Skip to content

hallllow29/gitops-devsecops-aws

BranchesTags

Repository files navigation

GitOps DevSecOps AWS

A production-ready, security-first GitOps template for small teams and companies. Deploy a fully automated infrastructure across 3 AWS regions with built-in security scanning, policy enforcement, and secret management.

Architecture

Frankfurt (eu-central-1) β†’ Production workloads
Ireland (eu-west-1)      β†’ Ephemeral dev environment (destroyed after testing)
Paris (eu-west-3)        β†’ Security tools hub

Security Tools (Paris)

  • SonarQube β€” SAST and code quality
  • Harbor β€” Private container registry
  • DefectDojo β€” Vulnerability management
  • Dependency Track β€” Software composition analysis
  • Vault β€” Secrets management
  • Prometheus + Grafana β€” Monitoring and observability
  • Atlantis β€” Terraform pull request automation

GitOps Flow

push to dev
    β”‚
    β–Ό
Security Scan (TruffleHog, KICS, Checkov)
    β”‚
    β–Ό
Open PR to main
    β”‚
    β–Ό
PR Checks (fmt, validate, plan, OPA, SonarQube, Trivy)
    β”‚
    β–Ό
Manual approval
    β”‚
    β–Ό
Deploy to Ireland (dev)
    β”‚
    β–Ό
Smoke tests + Manual testing
    β”‚
    β–Ό
Manual approval
    β”‚
    β–Ό
Destroy Ireland β†’ Deploy to Frankfurt (prod)

Prerequisites

Quick Start

1. Clone the repository

git clone https://github.com/YOUR_ORG/gitops-devsecops-aws
cd gitops-devsecops-aws

2. Configure AWS credentials

aws configure

3. Run bootstrap (once only)

Creates S3 backends and DynamoDB lock tables across all 3 regions.

make bootstrap

4. Deploy security tools (Paris)

make up-security

5. Deploy production (Frankfurt)

make up-prod

GitHub Setup

Secrets required

Secret Description
AWS_ROLE_ARN IAM role ARN for GitHub Actions OIDC
DEFECTDOJO_TOKEN DefectDojo API token
DEFECTDOJO_URL DefectDojo URL (Paris)
SONAR_TOKEN SonarQube authentication token
SONAR_HOST_URL SonarQube URL (Paris)
SLACK_WEBHOOK Slack webhook for notifications

Environments required

Environment Purpose
dev-approval Manual approval gate before promoting to prod
production Manual approval gate before deploying to Frankfurt

Go to Settings β†’ Environments β†’ New environment to create them.

Branch protection

Enable branch protection on main:

  • Require pull request reviews
  • Require status checks to pass (security-scan, pr-checks)
  • Restrict pushes to main

Cost Estimate

Resource Cost
EKS control plane Γ— 3 ~$216/month
EC2 nodes (spot, t3.medium) Γ— 3 ~$30/month
S3 + DynamoDB ~$5/month
Total ~$250/month

Tip: Stop EC2 nodes when not in use to reduce costs significantly. For learning purposes, spin up one region at a time.

Makefile Commands

make help           # List all available commands
make bootstrap      # Create S3 backends and DynamoDB tables (run once)
make up-all         # Deploy all environments
make down-all       # Destroy all environments
make up-prod        # Deploy Frankfurt (prod)
make up-dev         # Deploy Ireland (dev)
make up-security    # Deploy Paris (security tools)
make fmt            # Format all Terraform files
make validate       # Validate all Terraform files
make scan           # Run security scans locally
make test-policies  # Run OPA policy tests

Security Gates

Every change goes through multiple security gates:

Gate Tool When
Secrets scan TruffleHog Every push to dev
IaC scan KICS Every push to dev
IaC scan Checkov Every push to dev
Code quality SonarQube Every PR
Policy enforcement OPA/Conftest Every PR
Container scan Trivy Every PR
Vulnerability mgmt DefectDojo Aggregates all results

OPA Policies

Policies are enforced on every PR via Conftest:

Policy Description
no_public_s3 S3 buckets must have public access blocked
enforce_imdsv2 EC2 instances must use IMDSv2
require_encryption EBS volumes must be encrypted
eks_private_endpoint EKS clusters must have private endpoint
no_privileged_containers EKS node groups must have launch template
require_tags All resources must have Name and Environment tags
no_wide_ingress SSH must not be open to 0.0.0.0/0
eks_secrets_encryption EKS clusters must encrypt secrets

Module Structure

modules/
β”œβ”€β”€ networking/      # VPC, subnets, IGW, fck-nat, route tables
β”œβ”€β”€ eks/             # EKS cluster, node groups, IAM roles
β”œβ”€β”€ eks-addons/      # EBS CSI, CoreDNS, kube-proxy, LBC
β”œβ”€β”€ security-tools/  # IAM roles for security tools, Harbor S3
└── prod-services/   # Generic IAM role for production workloads

Customisation

Adding your own production service

  1. Update modules/prod-services/main.tf with your application resources
  2. Add required IAM permissions to aws_iam_role.app
  3. Create Kubernetes manifests in kubernetes/manifests/prod-services/
  4. Push to dev branch and follow the GitOps flow

Scaling security tools

Default instance sizes are optimised for small teams. To scale:

# environments/security/eks/terragrunt.hcl
inputs = {
  instance_types = ["t3.large"]  # upgrade from t3.medium
}

Contributing

  1. Fork the repository
  2. Create a feature branch from dev
  3. Make your changes
  4. Push to your fork and open a PR to dev
  5. Security scans run automatically
  6. Once approved, changes flow through the full GitOps pipeline

License

MIT β€” free to use, modify, and distribute.

About

πŸš€ Production-ready GitOps template for AWS with built-in security scanning, policy enforcement, and multi-region deployment automation. Deploy secure infrastructure across 3 AWS regions with zero-touch GitOps workflow.

Topics

kubernetes aws vault terraform sonarqube infrastructure-as-code harbor terragrunt devsecops multi-region cost-optimization gitops eks github-actions defectdojo

Resources

Readme
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages