DEV Community: varun varde The latest articles on DEV Community by varun varde (@varunvarde). https://dev.to/varunvarde https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3761696%2Fecce1536-897c-45d3-ba4f-11e7d0b344ed.jpg DEV Community: varun varde https://dev.to/varunvarde en Team Topologies for DevOps: A Practical Implementation Guide varun varde Thu, 21 May 2026 11:35:55 +0000 https://dev.to/varunvarde/team-topologies-for-devops-a-practical-implementation-guide-16on https://dev.to/varunvarde/team-topologies-for-devops-a-practical-implementation-guide-16on <p>Most engineering organisations do not fail because their developers are untalented.</p> <p>They fail because their communication structures, ownership boundaries, and operational dependencies create friction that compounds over time.</p> <p>A deployment takes three weeks because four teams must approve it. A platform team becomes a ticket queue instead of a product team. Stream-aligned teams spend more time negotiating dependencies than shipping software. Cognitive overload silently accumulates until incident frequency rises and delivery velocity collapses.</p> <p>These are not tooling problems.</p> <p>They are topology problems.</p> <p>The framework introduced in the book Team Topologies by Matthew Skelton and Manuel Pais provides one of the clearest operational models for designing engineering organisations around flow rather than hierarchy.</p> <p>The core idea is deceptively simple<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Optimise team structures for fast, sustainable software delivery. </code></pre> </div> <p>This article explains how to apply Team Topologies in practice, identify the organisational anti-patterns slowing your DevOps initiatives, and implement structural changes that improve delivery speed without creating organisational chaos.</p> <h2> Why Team Structure Matters in DevOps </h2> <p>DevOps is often described as a tooling movement.</p> <p>It is not.</p> <p>It is fundamentally a sociotechnical systems discipline.</p> <p>Tooling matters. Automation matters. CI/CD matters.</p> <p>But organisational communication paths ultimately determine delivery speed.</p> <p>Conway’s Law famously states:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Organisations design systems that mirror their communication structures. </code></pre> </div> <p>Meaning:</p> <ul> <li>Fragmented teams create fragmented systems</li> <li>Bottlenecked organisations create bottlenecked architectures</li> <li>High-friction communication creates high-friction delivery</li> </ul> <p>Team Topologies provides a practical framework for reducing those organisational bottlenecks systematically.</p> <h2> The 4 Team Types </h2> <p>The Team Topologies model defines four fundamental team types.</p> <p>Each exists to solve a distinct operational problem.</p> <p><strong>1. Stream-Aligned Teams</strong></p> <p>These are the primary delivery teams.</p> <p>A stream-aligned team owns a flow of business value end-to-end.</p> <p>Examples:</p> <ul> <li>Payments platform</li> <li>Customer onboarding</li> <li>Mobile checkout</li> <li>Recommendation engine</li> </ul> <p>The key principle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Single team → owns service lifecycle completely </code></pre> </div> <p>Including:</p> <ul> <li>Development</li> <li>Deployment</li> <li>Operations</li> <li>Monitoring</li> <li>Incident response</li> </ul> <h2> Characteristics of Strong Stream-Aligned Teams </h2> <p>Healthy stream-aligned teams typically:</p> <ul> <li>Deploy independently</li> <li>Own production support</li> <li>Minimise external dependencies</li> <li>Have clear business alignment</li> <li>Operate autonomously</li> </ul> <p>Example structure<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Team</span><span class="pi">:</span> <span class="s">Payments</span> <span class="na">Ownership</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Payment API</span> <span class="pi">-</span> <span class="s">Fraud checks</span> <span class="pi">-</span> <span class="s">Transaction database</span> <span class="pi">-</span> <span class="s">Deployment pipelines</span> <span class="pi">-</span> <span class="s">Monitoring dashboards</span> </code></pre> </div> <p>This dramatically reduces coordination overhead.</p> <p><strong>Warning Signs</strong></p> <p>Stream-aligned teams fail when:</p> <ul> <li>Too many systems are owned</li> <li>Multiple domains are mixed together</li> <li>External dependencies dominate delivery</li> <li>Teams lack operational authority</li> </ul> <p>The result is cognitive overload.</p> <p><strong>2. Enabling Teams</strong></p> <p>Enabling teams exist to help other teams improve capabilities.</p> <p>Not to permanently do the work for them.</p> <p>Examples:</p> <ul> <li>Kubernetes adoption team</li> <li>SRE coaching team</li> <li>Security enablement team</li> <li>Observability specialists</li> </ul> <p>Their role is temporary acceleration.</p> <p>Not long-term ownership.</p> <h2> Healthy Enabling Team Behaviour </h2> <p>Good enabling teams:</p> <ul> <li>Teach</li> <li>Coach</li> <li>Pair</li> <li>Document</li> <li>Reduce friction</li> <li>Transfer knowledge</li> </ul> <p>Bad enabling teams become outsourced implementation departments.</p> <p>That destroys scalability.</p> <h2> Example: Kubernetes Enablement </h2> <p>Good pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Enabling Team</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Creates templates</span> <span class="pi">-</span> <span class="s">Runs workshops</span> <span class="pi">-</span> <span class="s">Helps first deployments</span> <span class="pi">-</span> <span class="s">Coaches incident response</span> </code></pre> </div> <p>Bad pattern<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Every Kubernetes deployment requires enabling team intervention forever </code></pre> </div> <p>That becomes another bottleneck.</p> <h2> 3. Complicated Subsystem Teams </h2> <p>Some domains require deep specialist expertise.</p> <p>Examples:</p> <ul> <li>ML inference systems</li> <li>Real-time video encoding</li> <li>Cryptography engines</li> <li>High-frequency trading systems</li> </ul> <p>These are cognitively dense domains unsuitable for broad ownership.</p> <p>Dedicated specialist teams reduce complexity exposure for the rest of the organisation.</p> <h2> Why This Team Type Exists </h2> <p>Without complicated subsystem teams<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Every stream-aligned team ↓ Must understand advanced specialist systems </code></pre> </div> <p>This overwhelms cognitive capacity rapidly.</p> <p><strong>Example</strong></p> <p>A recommendation-engine ML platform might require:</p> <ul> <li>Tensor optimisation</li> <li>GPU scheduling</li> <li>Feature stores</li> <li>Embedding pipelines</li> </ul> <p>That expertise does not belong inside every product team.</p> <h2> 4. Platform Teams </h2> <p>Platform teams build internal developer platforms.</p> <p>Their mission<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Reduce cognitive load for stream-aligned teams. </code></pre> </div> <p>Platform teams should operate like product teams.</p> <p>Not internal ticket queues.</p> <h2> Platform Team Responsibilities </h2> <p>Typical responsibilities:</p> <ul> <li>CI/CD systems</li> <li>Kubernetes platforms</li> <li>Observability tooling</li> <li>Secrets management</li> <li>Golden deployment paths</li> <li>Infrastructure templates</li> </ul> <h2> Platform-as-a-Product </h2> <p>This concept is critical.</p> <p>A healthy platform team provides<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Self-service capabilities </code></pre> </div> <p>Not manual intervention.</p> <p>Good platform<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer clicks button → environment created </code></pre> </div> <p>Bad platform<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer opens Jira ticket → waits 2 weeks </code></pre> </div> <h2> The 3 Interaction Modes </h2> <p>The framework also defines three interaction patterns between teams.</p> <p>These interaction modes are enormously important operationally.</p> <h2> 1. Collaboration Mode </h2> <p>Temporary close cooperation between teams.</p> <p>Used for:</p> <p>New capability adoption<br> Complex integrations<br> Discovery work</p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Payments Team ↔ Platform Team </code></pre> </div> <p>Working together to implement service mesh adoption.</p> <h2> The Key Word: Temporary </h2> <p>Permanent collaboration indicates unclear boundaries.</p> <p>Collaboration mode should end eventually.</p> <p>Otherwise dependency chains become permanent.</p> <h2> 2. X-as-a-Service Mode </h2> <p>One team provides services consumed independently by others.</p> <p>This is the desired long-term state for platform teams.</p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Platform Team → Kubernetes Platform </code></pre> </div> <p>Consumed self-service by product teams.</p> <p>Minimal synchronous interaction required.</p> <h2> Signs Your Platform Interface Is Healthy </h2> <p>Healthy X-as-a-Service characteristics:</p> <ul> <li>Well documented</li> <li>Self-service</li> <li>Stable APIs</li> <li>Clear support boundaries</li> <li>Minimal tickets required</li> </ul> <h2> 3. Facilitating Mode </h2> <p>Used by enabling teams.</p> <p>Purpose<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Teach capability Not own capability </code></pre> </div> <p>Examples:</p> <ul> <li>Security workshops</li> <li>Incident response coaching</li> <li>Terraform migration guidance</li> </ul> <p>Facilitating mode transfers knowledge intentionally.</p> <h2> Assessing Your Current Topology: The 6 Key Questions </h2> <p>Most organisations already feel their topology pain intuitively.</p> <p>This framework helps diagnose it systematically.</p> <h2> Question 1: How Many Teams Are Required for a Deployment? </h2> <p>If the answer exceeds three consistently<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Flow efficiency is already degraded. </code></pre> </div> <p><strong>Question 2: Are Platform Teams Productive or Ticket-Driven?</strong></p> <p>Platform teams buried in support queues are usually under-designed.</p> <h2> Question 3: Is Production Ownership Clear? </h2> <p>During incidents<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Who owns this? </code></pre> </div> <p>Should never require debate.</p> <h2> Question 4: How Much Cognitive Load Exists Per Team? </h2> <p>Too many technologies, domains, or dependencies create delivery paralysis.</p> <h2> Question 5: How Often Are Teams Waiting on Other Teams? </h2> <p>Dependency-heavy organisations slow exponentially as headcount grows.</p> <h2> Question 6: Are Teams Optimised Around Technology or Business Flow? </h2> <p>Technology-aligned teams often create excessive handoffs.</p> <p>Business-stream alignment improves delivery velocity dramatically.</p> <h2> Cognitive Load Assessment Framework </h2> <p>Example survey structure<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">COGNITIVE_LOAD_SURVEY</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">domain_complexity</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">question</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">How well does the team understand the business domain?</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">red_flag</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">&lt; 3</span><span class="sh">"</span> <span class="p">},</span> <span class="sh">"</span><span class="s">technology_breadth</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">question</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">How many distinct technologies are maintained?</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">red_flag</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">&gt; 5</span><span class="sh">"</span> <span class="p">},</span> <span class="sh">"</span><span class="s">dependency_count</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">question</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">How many teams are required per sprint?</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">red_flag</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">&gt; 3</span><span class="sh">"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This kind of lightweight operational telemetry is surprisingly valuable.</p> <h2> The Most Common Team Topologies Anti-Patterns </h2> <p>Most engineering organisations fail in recognisable ways.</p> <p>The same patterns appear repeatedly.</p> <h2> Anti-Pattern 1: The Shared Services Team Bottleneck </h2> <p>Classic example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Shared DevOps Team </code></pre> </div> <p>Responsible for:</p> <ul> <li>CI/CD</li> <li>Kubernetes</li> <li>Terraform</li> <li>Monitoring</li> <li>Networking</li> <li>Security</li> <li>Deployments</li> </ul> <p>For every product team.</p> <p>Result<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Centralised dependency bottleneck </code></pre> </div> <p>Symptoms:</p> <ul> <li>Long ticket queues</li> <li>Slow onboarding</li> <li>Deployment delays</li> <li>Platform burnout</li> </ul> <h2> The Real Cost </h2> <p>Shared services teams often become<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Organisational rate limiters </code></pre> </div> <p>Every engineering initiative slows behind them.</p> <h2> Better Model </h2> <p>Replace shared services with:</p> <ul> <li>Stream-aligned ownership</li> <li>Self-service platforms</li> <li>Enabling teams</li> <li>Platform-as-product</li> </ul> <h2> Anti-Pattern 2: Platform Teams Without a Defined Interface </h2> <p>Many platform teams say<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"We provide Kubernetes." </code></pre> </div> <p>But what does that actually mean operationally?</p> <p>Healthy platforms define:</p> <ul> <li>APIs</li> <li>Golden paths</li> <li>Support models</li> <li>Service expectations</li> <li>Onboarding flows</li> </ul> <p>Without interfaces<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Platform becomes tribal knowledge. </code></pre> </div> <h2> Anti-Pattern 3: Enabling Teams That Never Stop Enabling </h2> <p>Enabling teams should create independence.</p> <p>Not permanent dependency.</p> <p>Danger signs:</p> <ul> <li>Teams require constant coaching forever</li> <li>Knowledge transfer never completes</li> <li>Enablement becomes embedded implementation</li> </ul> <p>At that point the enabling team has failed structurally.</p> <h2> Anti-Pattern 4: Cognitive Load Mismatches </h2> <p>This is one of the most damaging failure modes.</p> <p>Teams own too much simultaneously:</p> <ul> <li>Multiple languages</li> <li>Multiple databases</li> <li>Infrastructure</li> <li>Security</li> <li>CI/CD</li> <li>ML systems</li> <li>Distributed systems complexity</li> </ul> <p>Eventually<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Incident frequency rises Delivery speed drops Burnout accelerates </code></pre> </div> <h2> Measuring Cognitive Load </h2> <p>Indicators include</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Signal</th> <th>Warning Threshold</th> </tr> </thead> <tbody> <tr> <td>Technologies maintained</td> <td>&gt; 5</td> </tr> <tr> <td>Teams depended on</td> <td>&gt; 3</td> </tr> <tr> <td>Incident ambiguity</td> <td>Frequent</td> </tr> <tr> <td>Deployment complexity</td> <td>High</td> </tr> <tr> <td>Documentation quality</td> <td>Poor</td> </tr> </tbody> </table></div> <p>Cognitive overload is usually visible before collapse occurs.</p> <h2> Planning a Topology Change </h2> <p>Topology redesign is organisational surgery.</p> <p>Done poorly, it creates chaos.</p> <p>Done carefully, it dramatically improves flow.</p> <h2> Step 1: Identify Friction Points </h2> <p>Start with:</p> <ul> <li>Deployment delays</li> <li>Dependency bottlenecks</li> <li>Ticket queues</li> <li>Incident ownership confusion</li> <li>Platform dissatisfaction</li> </ul> <p>Map flow disruptions explicitly.</p> <h2> Step 2: Reduce Team Dependencies </h2> <p>Optimise for<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Independent delivery capability </code></pre> </div> <p>Dependency reduction is usually the highest-ROI organisational improvement.</p> <h2> Step 3: Define Platform Interfaces </h2> <p>Every platform capability should answer:</p> <ul> <li>Who uses this?</li> <li>How is it consumed?</li> <li>Is it self-service?</li> <li>What are support expectations?</li> </ul> <h2> Step 4: Transition Gradually </h2> <p>Never reorganise everything simultaneously.</p> <p>Recommended approach<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pilot topology ↓ Measure outcomes ↓ Expand incrementally </code></pre> </div> <p>Organisational stability matters.</p> <h2> Measuring the Impact </h2> <p>Topology changes should produce measurable improvements.</p> <p><strong>Delivery Metrics</strong></p> <p>Track:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Why It Matters</th> </tr> </thead> <tbody> <tr> <td>Deployment frequency</td> <td>Measures flow</td> </tr> <tr> <td>Lead time</td> <td>Measures delivery friction</td> </tr> <tr> <td>MTTR</td> <td>Measures operational clarity</td> </tr> <tr> <td>Change failure rate</td> <td>Measures stability</td> </tr> </tbody> </table></div> <p>These align closely with DORA metrics.</p> <h2> Cognitive Load Surveys </h2> <p>Run quarterly.</p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">red_flags</span> <span class="o">&gt;=</span> <span class="mi">3</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Urgent restructuring required</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Even lightweight surveys reveal structural problems surprisingly well.</p> <h2> Platform Satisfaction Scores </h2> <p>Ask stream-aligned teams<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>How frictionless is the platform? </code></pre> </div> <p>This single question often exposes platform dysfunction rapidly.</p> <h2> Example Topology Transformation </h2> <p><strong>Before</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developers ↓ Shared DevOps Team ↓ Infrastructure Team ↓ Security Team </code></pre> </div> <p>Heavy coordination overhead.</p> <p>Slow deployments.</p> <p>Unclear ownership.</p> <p><strong>After</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Stream-Aligned Teams ↓ Self-Service Platform ↓ Enabling Teams </code></pre> </div> <p>Much faster flow.</p> <p>Reduced dependencies.</p> <p>Improved operational autonomy.</p> <h2> Common Mistakes During Team Topologies Adoption </h2> <h2> Mistake 1: Renaming Teams Without Changing Responsibilities </h2> <p>Changing titles changes nothing operationally.</p> <h2> Mistake 2: Treating Platform Teams as Infrastructure Operations </h2> <p>Platform teams should optimise developer experience.</p> <p>Not merely manage Kubernetes clusters.</p> <h2> Mistake 3: Ignoring Cognitive Load </h2> <p>More ownership is not always better.</p> <h2> Mistake 4: Measuring Utilisation Instead of Flow </h2> <p>Highly utilised teams often create slower organisations overall.</p> <p>Flow efficiency matters more.</p> <h2> Recommended Organisational Architecture </h2> <p>Healthy modern engineering organisations increasingly resemble<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Stream-Aligned Teams ↓ Platform-as-a-Service ↓ Enabling Teams ↓ Specialist Subsystem Teams </code></pre> </div> <p>This structure scales operationally far better than traditional siloed models.</p> <p>Team Topologies matters because software delivery problems are rarely just technical.</p> <p>They are organisational.</p> <p>The framework gives engineering leaders a practical vocabulary for understanding why certain DevOps transformations stall despite heavy investment in tooling and automation.</p> <p>The most successful organisations consistently optimise for.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Fast flow Low cognitive load Clear ownership Self-service platforms Minimal dependencies </code></pre> </div> <p>And those outcomes emerge not from organisational theory alone, but from deliberate topology design.</p> <p>Because ultimately:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>The architecture of your systems reflects the architecture of your teams. </code></pre> </div> <p>Always</p> devops aws software topologies Secrets Management in Modern DevOps: Vault, IRSA, External Secrets When to Use Each varun varde Fri, 15 May 2026 06:11:00 +0000 https://dev.to/varunvarde/secrets-management-in-modern-devops-vault-irsa-external-secrets-when-to-use-each-352m https://dev.to/varunvarde/secrets-management-in-modern-devops-vault-irsa-external-secrets-when-to-use-each-352m <p>Secrets management failures rarely begin with malicious intent.</p> <p>They begin with expediency.</p> <p>An engineer hardcodes an API key “temporarily.” A .env file gets committed accidentally. A production database password gets shared in Slack during an outage because “we’ll rotate it later.” Eventually those shortcuts accumulate into a sprawling credential catastrophe hidden beneath otherwise competent infrastructure.</p> <p>The uncomfortable truth is that poor secrets hygiene exists everywhere:</p> <ul> <li>Startups</li> <li>Scaleups</li> <li>Enterprises</li> <li>Banks</li> <li>Government systems</li> <li>Fortune 500 infrastructure</li> </ul> <p>The issue is rarely ignorance. It is architectural ambiguity.</p> <p>Modern DevOps teams now face multiple competing approaches:</p> <ul> <li>Cloud-native identity systems</li> <li>Kubernetes secret abstractions</li> <li>Vault</li> <li>External Secrets Operator</li> <li>Sealed Secrets</li> <li>Workload identity federation</li> <li>Dynamic credentials</li> </ul> <p>Choosing incorrectly creates operational fragility. Choosing well dramatically improves both security and developer experience.</p> <p>This guide explains when to use each model, where each one fails, and how to evolve from common anti-patterns toward a production-grade secrets architecture without detonating existing workloads.</p> <h2> The Secrets Management Anti-Patterns (and Their Blast Radius) </h2> <p>Before discussing solutions, understand the failure modes.</p> <p>Because nearly every modern secrets architecture exists to solve one of these disasters.</p> <p><strong>Anti-Pattern 1: Hardcoded Secrets in Source Code</strong></p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">sk-prod-293847239847</span><span class="sh">"</span> </code></pre> </div> <p>This is not merely bad practice.</p> <p>It is operationally radioactive.</p> <p>Once committed:</p> <ul> <li>Git history preserves it</li> <li>Forks replicate it</li> <li>CI logs may expose it</li> <li>Developers clone it locally</li> <li>Backups persist it indefinitely</li> </ul> <p>Even if deleted later.</p> <p><strong>Anti-Pattern 2: Shared Credentials</strong></p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>prod-admin / password123 </code></pre> </div> <p>Used by:</p> <ul> <li>Developers</li> <li>CI systems</li> <li>Automation tools</li> <li>Contractors</li> </ul> <p>Result<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>No attribution No least privilege No revocation granularity </code></pre> </div> <p>Shared credentials eliminate accountability entirely.</p> <p><strong>Anti-Pattern 3: Long-Lived Cloud Access Keys</strong></p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY </code></pre> </div> <p>Stored inside:</p> <ul> <li>Jenkins</li> <li>GitHub Actions</li> <li>Kubernetes Secrets</li> <li>Terraform variables</li> </ul> <p>Static credentials eventually leak.</p> <p>The question is timing, not probability.</p> <p><strong>Anti-Pattern 4: Kubernetes Secrets Misunderstood as Encryption</strong></p> <p>Base64 encoding is not encryption.</p> <p>This surprises people alarmingly often.</p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"cGFzc3dvcmQ="</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </div> <p>Outputs<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>password </code></pre> </div> <p>Kubernetes Secrets require additional controls:</p> <ul> <li>Encryption at rest</li> <li>RBAC</li> <li>Admission policies</li> <li>Audit logging</li> </ul> <p>Otherwise they become plaintext credential storage with better branding.</p> <p><strong>Understanding the Modern Secrets Management Stack</strong></p> <p>Modern secrets management generally falls into four categories</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F637vw56z5kk9qrywpb9t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F637vw56z5kk9qrywpb9t.png" alt=" "></a></p> <p>Each solves different problems.</p> <p><strong>IRSA / Workload Identity: Cloud-Native Secretless Authentication</strong></p> <p>This is the most important architectural shift in modern cloud security<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Stop distributing credentials. Start distributing identity. </code></pre> </div> <p>Instead of giving workloads access keys<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pod → authenticated identity → temporary credentials </code></pre> </div> <p>No static secrets required.</p> <h2> AWS IRSA (IAM Roles for Service Accounts) </h2> <p>Pods authenticate using Kubernetes service accounts mapped to IAM roles.</p> <p><strong>Terraform IRSA Role</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"payment_service"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"payment-service-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"</span><span class="k">${</span><span class="nx">replace</span><span class="p">(</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span> <span class="p">)</span><span class="k">}</span><span class="s2">:sub"</span> <span class="p">=</span> <span class="s2">"system:serviceaccount:payments:payment-service"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p><strong>Kubernetes Service Account</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">payment-service</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">payments</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s">arn:aws:iam::ACCOUNT:role/payment-service-role</span> </code></pre> </div> <p>Pods automatically receive temporary credentials.</p> <p>No secrets required.</p> <p><strong>Why IRSA Is Excellent</strong></p> <p>Advantages:</p> <ul> <li>No static AWS keys</li> <li>Automatic credential rotation</li> <li>IAM-native permissions</li> <li>Short-lived credentials</li> <li>Excellent auditability</li> </ul> <p>This should be the default model for AWS-native workloads.</p> <h2> GCP Workload Identity Equivalent </h2> <p>GCP uses<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Kubernetes Service Account ↔ Google Service Account </code></pre> </div> <p>Equivalent concept. Different implementation.</p> <p><strong>Azure Workload Identity</strong></p> <p>Azure now supports federated workload identity similarly.</p> <p>The industry is converging on identity federation rather than credential distribution.</p> <p>This is good.</p> <p>When IRSA / Workload Identity Is NOT Enough</p> <p>Cloud-native identity works beautifully for cloud APIs.</p> <p>It becomes weaker when dealing with:</p> <ul> <li>Databases</li> <li>Third-party APIs</li> <li>Cross-cloud systems</li> <li>Legacy applications</li> <li>Dynamic credential issuance</li> <li>Multi-cluster secret orchestration</li> </ul> <p>This is where Vault becomes valuable.</p> <h2> HashiCorp Vault: When You Need More Than Cloud-Native </h2> <p>Vault solves problems identity federation alone cannot.</p> <p>Especially dynamic secrets.</p> <h2> The Core Vault Capability </h2> <p>Vault does not merely store secrets.</p> <p>It generates them dynamically.</p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Application requests PostgreSQL credentials ↓ Vault creates short-lived DB user ↓ Credentials expire automatically </code></pre> </div> <p>Massive security improvement.</p> <p><strong>Vault Kubernetes Authentication</strong></p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault auth <span class="nb">enable </span>kubernetes </code></pre> </div> <p><strong>Vault Role Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault write auth/kubernetes/role/payment-api <span class="se">\</span> <span class="nv">bound_service_account_names</span><span class="o">=</span>payment-service <span class="se">\</span> <span class="nv">bound_service_account_namespaces</span><span class="o">=</span>payments <span class="se">\</span> <span class="nv">policies</span><span class="o">=</span>payment-read <span class="se">\</span> <span class="nv">ttl</span><span class="o">=</span>1h </code></pre> </div> <p>Pods authenticate automatically via Kubernetes identity.</p> <p><strong>Dynamic Database Credentials</strong></p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault <span class="nb">read </span>database/creds/payment-role </code></pre> </div> <p>Returns<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v-token-abc123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"generated-secret"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lease_duration"</span><span class="p">:</span><span class="w"> </span><span class="mi">3600</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Credentials expire automatically after one hour.</p> <p><strong>When Vault Is the Right Choice</strong></p> <p>Use Vault when you need</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Requirement</th> <th>Vault</th> </tr> </thead> <tbody> <tr> <td>Dynamic secrets</td> <td>Excellent</td> </tr> <tr> <td>Multi-cloud support</td> <td>Excellent</td> </tr> <tr> <td>Fine-grained audit logs</td> <td>Excellent</td> </tr> <tr> <td>PKI management</td> <td>Excellent</td> </tr> <tr> <td>Database credential rotation</td> <td>Excellent</td> </tr> <tr> <td>Secret leasing</td> <td>Excellent</td> </tr> </tbody> </table></div> <p><strong>Vault Tradeoffs</strong></p> <p>Vault is operationally heavier.</p> <p>You now manage:</p> <ul> <li>HA clustering</li> <li>Storage backend</li> <li>Unseal process</li> <li>Disaster recovery</li> <li>Performance replication</li> </ul> <p>Vault is powerful because it solves hard problems.</p> <p>Hard problems come with operational complexity.</p> <h2> External Secrets Operator: The Kubernetes-Native Abstraction Layer </h2> <p>External Secrets Operator (ESO) is one of the cleanest Kubernetes-native abstractions available today.</p> <p>Instead of storing secrets directly in Kubernetes<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Kubernetes Secret ← synced from → Vault / AWS Secrets Manager / GCP Secret Manager </code></pre> </div> <p><strong>Installing ESO</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>external-secrets external-secrets/external-secrets </code></pre> </div> <h2> AWS Secrets Manager Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">external-secrets.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ExternalSecret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">payment-api-secret</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">refreshInterval</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">secretStoreRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws-secret-store</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">SecretStore</span> <span class="na">target</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">payment-api-secret</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretKey</span><span class="pi">:</span> <span class="s">api-key</span> <span class="na">remoteRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">prod/payment-api</span> <span class="na">property</span><span class="pi">:</span> <span class="s">api_key</span> </code></pre> </div> <p><strong>Why ESO Is Excellent</strong></p> <p>Advantages:</p> <ul> <li>Kubernetes-native</li> <li>GitOps-friendly</li> <li>Central secret backend</li> <li>Automatic refresh</li> <li>Cleaner operational model</li> </ul> <p>ESO is often the best abstraction for Kubernetes workloads.</p> <h2> When ESO Is NOT Enough </h2> <p>ESO synchronises secrets.</p> <p>It does not generate dynamic credentials.</p> <p>If you need:</p> <ul> <li>Dynamic DB users</li> <li>Certificate issuance</li> <li>Secret leasing</li> <li>PKI workflows</li> </ul> <p>You still need Vault or equivalent systems.</p> <h2> Sealed Secrets: Simple Offline Encryption for GitOps </h2> <p>Sealed Secrets solve a specific problem elegantly<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>How do you store encrypted secrets safely in Git? </code></pre> </div> <p><strong>Sealed Secret Workflow</strong></p> <p>Developer creates<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic app-secret </code></pre> </div> <p>Encrypts<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubeseal <span class="nt">--format</span> yaml </code></pre> </div> <p>Result<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">bitnami.com/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">SealedSecret</span> </code></pre> </div> <p>Only the cluster controller can decrypt it.</p> <h2> Why Teams Love Sealed Secrets </h2> <p>Benefits:</p> <ul> <li>Simple</li> <li>GitOps-compatible</li> <li>Easy onboarding</li> <li>No external dependency</li> </ul> <p><strong>Where Sealed Secrets Fall Short</strong></p> <p>Limitations:</p> <ul> <li>Static secrets only</li> <li>No automatic rotation</li> <li>Kubernetes-scoped</li> <li>No dynamic credential issuance</li> </ul> <p>Excellent for smaller GitOps environments.</p> <p>Less ideal for enterprise-scale secret orchestration.</p> <h2> Secrets Rotation: The Missing Piece Most Implementations Skip </h2> <p>This is the most neglected part of secrets management.</p> <p>Teams store secrets securely but never rotate them.</p> <p>Which defeats half the purpose.</p> <p><strong>Rotation Targets</strong></p> <p>Rotate regularly:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Secret Type</th> <th>Rotation Frequency</th> </tr> </thead> <tbody> <tr> <td>API keys</td> <td>30–90 days</td> </tr> <tr> <td>DB credentials</td> <td>Dynamic preferred</td> </tr> <tr> <td>TLS certificates</td> <td>30–90 days</td> </tr> <tr> <td>CI tokens</td> <td>30 days</td> </tr> </tbody> </table></div> <p><strong>Vault Dynamic Rotation</strong></p> <p>Best model<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Generate → use → expire automatically </code></pre> </div> <p>No manual rotation required.</p> <p><strong>AWS Secrets Manager Rotation</strong></p> <p>Example Lambda rotation<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">RotationRules</span><span class="pi">:</span> <span class="na">AutomaticallyAfterDays</span><span class="pi">:</span> <span class="m">30</span> </code></pre> </div> <p><strong>Common Rotation Failure Mode</strong></p> <p>Applications caching credentials indefinitely.</p> <p>Result<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Secret rotated ↓ Application breaks </code></pre> </div> <p>Applications must reload credentials gracefully.</p> <h2> Audit Logging: Knowing Who Accessed What and When </h2> <p>Secrets access without auditing is operational blindness.</p> <p><strong>Vault Audit Logging</strong></p> <p>Enable<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>vault audit <span class="nb">enable </span>file <span class="nv">file_path</span><span class="o">=</span>/var/log/vault_audit.log </code></pre> </div> <p>Every secret request becomes traceable.</p> <p><strong>AWS CloudTrail</strong></p> <p>IRSA requests appear in CloudTrail automatically.</p> <p>This is one reason identity federation is so operationally attractive.</p> <p><strong>Critical Audit Questions</strong></p> <p>You should always answer:</p> <ul> <li>Who accessed this secret?</li> <li>When?</li> <li>From which workload?</li> <li>Was it expected?</li> <li>Was it anomalous?</li> </ul> <p>Without auditability, incident response becomes guesswork.</p> <p><strong>Migration Playbook: Moving from Hard-Coded to Vault in 4 Weeks</strong></p> <p>Most organisations cannot migrate instantly.</p> <p>They need staged evolution.</p> <p><strong>Week 1: Discovery</strong></p> <p>Identify:</p> <ul> <li>.env files</li> <li>Hardcoded credentials</li> <li>CI secrets</li> <li>Kubernetes Secrets</li> <li>Shared accounts</li> </ul> <p><strong>Week 2: Centralisation</strong></p> <p>Move secrets into:</p> <ul> <li>Vault</li> <li>AWS Secrets Manager</li> <li>GCP Secret Manager</li> </ul> <p>Without changing applications yet.</p> <p><strong>Week 3: Kubernetes Integration</strong></p> <p>Deploy:</p> <ul> <li>ESO</li> <li>Vault Agent Injector</li> <li>IRSA</li> </ul> <p>Start consuming secrets dynamically.</p> <p><strong>Week 4: Rotation and Cleanup</strong></p> <p>Rotate:</p> <ul> <li>Old credentials</li> <li>Shared passwords</li> <li>Long-lived tokens</li> </ul> <p>Then delete legacy storage completely.</p> <p>Not “later.”</p> <p>Immediately.</p> <h2> Multi-Cloud Secrets: Managing Credentials Across AWS, Azure, and GCP </h2> <p>Multi-cloud secrets management becomes operationally difficult quickly.</p> <p><strong>Recommended Strategy</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Use Case</th> <th>Recommended Tool</th> </tr> </thead> <tbody> <tr> <td>AWS-only</td> <td>IRSA + Secrets Manager</td> </tr> <tr> <td>GCP-only</td> <td>Workload Identity + Secret Manager</td> </tr> <tr> <td>Azure-only</td> <td>Managed Identity + Key Vault</td> </tr> <tr> <td>Multi-cloud</td> <td>Vault</td> </tr> </tbody> </table></div> <p>Vault becomes particularly valuable when standardising identity across clouds.</p> <p><strong>Recommended Enterprise Architecture</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Kubernetes Workload ↓ IRSA / Workload Identity ↓ Vault / Cloud Secret Manager ↓ External Secrets Operator ↓ Application Runtime </code></pre> </div> <p>Layered abstractions create operational flexibility.</p> <h2> Common Secrets Management Mistakes </h2> <p><strong>1. Treating Kubernetes Secrets as Secure by Default</strong></p> <p>They are not.</p> <p><strong>2. Never Rotating Credentials</strong></p> <p>Static secrets become permanent liabilities.</p> <p><strong>3. Using Shared Accounts</strong></p> <p>Breaks attribution entirely.</p> <p><strong>4. Giving Vault Excessive Permissions</strong></p> <p>Vault should broker secrets.</p> <p>Not become root over everything.</p> <p><strong>5. Ignoring Audit Logs</strong></p> <p>Visibility matters as much as encryption.</p> <p>Modern secrets management is no longer about hiding passwords.</p> <p>It is about distributing trust safely.</p> <p>The strongest DevOps environments increasingly follow several principles:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Identity over credentials Temporary over permanent Dynamic over static Automated over manual Auditable over opaque </code></pre> </div> <p>IRSA and workload identity eliminate entire classes of cloud credential risk.</p> <p>Vault enables dynamic, short-lived infrastructure authentication.</p> <p>External Secrets Operator creates elegant Kubernetes-native integration.</p> <p>Sealed Secrets simplify GitOps encryption.</p> <p>Each tool has a legitimate role.</p> <p>The mistake is not choosing the wrong product.</p> <p>The mistake is assuming one tool solves every secrets problem equally well.</p> devops programming irsa linux DevSecOps Pipeline in a Day: Automated Security from Commit to Deploy varun varde Tue, 12 May 2026 05:23:00 +0000 https://dev.to/varunvarde/devsecops-pipeline-in-a-day-automated-security-from-commit-to-deploy-1c6h https://dev.to/varunvarde/devsecops-pipeline-in-a-day-automated-security-from-commit-to-deploy-1c6h <p>Security that happens after deployment is already too late.</p> <p>By the time a quarterly penetration test discovers hardcoded secrets, vulnerable containers, or publicly exposed infrastructure, the vulnerable code has usually been in production for months. Sometimes years. The remediation backlog grows. Developers lose context. Security becomes bureaucratic archaeology rather than operational engineering.</p> <p>DevSecOps changes the timing.</p> <p>Instead of treating security as a gate at the end of delivery, it embeds security checks throughout the software lifecycle.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Commit → Build → Test → Scan → Deploy → Monitor </code></pre> </div> <p>Every stage becomes an opportunity to reduce risk automatically.</p> <p>This tutorial builds a complete open-source DevSecOps pipeline in a single day:</p> <ul> <li>Secret detection before commits</li> <li>SAST on every pull request</li> <li>Dependency vulnerability scanning</li> <li>Container image scanning</li> <li>Terraform and Kubernetes IaC scanning</li> <li>DAST against staging environments</li> <li>Centralised vulnerability reporting</li> <li>Security SLA policies</li> </ul> <p>No enterprise security platform required.</p> <h2> The DevSecOps Security Layer Model Where Each Check Lives </h2> <p>Security works best when distributed.</p> <p>Not centralised.</p> <p>Each security control belongs at the earliest operational layer where it can execute effectively.</p> <h2> The Six-Layer Model </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Layer 1 → Developer workstation Layer 2 → Pull request pipeline Layer 3 → Dependency validation Layer 4 → Container security Layer 5 → Infrastructure-as-Code validation Layer 6 → Runtime application testing </code></pre> </div> <p>Every layer catches different failure modes.</p> <h2> Why Layering Matters </h2> <p>No single scanner catches everything.</p> <p>Example</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzlv5etk2eal8d4z6p8z6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzlv5etk2eal8d4z6p8z6.png" alt=" "></a></p> <p>Security becomes resilient through redundancy.</p> <h2> Layer 1: Pre-Commit Hooks — detect-secrets and git-secrets Setup </h2> <p>The cheapest vulnerability to fix is the one that never enters Git history.</p> <p><strong>Installing Pre-Commit Framework</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>pre-commit </code></pre> </div> <p><strong>detect-secrets Configuration</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">repos</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/Yelp/detect-secrets</span> <span class="na">rev</span><span class="pi">:</span> <span class="s">v1.4.0</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">detect-secrets</span> </code></pre> </div> <p>Install hooks<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pre-commit <span class="nb">install</span> </code></pre> </div> <p><strong>git-secrets for AWS Credentials</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git secrets <span class="nt">--install</span> git secrets <span class="nt">--register-aws</span> </code></pre> </div> <p><strong>Example Detection</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS_SECRET_ACCESS_KEY detected Commit rejected </code></pre> </div> <p>This prevents catastrophic credential leakage before CI even starts.</p> <p><strong>Why Pre-Commit Security Matters</strong></p> <p>Secrets committed once often persist forever in Git history.</p> <p>Even after deletion.</p> <p>Prevention beats remediation.</p> <p>Always.</p> <h2> Layer 2: SAST in CI — Semgrep for Application Code </h2> <p>Static Application Security Testing identifies insecure coding patterns before deployment.</p> <p>Semgrep is exceptionally effective because it balances signal quality with developer usability.</p> <p><strong>GitHub Actions SAST Workflow</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">sast</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Semgrep SAST</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">returntocorp/semgrep-action@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="s2">"</span><span class="s">p/owasp-top-ten</span><span class="nv"> </span><span class="s">p/python</span><span class="nv"> </span><span class="s">p/javascript"</span> </code></pre> </div> <p><strong>Example Vulnerability Detection</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">query</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">SELECT * FROM users WHERE id = </span><span class="si">{</span><span class="n">user_input</span><span class="si">}</span><span class="sh">"</span> </code></pre> </div> <p>Semgrep flags<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Possible SQL injection vulnerability </code></pre> </div> <p><strong>Custom Security Rules</strong></p> <p>Production environments eventually require organisation-specific rules.</p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">no-public-s3</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s1">'</span><span class="s">"public-read"'</span> <span class="na">message</span><span class="pi">:</span> <span class="s">Public S3 ACL forbidden</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">ERROR</span> </code></pre> </div> <p><strong>Why SAST Must Run on Every PR</strong></p> <p>Security reviews delayed until release branches create vulnerability bottlenecks.</p> <p>Fast feedback changes behaviour.</p> <p>Delayed feedback creates resentment.</p> <h2> Layer 3: SCA — OWASP Dependency-Check and Trivy for Dependencies </h2> <p>Modern applications inherit more code than they write.</p> <p>Dependency vulnerabilities therefore matter enormously.</p> <p><strong>OWASP Dependency-Check</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dependency-check.sh <span class="se">\</span> <span class="nt">--project</span> app <span class="se">\</span> <span class="nt">--scan</span> <span class="nb">.</span> </code></pre> </div> <p><strong>Trivy Dependency Scan</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>trivy fs <span class="nb">.</span> </code></pre> </div> <p><strong>Example Output</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Critical vulnerability: log4j-core 2.14.1 CVE-2021-44228 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu5a39xvsx2zaid2flmaz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu5a39xvsx2zaid2flmaz.png" alt=" "></a></p> <p><strong>Dependency Update Automation</strong></p> <p>Use Renovate or Dependabot<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="m">2</span> <span class="na">updates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">package-ecosystem</span><span class="pi">:</span> <span class="s">npm</span> <span class="na">schedule</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">daily</span> </code></pre> </div> <p>Automation reduces vulnerability half-life dramatically.</p> <h2> Layer 4: Container Image Scanning — Trivy in Your Docker Build Pipeline </h2> <p>Containers frequently contain:</p> <ul> <li>Vulnerable OS packages</li> <li>Unpatched libraries</li> <li>Misconfigurations</li> <li>Embedded secrets</li> </ul> <p>Scanning them is mandatory.</p> <p><strong>Build and Scan Workflow</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">container-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build image</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t app:${{ github.sha }} .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Trivy vulnerability scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aquasecurity/trivy-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">image-ref</span><span class="pi">:</span> <span class="s">app:${{ github.sha }}</span> <span class="na">exit-code</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="na">severity</span><span class="pi">:</span> <span class="s1">'</span><span class="s">CRITICAL,HIGH'</span> </code></pre> </div> <p><strong>Example Container Findings</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>openssl package vulnerable Severity: HIGH </code></pre> </div> <p><strong>Distroless Images Reduce Attack Surface</strong></p> <p>Instead of<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> ubuntu:22.04</span> </code></pre> </div> <p>Use<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> gcr.io/distroless/static</span> </code></pre> </div> <p>Smaller images. Fewer packages. Fewer CVEs.</p> <h2> Layer 5: IaC Security Scanning — Checkov on Every Terraform Plan </h2> <p>Infrastructure misconfigurations cause some of the most damaging cloud breaches.</p> <p>IaC scanning catches them before deployment.</p> <p><strong>Checkov GitHub Action</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">iac-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkov IaC scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">bridgecrewio/checkov-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">terraform/</span> <span class="na">framework</span><span class="pi">:</span> <span class="s">terraform</span> </code></pre> </div> <p><strong>Example Terraform Misconfiguration</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"bad"</span> <span class="p">{</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Checkov flags<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Security group allows unrestricted ingress </code></pre> </div> <p><strong>Recommended IaC Policies</strong></p> <p>Block:</p> <ul> <li>Public S3 buckets</li> <li>Open security groups</li> <li>Unencrypted databases</li> <li>Unencrypted EBS volumes</li> <li>Wildcard IAM policies</li> </ul> <h2> Layer 6: DAST — OWASP ZAP Against Your Staging Environment </h2> <p>DAST validates runtime behaviour.</p> <p>Unlike SAST, it tests deployed applications directly.</p> <p><strong>OWASP ZAP Docker Scan</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-t</span> owasp/zap2docker-stable <span class="se">\</span> zap-baseline.py <span class="se">\</span> <span class="nt">-t</span> https://staging.example.com </code></pre> </div> <p><strong>CI Integration Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ZAP Scan</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker run -t owasp/zap2docker-stable \</span> <span class="s">zap-baseline.py \</span> <span class="s">-t https://staging.example.com</span> </code></pre> </div> <p><strong>Vulnerabilities DAST Finds Well</strong></p> <ul> <li>XSS</li> <li>Missing headers</li> <li>Insecure cookies</li> <li>Open redirects</li> <li>Authentication weaknesses</li> </ul> <p><strong>Why DAST Complements SAST</strong></p> <p>SAST sees code.</p> <p>DAST sees behaviour.</p> <p>You need both.</p> <p><strong>Centralising Findings in Defect Dojo</strong></p> <p>Without centralisation, findings scatter across tools and become operational noise.</p> <p>Defect Dojo consolidates:</p> <ul> <li>SAST results</li> <li>Dependency scans</li> <li>Container findings</li> <li>DAST reports <strong>Defect Dojo Deployment</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>defectdojo defectdojo/defectdojo </code></pre> </div> <p><strong>Importing Scan Results</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST https://dojo/api/v2/import-scan/ </code></pre> </div> <p><strong>Why Centralisation Matters</strong></p> <p>Security programmes fail when visibility fragments.</p> <p>One dashboard changes operational behaviour.</p> <h2> SLA Policies: How to Treat CRITICAL vs HIGH vs MEDIUM Findings </h2> <p>Not all vulnerabilities deserve identical urgency.</p> <p><strong>Recommended SLA Model</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiwzg6g6wvrj87bu6dkd6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiwzg6g6wvrj87bu6dkd6.png" alt=" "></a></p> <p><strong>CI Enforcement Strategy</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CRITICAL → Block merge HIGH → Fail release MEDIUM → Warn only </code></pre> </div> <p>Security governance must remain operationally realistic.</p> <p>Overly aggressive policies create bypass behaviour.</p> <p>Measuring DevSecOps Effectiveness Mean Time to Remediation</p> <p>Security programmes require measurable outcomes.</p> <p><strong>Core Metrics</strong><br> <strong>Mean Time to Remediation (MTTR)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Discovery → Remediation </code></pre> </div> <p>Shorter is better.</p> <p><strong>Vulnerability Escape Rate</strong></p> <p>How many vulnerabilities reach production?</p> <p><strong>False Positive Rate</strong></p> <p>If scanners create excessive noise<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developers stop trusting alerts </code></pre> </div> <p>Signal quality matters enormously.</p> <p><strong>Coverage Metrics</strong></p> <p>Track:</p> <ul> <li>Repositories scanned</li> <li>Terraform coverage</li> <li>Container coverage</li> <li>Dependency scan adoption</li> </ul> <h2> Full GitHub Actions DevSecOps Workflow </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">DevSecOps Pipeline</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">secrets-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">TruffleHog</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">trufflesecurity/trufflehog@main</span> <span class="na">sast</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Semgrep</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">returntocorp/semgrep-action@v1</span> <span class="na">dependency-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Trivy FS Scan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">trivy fs .</span> <span class="na">container-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t app:${{ github.sha }} .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Trivy Image Scan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">trivy image app:${{ github.sha }}</span> <span class="na">iac-scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkov</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">bridgecrewio/checkov-action@master</span> <span class="na">dast</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">OWASP ZAP</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker run -t owasp/zap2docker-stable \</span> <span class="s">zap-baseline.py \</span> <span class="s">-t https://staging.example.com</span> </code></pre> </div> <h2> Common DevSecOps Mistakes </h2> <p><strong>1. Blocking Everything Immediately</strong></p> <p>Teams bypass pipelines if friction becomes unbearable.</p> <p>Adopt incrementally.</p> <p><strong>2. Ignoring False Positives</strong></p> <p>Poor signal quality destroys developer trust.</p> <p><strong>3. Treating Security as Separate from Engineering</strong></p> <p>Security tooling must integrate into existing workflows.</p> <p>Not create parallel ones.</p> <p><strong>4. No Ownership Model</strong></p> <p>Findings without owners become backlog sediment.</p> <p>DevSecOps is not about inserting security gates into delivery pipelines.</p> <p>It is about making security part of normal engineering behaviour.</p> <p>The most successful DevSecOps environments share several characteristics:</p> <ul> <li>Fast feedback</li> <li>Automated enforcement</li> <li>Low-friction tooling</li> <li>Developer-visible results</li> <li>Incremental adoption</li> </ul> <p>Security stops being ceremonial compliance theatre and becomes operational engineering.</p> <p>And that is the critical shift.</p> <p>Because modern software delivery moves too quickly for security reviews performed weeks after deployment.</p> <p>The only scalable model is continuous security at continuous delivery speed.</p> devsecops devops ai webdev FinOps for DevOps Engineers: The Complete Cloud Cost Optimisation Playbook varun varde Fri, 08 May 2026 12:03:16 +0000 https://dev.to/varunvarde/finops-for-devops-engineers-the-complete-cloud-cost-optimisation-playbook-2ep9 https://dev.to/varunvarde/finops-for-devops-engineers-the-complete-cloud-cost-optimisation-playbook-2ep9 <p>Cloud bills rarely explode because of one catastrophic decision. They grow incrementally. Quietly. A forgotten load balancer here. Overprovisioned Kubernetes nodes there. NAT Gateway traffic multiplying invisibly in the background like fiscal mold behind drywall.</p> <p>Most organisations approach FinOps as a finance exercise. That is a strategic mistake.</p> <p>The engineers provisioning infrastructure are the same engineers best positioned to optimise it. DevOps teams control autoscaling, storage policies, networking topology, observability retention, and workload scheduling. They are not adjacent to cloud cost optimisation. They are the operational epicentre of it.</p> <p>This playbook focuses on practical FinOps implementation for DevOps and platform engineers. Not abstract governance theory. Actual engineering patterns that reduce spend without degrading reliability.</p> <p>The optimisation path is organised by return on investment. Start with visibility. Then tackle compute, storage, networking, Kubernetes, and finally governance automation.</p> <h2> Part 1: Visibility First — Tagging Standards and Cost Attribution </h2> <p>You cannot optimise what you cannot attribute.</p> <p>Most cloud environments fail at cost management because nobody knows which team owns what.</p> <p><strong>The Minimum Viable Tagging Standard</strong></p> <p>Every resource should contain<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">tags</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">team</span> <span class="p">=</span> <span class="s2">"platform-engineering"</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">application</span> <span class="p">=</span> <span class="s2">"checkout-api"</span> <span class="nx">cost-centre</span> <span class="p">=</span> <span class="s2">"ENG-042"</span> <span class="nx">owner</span> <span class="p">=</span> <span class="s2">"payments-team"</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why Tags Matter</strong></p> <p>Without tags<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cloud bill = giant undifferentiated blob </code></pre> </div> <p>With tags<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cloud bill = attributable operational data </code></pre> </div> <p>This changes engineering behaviour immediately.</p> <h2> AWS Cost Allocation Tags </h2> <p>Enable them explicitly<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ce list-cost-allocation-tags </code></pre> </div> <p>Then activate<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Billing Console → Cost Allocation Tags → Activate </code></pre> </div> <h2> Cost Dashboard Strategy </h2> <p>Build dashboards around:</p> <ul> <li><p>Cost by team</p></li> <li><p>Cost by environment</p></li> <li><p>Cost by service</p></li> <li><p>Week-over-week growth</p></li> <li><p>Top anomalous resources</p></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi3s2qml6nzonzlvrmizg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi3s2qml6nzonzlvrmizg.png" alt=" " width="607" height="242"></a></p> <h2> Part 2: Compute Optimisation — Rightsizing, Spot, Graviton </h2> <p>Compute is usually the largest controllable expense category.</p> <p>And most environments are dramatically oversized.</p> <h2> Rightsizing EC2 Instances </h2> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>m5.4xlarge Average CPU: 9% </code></pre> </div> <p>This is not infrastructure. It is financial leakage.</p> <h2> Identify Idle Instances </h2> <p>Using CloudWatch</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphhuu32fnijfwkffgkc1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphhuu32fnijfwkffgkc1.png" alt=" " width="642" height="237"></a></p> <h2> Spot Instances </h2> <p>Spot pricing can reduce costs by 70–90%.</p> <p>Perfect for:</p> <ul> <li><p>CI runners</p></li> <li><p>Batch jobs</p></li> <li><p>Non-critical workloads</p></li> <li><p>Kubernetes worker nodes</p></li> </ul> <p><strong>Terraform Spot Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"spot_worker"</span> <span class="p">{</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"m7g.large"</span> <span class="nx">instance_market_options</span> <span class="p">{</span> <span class="nx">market_type</span> <span class="p">=</span> <span class="s2">"spot"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> AWS Graviton Migration </h2> <p>Graviton instances routinely reduce compute costs by 20–40%.</p> <p><strong>Migration Candidate Checklist</strong></p> <p>Best workloads:</p> <ul> <li>Stateless APIs</li> <li>Containers</li> <li>Node.js</li> <li>Go</li> <li>Java 17+</li> </ul> <p><strong>Kubernetes Node Group Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">eksctl.io/v1alpha5</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterConfig</span> <span class="na">managedNodeGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">graviton-workers</span> <span class="na">instanceType</span><span class="pi">:</span> <span class="s">m7g.large</span> </code></pre> </div> <h2> Part 3: Storage Optimisation — S3 Tiers, EBS, Lifecycle Policies </h2> <p>Storage inefficiency compounds silently over years.</p> <p><strong>S3 Lifecycle Policies</strong></p> <p>The fastest storage win in AWS.</p> <p><strong>Terraform Lifecycle Policy</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_s3_bucket_lifecycle_configuration"</span> <span class="s2">"cost_optimised"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"archive-old-data"</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="nx">transition</span> <span class="p">{</span> <span class="nx">days</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"INTELLIGENT_TIERING"</span> <span class="p">}</span> <span class="nx">transition</span> <span class="p">{</span> <span class="nx">days</span> <span class="p">=</span> <span class="mi">90</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"GLACIER_IR"</span> <span class="p">}</span> <span class="nx">transition</span> <span class="p">{</span> <span class="nx">days</span> <span class="p">=</span> <span class="mi">365</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"DEEP_ARCHIVE"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>EBS Optimisation</strong></p> <p>Common waste patterns:</p> <ul> <li>Detached volumes</li> <li>Oversized gp3 disks</li> <li>Unused snapshots</li> </ul> <p><strong>Find Unattached Volumes</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 describe-volumes <span class="se">\</span> <span class="nt">--filters</span> <span class="nv">Name</span><span class="o">=</span>status,Values<span class="o">=</span>available </code></pre> </div> <p>Unless compliance requires otherwise.</p> <h2> Part 4: Networking Cost Reduction — NAT Gateway, VPC Endpoints, Data Transfer </h2> <p>Networking costs surprise almost everyone.</p> <p>Especially NAT Gateways.</p> <p><strong>NAT Gateway Optimisation</strong></p> <p>NAT Gateway charges include:</p> <ul> <li>Hourly fee</li> <li>Per-GB transfer fee</li> </ul> <p>Large clusters can spend thousands monthly on NAT traffic alone.</p> <p><strong>Replace NAT Traffic with VPC Endpoints</strong></p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_vpc_endpoint"</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service_name</span> <span class="p">=</span> <span class="s2">"com.amazonaws.us-east-1.s3"</span> <span class="p">}</span> </code></pre> </div> <p>This eliminates NAT transfer charges for S3 traffic.</p> <p><strong>Reduce Cross-AZ Traffic</strong></p> <p>Hidden cost source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Service A → AZ-1 Service B → AZ-2 </code></pre> </div> <p>Every request incurs transfer cost.</p> <p><strong>Kubernetes Affinity Rules</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">topologySpreadConstraints</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">topologyKey</span><span class="pi">:</span> <span class="s">topology.kubernetes.io/zone</span> </code></pre> </div> <p>Keep chatty services co-located.</p> <h2> Part 5: Database Cost Optimisation — RDS Rightsizing, Aurora Serverless, Read Replica Pruning </h2> <p>Databases are expensive because teams fear touching them.</p> <p>Reasonably so.</p> <p><strong>RDS Rightsizing</strong></p> <p>Monitor:</p> <ul> <li>CPU</li> <li>Connections</li> <li>IOPS</li> <li>Memory pressure</li> </ul> <p><strong>Example Downsize</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>db.r6g.4xlarge → db.r6g.xlarge </code></pre> </div> <p>Often invisible to applications.</p> <p>Massively visible to finance.</p> <p><strong>Aurora Serverless v2</strong></p> <p>Ideal for:</p> <ul> <li>Variable workloads</li> <li>Internal APIs</li> <li>Intermittent services</li> </ul> <p><strong>Terraform Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">serverlessv2_scaling_configuration</span> <span class="p">{</span> <span class="nx">min_capacity</span> <span class="p">=</span> <span class="mf">0.5</span> <span class="nx">max_capacity</span> <span class="p">=</span> <span class="mi">8</span> <span class="p">}</span> </code></pre> </div> <p><strong>Read Replica Cleanup</strong></p> <p>Common anti-pattern<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Temporary read replica → never removed → costs persist forever </code></pre> </div> <p>Audit quarterly.</p> <h2> Part 6: Reserved Instances &amp; Savings Plans — When to Buy and How Much </h2> <p>Savings Plans are powerful when used correctly.</p> <p>Dangerous when guessed incorrectly.</p> <p><strong>Recommended Strategy</strong></p> <p>Start conservative.</p> <p>Target:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>60–70% baseline utilisation coverage </code></pre> </div> <p>Never 100%.</p> <p><strong>Compute Savings Plans</strong></p> <p>Best default option.</p> <p>Flexible across:</p> <ul> <li>Instance families</li> <li>Regions</li> <li>Compute types</li> </ul> <p><strong>AWS Recommendation API</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ce get-savings-plans-purchase-recommendation </code></pre> </div> <p>Use actual usage history.</p> <p>Not optimism.</p> <h2> Part 7: Kubernetes Cost Optimisation — Bin Packing, Cluster Autoscaler, Spot Node Groups </h2> <p>Kubernetes amplifies both efficiency and waste.</p> <p><strong>Bin Packing</strong></p> <p>Underutilised nodes are financial dead weight.</p> <p><strong>Resource Requests Matter</strong></p> <p>Bad:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">4"</span> </code></pre> </div> <p>Actual usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>300m </code></pre> </div> <p><strong>Goldilocks Recommendation Tool</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">install </span>goldilocks </code></pre> </div> <p>Automatically suggests request sizing.</p> <p><strong>Cluster Autoscaler</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>--balance-similar-node-groups=true </code></pre> </div> <p>Removes idle nodes dynamically.</p> <p><strong>Spot Node Groups</strong></p> <p>Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">capacityType</span><span class="pi">:</span> <span class="s">SPOT</span> </code></pre> </div> <p>Excellent for:</p> <ul> <li>Stateless apps</li> <li>Batch workers</li> <li>CI runners</li> </ul> <h2> Part 8: Monitoring Cost Creep — Alerting on Unexpected Spend Increases </h2> <p>Cost optimisation without monitoring regresses rapidly.</p> <p><strong>Budget Alerts</strong></p> <p>AWS Example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws budgets create-budget </code></pre> </div> <p><strong>Prometheus Cost Alert</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="n">groups:</span> <span class="o">-</span> <span class="n">name:</span> <span class="n">cloud_cost_alerts</span> <span class="n">rules:</span> <span class="o">-</span> <span class="n">alert:</span> <span class="n">MonthlySpendSpike</span> <span class="n">expr:</span> <span class="nb">increase</span><span class="p">(</span><span class="n">cloud_cost_total</span><span class="p">[</span><span class="mi">24h</span><span class="p">])</span> <span class="o">&gt;</span> <span class="mi">1000</span> </code></pre> </div> <p><strong>Slack Notification Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="n">webhook_url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Cloud spend increased unexpectedly</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> </code></pre> </div> <p>Immediate visibility changes behaviour.</p> <p><strong>Part 9: The Monthly Cost Review Checklist</strong></p> <p>The best FinOps teams operationalise review cadence.</p> <p><strong>Monthly Checklist</strong><br> <strong>Compute</strong></p> <ul> <li>Idle instances removed</li> <li>Rightsizing opportunities reviewed</li> <li>Spot coverage audited</li> </ul> <p><strong>Storage</strong></p> <ul> <li>Snapshot retention reviewed</li> <li>Glacier transitions verified</li> <li>Orphaned volumes deleted</li> </ul> <p><strong>Kubernetes</strong></p> <ul> <li>Node utilisation checked</li> <li>Resource requests audited</li> <li>Cluster Autoscaler effectiveness reviewed</li> </ul> <p><strong>Networking</strong></p> <ul> <li>NAT Gateway spend analysed</li> <li>Cross-region traffic reviewed</li> </ul> <p><strong>Databases</strong></p> <ul> <li>Read replicas validated</li> <li>Aurora scaling reviewed</li> </ul> <p><strong>Governance</strong></p> <ul> <li>Untagged resources identified</li> <li>Budget alerts tested</li> </ul> <h2> Appendix: Azure and GCP Equivalents </h2> <p><strong>Compute</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xuavmky3ylbejdfjpjf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4xuavmky3ylbejdfjpjf.png" alt=" " width="770" height="542"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7z3xwsdggqf6cpzuq1m1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7z3xwsdggqf6cpzuq1m1.png" alt=" " width="733" height="152"></a></p> <p>FinOps is not about making infrastructure cheap.</p> <p>It is about making infrastructure intentional.</p> <p>The most effective DevOps teams treat cloud cost as an engineering metric alongside latency, reliability, and deployment frequency.</p> <p>Because every oversized node, forgotten snapshot, or unnecessary NAT transfer represents engineering inefficiency expressed financially.</p> <p>The progression usually looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Visibility → Attribution → Accountability → Optimisation </code></pre> </div> <p>Without visibility, optimisation is guesswork.</p> <p>Without attribution, accountability disappears.</p> <p>Without accountability, cloud spend becomes entropy.</p> <p>But when engineers own both infrastructure reliability and infrastructure economics, something powerful happens:</p> <p>Systems become leaner.<br> Architectures become cleaner.<br> And cloud bills stop being monthly surprises.</p> devops cloud playbook aws The FinOps Starter Kit: Making Cloud Cost Visible in 5 Days varun varde Fri, 01 May 2026 08:29:13 +0000 https://dev.to/varunvarde/the-finops-starter-kit-making-cloud-cost-visible-in-5-days-4d0k https://dev.to/varunvarde/the-finops-starter-kit-making-cloud-cost-visible-in-5-days-4d0k <p>Most cloud cost advice starts at the wrong layer. It jumps straight into optimization tactics Reserved Instances, Spot capacity, aggressive rightsizing without first addressing the more fundamental problem: visibility.</p> <p>Because without visibility, optimization becomes guesswork. And guesswork is expensive.</p> <p>This guide takes a different approach. Five days. No third-party FinOps platforms. Just native tooling, deliberate structure, and a system engineers will actually use.</p> <h2> Day 1: Tagging Strategy The Foundation Everything Else Depends On </h2> <p>Every meaningful cost analysis begins with attribution. Without tags, cost data is a monolith. With tags, it becomes dimensional.</p> <p><strong>Core Tagging Model</strong></p> <p>A minimal, effective tagging schema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"team"</span><span class="p">:</span><span class="w"> </span><span class="s2">"platform"</span><span class="p">,</span><span class="w"> </span><span class="nl">"service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"auth-api"</span><span class="p">,</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"production"</span><span class="p">,</span><span class="w"> </span><span class="nl">"owner"</span><span class="p">:</span><span class="w"> </span><span class="s2">"team-lead"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Enforcing Tags at Resource Creation</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 run-instances <span class="se">\</span> <span class="nt">--image-id</span> ami-123456 <span class="se">\</span> <span class="nt">--tag-specifications</span> <span class="s1">'ResourceType=instance,Tags=[{Key=team,Value=platform},{Key=service,Value=auth-api}]'</span> </code></pre> </div> <p><strong>Tag Compliance Check</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws resourcegroupstaggingapi get-resources <span class="se">\</span> <span class="nt">--tag-filters</span> <span class="nv">Key</span><span class="o">=</span>team </code></pre> </div> <p><strong>Why This Matters</strong></p> <p>Tags are not metadata. They are the index keys for your cost database.</p> <p>No tags → no attribution → no accountability.</p> <h2> Day 2: AWS Cost Explorer API — Pulling Cost Data Programmatically </h2> <p>The console is fine for humans. Systems need APIs.</p> <p><strong>Basic Cost Query</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="n">ce</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">ce</span><span class="sh">'</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">ce</span><span class="p">.</span><span class="nf">get_cost_and_usage</span><span class="p">(</span> <span class="n">TimePeriod</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Start</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2026-04-01</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">End</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2026-04-30</span><span class="sh">"</span><span class="p">},</span> <span class="n">Granularity</span><span class="o">=</span><span class="sh">"</span><span class="s">DAILY</span><span class="sh">"</span><span class="p">,</span> <span class="n">Metrics</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">UnblendedCost</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> </code></pre> </div> <p><strong>Group by Service and Team Tag</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">response</span> <span class="o">=</span> <span class="n">ce</span><span class="p">.</span><span class="nf">get_cost_and_usage</span><span class="p">(</span> <span class="n">TimePeriod</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Start</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2026-04-01</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">End</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2026-04-30</span><span class="sh">"</span><span class="p">},</span> <span class="n">Granularity</span><span class="o">=</span><span class="sh">"</span><span class="s">DAILY</span><span class="sh">"</span><span class="p">,</span> <span class="n">Metrics</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">UnblendedCost</span><span class="sh">"</span><span class="p">],</span> <span class="n">GroupBy</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">DIMENSION</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Key</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">SERVICE</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">TAG</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Key</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">team</span><span class="sh">"</span><span class="p">}</span> <span class="p">]</span> <span class="p">)</span> </code></pre> </div> <p><strong>Key Insight</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cost data is delayed (~24h), but still actionable. </code></pre> </div> <p>This becomes your source of truth. Everything else builds on it.</p> <h2> Day 3: Building Per-Service Cost Dashboards in Grafana </h2> <p>Raw data is inert. Visualization activates it.</p> <p><strong>Architecture</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Cost Explorer → Export Script → JSON/Prometheus → Grafana </code></pre> </div> <p><strong>Example Export Script</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="n">data</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">ResultsByTime</span><span class="sh">"</span><span class="p">]</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">cost.json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dump</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">f</span><span class="p">)</span> </code></pre> </div> <p><strong>Prometheus Metric Format</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="n">aws_cost</span><span class="p">{</span><span class="na">service</span><span class="o">=</span><span class="s2">"EC2"</span><span class="p">,</span><span class="na">team</span><span class="o">=</span><span class="s2">"platform"</span><span class="p">}</span> <span class="mf">123.45</span> </code></pre> </div> <p><strong>Grafana Panel Query</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sum by(service) (aws_cost) </code></pre> </div> <p><strong>Dashboard Views</strong></p> <ul> <li><p>Cost per service</p></li> <li><p>Cost per team</p></li> <li><p>Daily trend lines</p></li> <li><p>Top 10 spenders</p></li> </ul> <p>Good dashboards don’t overwhelm. They illuminate.</p> <h2> Day 4: Anomaly Detection Alerting When Cost Spikes Unexpectedly </h2> <p>Spikes happen. Some are valid. Others are not.</p> <p>Detection must be immediate.</p> <p><strong>Simple Threshold Alert</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws_cost_daily &gt; 500 </code></pre> </div> <p><strong>Deviation-Based Alert</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws_cost_daily &gt; avg_over_time(aws_cost_daily[7d]) * 1.5 </code></pre> </div> <p><strong>CloudWatch Anomaly Detection</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudwatch put-anomaly-detector <span class="se">\</span> <span class="nt">--metric-name</span> EstimatedCharges <span class="se">\</span> <span class="nt">--namespace</span> AWS/Billing </code></pre> </div> <p><strong>Alert Routing</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Alert → SNS → Slack / Email </code></pre> </div> <p>Short spikes matter. Long drifts matter more.</p> <p>Both need visibility.</p> <h2> Day 5: The Weekly Cost Digest Automated Slack Report Per Team </h2> <p>Dashboards are passive. Digests are proactive.</p> <p>Engineers rarely check dashboards. They read Slack.</p> <p><strong>Weekly Cost Digest Script</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># cost_digest.py Weekly per-team cost report to Slack </span><span class="kn">import</span> <span class="n">boto3</span><span class="p">,</span> <span class="n">json</span><span class="p">,</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">slack_sdk</span> <span class="kn">import</span> <span class="n">WebClient</span> <span class="n">ce</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">ce</span><span class="sh">'</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">'</span><span class="s">us-east-1</span><span class="sh">'</span><span class="p">)</span> <span class="n">slack</span> <span class="o">=</span> <span class="nc">WebClient</span><span class="p">(</span><span class="n">token</span><span class="o">=</span><span class="sh">"</span><span class="s">YOUR_SLACK_TOKEN</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_team_costs</span><span class="p">(</span><span class="n">team_tag</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">days</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">7</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">end</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="n">date</span><span class="p">.</span><span class="nf">today</span><span class="p">()</span> <span class="n">start</span> <span class="o">=</span> <span class="n">end</span> <span class="o">-</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">days</span><span class="o">=</span><span class="n">days</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">ce</span><span class="p">.</span><span class="nf">get_cost_and_usage</span><span class="p">(</span> <span class="n">TimePeriod</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Start</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">start</span><span class="p">),</span> <span class="sh">"</span><span class="s">End</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">end</span><span class="p">)},</span> <span class="n">Granularity</span><span class="o">=</span><span class="sh">"</span><span class="s">DAILY</span><span class="sh">"</span><span class="p">,</span> <span class="n">Filter</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Tags</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">Key</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">team</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Values</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="n">team_tag</span><span class="p">],</span> <span class="sh">"</span><span class="s">MatchOptions</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">EQUALS</span><span class="sh">"</span><span class="p">]}},</span> <span class="n">Metrics</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">UnblendedCost</span><span class="sh">"</span><span class="p">],</span> <span class="n">GroupBy</span><span class="o">=</span><span class="p">[{</span><span class="sh">"</span><span class="s">Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">DIMENSION</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Key</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">SERVICE</span><span class="sh">"</span><span class="p">}]</span> <span class="p">)</span> <span class="n">totals</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">result</span> <span class="ow">in</span> <span class="n">resp</span><span class="p">[</span><span class="sh">"</span><span class="s">ResultsByTime</span><span class="sh">"</span><span class="p">]:</span> <span class="k">for</span> <span class="n">group</span> <span class="ow">in</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">Groups</span><span class="sh">"</span><span class="p">]:</span> <span class="n">svc</span> <span class="o">=</span> <span class="n">group</span><span class="p">[</span><span class="sh">"</span><span class="s">Keys</span><span class="sh">"</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="n">cost</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">group</span><span class="p">[</span><span class="sh">"</span><span class="s">Metrics</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">UnblendedCost</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">Amount</span><span class="sh">"</span><span class="p">])</span> <span class="n">totals</span><span class="p">[</span><span class="n">svc</span><span class="p">]</span> <span class="o">=</span> <span class="n">totals</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">svc</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">cost</span> <span class="k">return</span> <span class="n">totals</span> <span class="k">def</span> <span class="nf">post_digest</span><span class="p">(</span><span class="n">team</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">channel</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">costs</span> <span class="o">=</span> <span class="nf">get_team_costs</span><span class="p">(</span><span class="n">team</span><span class="p">)</span> <span class="n">total</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">costs</span><span class="p">.</span><span class="nf">values</span><span class="p">())</span> <span class="n">lines</span> <span class="o">=</span> <span class="p">[</span> <span class="sa">f</span><span class="sh">"</span><span class="s">*Weekly Cloud Cost Digest — Team: </span><span class="si">{</span><span class="n">team</span><span class="si">}</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Total (last 7 days): *$</span><span class="si">{</span><span class="n">total</span><span class="si">:</span><span class="p">,.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">*</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span> <span class="p">]</span> <span class="k">for</span> <span class="n">svc</span><span class="p">,</span> <span class="n">cost</span> <span class="ow">in</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">costs</span><span class="p">.</span><span class="nf">items</span><span class="p">(),</span> <span class="n">key</span><span class="o">=</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="o">-</span><span class="n">x</span><span class="p">[</span><span class="mi">1</span><span class="p">])[:</span><span class="mi">8</span><span class="p">]:</span> <span class="n">lines</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> • </span><span class="si">{</span><span class="n">svc</span><span class="si">}</span><span class="s">: $</span><span class="si">{</span><span class="n">cost</span><span class="si">:</span><span class="p">,.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">slack</span><span class="p">.</span><span class="nf">chat_postMessage</span><span class="p">(</span><span class="n">channel</span><span class="o">=</span><span class="n">channel</span><span class="p">,</span> <span class="n">text</span><span class="o">=</span><span class="sh">"</span><span class="se">\n</span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">lines</span><span class="p">))</span> <span class="c1"># Run weekly via EventBridge scheduled rule </span><span class="nf">post_digest</span><span class="p">(</span><span class="sh">"</span><span class="s">platform-team</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">#platform-costs</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><strong>Scheduling with EventBridge</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws events put-rule <span class="se">\</span> <span class="nt">--schedule-expression</span> <span class="s2">"cron(0 9 ? * MON *)"</span> </code></pre> </div> <p>This creates a ritual. A cadence. Cost becomes visible and social.</p> <p><strong>Bonus: Cost-per-Request Metrics Using CloudWatch + Lambda</strong></p> <p>Absolute cost is useful. Unit cost is transformative.</p> <p><strong>Custom Metric Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="n">cloudwatch</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">cloudwatch</span><span class="sh">'</span><span class="p">)</span> <span class="n">cloudwatch</span><span class="p">.</span><span class="nf">put_metric_data</span><span class="p">(</span> <span class="n">Namespace</span><span class="o">=</span><span class="sh">'</span><span class="s">AppMetrics</span><span class="sh">'</span><span class="p">,</span> <span class="n">MetricData</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span> <span class="sh">'</span><span class="s">MetricName</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">CostPerRequest</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Value</span><span class="sh">'</span><span class="p">:</span> <span class="mf">0.002</span> <span class="p">}</span> <span class="p">]</span> <span class="p">)</span> </code></pre> </div> <p><strong>Formula</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cost per request = Total service cost / Total requests </code></pre> </div> <p>Now teams optimize efficiency not just spend.</p> <h2> Azure and GCP Equivalents </h2> <p><strong>Azure</strong></p> <ul> <li><p>Cost Management API</p></li> <li><p>Azure Monitor</p></li> <li><p>Tags via Resource Manager</p></li> </ul> <p><strong>GCP</strong></p> <ul> <li><p>Billing Export to BigQuery</p></li> <li><p>Looker Studio dashboards</p></li> <li><p>Labels for resource tagging</p></li> </ul> <p>The principles remain identical. Only the APIs differ.</p> <h2> Common Tagging Mistakes (and How to Fix Them) </h2> <p><strong>1. Inconsistent Tag Keys</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>team vs Team vs TEAM </code></pre> </div> <p>Fix: Enforce via policy.</p> <p><strong>2. Missing Tags on Critical Resources</strong></p> <p>Fix: Use SCPs or IAM policies<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ec2:RunInstances"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Null"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:RequestTag/team"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>3. Over-Tagging</strong></p> <p>Too many tags dilute clarity.</p> <p>Fix: Keep it minimal. Intentional.</p> <p>FinOps does not begin with optimization. It begins with visibility.</p> <p>In five days:</p> <ul> <li><p>Costs become attributable</p></li> <li><p>Dashboards become actionable</p></li> <li><p>Alerts become immediate</p></li> <li><p>Engineers become accountable</p></li> </ul> <p>And something subtle happens.</p> <p>Cost stops being a finance concern. It becomes an engineering signal.</p> <p>That shift quiet, structural, and profound is where real savings begin.</p> cloud devops finops aws Your First LLMOps Pipeline: From Prompt to Production in One Sprint varun varde Tue, 21 Apr 2026 04:37:00 +0000 https://dev.to/varunvarde/your-first-llmops-pipeline-from-prompt-to-production-in-one-sprint-4ppp https://dev.to/varunvarde/your-first-llmops-pipeline-from-prompt-to-production-in-one-sprint-4ppp <p>AI applications don’t behave like traditional systems. They don’t fail cleanly. They don’t produce identical outputs for identical inputs. And they don’t lend themselves to binary testing pass or fail.</p> <p>Instead, they operate in gradients. Probabilities. Trade-offs.</p> <p>That is precisely why applying standard DevOps or MLOps practices without adaptation often leads to brittle pipelines and unreliable outcomes.</p> <p>This guide walks through a complete LLMOps pipeline practical, production-ready, and deployable within a single sprint.</p> <h2> LLMOps vs MLOps vs DevOps - The Operational Model Differences </h2> <p>Traditional DevOps assumes determinism<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Input → Code → Output (predictable) </code></pre> </div> <p>MLOps introduces probabilistic behavior but still focuses on trained models<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Input → Model → Prediction (statistical) </code></pre> </div> <p>LLMOps shifts the paradigm further<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Input → Prompt + Model → Generated Output (non-deterministic) </code></pre> </div> <p>Key distinctions</p> <ul> <li><p>Outputs vary even with identical inputs</p></li> <li><p>Prompt design is as critical as code</p></li> <li><p>Latency and cost are tied to tokens, not just compute</p></li> </ul> <p>This necessitates new operational primitives.</p> <h2> Prompt Versioning: Treating Prompts as Code </h2> <p>Prompts are no longer ephemeral strings. They are artifacts.</p> <p>Store them in Git<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/prompts/ summarization/ v1.0.0.txt v1.1.0.txt </code></pre> </div> <p>Example prompt<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># v2.3.1 Summarize the following text in 3 bullet points with a professional tone: </code></pre> </div> <p>Reference prompts explicitly in code<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">PROMPT_VERSION</span> <span class="o">=</span> <span class="sh">"</span><span class="s">v2.3.1</span><span class="sh">"</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">prompts/summarization/</span><span class="si">{</span><span class="n">PROMPT_VERSION</span><span class="si">}</span><span class="s">.txt</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">prompt_template</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> </code></pre> </div> <p>Never use latest. Ambiguity is the enemy of reproducibility.</p> <h2> Evaluation Frameworks: How to Test LLM Outputs </h2> <p>Testing LLMs requires nuance. Exact matches are rare. Evaluation must be semantic.</p> <p>Example using a scoring function<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">evaluate_output</span><span class="p">(</span><span class="n">expected</span><span class="p">,</span> <span class="n">actual</span><span class="p">):</span> <span class="k">return</span> <span class="nf">similarity_score</span><span class="p">(</span><span class="n">expected</span><span class="p">,</span> <span class="n">actual</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mf">0.85</span> </code></pre> </div> <p>Dataset-driven testing<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"input"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Explain Kubernetes"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expected"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Container orchestration platform"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>Run batch evaluations<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">python evaluate.py --dataset test_cases.json </span></code></pre> </div> <p>Metrics to track</p> <ul> <li><p>Relevance</p></li> <li><p>Coherence</p></li> <li><p>Hallucination rate</p></li> </ul> <p>Testing becomes statistical—not absolute.</p> <h2> CI/CD for LLM Applications: What to Run on Every PR </h2> <p>CI pipelines must evolve.</p> <p>A minimal LLM CI pipeline<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">LLM CI</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">python evaluate.py</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">python lint_prompts.py</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">python cost_estimator.py</span> </code></pre> </div> <p>Checks include</p> <ul> <li><p>Prompt syntax validation</p></li> <li><p>Regression detection in outputs</p></li> <li><p>Cost estimation per request</p></li> </ul> <p>A failing evaluation blocks the merge. Quality is enforced early.</p> <h2> Deployment Patterns: Blue-Green and Canary </h2> <p>Non-determinism demands cautious rollout.</p> <p><strong>Blue-Green Deployment</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>version: v1 (blue) version: v2 (green) </code></pre> </div> <p>Switch traffic atomically.</p> <p><strong>Canary Deployment</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">traffic</span><span class="pi">:</span> <span class="na">v1</span><span class="pi">:</span> <span class="s">90%</span> <span class="na">v2</span><span class="pi">:</span> <span class="s">10%</span> </code></pre> </div> <p>Monitor performance before full rollout.</p> <p>Example Kubernetes snippet<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">llm-service-v2</span> </code></pre> </div> <p>Observe behavior before committing fully.</p> <h2> Observability: Traces, Latency, and Token Costs </h2> <p>Observability must capture more than uptime.</p> <p><strong>Tracing</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">opentelemetry</span> <span class="kn">import</span> <span class="n">trace</span> <span class="n">tracer</span> <span class="o">=</span> <span class="n">trace</span><span class="p">.</span><span class="nf">get_tracer</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">with</span> <span class="n">tracer</span><span class="p">.</span><span class="nf">start_as_current_span</span><span class="p">(</span><span class="sh">"</span><span class="s">llm_request</span><span class="sh">"</span><span class="p">):</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">call_llm</span><span class="p">()</span> </code></pre> </div> <p><strong>Metrics</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="nb">histogram_quantile</span><span class="p">(</span><span class="mf">0.95</span><span class="p">,</span> <span class="nb">rate</span><span class="p">(</span><span class="n">llm_latency_seconds_bucket</span><span class="p">[</span><span class="mi">5m</span><span class="p">]))</span> </code></pre> </div> <p><strong>Cost Tracking</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="nf">sum</span><span class="p">(</span><span class="nb">increase</span><span class="p">(</span><span class="n">llm_tokens_total</span><span class="p">[</span><span class="mi">1h</span><span class="p">]))</span> <span class="o">*</span> <span class="mf">0.000002</span> </code></pre> </div> <p>Dashboards should answer</p> <ul> <li><p>How fast?</p></li> <li><p>How expensive?</p></li> <li><p>How reliable?</p></li> </ul> <h2> Guardrails: Output Validation and Fallback Chains </h2> <p>LLMs can produce unexpected outputs. Guardrails mitigate risk.</p> <p><strong>Validation Example</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">validate_output</span><span class="p">(</span><span class="n">output</span><span class="p">):</span> <span class="k">return</span> <span class="sh">"</span><span class="s">forbidden_word</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">output</span> </code></pre> </div> <p><strong>Fallback Chain</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">call_primary_model</span><span class="p">()</span> <span class="k">except</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">call_secondary_model</span><span class="p">()</span> </code></pre> </div> <p><strong>Content Filtering</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="nf">toxicity_score</span><span class="p">(</span><span class="n">output</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mf">0.7</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Content not allowed</span><span class="sh">"</span> </code></pre> </div> <p>Guardrails are not optional. They are essential.</p> <h2> Cost Controls: Token Budgets and Rate Limiting </h2> <p>Costs scale with usage. Left unchecked, they escalate rapidly.</p> <p><strong>Token Limits</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">MAX_TOKENS</span> <span class="o">=</span> <span class="mi">2000</span> </code></pre> </div> <p><strong>Rate Limiting</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">requests_per_minute</span> <span class="o">&gt;</span> <span class="mi">100</span><span class="p">:</span> <span class="nf">reject_request</span><span class="p">()</span> </code></pre> </div> <p><strong>Budget Enforcement</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">monthly_tokens</span> <span class="o">&gt;</span> <span class="n">budget</span><span class="p">:</span> <span class="nf">disable_non_critical_features</span><span class="p">()</span> </code></pre> </div> <p>Cost awareness must be embedded in the system—not retrofitted.</p> <h2> Human-in-the-Loop Workflows </h2> <p>For high-stakes decisions, automation alone is insufficient.</p> <p><strong>Approval Workflow</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>LLM Output → Human Review → Final Decision </code></pre> </div> <p><strong>Queue System</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">confidence_score</span> <span class="o">&lt;</span> <span class="mf">0.8</span><span class="p">:</span> <span class="nf">send_to_review_queue</span><span class="p">()</span> </code></pre> </div> <p>Humans provide judgment where models provide probability.</p> <h2> Complete Example: Production-Ready LLM Pipeline on Kubernetes </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># llm-pipeline-values.yaml — Kubernetes deployment with cost + observability</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">llm-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">llm-service</span> <span class="na">image</span><span class="pi">:</span> <span class="s">your-org/llm-service:v1.2.0</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MAX_TOKENS_PER_REQUEST</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2000"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MONTHLY_TOKEN_BUDGET</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10000000"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">OTEL_EXPORTER_OTLP_ENDPOINT</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://otel-collector:4317"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PROMPT_VERSION</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">v2.3.1"</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">monitoring.coreos.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PrometheusRule</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">llm-cost-alerts</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">llm_cost</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">LLMDailySpendHigh</span> <span class="na">expr</span><span class="pi">:</span> <span class="s">sum(increase(llm_tokens_total[24h])) * 0.000002 &gt; </span><span class="m">50</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">LLM</span><span class="nv"> </span><span class="s">daily</span><span class="nv"> </span><span class="s">spend</span><span class="nv"> </span><span class="s">exceeding</span><span class="nv"> </span><span class="s">$50</span><span class="nv"> </span><span class="s">threshold"</span> </code></pre> </div> <p>This configuration encapsulates</p> <ul> <li><p>Versioned prompts</p></li> <li><p>Observability hooks</p></li> <li><p>Cost safeguards</p></li> <li><p>Scalable deployment</p></li> </ul> <p>LLMOps is not an extension of DevOps. It is a rethinking.</p> <p>Systems are no longer deterministic. Testing is no longer binary. Costs are no longer predictable.</p> <p>Yet, with the right structure versioning, evaluation, observability, and control—the uncertainty becomes manageable. Even advantageous.</p> <p>A well-designed LLMOps pipeline does not eliminate unpredictability. It harnesses it.</p> ai devops kubernetes llmops Building Production-Grade Observability: OpenTelemetry + Grafana Stack varun varde Tue, 14 Apr 2026 09:05:05 +0000 https://dev.to/varunvarde/building-production-grade-observability-opentelemetry-grafana-stack-9mc https://dev.to/varunvarde/building-production-grade-observability-opentelemetry-grafana-stack-9mc <p>Stop guessing what's broken in production. Here's a complete, deploy-it-this-week observability stack built on OpenTelemetry and Grafana — the same stack I've deployed for three clients in the last 18 months.</p> <p>This isn't a toy setup. This is production-grade: traces, metrics, and logs unified under a single pane of glass, with auto-instrumentation for the most common runtimes, alerting that pages on symptoms not causes, and dashboards your non-SRE teammates can actually read.</p> <p>What you'll build:</p> <ul> <li><p>OpenTelemetry Collector (gateway mode) for vendor-agnostic telemetry collection</p></li> <li><p>Grafana Tempo for distributed tracing</p></li> <li><p>Prometheus + Grafana Mimir for metrics at scale</p></li> <li><p>Loki for structured log aggregation</p></li> <li><p>Grafana dashboards with pre-built SLO panels</p></li> <li><p>AlertManager rules tied to error budgets</p></li> </ul> <p>Prerequisites: Kubernetes 1.25+, Helm 3, basic familiarity with YAML. Estimated time: 3–5 hours end to end.</p> <h2> Why OpenTelemetry? The vendor-lock argument settled once and for all </h2> <p>You’ve heard it before: “Just use Datadog.” Then the bill arrives. Or “Use Prometheus alone.” Then you lose traces.</p> <p>OpenTelemetry (OTel) is the single CNCF standard for generating and exporting telemetry data. Here’s why it wins:</p> <ul> <li><p>One instrumentation, many backends: Instrument your app once with OTel SDKs. Send to Tempo, Jaeger, Datadog, or New Relic simultaneously.</p></li> <li><p>No vendor lock-in: Your telemetry data remains in your control (S3 for traces, block storage for metrics).</p></li> <li><p>Automatic context propagation: Trace IDs flow seamlessly across services, even across different languages (Java → Python → Node.js).</p></li> <li><p>Future-proof: New backends emerge? Point your OTel Collector there. No code changes.</p></li> </ul> <p>The bottom line: OTel is the USB-C of observability. Stop writing custom exporters.</p> <h2> Architecture overview: Collector, Backends, Visualization </h2> <p>Here’s what you’re deploying:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Your App] --(OTLP)--&gt; [OTel Collector (Gateway)] --+--&gt; [Tempo] (traces) +--&gt; [Mimir] (metrics) +--&gt; [Loki] (logs) | [Grafana] (visualization) | [AlertManager] (paging) </code></pre> </div> <ul> <li><p>OTel Collector (Gateway mode): Receives OTLP from all services. Validates, batches, and routes telemetry. Single ingress point.</p></li> <li><p>Tempo: Object-storage-backed tracing. Cheap, scalable, no indexing costs.</p></li> <li><p>Mimir: Horizontally scalable Prometheus-compatible metrics store.</p></li> <li><p>Loki: Log aggregation with low-cost object storage.</p></li> <li><p>Grafana: Unified UI with Explore, dashboards, and alerting.</p></li> <li><p>AlertManager: Deduplicates, groups, and routes alerts to PagerDuty/Slack.</p></li> </ul> <p>Storage requirements (minimal): 50GB for Loki, 100GB for Tempo (can use S3/GCS/MinIO), 50GB for Mimir.</p> <h2> Installing the OTel Collector (gateway mode Helm values) </h2> <p>Create otel-collector-values.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mode</span><span class="pi">:</span> <span class="s">deployment</span> <span class="c1"># gateway mode (as opposed to daemonset for agent mode)</span> <span class="na">config</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="na">otlp</span><span class="pi">:</span> <span class="na">protocols</span><span class="pi">:</span> <span class="na">grpc</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">0.0.0.0:4317</span> <span class="na">http</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">0.0.0.0:4318</span> <span class="na">processors</span><span class="pi">:</span> <span class="na">batch</span><span class="pi">:</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">1s</span> <span class="na">send_batch_size</span><span class="pi">:</span> <span class="m">1024</span> <span class="na">memory_limiter</span><span class="pi">:</span> <span class="na">check_interval</span><span class="pi">:</span> <span class="s">1s</span> <span class="na">limit_mib</span><span class="pi">:</span> <span class="m">512</span> <span class="na">attributes</span><span class="pi">:</span> <span class="na">actions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">environment</span> <span class="na">value</span><span class="pi">:</span> <span class="s">production</span> <span class="na">action</span><span class="pi">:</span> <span class="s">upsert</span> <span class="na">exporters</span><span class="pi">:</span> <span class="na">otlp/tempo</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">tempo-distributor:4317"</span> <span class="na">tls</span><span class="pi">:</span> <span class="na">insecure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">prometheusremotewrite/mimir</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://mimir-distributor:8080/api/v1/push"</span> <span class="na">loki</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://loki-gateway:3100/loki/api/v1/push"</span> <span class="na">service</span><span class="pi">:</span> <span class="na">pipelines</span><span class="pi">:</span> <span class="na">traces</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">otlp</span><span class="pi">]</span> <span class="na">processors</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">memory_limiter</span><span class="pi">,</span> <span class="nv">batch</span><span class="pi">,</span> <span class="nv">attributes</span><span class="pi">]</span> <span class="na">exporters</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">otlp/tempo</span><span class="pi">]</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">otlp</span><span class="pi">]</span> <span class="na">processors</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">memory_limiter</span><span class="pi">,</span> <span class="nv">batch</span><span class="pi">]</span> <span class="na">exporters</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">prometheusremotewrite/mimir</span><span class="pi">]</span> <span class="na">logs</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">otlp</span><span class="pi">]</span> <span class="na">processors</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">memory_limiter</span><span class="pi">,</span> <span class="nv">batch</span><span class="pi">]</span> <span class="na">exporters</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">loki</span><span class="pi">]</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts helm upgrade <span class="nt">--install</span> otel-collector open-telemetry/opentelemetry-collector <span class="nt">-f</span> otel-collector-values.yaml </code></pre> </div> <h2> Auto-instrumentation: Java, Python, Node.js, Go </h2> <p>No code changes for traces/metrics/logs. Use OTel's auto-instrumentation agents.</p> <p><strong>Java (Spring Boot, any JVM app)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">ENV</span><span class="s"> JAVA_TOOL_OPTIONS="-javaagent:/otel/opentelemetry-javaagent.jar"</span> <span class="k">ENV</span><span class="s"> OTEL_SERVICE_NAME=payment-service</span> <span class="k">ENV</span><span class="s"> OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4317</span> </code></pre> </div> <p><strong>Python (Django, Flask, FastAPI)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>opentelemetry-distro opentelemetry-exporter-otlp opentelemetry-bootstrap <span class="nt">-a</span> <span class="nb">install </span>otel-instrument <span class="se">\</span> <span class="nt">--service_name</span> checkout-service <span class="se">\</span> <span class="nt">--exporter_otlp_endpoint</span> http://otel-collector:4317 <span class="se">\</span> python app.py </code></pre> </div> <p><strong>Node.js (Express, NestJS)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @opentelemetry/auto-instrumentations-node npx opentelemetry-instrument <span class="se">\</span> <span class="nt">--service_name</span><span class="o">=</span>api-gateway <span class="se">\</span> <span class="nt">--exporter_otlp_endpoint</span><span class="o">=</span>http://otel-collector:4317 <span class="se">\</span> node server.js </code></pre> </div> <p><strong>Go (manual instrumentation required, but minimal)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"go.opentelemetry.io/otel"</span> <span class="s">"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">initTracer</span><span class="p">()</span> <span class="p">{</span> <span class="n">exporter</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">otlptracegrpc</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">otlptracegrpc</span><span class="o">.</span><span class="n">WithEndpoint</span><span class="p">(</span><span class="s">"otel-collector:4317"</span><span class="p">),</span> <span class="n">otlptracegrpc</span><span class="o">.</span><span class="n">WithInsecure</span><span class="p">())</span> <span class="c">// ... standard setup (5 lines)</span> <span class="p">}</span> </code></pre> </div> <p>Verify: Check Collector logs for TraceID spans.</p> <h2> Deploying Tempo for distributed tracing </h2> <p>Tempo is designed for cost-effective tracing. It stores traces in object storage (S3/MinIO) and indexes only by trace ID.</p> <p>tempo-values.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">tempo</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="na">trace</span><span class="pi">:</span> <span class="na">backend</span><span class="pi">:</span> <span class="s">s3</span> <span class="na">s3</span><span class="pi">:</span> <span class="na">bucket</span><span class="pi">:</span> <span class="s">tempo-traces</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">minio.minio:9000</span> <span class="na">access_key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">secret_key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">insecure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">pool</span><span class="pi">:</span> <span class="na">max_workers</span><span class="pi">:</span> <span class="m">100</span> <span class="na">queue_depth</span><span class="pi">:</span> <span class="m">10000</span> <span class="na">overrides</span><span class="pi">:</span> <span class="na">defaults</span><span class="pi">:</span> <span class="na">ingestion</span><span class="pi">:</span> <span class="na">rate_limit_bytes</span><span class="pi">:</span> <span class="m">15000000</span> <span class="c1"># 15MB/s</span> <span class="na">burst_size_bytes</span><span class="pi">:</span> <span class="m">20000000</span> <span class="na">distributor</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">receivers</span><span class="pi">:</span> <span class="na">otlp</span><span class="pi">:</span> <span class="na">protocols</span><span class="pi">:</span> <span class="na">grpc</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0:4317"</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add grafana https://grafana.github.io/helm-charts helm upgrade <span class="nt">--install</span> tempo grafana/tempo <span class="nt">-f</span> tempo-values.yaml </code></pre> </div> <p>Query Tempo from Grafana: Add data source → Tempo → URL: <a href="http://tempo-query-frontend:16686" rel="noopener noreferrer">http://tempo-query-frontend:16686</a></p> <h2> Prometheus + Mimir for long-term metrics storage </h2> <p>Mimir replaces single-instance Prometheus. It provides horizontal scaling, replication, and long-term retention.</p> <p>mimir-values.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mimir</span><span class="pi">:</span> <span class="na">structuredConfig</span><span class="pi">:</span> <span class="na">blocks_storage</span><span class="pi">:</span> <span class="na">backend</span><span class="pi">:</span> <span class="s">s3</span> <span class="na">s3</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">minio.minio:9000</span> <span class="na">bucket_name</span><span class="pi">:</span> <span class="s">mimir-blocks</span> <span class="na">access_key_id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">secret_access_key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">insecure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">ingester</span><span class="pi">:</span> <span class="na">ring</span><span class="pi">:</span> <span class="na">replication_factor</span><span class="pi">:</span> <span class="m">3</span> <span class="c1"># for HA</span> <span class="na">ruler</span><span class="pi">:</span> <span class="na">rule_path</span><span class="pi">:</span> <span class="s">/data/rules</span> <span class="na">alertmanager_url</span><span class="pi">:</span> <span class="s">http://alertmanager:9093</span> <span class="na">ingester</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">distributor</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">querier</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade <span class="nt">--install</span> mimir grafana/mimir <span class="nt">-f</span> mimir-values.yaml </code></pre> </div> <p><strong>Migrate existing Prometheus data</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>promtool tsdb create-blocks-from-rules <span class="nt">--rules-file</span><span class="o">=</span>recording-rules.yaml data/ </code></pre> </div> <p>Then point Prometheus remote write to <a href="http://mimir-distributor:8080/api/v1/push" rel="noopener noreferrer">http://mimir-distributor:8080/api/v1/push</a>.</p> <h2> Loki for log aggregation with structured querying </h2> <p>Loki is like Prometheus for logs. It indexes only labels, not full text, making it cheap at scale.</p> <p>loki-values.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">loki</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">s3</span> <span class="na">s3</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s">minio.minio:9000</span> <span class="na">bucketnames</span><span class="pi">:</span> <span class="s">loki-chunks</span> <span class="na">access_key_id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">secret_access_key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">minioadmin"</span> <span class="na">s3forcepathstyle</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">insecure</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">schemaConfig</span><span class="pi">:</span> <span class="na">configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="s">2024-01-01</span> <span class="na">store</span><span class="pi">:</span> <span class="s">boltdb-shipper</span> <span class="na">object_store</span><span class="pi">:</span> <span class="s">s3</span> <span class="na">schema</span><span class="pi">:</span> <span class="s">v12</span> <span class="na">index</span><span class="pi">:</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s">loki_index_</span> <span class="na">period</span><span class="pi">:</span> <span class="s">24h</span> <span class="na">limits_config</span><span class="pi">:</span> <span class="na">ingestion_rate_mb</span><span class="pi">:</span> <span class="m">10</span> <span class="na">ingestion_burst_size_mb</span><span class="pi">:</span> <span class="m">20</span> <span class="na">max_global_streams_per_user</span><span class="pi">:</span> <span class="m">10000</span> <span class="na">chunk_store_config</span><span class="pi">:</span> <span class="na">max_look_back_period</span><span class="pi">:</span> <span class="s">672h</span> <span class="c1"># 28 days</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade <span class="nt">--install</span> loki grafana/loki <span class="nt">-f</span> loki-values.yaml </code></pre> </div> <p><strong>Query example (LogQL)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{namespace="production", app="payment-service"} |= "error" | json | latency_ms &gt; 500 | line_format "{{.trace_id}} - {{.message}}" </code></pre> </div> <h2> Grafana: Connecting all three data sources </h2> <p>grafana-values.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">datasources</span><span class="pi">:</span> <span class="na">datasources.yaml</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="m">1</span> <span class="na">datasources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Prometheus-Mimir</span> <span class="na">type</span><span class="pi">:</span> <span class="s">prometheus</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://mimir-query-frontend:8080/prometheus</span> <span class="na">access</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">isDefault</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Tempo</span> <span class="na">type</span><span class="pi">:</span> <span class="s">tempo</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://tempo-query-frontend:16686</span> <span class="na">access</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">jsonData</span><span class="pi">:</span> <span class="na">tracesToLogs</span><span class="pi">:</span> <span class="na">datasourceUid</span><span class="pi">:</span> <span class="s1">'</span><span class="s">loki'</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">service.name'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">pod'</span><span class="pi">]</span> <span class="na">serviceMap</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Loki</span> <span class="na">type</span><span class="pi">:</span> <span class="s">loki</span> <span class="na">url</span><span class="pi">:</span> <span class="s">http://loki-gateway:3100</span> <span class="na">access</span><span class="pi">:</span> <span class="s">proxy</span> <span class="na">jsonData</span><span class="pi">:</span> <span class="na">derivedFields</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">trace_id</span> <span class="na">matcherRegex</span><span class="pi">:</span> <span class="s1">'</span><span class="s">trace_id=(\w+)'</span> <span class="na">url</span><span class="pi">:</span> <span class="s1">'</span><span class="s">$${__value.raw}'</span> <span class="na">datasourceUid</span><span class="pi">:</span> <span class="s1">'</span><span class="s">tempo'</span> <span class="na">dashboardProviders</span><span class="pi">:</span> <span class="na">dashboardproviders.yaml</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="m">1</span> <span class="na">providers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">slo'</span> <span class="na">orgId</span><span class="pi">:</span> <span class="m">1</span> <span class="na">folder</span><span class="pi">:</span> <span class="s1">'</span><span class="s">SLO</span><span class="nv"> </span><span class="s">Dashboards'</span> <span class="na">type</span><span class="pi">:</span> <span class="s">file</span> <span class="na">options</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/var/lib/grafana/dashboards</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade <span class="nt">--install</span> grafana grafana/grafana <span class="nt">-f</span> grafana-values.yaml </code></pre> </div> <p>Test correlation: In Loki, find a log with trace_id=abc123. Click it → jumps to Tempo trace. In Tempo, see affected service → jumps to Mimir metrics for that service.</p> <h2> Building your first SLO dashboard (template included) </h2> <p>Save as slo-dashboard.json and mount into Grafana<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SLO Dashboard - Payment Service"</span><span class="p">,</span><span class="w"> </span><span class="nl">"panels"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Availability (30d SLI)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"targets"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"expr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sum(rate(http_requests_total{status!~'5..'}[$__range])) / sum(rate(http_requests_total[$__range]))"</span><span class="p">,</span><span class="w"> </span><span class="nl">"legendFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Availability SLI"</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="nl">"thresholds"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"red"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lt"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"absolute"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.995</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"yellow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lt"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"absolute"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.999</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"green"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gte"</span><span class="p">,</span><span class="w"> </span><span class="nl">"valueType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"absolute"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.999</span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Error Budget Remaining (30d)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"targets"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"expr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"(1 - (sum(rate(http_requests_total{status=~'5..'}[30d])) / sum(rate(http_requests_total[30d])))) / 0.999"</span><span class="p">,</span><span class="w"> </span><span class="nl">"legendFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Budget remaining"</span><span class="w"> </span><span class="p">}],</span><span class="w"> </span><span class="nl">"fieldConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"defaults"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"unit"</span><span class="p">:</span><span class="w"> </span><span class="s2">"percentunit"</span><span class="p">,</span><span class="w"> </span><span class="nl">"min"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"max"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"thresholds"</span><span class="p">},</span><span class="w"> </span><span class="nl">"thresholds"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"red"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lt"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.7</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"yellow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lt"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.9</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"color"</span><span class="p">:</span><span class="w"> </span><span class="s2">"green"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"op"</span><span class="p">:</span><span class="w"> </span><span class="s2">"gte"</span><span class="p">,</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.9</span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Latency P99 (30d SLI)"</span><span class="p">,</span><span class="w"> </span><span class="nl">"targets"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"expr"</span><span class="p">:</span><span class="w"> </span><span class="s2">"histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket[$__range])) by (le))"</span><span class="p">,</span><span class="w"> </span><span class="nl">"legendFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"P99 latency"</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>SLO math explained</strong></p> <ul> <li><p>Availability target: 99.9% → error budget = 0.1% of requests can fail.</p></li> <li><p>Budget remaining: (actual_availability - target) / (1 - target) → 1.0 means on track, 0 means exhausted.</p></li> </ul> <h2> AlertManager: Alerting on symptoms, not causes </h2> <p>Bad alert: <em>"CPU on pod payment-7d8f9 is 92%"</em> (cause)<br> Good alert: "Payment service error budget exhausted" (symptom)</p> <p>alertmanager-config.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">route</span><span class="pi">:</span> <span class="na">group_by</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">alertname'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">service'</span><span class="pi">]</span> <span class="na">group_wait</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">group_interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">repeat_interval</span><span class="pi">:</span> <span class="s">12h</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s1">'</span><span class="s">pagerduty-critical'</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s">pagerduty-critical</span> <span class="na">continue</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">receiver</span><span class="pi">:</span> <span class="s">slack-warnings</span> <span class="na">receivers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">pagerduty-critical'</span> <span class="na">pagerduty_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">service_key</span><span class="pi">:</span> <span class="s">&lt;your-pd-key&gt;</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">slack-warnings'</span> <span class="na">slack_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">api_url</span><span class="pi">:</span> <span class="s">&lt;webhook&gt;</span> <span class="na">channel</span><span class="pi">:</span> <span class="s1">'</span><span class="s">#alerts-warning'</span> </code></pre> </div> <p><strong>Prometheus alerting rule example</strong> (slo-alerts.yaml)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">slo</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">ErrorBudgetExhausted</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(1 - (sum(rate(http_requests_total{status=~"5.."}[30d])) </span> <span class="s">/ sum(rate(http_requests_total[30d])))) / 0.999 &lt; 0.2</span> <span class="na">for</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">critical</span> <span class="na">service</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{$labels.service}}"</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Error</span><span class="nv"> </span><span class="s">budget</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">{{$labels.service}}</span><span class="nv"> </span><span class="s">is</span><span class="nv"> </span><span class="s">below</span><span class="nv"> </span><span class="s">20%"</span> <span class="na">description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Remaining</span><span class="nv"> </span><span class="s">budget:</span><span class="nv"> </span><span class="s">{{$value</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">humanizePercentage}}"</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create configmap alertmanager-config <span class="nt">--from-file</span><span class="o">=</span>alertmanager.yaml<span class="o">=</span>alertmanager-config.yaml helm upgrade <span class="nt">--install</span> prometheus prometheus-community/prometheus <span class="se">\</span> <span class="nt">--set</span> alertmanager.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> alertmanager.configFromSecret<span class="o">=</span>alertmanager-config </code></pre> </div> <h2> The 3 dashboards every on-call engineer needs </h2> <p>Stop building 50-panel dashboards. Start with these three.</p> <p><strong>Dashboard 1: Service Health (RED method)</strong></p> <ul> <li><p>Rate (requests per second) per endpoint</p></li> <li><p>Errors (5xx rate, grouped by status code)</p></li> <li><p>Duration (P50, P95, P99 latency)</p></li> <li><p>Saturation (CPU/memory per pod, queue depth)</p></li> </ul> <p>PromQL snippets<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Rate sum(rate(http_requests_total[1m])) by (service, endpoint) # Error ratio sum(rate(http_requests_total{status=~"5.."}[1m])) / sum(rate(http_requests_total[1m])) # P99 latency histogram_quantile(0.99, sum(rate(http_request_duration_seconds_bucket[5m])) by (le, service)) </code></pre> </div> <p><strong>Dashboard 2: Trace Explorer</strong></p> <ul> <li><p>Top 10 slowest traces in last hour</p></li> <li><p>Trace heatmap (duration vs. timestamp)</p></li> <li><p>Service dependency graph (from Tempo service graph)</p></li> <li><p>High-error traces panel (filter by status.error=true)</p></li> </ul> <p><strong>Dashboard 3: The "Burndown" Chart</strong></p> <ul> <li><p>Error budget remaining (daily trend line)</p></li> <li><p>SLO burn rate (1h, 6h, 24h windows)</p></li> <li><p>Multi-burn alert status (green/yellow/red)</p></li> <li><p>Top offending services by error budget consumption</p></li> </ul> <p>Why this works: On-call opens Dashboard 1 → sees elevated latency → clicks a trace in Dashboard 2 → finds slow database query → checks Dashboard 3 to decide if paging SREs is urgent.</p> <p>Final checklist for production readiness</p> <p>Before you sleep soundly:</p> <ul> <li><p>Ingestion testing: curl a test span/metric/log through the Collector.</p></li> <li><p>Retention: Set Mimir 30d, Tempo 14d, Loki 30d (adjust to compliance).</p></li> <li><p>Auth: Add Grafana OAuth (Google/GitHub) and basic auth for Mimir/Loki ingesters.</p></li> <li><p>Backups: Object storage (MinIO/S3) should have versioning enabled.</p></li> <li><p>Alert testing: Silence a service, verify PagerDuty gets the page.</p></li> <li><p>Runbook: Link each alert to a Confluence doc (e.g., "ErrorBudgetExhausted → <a href="https://wiki/runbooks/slo%22" rel="noopener noreferrer">https://wiki/runbooks/slo"</a>).</p></li> </ul> <p>What’s next? Add OpenTelemetry for your database (PostgreSQL, Redis, MongoDB) using OTel collector receivers. Or add synthetic monitoring with Blackbox exporter.</p> <p>You now have the same stack that cost my clients $0/month (excluding storage) instead of $15k/month for Datadog. Ship it.</p> devops kubernetes sre grafana From GitHub Actions to ArgoCD: A Complete GitOps Migration Guide varun varde Tue, 07 Apr 2026 13:33:40 +0000 https://dev.to/varunvarde/from-github-actions-to-argocd-a-complete-gitops-migration-guide-4kd4 https://dev.to/varunvarde/from-github-actions-to-argocd-a-complete-gitops-migration-guide-4kd4 <p>I've done this migration three times now. Each time, I learn something new about what NOT to do. This guide is the documentation I wish I'd had the first time: the complete migration from a multi-stage GitHub Actions deployment pipeline to a fully declarative GitOps workflow with ArgoCD including the parts every other tutorial glosses over.</p> <p>What you'll build: Production ready ArgoCD installation, ApplicationSet for multi cluster management, Image Updater for automated rollouts, RBAC configuration for multi-team environments, Rollback procedures that work under pressure.</p> <p>Prerequisites: Kubernetes cluster (1.24+), kubectl, Helm 3, existing GitHub Actions CI pipeline. Estimated time: 4-6 hours for learning setup (30 days for production migration).</p> <h2> Phase 1: Assessment — Mapping Your Existing GitHub Actions Pipeline </h2> <p>Every successful migration begins with clarity. Before introducing GitOps, the existing CI/CD topology must be dissected—methodically, not casually.</p> <p>Start by inventorying workflows<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/deploy.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Service</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t myapp .</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">kubectl apply -f k8s/</span> </code></pre> </div> <p>This pipeline reveals implicit assumptions:</p> <ul> <li><p>Deployment is tightly coupled with CI</p></li> <li><p>Kubernetes manifests are applied imperatively</p></li> <li><p>No state reconciliation exists</p></li> </ul> <p>Map each component</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>Build Step</td> <td>Artifact creation</td> </tr> <tr> <td>Deploy Step</td> <td>Cluster mutation</td> </tr> <tr> <td>Secrets</td> <td>Runtime configuration</td> </tr> </tbody> </table></div> <p>The goal is not replication but transformation. GitOps demands declarative intent, not procedural execution.</p> <h2> Phase 2: ArgoCD Installation (Production-Grade Helm Values) </h2> <p>A default installation is rarely sufficient. Production demands rigor secure ingress, RBAC, and resource constraints.</p> <p>Install ArgoCD using Helm<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add argo https://argoproj.github.io/argo-helm helm <span class="nb">install </span>argocd argo/argo-cd <span class="nt">-n</span> argocd <span class="nt">--create-namespace</span> <span class="nt">-f</span> values.yaml </code></pre> </div> <p>A hardened values.yaml might resemble<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">argocd.example.com</span> <span class="na">configs</span><span class="pi">:</span> <span class="na">params</span><span class="pi">:</span> <span class="na">server.insecure</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">cm</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://argocd.example.com</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">controller</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">512Mi</span> </code></pre> </div> <p>Security is not ornamental. It is foundational. Misconfigured access at this stage invites future instability.</p> <h2> Phase 3: Structuring Your GitOps Repository </h2> <p>Git becomes the single source of truth. Structure, therefore, becomes paramount.</p> <p>A canonical layout<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gitops-repo/ ├── apps/ │ ├── payments/ │ ├── auth/ ├── environments/ │ ├── dev/ │ ├── staging/ │ └── prod/ └── infrastructure/ ├── ingress/ └── monitoring/ </code></pre> </div> <p>Each directory encapsulates intent.</p> <p>Example application manifest<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">payments-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/org/gitops-repo</span> <span class="na">path</span><span class="pi">:</span> <span class="s">apps/payments</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">payments</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Declarative. Predictable. Auditable.</p> <h2> Phase 4: ApplicationSet Configuration for Multi-Team </h2> <p>At scale, manually defining applications becomes untenable. ApplicationSet introduces dynamic orchestration.</p> <p>A Git generator example<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ApplicationSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">team-apps</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">generators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">git</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/org/gitops-repo</span> <span class="na">revision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">directories</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">apps/*</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{path.basename}}'</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/org/gitops-repo</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">path</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{path}}'</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{{path.basename}}'</span> </code></pre> </div> <p>Teams simply add a folder. The system reacts autonomously.</p> <p>This is where GitOps begins to feel almost sentient responsive, adaptive, yet deterministic.</p> <h2> Phase 5: Migrating Your First Service (with Rollback Plan) </h2> <p>Start small. Select a non-critical service. Minimize risk while maximizing insight.</p> <p><strong>Step 1: Remove Deploy Step from CI</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Keep build, remove kubectl apply</span> - run: docker build <span class="nt">-t</span> myapp <span class="nb">.</span> </code></pre> </div> <p><strong>Step 2: Push Kubernetes Manifests to GitOps Repo</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> </code></pre> </div> <p><strong>Step 3: Let ArgoCD Sync</strong></p> <p>ArgoCD reconciles desired state with actual state.</p> <p><strong>Rollback Strategy</strong></p> <p>Rollback becomes trivial<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git revert &lt;commit-hash&gt; git push origin main </code></pre> </div> <p>No manual intervention. No frantic patching. Just version control.</p> <h2> Phase 6: Image Updater for CI Integration </h2> <p>CI still builds images. But deployment is decoupled.</p> <p>ArgoCD Image Updater bridges the gap<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">argocd-image-updater.argoproj.io/image-list</span><span class="pi">:</span> <span class="s">myapp=repo/myapp</span> <span class="na">argocd-image-updater.argoproj.io/update-strategy</span><span class="pi">:</span> <span class="s">latest</span> </code></pre> </div> <p>Pipeline pushes image<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker push repo/myapp:1.2.3 </code></pre> </div> <p>Image Updater modifies Git<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">repo/myapp:1.2.3</span> </code></pre> </div> <p>ArgoCD syncs automatically.</p> <p>Elegant. Autonomous.</p> <h2> Phase 7: RBAC and Multi-Tenant Configuration </h2> <p>As teams proliferate, governance becomes essential.</p> <p>Define roles<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">argocd-rbac-cm</span> <span class="na">data</span><span class="pi">:</span> <span class="na">policy.csv</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">p, role:dev, applications, get, */*, allow</span> <span class="s">p, role:dev, applications, sync, */*, allow</span> <span class="s">g, team-dev, role:dev</span> </code></pre> </div> <p>Namespace isolation<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">spec</span><span class="pi">:</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">team-a</span> </code></pre> </div> <p>Each team operates within boundaries autonomous yet controlled.</p> <h2> Phase 8: Observability for Your GitOps Pipelines </h2> <p>Visibility transforms guesswork into certainty.</p> <p>Enable metrics<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">controller</span><span class="pi">:</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Scrape with Prometheus<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">argocd'</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">argocd-metrics:8082'</span><span class="pi">]</span> </code></pre> </div> <p>Key metrics</p> <ul> <li><p>Sync status</p></li> <li><p>Reconciliation duration</p></li> <li><p>Drift detection</p></li> </ul> <p>Logs provide narrative<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs deployment/argocd-application-controller </code></pre> </div> <p>Without observability, GitOps becomes a black box. With it, a glass box.</p> <h2> The 5 Things No Tutorial Mentions (Learned the Hard Way) </h2> <p><strong>1. Git Becomes Your Bottleneck</strong></p> <p>Frequent commits can overwhelm repositories. Optimize branching strategies. Avoid unnecessary churn.</p> <p><strong>2. Drift Happens More Than Expected</strong></p> <p>Manual changes in clusters still occur. ArgoCD corrects them—but not always instantly. Expect transient inconsistencies.</p> <p><strong>3. Secrets Are a Persistent Challenge</strong></p> <p>Plain YAML is insufficient. Integrate tools like sealed secrets or external secret managers.</p> <p><strong>4. ApplicationSet Can Spiral into Complexity</strong></p> <p>Dynamic generation is powerful—but dangerous. Poor templates create cascading misconfigurations.</p> <p><strong>5. Human Behavior Is the Hardest Problem</strong></p> <p>Engineers accustomed to imperative deployments resist change. Training is not optional. It is essential.</p> <p>Migrating to ArgoCD is not merely a tooling shift. It is a philosophical transition—from imperative control to declarative intent.</p> <p>The rewards are substantial. Stability. Traceability. Confidence.</p> <p>But the journey demands discipline. And a willingness to relinquish old habits in favor of something far more resilient.</p> gitops argocd kubernetes devops Zero Downtime Cloud Migration: The 6-Phase Playbook varun varde Thu, 26 Mar 2026 08:27:40 +0000 https://dev.to/varunvarde/zero-downtime-cloud-migration-the-6-phase-playbook-13p8 https://dev.to/varunvarde/zero-downtime-cloud-migration-the-6-phase-playbook-13p8 <p>Phase 1 is never 'lift and shift.' Here's the framework that keeps production stable throughout the entire move.</p> <p>After leading migrations for organizations ranging from 200 to 4,000 engineers, I've distilled it into 6 phases that keep production alive and teams sane.</p> <p><strong>Phase 1: Discovery &amp; Dependency Mapping</strong><br> Before touching a single VM, audit everything.</p> <ul> <li><p>Inventory all services: apps, databases, middleware, integrations</p></li> <li><p>Map inter service dependencies including the undocumented ones (ask the engineers who've been there longest)</p></li> <li><p>Tag everything by criticality, data sensitivity, migration complexity</p></li> <li><p>Identify the "spiders in the web" services everything else depends on</p></li> </ul> <p>Tools: AWS Application Discovery Service, Cloudamize, or a structured spreadsheet + interviews.</p> <p><strong>Phase 2: Cloud Foundation &amp; Landing Zone</strong><br> Build the platform before you migrate anything.</p> <ul> <li><p>Set up your VPC architecture (hub spoke or flat decide now)</p></li> <li><p>Implement IAM roles, SCPs, and guardrails</p></li> <li><p>Deploy centralized logging, monitoring, and alerting</p></li> <li><p>Establish your IaC standard (Terraform modules, Pulumi stacks — standardize before day one)</p></li> <li><p>Set cost budgets and alerts BEFORE anything runs<br> Never skip this. Teams that migrate first and "sort out governance later" always regret it.</p></li> </ul> <p><strong>Phase 3: Pilot Migration (Noncritical workloads)</strong><br> Start small. Build confidence.</p> <ul> <li><p>Choose a non-critical, low traffic service</p></li> <li><p>Run full migration lifecycle: move → validate → monitor → optimize</p></li> <li><p>Document everything. This becomes your runbook for every subsequent migration</p></li> <li><p>Identify gaps in tooling and process while the stakes are low</p></li> </ul> <p><strong>Phase 4: Wave Based Migration</strong><br> Organize workloads into migration waves by complexity:</p> <ul> <li><p>Wave 1: Stateless apps (easiest)</p></li> <li><p>Wave 2: Stateful apps with managed DB alternatives</p></li> <li><p>Wave 3: Complex integrations and legacy services</p></li> <li><p>Wave 4 (optional): Services that require refactoring before migration</p></li> </ul> <p>Run each wave over 2–4-week sprints. Include a 2-week stabilization window after each wave before proceeding.</p> <p><strong>Phase 5: Cutover &amp; Traffic Management</strong><br> Zero-downtime means dual running, not big-bang.</p> <ul> <li><p>Use feature flags and DNS-based traffic shifting (Route 53 weighted routing or equivalent)</p></li> <li><p>Implement a circuit breaker to instantly roll back traffic if error rates spike</p></li> <li><p>Keep on prem running in parallel for 30–60 days post cutover</p></li> <li><p>Don't decommission anything until you've run at least one full billing cycle on cloud</p></li> </ul> <p><strong>Phase 6: Optimize &amp; Decommission</strong><br> The migration isn't over when the apps are running.</p> <ul> <li><p>Right-size instances based on real usage data (wait at least 2 weeks)</p></li> <li><p>Implement autoscaling where you were running fixed capacity</p></li> <li><p>Set up FinOps dashboards cloud spend will be surprising at first</p></li> <li><p>Decommission on prem systematically, not in a rush</p></li> <li><p>Run a migration retrospective with every team involved</p></li> </ul> <p><strong>The Rule I Never Break</strong><br> No service goes to production without observability in place (logs, metrics, traces), a documented runbook, an on-call rotation assigned, and a tested rollback procedure.</p> <p><strong>Save for your next migration kickoff</strong></p> cloudskills aws webpack webdev Terraform Modules That Actually Scale: Patterns from 20 Years varun varde Wed, 18 Mar 2026 08:47:03 +0000 https://dev.to/varunvarde/terraform-modules-that-actually-scale-patterns-from-20-years-35j7 https://dev.to/varunvarde/terraform-modules-that-actually-scale-patterns-from-20-years-35j7 <p>Provisioning was once an artisanal craft defined by shell scripts and fragile golden images. We've since pivoted to the declarative, idempotent paradigm of Terraform. But scaling isn't just about resource count it’s about managing the cognitive load of massive environments. At some point, the question stops being how do I write HCL? and becomes how do I stop this complexity from collapsing under its own weight?</p> <p><strong>The Monolith Trap: Why Large State Files Kill Velocity</strong></p> <p>The Mega State is the ultimate architectural debt. Dumping your VPC, EKS cluster, and RDS instances into one root module creates a catastrophic blast radius. One syntax error in a security group shouldn't lock the state file for your entire production database. Scaling demands decoupling. Infrastructure components must be treated as independent lifecycles. Networking is slow and steady app pods are ephemeral. Isolate them to minimize plan times and risk.</p> <p><strong>Strict Typing and Input Orthogonality</strong></p> <p>Ditch type = any. It’s lazy and dangerous. High utility modules require strict object validation to fail fast. If the calling code sends a malformed schema, the plan should die immediately not thirty minutes into a deployment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"cluster_config"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EKS spec"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">version</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">node_groups</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">capacity_type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}))</span> <span class="p">})</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"1.28"</span><span class="p">,</span> <span class="s2">"1.29"</span><span class="p">,</span> <span class="s2">"1.30"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_config</span><span class="p">.</span><span class="nx">version</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"K8s version restricted by organizational compliance."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Compositional Strategy: Favoring Layering over Nesting</strong></p> <p>Nesting modules inside modules leads to Prop Drilling a nightmare where a variable is passed through five layers of code just to reach a single resource. It's brittle.</p> <p>Layering is the professional choice. Keep modules flat and use a Composition Root to stitch outputs to inputs. This keeps the logic readable and the dependencies explicit.</p> <p><strong>Cross Account Orchestration via Provider Aliasing</strong></p> <p>Enterprise scale means multiple regions and hundreds of AWS accounts. Never hardcode provider blocks inside a module; it makes them non portable. Use Provider Aliases. This allows you to instantiate the same module across different regions within a single run.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Instance in US-East</span> <span class="nx">module</span> <span class="s2">"s3_east"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/s3"</span> <span class="nx">providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">us-east-1</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Instance in US-West</span> <span class="nx">module</span> <span class="s2">"s3_west"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/s3"</span> <span class="nx">providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">us-west-2</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Immutable Versioning and Private Registries</strong></p> <p>Local file paths are for hobbyists. In production, referencing a local path means every save on your laptop could theoretically break a CI/CD pipeline. Scaling requires immutable versioning. Use Git tags or a Private Registry. It’s the only way to ensure Production stays on v1.2.0 while Dev experiments with v2.0.0 beta.</p> <p><strong>Automated Validation: Terratest and OPA Integration</strong></p> <p>If you aren't testing, you're guessing. For core modules, Terratest is the standard. It spins up real resources, pings them to ensure they work, and tears them down. Couple this with Open Policy Agent (OPA) to programmatically block anyone from creating an unencrypted volume or a public S3 bucket before the code even leaves the PR.</p> <p><strong>Day 2 Operations: Refactoring with moved Blocks</strong></p> <p>Refactoring used to mean terraform state mv commands that risked corrupting the remote backend. Now, we have the moved block. It allows you to move resources into modules without triggering a "destroy and recreate" cycle.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">moved</span> <span class="p">{</span> <span class="nx">from</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">legacy_app</span> <span class="nx">to</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">app_cluster</span><span class="p">.</span><span class="nx">aws_instance</span><span class="p">.</span><span class="nx">this</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>This is how you turn a tangled mess of HCL into a robust ecosystem. It’s about predictability, isolation, and strict interfaces.</p> terraform devops webdev tutorial