class="na">soft_fail</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">output_format</span><span class="pi">:</span> <span class="s">sarif</span> <span class="na">output_file_path</span><span class="pi">:</span> <span class="s">checkov.sarif</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/upload-sarif@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">sarif_file</span><span class="pi">:</span> <span class="s">checkov.sarif</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> </code></pre> </div> <p>Checkov catches misconfigurations like:</p> <ul> <li>S3 buckets without encryption</li> <li>Security groups open to 0.0.0.0/0</li> <li>RDS instances without encryption at rest</li> <li>IAM policies with wildcard permissions</li> <li>EBS volumes without encryption</li> </ul> <h3> tfsec for Terraform-Specific Scanning </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run tfsec on your Terraform directory</span> tfsec terraform/ <span class="nt">--format</span> sarif <span class="nt">--out</span> tfsec.sarif <span class="c"># Common findings:</span> <span class="c"># - aws-ec2-no-public-ingress-sgr</span> <span class="c"># - aws-s3-enable-bucket-encryption</span> <span class="c"># - aws-iam-no-policy-wildcards</span> <span class="c"># - aws-rds-encrypt-instance-storage-data</span> </code></pre> </div> <h2> Stage 5: Dynamic Application Security Testing (DAST) </h2> <p>DAST tools test your running application by sending requests and analyzing responses for vulnerabilities. Run these against a staging environment after deployment.</p> <h3> OWASP ZAP Baseline Scan </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">dast</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">deploy-staging</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">OWASP ZAP Baseline Scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">zaproxy/action-baseline@v0.12.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">target</span><span class="pi">:</span> <span class="s">https://staging.example.com</span> <span class="na">rules_file_name</span><span class="pi">:</span> <span class="s">zap-rules.tsv</span> <span class="na">fail_action</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">cmd_options</span><span class="pi">:</span> <span class="s1">'</span><span class="s">-a</span><span class="nv"> </span><span class="s">-j'</span> </code></pre> </div> <p>DAST scans are slower (minutes to hours) and noisier than SAST, so run them post-deployment rather than on every commit.</p> <h2> Stage 6: Policy-as-Code with Open Policy Agent </h2> <p>Policy-as-Code enforces organizational rules programmatically. Open Policy Agent (OPA) lets you write policies in Rego that gate deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="c1"># policy/kubernetes.rego</span> <span class="ow">package</span> <span class="n">kubernetes</span><span class="p">.</span><span class="n">admission</span> <span class="n">deny</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">kind</span><span class="p">.</span><span class="n">kind</span> <span class="o">==</span> <span class="s2">"Deployment"</span> <span class="n">container</span> <span class="o">:=</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">object</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">template</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">containers</span><span class="p">[</span><span class="n">_</span><span class="p">]</span> <span class="ow">not</span> <span class="n">container</span><span class="p">.</span><span class="n">resources</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">memory</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"Container '%v' must have memory limits set"</span><span class="p">,</span> <span class="p">[</span><span class="n">container</span><span class="p">.</span><span class="n">name</span><span class="p">])</span> <span class="p">}</span> <span class="n">deny</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">kind</span><span class="p">.</span><span class="n">kind</span> <span class="o">==</span> <span class="s2">"Deployment"</span> <span class="n">container</span> <span class="o">:=</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">object</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">template</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">containers</span><span class="p">[</span><span class="n">_</span><span class="p">]</span> <span class="n">container</span><span class="p">.</span><span class="n">image</span> <span class="ow">not</span> <span class="n">contains</span><span class="p">(</span><span class="n">container</span><span class="p">.</span><span class="n">image</span><span class="p">,</span> <span class="s2">"@sha256:"</span><span class="p">)</span> <span class="ow">not</span> <span class="n">regex</span><span class="p">.</span><span class="n">match</span><span class="p">(</span><span class="s2">"^.*:[0-9]+\\.[0-9]+\\.[0-9]+$"</span><span class="p">,</span> <span class="n">container</span><span class="p">.</span><span class="n">image</span><span class="p">)</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"Container '%v' must use a specific version tag or digest, not :latest"</span><span class="p">,</span> <span class="p">[</span><span class="n">container</span><span class="p">.</span><span class="n">name</span><span class="p">])</span> <span class="p">}</span> <span class="n">deny</span><span class="p">[</span><span class="n">msg</span><span class="p">]</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">kind</span><span class="p">.</span><span class="n">kind</span> <span class="o">==</span> <span class="s2">"Deployment"</span> <span class="n">container</span> <span class="o">:=</span> <span class="n">input</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">object</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">template</span><span class="p">.</span><span class="n">spec</span><span class="p">.</span><span class="n">containers</span><span class="p">[</span><span class="n">_</span><span class="p">]</span> <span class="n">container</span><span class="p">.</span><span class="n">securityContext</span><span class="p">.</span><span class="n">privileged</span> <span class="o">==</span> <span class="kc">true</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span><span class="s2">"Container '%v' must not run in privileged mode"</span><span class="p">,</span> <span class="p">[</span><span class="n">container</span><span class="p">.</span><span class="n">name</span><span class="p">])</span> <span class="p">}</span> </code></pre> </div> <h3> Conftest for CI Integration </h3> <p>Use Conftest to run OPA policies against Kubernetes manifests, Terraform plans, and Dockerfiles in CI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test Kubernetes manifests</span> conftest <span class="nb">test </span>k8s/deployment.yaml <span class="nt">--policy</span> policy/ <span class="c"># Test Terraform plans</span> terraform plan <span class="nt">-out</span><span class="o">=</span>tfplan terraform show <span class="nt">-json</span> tfplan <span class="o">&gt;</span> tfplan.json conftest <span class="nb">test </span>tfplan.json <span class="nt">--policy</span> policy/terraform/ <span class="c"># Test Dockerfiles</span> conftest <span class="nb">test </span>Dockerfile <span class="nt">--policy</span> policy/docker/ </code></pre> </div> <h2> Putting It All Together </h2> <p>Here is a complete pipeline that ties all stages together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">DevSecOps Pipeline</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="c1"># Fast checks first (&lt; 2 minutes)</span> <span class="na">secrets-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">trufflesecurity/trufflehog@main</span> <span class="na">with</span><span class="pi">:</span> <span class="na">extra_args</span><span class="pi">:</span> <span class="s">--only-verified</span> <span class="na">sast</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker run --rm -v "${PWD}:/src" semgrep/semgrep \</span> <span class="s">semgrep scan --config auto --error /src</span> <span class="c1"># Medium checks (2-5 minutes)</span> <span class="na">dependency-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">scan-type</span><span class="pi">:</span> <span class="s">fs</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">HIGH,CRITICAL</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="m">1</span> <span class="na">iac-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">bridgecrewio/checkov-action@v12</span> <span class="na">with</span><span class="pi">:</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">terraform/</span> <span class="c1"># Build and container scan</span> <span class="na">build</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">secrets-scan</span><span class="pi">,</span> <span class="nv">sast</span><span class="pi">,</span> <span class="nv">dependency-scan</span><span class="pi">,</span> <span class="nv">iac-scan</span><span class="pi">]</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t app:${{ github.sha }} .</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">image-ref</span><span class="pi">:</span> <span class="s">app:${{ github.sha }}</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">HIGH,CRITICAL</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="m">1</span> <span class="c1"># Deploy to staging, then DAST</span> <span class="na">deploy-staging</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">if</span><span class="pi">:</span> <span class="s">github.ref == 'refs/heads/main'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">staging</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "Deploy to staging"</span> <span class="na">dast</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">deploy-staging</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">zaproxy/action-baseline@v0.12.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">target</span><span class="pi">:</span> <span class="s">https://staging.example.com</span> </code></pre> </div> <h2> Managing False Positives </h2> <p>Every security scanning tool produces false positives. If you do not manage them, your team will start ignoring security alerts entirely.</p> <p><strong>Create a baseline.</strong> On initial integration, capture existing findings as a baseline and only alert on new issues.</p> <p><strong>Use inline suppressions with justification.</strong> Every suppressed finding should include a reason:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># nosemgrep: python.lang.security.audit.insecure-hash.insecure-hash # Justification: MD5 used for non-security cache key, not for cryptographic purposes </span><span class="n">cache_key</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">md5</span><span class="p">(</span><span class="n">data</span><span class="p">).</span><span class="nf">hexdigest</span><span class="p">()</span> </code></pre> </div> <p><strong>Triage weekly.</strong> Assign someone to review and triage findings weekly. Close false positives, create tickets for real issues, and tune rules that produce too much noise.</p> <h2> Security Metrics That Matter </h2> <p>Tracking the right metrics tells you whether your DevSecOps pipeline is actually improving security or just generating noise.</p> <h3> Mean Time to Remediate (MTTR) </h3> <p>How long does it take from when a vulnerability is detected to when it is fixed in production? Track this by severity:</p> <ul> <li> <strong>Critical:</strong> Target under 24 hours</li> <li> <strong>High:</strong> Target under 7 days</li> <li> <strong>Medium:</strong> Target under 30 days</li> <li> <strong>Low:</strong> Target under 90 days</li> </ul> <h3> Vulnerability Escape Rate </h3> <p>What percentage of vulnerabilities make it past your CI/CD pipeline into production? This is your pipeline's effectiveness metric. Track it by comparing CI findings against production security scans and penetration test results.</p> <h3> Coverage Percentage </h3> <p>What percentage of your repositories have security scanning enabled? In most organizations, the answer is disturbingly low. Aim for 100% of production services covered by at minimum dependency scanning and SAST.</p> <h3> Fix Rate vs Find Rate </h3> <p>If you are finding vulnerabilities faster than you are fixing them, your backlog will grow indefinitely. This signals that your pipeline is too noisy (tune it) or your team needs more security training.</p> <h2> Getting Started: A Phased Approach </h2> <p>Do not try to implement everything at once. Here is a realistic rollout plan:</p> <p><strong>Week 1-2: Secrets scanning and dependency scanning.</strong> These have the highest signal-to-noise ratio and catch the most impactful issues. Enable Dependabot or Renovate for automated updates.</p> <p><strong>Week 3-4: SAST with Semgrep.</strong> Start with the default auto config. Do not write custom rules yet. Let the team get comfortable with the findings.</p> <p><strong>Month 2: Container image scanning.</strong> Add Trivy to your Docker build pipeline. Fix the critical and high findings, suppress the false positives with documentation.</p> <p><strong>Month 3: IaC scanning with Checkov.</strong> Scan your Terraform and Kubernetes manifests. This catches misconfigurations before they reach production.</p> <p><strong>Month 4+: DAST and policy-as-code.</strong> These require more setup and tuning but provide the deepest security coverage.</p> <h2> Need Help with Your DevOps? </h2> <p>Building a DevSecOps pipeline that catches real vulnerabilities without drowning your team in false positives takes careful tuning. At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we implement security-hardened CI/CD pipelines for startups and growing teams - baking security in from day one.</p> <p>Plans start at <strong>$2,999/mo</strong> for a dedicated fractional DevOps engineer.</p> <p><strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a></strong> to discuss your security posture.</p> devsecops security cicd devops AWS ECS vs EKS: A Practical Decision Framework for Startups InstaDevOps Wed, 15 Apr 2026 13:46:43 +0000 https://dev.to/instadevops/aws-ecs-vs-eks-a-practical-decision-framework-for-startups-3dgp https://dev.to/instadevops/aws-ecs-vs-eks-a-practical-decision-framework-for-startups-3dgp <h2> Introduction </h2> <p>You have containerized your application and now you need to run it in production on AWS. The two main options stare back at you from the AWS console: Elastic Container Service (ECS) and Elastic Kubernetes Service (EKS). Both are fully managed, both run containers, and both integrate deeply with the AWS ecosystem.</p> <p>So which one should you pick?</p> <p>The answer is not "EKS because Kubernetes is the industry standard" and it is not "ECS because it is simpler." The right choice depends on your team size, operational maturity, workload characteristics, and growth trajectory. This article gives you a practical framework for making this decision, with real cost numbers and migration considerations.</p> <h2> ECS: The AWS-Native Path </h2> <p>ECS is AWS's proprietary container orchestration service. It is deeply integrated with the AWS ecosystem and was purpose-built to make running containers on AWS as straightforward as possible.</p> <h3> ECS Architecture </h3> <p>ECS has two launch types:</p> <p><strong>EC2 Launch Type:</strong> You manage the underlying EC2 instances. ECS handles container placement and scheduling.</p> <p><strong>Fargate Launch Type:</strong> Serverless containers. AWS manages the infrastructure entirely. You just define CPU, memory, and your container image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"family"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"networkMode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awsvpc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requiresCompatibilities"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">],</span><span class="w"> </span><span class="nl">"cpu"</span><span class="p">:</span><span class="w"> </span><span class="s2">"512"</span><span class="p">,</span><span class="w"> </span><span class="nl">"memory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1024"</span><span class="p">,</span><span class="w"> </span><span class="nl">"containerDefinitions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"image"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123456789012.dkr.ecr.eu-west-1.amazonaws.com/my-api:latest"</span><span class="p">,</span><span class="w"> </span><span class="nl">"portMappings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"containerPort"</span><span class="p">:</span><span class="w"> </span><span class="mi">3000</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tcp"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"logConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"logDriver"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awslogs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"awslogs-group"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/ecs/my-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eu-west-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-stream-prefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ecs"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> ECS Strengths </h3> <p><strong>Zero Kubernetes knowledge required.</strong> Your team interacts with familiar AWS concepts: task definitions, services, target groups, IAM roles. There is no <code>kubectl</code>, no YAML manifests with 15 indentation levels, no CRDs.</p> <p><strong>Deep AWS integration.</strong> ECS natively integrates with ALB/NLB, CloudWatch, IAM task roles, Secrets Manager, Parameter Store, App Mesh, and CloudMap for service discovery. These integrations work out of the box with minimal configuration.</p> <p><strong>Lower operational overhead.</strong> Especially with Fargate, there are no nodes to patch, no cluster upgrades to manage, no etcd to worry about. AWS handles all of it.</p> <p><strong>Simpler networking.</strong> The <code>awsvpc</code> network mode gives each task its own ENI and security group. No overlay networks, no kube-proxy, no CNI plugin decisions.</p> <h3> ECS Limitations </h3> <ul> <li>Vendor lock-in to AWS</li> <li>Smaller community and ecosystem compared to Kubernetes</li> <li>Limited scheduling customization</li> <li>No equivalent to Kubernetes operators or CRDs for extending the platform</li> <li>Fewer third-party tools (no Helm, no ArgoCD, no Istio)</li> </ul> <h2> EKS: The Kubernetes Path </h2> <p>EKS is AWS's managed Kubernetes service. AWS manages the control plane (API server, etcd, scheduler), and you manage the worker nodes or use Fargate for serverless pods.</p> <h3> EKS Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Sample Kubernetes deployment</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api</span> <span class="na">image</span><span class="pi">:</span> <span class="s">123456789012.dkr.ecr.eu-west-1.amazonaws.com/my-api:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">250m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">512Mi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/ready</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">my-api</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">3000</span> </code></pre> </div> <h3> EKS Strengths </h3> <p><strong>Portability.</strong> Kubernetes manifests work on any cloud provider or on-premises cluster. If multi-cloud or hybrid-cloud is in your future, EKS keeps your options open.</p> <p><strong>Rich ecosystem.</strong> Helm charts, ArgoCD for GitOps, Istio or Linkerd for service mesh, Prometheus and Grafana for monitoring, cert-manager for TLS, external-dns for DNS automation. The Kubernetes ecosystem is enormous.</p> <p><strong>Advanced scheduling.</strong> Node affinities, taints and tolerations, pod topology spread constraints, priority classes, and preemption give you fine-grained control over workload placement.</p> <p><strong>Extensibility.</strong> Custom Resource Definitions and operators let you extend Kubernetes to manage databases, message queues, ML pipelines, and virtually anything else as native Kubernetes resources.</p> <h3> EKS Limitations </h3> <ul> <li>$0.10/hour ($73/month) control plane cost before any compute</li> <li>Steep learning curve (expect 3-6 months for a team new to Kubernetes)</li> <li>Cluster upgrades require planning and testing (new version every 4 months)</li> <li>More moving parts: CNI plugins, ingress controllers, cluster autoscaler, DNS</li> <li>Significantly higher operational burden</li> </ul> <h2> Cost Comparison </h2> <p>Let us compare the cost of running a typical startup workload: 3 services, each running 2 replicas with 0.5 vCPU and 1 GB RAM.</p> <h3> ECS Fargate </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Per task: 0.5 vCPU + 1 GB RAM Fargate pricing (eu-west-1): vCPU: $0.04048/hour Memory: $0.004445/GB/hour Per task/hour: (0.5 * $0.04048) + (1 * $0.004445) = $0.02469 6 tasks total: $0.02469 * 6 = $0.14814/hour Monthly: $0.14814 * 730 = $108.14/month </code></pre> </div> <h3> ECS EC2 (with Reserved Instances) </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>2x t3.medium (2 vCPU, 4 GB) with 1-year RI: On-demand: $0.0416/hour each 1-year RI (no upfront): $0.027/hour each Monthly: 2 * $0.027 * 730 = $39.42/month </code></pre> </div> <h3> EKS with Managed Node Group </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>EKS control plane: $0.10/hour = $73/month 2x t3.medium nodes (same as ECS EC2): 1-year RI: 2 * $0.027 * 730 = $39.42/month Monthly total: $73 + $39.42 = $112.42/month </code></pre> </div> <h3> EKS Fargate </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>EKS control plane: $73/month Fargate pods (same as ECS Fargate): $108.14/month Plus CoreDNS pods on Fargate: ~$15/month Monthly total: $73 + $108.14 + $15 = $196.14/month </code></pre> </div> <p>At small scale, ECS on EC2 is the cheapest option by far. EKS adds a fixed $73/month control plane cost that only becomes negligible at larger scales.</p> <h2> The Decision Framework </h2> <h3> Choose ECS When </h3> <p><strong>Your team is small (under 10 engineers).</strong> The operational overhead of Kubernetes is not justified when a few people can manage ECS with part-time attention.</p> <p><strong>You are all-in on AWS.</strong> If you have no plans for multi-cloud and are already using ALB, CloudWatch, and IAM extensively, ECS slots in naturally.</p> <p><strong>You want Fargate's simplicity.</strong> ECS Fargate is the easiest path from container image to running workload. No nodes, no cluster management, no upgrades.</p> <p><strong>Your workloads are straightforward.</strong> Web APIs, background workers, and scheduled tasks that do not need advanced scheduling or custom operators.</p> <p><strong>You need to ship fast.</strong> A team new to containers can have ECS running in production within a week. Kubernetes takes months to operate confidently.</p> <h3> Choose EKS When </h3> <p><strong>Multi-cloud or hybrid is a real requirement.</strong> Not a hypothetical future possibility, but an actual business constraint.</p> <p><strong>You have Kubernetes experience on the team.</strong> If your engineers already know Kubernetes, EKS employs that knowledge. Forcing Kubernetes-experienced engineers to learn ECS is a lateral move with no payoff.</p> <p><strong>You need the ecosystem.</strong> If your architecture requires service mesh, GitOps (ArgoCD), advanced traffic management, or custom operators, the Kubernetes ecosystem is unmatched.</p> <p><strong>You are running 20+ services.</strong> At scale, Kubernetes' sophisticated scheduling, resource management, and namespace isolation become genuine advantages.</p> <p><strong>You are building a platform team.</strong> If part of your strategy is building an internal developer platform, Kubernetes provides the extensibility to build abstractions on top.</p> <h2> Migration Paths </h2> <h3> ECS to EKS </h3> <p>If you outgrow ECS, migration is manageable:</p> <ol> <li>Set up EKS cluster alongside existing ECS</li> <li>Convert task definitions to Kubernetes deployments (the container config is similar)</li> <li>Use AWS ALB Ingress Controller to maintain the same load balancer</li> <li>Migrate services one at a time, shifting traffic gradually</li> <li>Decommission ECS services after verification</li> </ol> <h3> EKS to ECS </h3> <p>Rarer, but it happens when teams realize they over-invested in Kubernetes:</p> <ol> <li>Convert Kubernetes deployments to ECS task definitions</li> <li>Replace Kubernetes services with ECS services + ALB target groups</li> <li>Replace Helm/ArgoCD with AWS CodePipeline or similar</li> <li>Migrate ConfigMaps/Secrets to AWS Parameter Store/Secrets Manager</li> </ol> <h2> A Pragmatic Recommendation </h2> <p>For most startups and SMBs running fewer than 15 services on AWS, <strong>start with ECS</strong>. Here is why:</p> <ol> <li>You avoid 3-6 months of Kubernetes learning curve</li> <li>You save $73/month in control plane costs (trivial individually, but symbolic of broader overhead)</li> <li>You eliminate cluster upgrade maintenance windows</li> <li>Your engineers focus on product features instead of infrastructure plumbing</li> <li>If you outgrow ECS, the migration to EKS is well-understood</li> </ol> <p>The exception: if you already have a team member who is deeply experienced with Kubernetes and can own the cluster operations, EKS is fine from day one.</p> <h2> Operational Overhead: What Nobody Tells You </h2> <p>The cost comparison above only covers compute. The real difference between ECS and EKS is operational overhead - the time your engineers spend managing the orchestration platform itself rather than building product features.</p> <h3> ECS Day-2 Operations </h3> <p>With ECS (especially Fargate), your ongoing operational tasks are minimal:</p> <ul> <li> <strong>Task definition updates</strong> when you change container config (straightforward JSON/Terraform changes)</li> <li> <strong>Service scaling policies</strong> adjustments based on traffic patterns</li> <li> <strong>ALB health check tuning</strong> to match your application's startup time</li> <li> <strong>Security group and IAM role updates</strong> as your network requirements change</li> </ul> <p>Most of this is standard AWS work that any cloud engineer can handle.</p> <h3> EKS Day-2 Operations </h3> <p>EKS adds a significant layer of Kubernetes-specific operational work:</p> <ul> <li> <strong>Cluster version upgrades</strong> every 4 months (Kubernetes drops support for old versions aggressively). Each upgrade requires testing all workloads, updating add-ons, and often updating manifests for deprecated APIs.</li> <li> <strong>Add-on management</strong>: CoreDNS, kube-proxy, VPC CNI, cluster autoscaler, ingress controller, cert-manager, external-dns - each has its own version matrix and upgrade path.</li> <li> <strong>Node group rotation</strong> when you change AMIs or instance types. Cordon, drain, replace.</li> <li> <strong>RBAC policy management</strong> as teams and services grow.</li> <li> <strong>etcd monitoring</strong> for the control plane (managed by AWS, but you still need to understand its implications for API server performance).</li> <li> <strong>Debugging Kubernetes networking</strong> when services cannot reach each other (is it a NetworkPolicy? A CNI issue? A security group? A missing service account?).</li> </ul> <p>A reasonable estimate: EKS adds 10-20 hours per month of platform engineering work compared to ECS. At a senior engineer's loaded cost, that is $3,000-6,000/month in operational overhead that does not show up on your AWS bill.</p> <h2> Real-World Scenarios </h2> <h3> Scenario 1: 4-Person Startup, 2 Services </h3> <p><strong>Choose ECS Fargate.</strong> You do not have the engineering bandwidth to learn and operate Kubernetes. ECS Fargate lets you deploy containers in an afternoon and forget about infrastructure management for the next 12 months.</p> <h3> Scenario 2: 25-Person Scale-Up, 12 Services, AWS Only </h3> <p><strong>Choose ECS EC2.</strong> You are big enough that Fargate costs add up, but your services are straightforward enough that Kubernetes' advanced features are not needed. ECS on EC2 with Reserved Instances gives you the best cost efficiency.</p> <h3> Scenario 3: 50-Person Company, 30 Services, Multi-Cloud Mandate </h3> <p><strong>Choose EKS.</strong> At this scale, you likely have or can hire a dedicated platform engineer. Kubernetes' portability and ecosystem justify the operational investment, and you will benefit from tools like ArgoCD, Istio, and custom operators.</p> <h3> Scenario 4: Regulated Industry, Compliance Requirements </h3> <p><strong>EKS edges ahead.</strong> Kubernetes' namespace isolation, network policies, pod security standards, and OPA Gatekeeper provide a richer set of compliance controls. Combined with tools like Falco for runtime security, you can build a compliance story that auditors understand and respect.</p> <h2> Need Help with Your DevOps? </h2> <p>Choosing the right container orchestration platform is just the first decision. At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we help startups set up production-grade container infrastructure on AWS - whether that is ECS, EKS, or a migration between the two.</p> <p>Plans start at <strong>$2,999/mo</strong> for a dedicated fractional DevOps engineer.</p> <p><strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a></strong> to discuss your container strategy.</p> aws ecs eks kubernetes Advanced GitHub Actions: Matrix Builds, Reusable Workflows, and Self-Hosted Runners InstaDevOps Tue, 14 Apr 2026 13:46:40 +0000 https://dev.to/instadevops/advanced-github-actions-matrix-builds-reusable-workflows-and-self-hosted-runners-h07 https://dev.to/instadevops/advanced-github-actions-matrix-builds-reusable-workflows-and-self-hosted-runners-h07 <h2> Introduction </h2> <p>GitHub Actions has matured from a simple CI tool into a full-featured automation platform. Most teams start with a basic build-and-test workflow, but GitHub Actions offers far more powerful patterns that can dramatically reduce pipeline duplication, speed up builds, and cut CI costs.</p> <p>This article covers advanced patterns that separate hobby-level GitHub Actions usage from production-grade CI/CD: matrix builds for testing across multiple environments, reusable workflows for eliminating duplication, self-hosted runners for cost and performance, and secrets management strategies that keep your pipelines secure.</p> <p>If you are already comfortable writing basic GitHub Actions workflows, this guide will take you to the next level.</p> <h2> Matrix Builds: Test Everything in Parallel </h2> <p>Matrix builds let you run the same job across multiple combinations of variables - OS versions, language versions, dependency versions - without duplicating workflow code.</p> <h3> Basic Matrix Strategy </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">18</span><span class="pi">,</span> <span class="nv">20</span><span class="pi">,</span> <span class="nv">22</span><span class="pi">]</span> <span class="na">os</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">ubuntu-latest</span><span class="pi">,</span> <span class="nv">macos-latest</span><span class="pi">]</span> <span class="na">fail-fast</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">${{ matrix.node-version }}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> </code></pre> </div> <p>Setting <code>fail-fast: false</code> ensures all matrix combinations run to completion even if one fails. This is critical for understanding the full scope of compatibility issues.</p> <h3> Dynamic Matrix Generation </h3> <p>For more complex scenarios, generate the matrix dynamically from a previous job:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">detect-services</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">services</span><span class="pi">:</span> <span class="s">${{ steps.find.outputs.services }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">find</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Find all directories with a Dockerfile</span> <span class="s">SERVICES=$(find services/ -name Dockerfile -exec dirname {} \; | jq -R -s -c 'split("\n")[:-1]')</span> <span class="s">echo "services=$SERVICES" &gt;&gt; $GITHUB_OUTPUT</span> <span class="na">build</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">detect-services</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="s">${{ fromJson(needs.detect-services.outputs.services) }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t ${{ matrix.service }}:latest ${{ matrix.service }}</span> </code></pre> </div> <p>This pattern is invaluable for monorepos: only build and test services that have changed, and automatically pick up new services without modifying the workflow.</p> <h3> Matrix Include and Exclude </h3> <p>Fine-tune your matrix with include and exclude rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">os</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">ubuntu-latest</span><span class="pi">,</span> <span class="nv">windows-latest</span><span class="pi">]</span> <span class="na">node</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">18</span><span class="pi">,</span> <span class="nv">20</span><span class="pi">]</span> <span class="na">include</span><span class="pi">:</span> <span class="c1"># Add an experimental Node 22 build on Ubuntu only</span> <span class="pi">-</span> <span class="na">os</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">node</span><span class="pi">:</span> <span class="m">22</span> <span class="na">experimental</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">exclude</span><span class="pi">:</span> <span class="c1"># Skip Node 18 on Windows (known incompatibility)</span> <span class="pi">-</span> <span class="na">os</span><span class="pi">:</span> <span class="s">windows-latest</span> <span class="na">node</span><span class="pi">:</span> <span class="m">18</span> </code></pre> </div> <h2> Reusable Workflows: Eliminate Duplication </h2> <p>If you have 10 microservices with nearly identical CI workflows, reusable workflows let you define the pipeline once and call it from each repository.</p> <h3> Creating a Reusable Workflow </h3> <p>Define a workflow with <code>workflow_call</code> trigger in a shared repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/build-and-deploy.yml in org/shared-workflows repo</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and Deploy Service</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_call</span><span class="pi">:</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">service-name</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">dockerfile-path</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">./Dockerfile'</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">secrets</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ECR_REGISTRY</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to ECR</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v2</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push image</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">IMAGE="${{ secrets.ECR_REGISTRY }}/${{ inputs.service-name }}:${{ github.sha }}"</span> <span class="s">docker build -f ${{ inputs.dockerfile-path }} -t $IMAGE .</span> <span class="s">docker push $IMAGE</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">${{ inputs.environment }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to ECS</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ecs update-service \</span> <span class="s">--cluster ${{ inputs.environment }}-cluster \</span> <span class="s">--service ${{ inputs.service-name }} \</span> <span class="s">--force-new-deployment</span> </code></pre> </div> <h3> Calling a Reusable Workflow </h3> <p>Each service repository calls the shared workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/ci.yml in service repo</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CI/CD</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy-staging</span><span class="pi">:</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">org/shared-workflows/.github/workflows/build-and-deploy.yml@v2.1.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">service-name</span><span class="pi">:</span> <span class="s">payment-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">staging</span> <span class="na">secrets</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">ECR_REGISTRY</span><span class="pi">:</span> <span class="s">${{ secrets.ECR_REGISTRY }}</span> <span class="na">deploy-production</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">deploy-staging</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">org/shared-workflows/.github/workflows/build-and-deploy.yml@v2.1.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">service-name</span><span class="pi">:</span> <span class="s">payment-api</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">secrets</span><span class="pi">:</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">ECR_REGISTRY</span><span class="pi">:</span> <span class="s">${{ secrets.ECR_REGISTRY }}</span> </code></pre> </div> <p>Pin the reusable workflow to a specific tag (<code>@v2.1.0</code>) so that upstream changes do not break your pipelines unexpectedly.</p> <h2> Self-Hosted Runners: Performance and Cost Control </h2> <p>GitHub-hosted runners are convenient but come with limitations: fixed hardware specs, cold start times, no persistent caches, and costs that scale linearly with usage. Self-hosted runners solve these problems.</p> <h3> When Self-Hosted Runners Make Sense </h3> <ul> <li> <strong>Large Docker builds</strong> that benefit from persistent layer caches</li> <li> <strong>GPU workloads</strong> for ML model training or testing</li> <li> <strong>Network-restricted environments</strong> where jobs need access to internal resources</li> <li> <strong>High CI volume</strong> where GitHub-hosted runner costs exceed $1,000/month</li> <li> <strong>Specialized hardware</strong> requirements</li> </ul> <h3> Setting Up Ephemeral Self-Hosted Runners on AWS </h3> <p>Use the <code>actions-runner-controller</code> (ARC) to autoscale runners on Kubernetes, or use EC2 with a simpler setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Terraform for self-hosted runner ASG</span> <span class="s">resource "aws_launch_template" "runner" {</span> <span class="s">name_prefix = "github-runner-"</span> <span class="s">image_id = data.aws_ami.ubuntu.id</span> <span class="s">instance_type = "c6i.2xlarge"</span> <span class="s">user_data = base64encode(templatefile("runner-init.sh", {</span> <span class="s">github_org = var.github_org</span> <span class="s">runner_token = var.runner_registration_token</span> <span class="s">runner_labels = "self-hosted,linux,x64,large"</span> <span class="s">}))</span> <span class="s">block_device_mappings {</span> <span class="s">device_name = "/dev/sda1"</span> <span class="s">ebs {</span> <span class="s">volume_size = </span><span class="m">100</span> <span class="s">volume_type = "gp3"</span> <span class="s">}</span> <span class="s">}</span> <span class="err">}</span> <span class="s">resource "aws_autoscaling_group" "runners" {</span> <span class="s">desired_capacity = </span><span class="m">2</span> <span class="s">max_size = </span><span class="m">10</span> <span class="s">min_size = </span><span class="m">0</span> <span class="s">launch_template {</span> <span class="s">id = aws_launch_template.runner.id</span> <span class="s">version = "$Latest"</span> <span class="s">}</span> <span class="s">tag {</span> <span class="s">key = "Purpose"</span> <span class="s">value = "github-actions-runner"</span> <span class="s">propagate_at_launch = </span><span class="kc">true</span> <span class="s">}</span> <span class="err">}</span> </code></pre> </div> <h3> Using Runner Labels for Job Routing </h3> <p>Target specific runners using labels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">unit-tests</span><span class="pi">:</span> <span class="c1"># Fast tests on GitHub-hosted runners</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test</span> <span class="na">docker-build</span><span class="pi">:</span> <span class="c1"># Heavy builds on self-hosted with Docker cache</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">self-hosted</span><span class="pi">,</span> <span class="nv">linux</span><span class="pi">,</span> <span class="nv">large</span><span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t myapp:latest .</span> <span class="na">gpu-tests</span><span class="pi">:</span> <span class="c1"># ML tests on GPU runners</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">self-hosted</span><span class="pi">,</span> <span class="nv">gpu</span><span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">python -m pytest tests/ml/</span> </code></pre> </div> <h2> Secrets Management Patterns </h2> <p>Secrets handling in CI/CD is a top security concern. GitHub Actions provides several mechanisms, but you need to layer them correctly.</p> <h3> Environment-Scoped Secrets </h3> <p>Use GitHub environments to scope secrets to specific deployment targets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="c1"># Only secrets defined in "production" environment are available</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">env</span><span class="pi">:</span> <span class="na">DB_PASSWORD</span><span class="pi">:</span> <span class="s">${{ secrets.DB_PASSWORD }}</span> <span class="c1"># Production-specific secret</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./deploy.sh</span> </code></pre> </div> <p>Configure required reviewers on the production environment so deployments require manual approval.</p> <h3> OIDC Authentication (No Long-Lived Keys) </h3> <p>Eliminate static AWS credentials entirely using OpenID Connect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">arn:aws:iam::123456789012:role/GitHubActionsRole</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="c1"># No access key or secret needed - uses OIDC token exchange</span> </code></pre> </div> <p>The IAM role trust policy restricts which repositories and branches can assume it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"token.actions.githubusercontent.com:aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"StringLike"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"token.actions.githubusercontent.com:sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"repo:yourorg/yourrepo:ref:refs/heads/main"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Secrets Scanning and Rotation </h3> <p>Add a workflow that scans for accidentally committed secrets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">secrets-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">trufflesecurity/trufflehog@main</span> <span class="na">with</span><span class="pi">:</span> <span class="na">extra_args</span><span class="pi">:</span> <span class="s">--only-verified</span> </code></pre> </div> <h2> Caching Strategies for Faster Builds </h2> <p>Effective caching can cut build times by 50-80%.</p> <h3> Dependency Caching </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">~/.npm</span> <span class="s">node_modules</span> <span class="na">key</span><span class="pi">:</span> <span class="s">deps-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}</span> <span class="na">restore-keys</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">deps-${{ runner.os }}-</span> </code></pre> </div> <h3> Docker Layer Caching </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">push</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">myapp:latest</span> <span class="na">cache-from</span><span class="pi">:</span> <span class="s">type=gha</span> <span class="na">cache-to</span><span class="pi">:</span> <span class="s">type=gha,mode=max</span> </code></pre> </div> <h3> Artifact Passing Between Jobs </h3> <p>Use artifacts to pass build outputs between jobs without rebuilding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">build-output</span> <span class="na">path</span><span class="pi">:</span> <span class="s">dist/</span> <span class="na">retention-days</span><span class="pi">:</span> <span class="m">1</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/download-artifact@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">build-output</span> <span class="na">path</span><span class="pi">:</span> <span class="s">dist/</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">./deploy.sh dist/</span> </code></pre> </div> <h2> Workflow Organization at Scale </h2> <h3> Path-Based Triggers </h3> <p>Only run workflows when relevant files change:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">services/payment-api/**'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">.github/workflows/payment-api.yml'</span> </code></pre> </div> <h3> Concurrency Control </h3> <p>Prevent redundant workflow runs when commits are pushed rapidly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">concurrency</span><span class="pi">:</span> <span class="na">group</span><span class="pi">:</span> <span class="s">deploy-${{ github.ref }}</span> <span class="na">cancel-in-progress</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>This cancels the previous run when a new commit is pushed to the same branch, saving runner minutes.</p> <h3> Composite Actions for Shared Steps </h3> <p>When full reusable workflows are overkill, composite actions bundle common steps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/actions/setup-project/action.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Project</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Install dependencies and configure environment</span> <span class="na">inputs</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="na">required</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">default</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">runs</span><span class="pi">:</span> <span class="na">using</span><span class="pi">:</span> <span class="s">composite</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s">${{ inputs.node-version }}</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">node_modules</span> <span class="na">key</span><span class="pi">:</span> <span class="s">deps-${{ hashFiles('package-lock.json') }}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> </code></pre> </div> <p>Use it in any workflow with a single line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">./.github/actions/setup-project</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> </code></pre> </div> <h2> Monitoring and Debugging Workflows </h2> <p>When workflows fail in production, you need fast diagnosis. GitHub provides several tools for this.</p> <h3> Step-Level Timing Analysis </h3> <p>Every workflow run shows timing per step. If your pipeline is slow, look for steps that take disproportionate time. Common culprits:</p> <ul> <li> <strong>Checkout with full history</strong> (<code>fetch-depth: 0</code>) on large repos - use shallow clones unless you need full history</li> <li> <strong>Docker builds without caching</strong> - always use BuildKit cache with <code>cache-from</code> and <code>cache-to</code> </li> <li> <strong>NPM/pip installs without cache</strong> - dependency caching alone can save 30-60 seconds per run</li> </ul> <h3> Workflow Run Logs and Annotations </h3> <p>Use <code>::warning</code> and <code>::error</code> workflow commands to surface issues directly in PR annotations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check bundle size</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">SIZE=$(stat -f%z dist/bundle.js)</span> <span class="s">if [ "$SIZE" -gt 500000 ]; then</span> <span class="s">echo "::warning file=dist/bundle.js::Bundle size is ${SIZE} bytes (over 500KB limit)"</span> <span class="s">fi</span> </code></pre> </div> <h3> Reusable Debug Workflow </h3> <p>Create a debug composite action that dumps useful context when things go wrong:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Debug info</span> <span class="na">if</span><span class="pi">:</span> <span class="s">failure()</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "## Environment" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "- Runner: ${{ runner.os }} ${{ runner.arch }}" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "- Node: $(node --version)" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "- Disk: $(df -h / | tail -1)" &gt;&gt; $GITHUB_STEP_SUMMARY</span> <span class="s">echo "- Memory: $(free -h 2&gt;/dev/null || vm_stat)" &gt;&gt; $GITHUB_STEP_SUMMARY</span> </code></pre> </div> <h2> Common Pitfalls to Avoid </h2> <p><strong>Not pinning action versions.</strong> Using <code>actions/checkout@main</code> means your workflow can break without any change on your side. Always pin to a specific version tag or commit SHA for third-party actions.</p> <p><strong>Leaking secrets in logs.</strong> GitHub automatically masks secrets in logs, but derived values (like a URL containing a token) are not masked. Use <code>::add-mask::</code> for any sensitive derived values.</p> <p><strong>Ignoring workflow permissions.</strong> The default <code>GITHUB_TOKEN</code> has broad permissions. Use the <code>permissions</code> key to restrict to only what each job needs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">pull-requests</span><span class="pi">:</span> <span class="s">write</span> </code></pre> </div> <p><strong>Running everything on push and pull_request.</strong> This causes duplicate runs. Use <code>push</code> for deploys (main branch only) and <code>pull_request</code> for checks.</p> <p><strong>Not using job summaries.</strong> The <code>$GITHUB_STEP_SUMMARY</code> file lets you write rich Markdown summaries that appear in the workflow run UI - much better than scrolling through raw logs.</p> <h2> Need Help with Your DevOps? </h2> <p>Setting up production-grade CI/CD pipelines with proper security, caching, and scaling takes real-world experience. At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we build and maintain CI/CD infrastructure for startups and growing teams so your developers can focus on shipping features.</p> <p>Plans start at <strong>$2,999/mo</strong> for a dedicated fractional DevOps engineer.</p> <p><strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a></strong> to optimize your GitHub Actions workflows.</p> github cicd devops automation Terraform Modules Done Right: Mono-Repo, Versioning, and Registry Patterns InstaDevOps Mon, 13 Apr 2026 13:46:36 +0000 https://dev.to/instadevops/terraform-modules-done-right-mono-repo-versioning-and-registry-patterns-34g6 https://dev.to/instadevops/terraform-modules-done-right-mono-repo-versioning-and-registry-patterns-34g6 <h2> Introduction </h2> <p>As your Terraform codebase grows beyond a handful of resources, you inevitably face a structural decision: how do you organize reusable infrastructure components so that multiple teams can collaborate without stepping on each other's toes?</p> <p>The answer is Terraform modules. But writing a module is easy - organizing, versioning, and distributing them at scale is where most teams struggle. Poorly structured modules lead to copy-paste drift, version conflicts, and infrastructure that nobody fully understands.</p> <p>In this guide, we will walk through battle-tested patterns for organizing Terraform modules, choosing between mono-repo and multi-repo strategies, leveraging module registries, and implementing versioning that actually works in production.</p> <h2> What Makes a Good Terraform Module </h2> <p>Before discussing organization, let us establish what a well-designed module looks like. A good Terraform module follows these principles:</p> <p><strong>Single responsibility.</strong> Each module should manage one logical piece of infrastructure. A VPC module should not also create RDS instances.</p> <p><strong>Sensible defaults with full override capability.</strong> Provide defaults that work for 80% of use cases, but allow every significant parameter to be overridden:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EC2 instance type for the application servers"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"enable_enhanced_monitoring"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Enable enhanced monitoring with 60-second granularity"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"tags"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Additional tags to apply to all resources"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Clear input/output contracts.</strong> Every variable should have a description, type constraint, and validation where appropriate. Every output that downstream consumers need should be explicitly exported:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"vpc_cidr"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR block for the VPC"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrhost</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Must be a valid CIDR block."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ID of the created VPC"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"private_subnet_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of private subnet IDs"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span><span class="p">[*].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p><strong>Minimal provider assumptions.</strong> Do not hardcode provider configurations inside modules. Let the caller configure the provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Bad - hardcoded provider in module</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="c1"># Good - module relies on caller's provider configuration</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"&gt;= 5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Mono-Repo vs Multi-Repo: Choosing the Right Strategy </h2> <p>This is the most debated structural decision in Terraform module management. Both approaches have legitimate trade-offs.</p> <h3> Mono-Repo Pattern </h3> <p>All modules live in a single repository with a directory structure like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-modules/ ├── modules/ │ ├── vpc/ │ │ ├── main.tf │ │ ├── variables.tf │ │ ├── outputs.tf │ │ └── README.md │ ├── ecs-service/ │ │ ├── main.tf │ │ ├── variables.tf │ │ ├── outputs.tf │ │ └── README.md │ ├── rds-postgres/ │ │ ├── main.tf │ │ ├── variables.tf │ │ ├── outputs.tf │ │ └── README.md │ └── s3-bucket/ │ ├── main.tf │ ├── variables.tf │ ├── outputs.tf │ └── README.md ├── examples/ │ ├── complete-vpc/ │ └── ecs-with-rds/ ├── tests/ │ ├── vpc_test.go │ └── ecs_test.go └── .github/ └── workflows/ └── test.yml </code></pre> </div> <p><strong>Advantages:</strong></p> <ul> <li>Atomic cross-module changes in a single PR</li> <li>Unified CI/CD pipeline for testing</li> <li>Easier to maintain consistency across modules</li> <li>Simpler onboarding for new team members</li> <li>One place to search for all infrastructure patterns</li> </ul> <p><strong>Disadvantages:</strong></p> <ul> <li>Git tags version the entire repo, not individual modules</li> <li>Large repos can slow down CI runs</li> <li>Permission boundaries are harder (everyone can see everything)</li> </ul> <p><strong>When to use:</strong> Teams under 20 engineers, organizations with fewer than 30 modules, or when most modules are tightly coupled.</p> <h3> Multi-Repo Pattern </h3> <p>Each module gets its own repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-module-vpc/ (v2.3.1) terraform-module-ecs-service/ (v1.8.0) terraform-module-rds-postgres/ (v3.1.0) terraform-module-s3-bucket/ (v1.2.4) </code></pre> </div> <p><strong>Advantages:</strong></p> <ul> <li>Independent versioning per module using Git tags</li> <li>Fine-grained access control per repository</li> <li>Smaller, focused CI/CD pipelines</li> <li>Clear ownership boundaries</li> </ul> <p><strong>Disadvantages:</strong></p> <ul> <li>Cross-module changes require multiple PRs</li> <li>Dependency management becomes complex</li> <li>More repositories to maintain</li> <li>Harder to ensure consistency</li> </ul> <p><strong>When to use:</strong> Organizations with 50+ modules, multiple platform teams owning different modules, or strict compliance requirements needing audit trails per component.</p> <h3> The Hybrid Approach </h3> <p>Many mature organizations use a hybrid: a mono-repo for foundational modules maintained by the platform team, with separate repos for domain-specific modules owned by product teams:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>platform-terraform-modules/ # Platform team owns VPC, IAM, networking ├── modules/vpc/ ├── modules/iam-roles/ └── modules/cloudfront/ team-payments-terraform/ # Payments team owns their service modules ├── modules/payment-service/ └── modules/fraud-detection/ </code></pre> </div> <h2> Module Versioning Strategies </h2> <p>Versioning is where most Terraform setups break down. Without proper versioning, a module change can silently break every environment that references it.</p> <h3> Semantic Versioning </h3> <p>Follow semver strictly for modules:</p> <ul> <li> <strong>MAJOR</strong> (v2.0.0): Breaking changes (removed variables, renamed resources that force replacement)</li> <li> <strong>MINOR</strong> (v1.3.0): New features, new optional variables with defaults</li> <li> <strong>PATCH</strong> (v1.2.1): Bug fixes, documentation updates</li> </ul> <h3> Pinning Module Versions </h3> <p>Always pin module versions in your root configurations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Good - pinned to exact version</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git::https://github.com/yourorg/terraform-modules.git//modules/vpc?ref=v2.3.1"</span> <span class="p">}</span> <span class="c1"># Acceptable - pinned to minor version range</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"app.terraform.io/yourorg/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.3"</span> <span class="p">}</span> <span class="c1"># Bad - no version pin, uses latest</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git::https://github.com/yourorg/terraform-modules.git//modules/vpc"</span> <span class="p">}</span> </code></pre> </div> <h3> Automated Version Bumping </h3> <p>Use a CI workflow that automatically creates releases when module directories change:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/release.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Release Modules</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">detect-changes</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">changed_modules</span><span class="pi">:</span> <span class="s">${{ steps.changes.outputs.modules }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">changes</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">CHANGED=$(git diff --name-only HEAD~1 HEAD | grep '^modules/' | cut -d'/' -f2 | sort -u | jq -R -s -c 'split("\n")[:-1]')</span> <span class="s">echo "modules=$CHANGED" &gt;&gt; $GITHUB_OUTPUT</span> <span class="na">release</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">detect-changes</span> <span class="na">if</span><span class="pi">:</span> <span class="s">needs.detect-changes.outputs.changed_modules != '[]'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">module</span><span class="pi">:</span> <span class="s">${{ fromJson(needs.detect-changes.outputs.changed_modules) }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Determine version bump</span> <span class="na">id</span><span class="pi">:</span> <span class="s">version</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">CURRENT=$(git tag -l "modules/${{ matrix.module }}/v*" | sort -V | tail -1)</span> <span class="s"># Parse commit messages for bump type</span> <span class="s">if git log --oneline HEAD~1..HEAD | grep -q "BREAKING"; then</span> <span class="s">BUMP="major"</span> <span class="s">elif git log --oneline HEAD~1..HEAD | grep -q "feat"; then</span> <span class="s">BUMP="minor"</span> <span class="s">else</span> <span class="s">BUMP="patch"</span> <span class="s">fi</span> <span class="s">echo "bump=$BUMP" &gt;&gt; $GITHUB_OUTPUT</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create release tag</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Bump version and create tag</span> <span class="s">git tag "modules/${{ matrix.module }}/v${NEW_VERSION}"</span> <span class="s">git push --tags</span> </code></pre> </div> <h2> Using a Private Module Registry </h2> <p>A module registry provides a discoverable, versioned catalog of your organization's modules. You have several options.</p> <h3> Terraform Cloud / HCP Terraform Registry </h3> <p>The simplest option if you are already using Terraform Cloud:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"app.terraform.io/yourorg/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"2.3.1"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> </code></pre> </div> <p>Publishing is automatic when you connect your VCS repository to the registry.</p> <h3> Self-Hosted with Artifactory or S3 </h3> <p>For air-gapped or highly regulated environments, you can host modules on S3:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"s3::https://my-terraform-modules.s3.amazonaws.com/vpc/v2.3.1.zip"</span> <span class="p">}</span> </code></pre> </div> <p>Pair this with a CI pipeline that packages and uploads module archives on release:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nv">MODULE</span><span class="o">=</span><span class="nv">$1</span> <span class="nv">VERSION</span><span class="o">=</span><span class="nv">$2</span> <span class="nb">cd </span>modules/<span class="nv">$MODULE</span> zip <span class="nt">-r</span> <span class="s2">"/tmp/</span><span class="k">${</span><span class="nv">MODULE</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span><span class="s2">.zip"</span> <span class="nb">.</span> aws s3 <span class="nb">cp</span> <span class="s2">"/tmp/</span><span class="k">${</span><span class="nv">MODULE</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span><span class="s2">.zip"</span> <span class="se">\</span> <span class="s2">"s3://my-terraform-modules/</span><span class="k">${</span><span class="nv">MODULE</span><span class="k">}</span><span class="s2">/</span><span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span><span class="s2">.zip"</span> </code></pre> </div> <h3> GitHub Releases as a Registry </h3> <p>A lightweight approach using Git tags directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git::https://github.com/yourorg/terraform-modules.git//modules/vpc?ref=v2.3.1"</span> <span class="p">}</span> </code></pre> </div> <p>This works well for smaller organizations and avoids the overhead of a dedicated registry.</p> <h2> Module Testing and Validation </h2> <p>Modules without tests are modules you cannot trust. Here are the layers of testing you should implement.</p> <h3> Static Analysis </h3> <p>Run these on every PR:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Format check</span> terraform <span class="nb">fmt</span> <span class="nt">-check</span> <span class="nt">-recursive</span> modules/ <span class="c"># Validation</span> <span class="k">for </span><span class="nb">dir </span><span class="k">in </span>modules/<span class="k">*</span>/<span class="p">;</span> <span class="k">do </span><span class="nb">cd</span> <span class="s2">"</span><span class="nv">$dir</span><span class="s2">"</span> terraform init <span class="nt">-backend</span><span class="o">=</span><span class="nb">false </span>terraform validate <span class="nb">cd</span> ../.. <span class="k">done</span> <span class="c"># Security scanning with tfsec</span> tfsec modules/ <span class="c"># Linting with tflint</span> tflint <span class="nt">--recursive</span> </code></pre> </div> <h3> Integration Testing with Terratest </h3> <p>Write Go tests that actually provision and destroy infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">test</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"testing"</span> <span class="s">"github.com/gruntwork-io/terratest/modules/terraform"</span> <span class="s">"github.com/stretchr/testify/assert"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">TestVpcModule</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Parallel</span><span class="p">()</span> <span class="n">terraformOptions</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">WithDefaultRetryableErrors</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">terraform</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">TerraformDir</span><span class="o">:</span> <span class="s">"../modules/vpc"</span><span class="p">,</span> <span class="n">Vars</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"cidr_block"</span><span class="o">:</span> <span class="s">"10.99.0.0/16"</span><span class="p">,</span> <span class="s">"environment"</span><span class="o">:</span> <span class="s">"test"</span><span class="p">,</span> <span class="s">"name"</span><span class="o">:</span> <span class="s">"terratest-vpc"</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> <span class="k">defer</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Destroy</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">terraform</span><span class="o">.</span><span class="n">InitAndApply</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">vpcId</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Output</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"vpc_id"</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">NotEmpty</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">vpcId</span><span class="p">)</span> <span class="n">privateSubnets</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">OutputList</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"private_subnet_ids"</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="m">3</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">privateSubnets</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <h3> Example Configurations </h3> <p>Every module should ship with a working example in an <code>examples/</code> directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/vpc/ ├── main.tf ├── variables.tf ├── outputs.tf ├── README.md └── examples/ ├── simple/ │ └── main.tf # Minimal usage └── complete/ └── main.tf # All features enabled </code></pre> </div> <h2> Module Composition Patterns </h2> <p>Real infrastructure is built by composing modules together. Here are patterns that work well at scale.</p> <h3> The Root Module Pattern </h3> <p>Create environment-specific root modules that compose shared modules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># environments/production/main.tf</span> <span class="nx">module</span> <span class="s2">"network"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"app.terraform.io/yourorg/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"2.3.1"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">availability_zones</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eu-west-1a"</span><span class="p">,</span> <span class="s2">"eu-west-1b"</span><span class="p">,</span> <span class="s2">"eu-west-1c"</span><span class="p">]</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"database"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"app.terraform.io/yourorg/rds-postgres/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"3.1.0"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.r6g.xlarge"</span> <span class="nx">multi_az</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"application"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"app.terraform.io/yourorg/ecs-service/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.8.0"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">lb_target_group</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">network</span><span class="p">.</span><span class="nx">alb_target_group_arn</span> <span class="nx">database_endpoint</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">database</span><span class="p">.</span><span class="nx">endpoint</span> <span class="nx">desired_count</span> <span class="p">=</span> <span class="mi">6</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> </code></pre> </div> <h3> The Terragrunt DRY Pattern </h3> <p>For organizations managing many environments, Terragrunt eliminates repetition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terragrunt.hcl (root)</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myorg-terraform-state"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"${path_relative_to_include()}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"terraform-locks"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># environments/production/vpc/terragrunt.hcl</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git::https://github.com/yourorg/terraform-modules.git//modules/vpc?ref=v2.3.1"</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> </code></pre> </div> <h2> Common Pitfalls and How to Avoid Them </h2> <p><strong>Over-abstracting too early.</strong> Do not create a module until you have written the same Terraform code at least twice. Premature abstraction creates rigid modules that fight against real requirements.</p> <p><strong>Nested modules more than two levels deep.</strong> Module A calls module B which calls module C is already hard to debug. Keep your module hierarchy shallow.</p> <p><strong>Not using <code>moved</code> blocks during refactors.</strong> When restructuring modules, use <code>moved</code> blocks to prevent Terraform from destroying and recreating resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">moved</span> <span class="p">{</span> <span class="nx">from</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">web</span> <span class="nx">to</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">application</span><span class="p">.</span><span class="nx">aws_instance</span><span class="p">.</span><span class="nx">web</span> <span class="p">}</span> </code></pre> </div> <p><strong>Ignoring module documentation.</strong> Every module should have a README generated by <code>terraform-docs</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate docs automatically</span> terraform-docs markdown table modules/vpc/ <span class="o">&gt;</span> modules/vpc/README.md </code></pre> </div> <p><strong>Storing secrets in tfvars files.</strong> Use a secrets manager and data sources instead of committing sensitive values.</p> <h2> Need Help with Your DevOps? </h2> <p>Building and maintaining a well-structured Terraform module library takes experience. At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we help startups and growing teams implement production-grade Infrastructure as Code from day one - so you can ship infrastructure changes with the same confidence as application code.</p> <p>Plans start at <strong>$2,999/mo</strong> for a dedicated fractional DevOps engineer.</p> <p><strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a free 15-minute consultation</a></strong> to discuss your Terraform architecture.</p> terraform iac devops modules Infrastructure Testing: Terratest, Checkov, and Validating Your IaC InstaDevOps Sun, 12 Apr 2026 13:46:59 +0000 https://dev.to/instadevops/infrastructure-testing-terratest-checkov-and-validating-your-iac-2c49 https://dev.to/instadevops/infrastructure-testing-terratest-checkov-and-validating-your-iac-2c49 <h2> Introduction </h2> <p>Infrastructure as Code has transformed cloud management, but when a single Terraform apply can spin up hundreds of resources, testing becomes essential.</p> <p>This article explores Terratest for functional testing and Checkov for security scanning.</p> <h2> Static Analysis with Checkov </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>checkov checkov <span class="nt">-d</span> ./terraform </code></pre> </div> <h3> Custom Policies </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">checkov.terraform.checks.resource.base_resource_check</span> <span class="kn">import</span> <span class="n">BaseResourceCheck</span> <span class="kn">from</span> <span class="n">checkov.common.models.enums</span> <span class="kn">import</span> <span class="n">CheckCategories</span><span class="p">,</span> <span class="n">CheckResult</span> <span class="k">class</span> <span class="nc">EC2HasEnvironmentTag</span><span class="p">(</span><span class="n">BaseResourceCheck</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">name</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Ensure EC2 instances have environment tag</span><span class="sh">"</span> <span class="nb">id</span> <span class="o">=</span> <span class="sh">"</span><span class="s">CKV_CUSTOM_1</span><span class="sh">"</span> <span class="n">supported_resources</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">aws_instance</span><span class="sh">'</span><span class="p">]</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="n">name</span><span class="p">,</span> <span class="nb">id</span><span class="o">=</span><span class="nb">id</span><span class="p">,</span> <span class="n">supported_resources</span><span class="o">=</span><span class="n">supported_resources</span><span class="p">)</span> <span class="k">def</span> <span class="nf">scan_resource_conf</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">conf</span><span class="p">):</span> <span class="n">tags</span> <span class="o">=</span> <span class="n">conf</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">tags</span><span class="sh">'</span><span class="p">,</span> <span class="p">[{}])[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">tags</span><span class="p">,</span> <span class="nb">dict</span><span class="p">)</span> <span class="ow">and</span> <span class="sh">'</span><span class="s">Environment</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">tags</span><span class="p">:</span> <span class="k">return</span> <span class="n">CheckResult</span><span class="p">.</span><span class="n">PASSED</span> <span class="k">return</span> <span class="n">CheckResult</span><span class="p">.</span><span class="n">FAILED</span> </code></pre> </div> <h2> Functional Testing with Terratest </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestS3Bucket</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Parallel</span><span class="p">()</span> <span class="n">terraformOptions</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">WithDefaultRetryableErrors</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">terraform</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">TerraformDir</span><span class="o">:</span> <span class="s">"../modules/s3-bucket"</span><span class="p">,</span> <span class="n">Vars</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span> <span class="s">"bucket_name"</span><span class="o">:</span> <span class="s">"test-bucket-"</span> <span class="o">+</span> <span class="n">random</span><span class="o">.</span><span class="n">UniqueId</span><span class="p">(),</span> <span class="p">},</span> <span class="p">})</span> <span class="k">defer</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Destroy</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">terraform</span><span class="o">.</span><span class="n">InitAndApply</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">)</span> <span class="n">bucketID</span> <span class="o">:=</span> <span class="n">terraform</span><span class="o">.</span><span class="n">Output</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">terraformOptions</span><span class="p">,</span> <span class="s">"bucket_id"</span><span class="p">)</span> <span class="n">actualStatus</span> <span class="o">:=</span> <span class="n">aws</span><span class="o">.</span><span class="n">GetS3BucketVersioning</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="s">"us-east-1"</span><span class="p">,</span> <span class="n">bucketID</span><span class="p">)</span> <span class="n">assert</span><span class="o">.</span><span class="n">Equal</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="s">"Enabled"</span><span class="p">,</span> <span class="n">actualStatus</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> When to Use Each Tool </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>Checkov</th> <th>Terratest</th> </tr> </thead> <tbody> <tr> <td>Type</td> <td>Static analysis</td> <td>Functional testing</td> </tr> <tr> <td>Speed</td> <td>Seconds</td> <td>Minutes to hours</td> </tr> <tr> <td>Cost</td> <td>Free</td> <td>Incurs cloud costs</td> </tr> <tr> <td>Coverage</td> <td>Security, compliance</td> <td>Actual functionality</td> </tr> </tbody> </table></div> <h2> CI/CD Integration </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">static-analysis</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">bridgecrewio/checkov-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">terraform/</span> <span class="na">terratest</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">static-analysis</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd test</span> <span class="s">go test -v -timeout 30m ./...</span> </code></pre> </div> <h2> Conclusion </h2> <p>Layer your testing: Start with Checkov for fast feedback, add Terratest for critical modules, and run full integration tests before production.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups build production-ready infrastructure.</p> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/infrastructure-testing" rel="noopener noreferrer">instadevops.com</a></em></p> terraform testing iac devops Kubernetes Networking Demystified: Services, Ingress, and Network Policies InstaDevOps Sat, 11 Apr 2026 13:46:57 +0000 https://dev.to/instadevops/kubernetes-networking-demystified-services-ingress-and-network-policies-43ne https://dev.to/instadevops/kubernetes-networking-demystified-services-ingress-and-network-policies-43ne <h2> Introduction </h2> <p>Kubernetes networking is often cited as one of the most challenging aspects of container orchestration. This guide covers the three pillars: Services, Ingress, and Network Policies.</p> <h2> Services: Stable Endpoints for Dynamic Pods </h2> <h3> ClusterIP Services </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <h3> LoadBalancer Services </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">public-api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">api</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8443</span> </code></pre> </div> <h2> Ingress: HTTP/HTTPS Traffic Management </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-ingress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">app.example.com</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">app-tls-secret</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">app.example.com</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/api</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend-api</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <h2> Network Policies: Securing Pod Communication </h2> <h3> Default Deny All </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default-deny-all</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">policyTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Ingress</span> <span class="pi">-</span> <span class="s">Egress</span> </code></pre> </div> <h3> Allow Specific Ingress </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">allow-frontend-to-backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <h2> Troubleshooting </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check endpoints</span> kubectl get endpoints my-service <span class="c"># Test DNS</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> my-pod <span class="nt">--</span> nslookup kubernetes.default <span class="c"># Debug with netshoot</span> kubectl run netshoot <span class="nt">--image</span><span class="o">=</span>nicolaka/netshoot <span class="nt">-it</span> <span class="nt">--rm</span> <span class="nt">--</span> bash </code></pre> </div> <h2> Conclusion </h2> <p>Master Services, Ingress, and Network Policies, and you'll have a solid foundation for building secure, scalable applications on Kubernetes.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups build production-ready infrastructure.</p> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/kubernetes-networking" rel="noopener noreferrer">instadevops.com</a></em></p> kubernetes networking devops security Container Registry Best Practices: ECR, Docker Hub, and Self-Hosted Options InstaDevOps Fri, 10 Apr 2026 13:46:54 +0000 https://dev.to/instadevops/container-registry-best-practices-ecr-docker-hub-and-self-hosted-options-22kh https://dev.to/instadevops/container-registry-best-practices-ecr-docker-hub-and-self-hosted-options-22kh <h2> Introduction </h2> <p>Container registries are the backbone of containerized application deployment. Choosing the right registry and implementing proper practices can mean the difference between smooth deployments and security nightmares.</p> <h2> Amazon ECR: AWS-Native Registry </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a repository</span> aws ecr create-repository <span class="se">\</span> <span class="nt">--repository-name</span> my-app <span class="se">\</span> <span class="nt">--image-scanning-configuration</span> <span class="nv">scanOnPush</span><span class="o">=</span><span class="nb">true</span> <span class="c"># Push an image</span> docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest </code></pre> </div> <h3> ECR Lifecycle Policies </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"rules"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"rulePriority"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Keep last 10 production images"</span><span class="p">,</span><span class="w"> </span><span class="nl">"selection"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"tagStatus"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tagged"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tagPrefixList"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"prod-"</span><span class="p">],</span><span class="w"> </span><span class="nl">"countType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"imageCountMoreThan"</span><span class="p">,</span><span class="w"> </span><span class="nl">"countNumber"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"expire"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Docker Hub </h2> <p>Docker Hub remains the most widely used registry, hosting millions of public images.</p> <p><strong>Rate Limits</strong>: Anonymous pulls limited to 100 per 6 hours; authenticated free users get 200.</p> <h2> Self-Hosted: Harbor </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">helm install harbor harbor/harbor \</span> <span class="s">--set expose.type=ingress \</span> <span class="s">--set expose.ingress.hosts.core=registry.example.com \</span> <span class="s">--set trivy.enabled=true</span> </code></pre> </div> <h2> Security Best Practices </h2> <ol> <li>Enable image scanning</li> <li>Implement least-privilege access</li> <li>Sign your images with Cosign</li> <li>Use immutable tags</li> <li>Scan base images regularly</li> </ol> <h2> Image Tagging Strategies </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">VERSION</span><span class="o">=</span><span class="s2">"1.2.3"</span> <span class="nv">GIT_SHA</span><span class="o">=</span><span class="si">$(</span>git rev-parse <span class="nt">--short</span> HEAD<span class="si">)</span> docker build <span class="se">\</span> <span class="nt">-t</span> my-app:<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span> <span class="se">\</span> <span class="nt">-t</span> my-app:<span class="k">${</span><span class="nv">VERSION</span><span class="k">}</span>-<span class="k">${</span><span class="nv">GIT_SHA</span><span class="k">}</span> <span class="se">\</span> <span class="nt">-t</span> my-app:<span class="k">${</span><span class="nv">GIT_SHA</span><span class="k">}</span> <span class="se">\</span> <span class="nb">.</span> </code></pre> </div> <h2> Conclusion </h2> <p>Whether you choose ECR for AWS integration, Docker Hub for ubiquity, or Harbor for control, applying security best practices will keep your container infrastructure secure.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups build production-ready infrastructure.</p> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/container-registry-guide" rel="noopener noreferrer">instadevops.com</a></em></p> docker ecr containers devops Incident Management: Building Effective On-Call Rotations and Runbooks InstaDevOps Thu, 09 Apr 2026 20:46:50 +0000 https://dev.to/instadevops/incident-management-building-effective-on-call-rotations-and-runbooks-10ho https://dev.to/instadevops/incident-management-building-effective-on-call-rotations-and-runbooks-10ho <h2> Introduction </h2> <p>Every engineering team dreads the 3 AM page. How your team handles these moments defines your reliability as a service provider.</p> <p>This guide covers on-call rotation design, runbook creation, incident response processes, and blameless post-mortems.</p> <h2> On-Call Best Practices </h2> <h3> Designing Sustainable Rotations </h3> <ul> <li> <strong>Rotation Length</strong>: Weekly rotations work best</li> <li> <strong>Minimum Team Size</strong>: Never fewer than 4 engineers</li> <li> <strong>Compensation</strong>: Fair pay for on-call work</li> </ul> <h3> Reducing Alert Fatigue </h3> <ul> <li>Actionable alerts only</li> <li>Consolidate related alerts</li> <li>Regular alert reviews</li> </ul> <h2> Runbook Template Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># Runbook: Database Connection Pool Exhausted</span> <span class="gu">## Impact Assessment</span> <span class="p">-</span> User Impact: New requests may fail <span class="p">-</span> Affected Services: All services using primary database <span class="gu">## Immediate Actions</span> <span class="p">1.</span> Check current connections: SELECT count(<span class="err">*</span>), state FROM pg_stat_activity GROUP BY state; <span class="p"> 2.</span> Identify connection hogs: SELECT usename, application_name, count(<span class="err">*</span>) FROM pg_stat_activity GROUP BY usename, application_name; <span class="gu">## Resolution Steps</span> <span class="p">-</span> If long-running query: pg_terminate_backend(<span class="nt">&lt;pid&gt;</span>) <span class="p">-</span> If traffic spike: Scale up read replicas <span class="p">-</span> If connection leak: Restart affected service </code></pre> </div> <h2> Incident Response Process </h2> <h3> Phase 1: Detection and Triage (0-5 minutes) </h3> <ol> <li>Acknowledge the alert</li> <li>Assess severity</li> <li>Open relevant runbook</li> </ol> <h3> Phase 2: Response Coordination </h3> <ul> <li> <strong>Incident Commander</strong>: Coordinates response</li> <li> <strong>Technical Lead</strong>: Hands-on debugging</li> <li> <strong>Communications Lead</strong>: Updates stakeholders</li> </ul> <h2> Blameless Post-Mortems </h2> <p>Focus on systems and processes, not individuals. The goal is learning and improvement.</p> <h2> Conclusion </h2> <p>Effective incident management is built on preparation, not heroics. Well-designed rotations, comprehensive runbooks, and blameless post-mortems transform incident response from stress into a competitive advantage.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups build production-ready infrastructure.</p> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/incident-management" rel="noopener noreferrer">instadevops.com</a></em></p> incident oncall sre devops SRE Fundamentals: Defining SLOs, SLIs, and Error Budgets That Actually Work InstaDevOps Thu, 09 Apr 2026 20:33:35 +0000 https://dev.to/instadevops/sre-fundamentals-defining-slos-slis-and-error-budgets-that-actually-work-42k7 https://dev.to/instadevops/sre-fundamentals-defining-slos-slis-and-error-budgets-that-actually-work-42k7 <h2> Introduction </h2> <p>Site Reliability Engineering (SRE) has transformed how organizations think about system reliability. Central to this framework are Service Level Objectives (SLOs), Service Level Indicators (SLIs), and Error Budgets.</p> <p>This guide will walk you through defining SLOs, SLIs, and Error Budgets that actually drive meaningful improvements.</p> <h2> Understanding the Reliability Hierarchy </h2> <p><strong>SLAs (Service Level Agreements)</strong>: External contracts with customers specifying consequences for failures.</p> <p><strong>SLOs (Service Level Objectives)</strong>: Internal targets your team commits to, stricter than SLAs.</p> <p><strong>SLIs (Service Level Indicators)</strong>: The actual measurements determining whether you're meeting SLOs.</p> <p><strong>Error Budgets</strong>: How much unreliability you can tolerate while meeting your SLO.</p> <h2> Defining Meaningful SLIs </h2> <h3> The Four Golden Signals </h3> <ul> <li> <strong>Latency</strong>: How long requests take</li> <li> <strong>Traffic</strong>: Request volume</li> <li> <strong>Errors</strong>: Rate of failed requests</li> <li> <strong>Saturation</strong>: How "full" your service is </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Availability SLI sum(rate(http_requests_total{status=~"2.."}[5m])) / sum(rate(http_requests_total[5m])) # Latency SLI sum(rate(http_request_duration_seconds_bucket{le="0.2"}[5m])) / sum(rate(http_request_duration_seconds_count[5m])) </code></pre> </div> <h2> Setting Realistic SLOs </h2> <p>Each additional "nine" dramatically reduces your error budget:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Availability</th> <th>Monthly Downtime</th> </tr> </thead> <tbody> <tr> <td>99%</td> <td>7.2 hours</td> </tr> <tr> <td>99.9%</td> <td>43.8 minutes</td> </tr> <tr> <td>99.99%</td> <td>4.38 minutes</td> </tr> </tbody> </table></div> <h2> Error Budgets: The Key to Balance </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error Budget = 1 - SLO For a 99.9% SLO over 30 days: Error Budget = 0.1% = 43.2 minutes of downtime </code></pre> </div> <h2> Conclusion </h2> <p>SLOs, SLIs, and Error Budgets aren't just metrics—they're a framework for making better decisions about reliability. The goal is appropriate reliability—enough to keep users happy while maintaining velocity.</p> <h2> Need Help with Your DevOps Infrastructure? </h2> <p>At <strong><a href="https://instadevops.com" rel="noopener noreferrer">InstaDevOps</a></strong>, we specialize in helping startups build production-ready infrastructure.</p> <p>📅 <strong><a href="https://calendly.com/instadevops/15min" rel="noopener noreferrer">Book a Free 15-Min Consultation</a></strong></p> <p><em>Originally published at <a href="https://instadevops.com/blog/sre-slos-slis" rel="noopener noreferrer">instadevops.com</a></em></p> sre monitoring devops