AWS Production Architecture - Complete GitOps Infrastructure

Production-Ready EKS with IaC, GitOps, Security & Observability Best Practices
Badges: PRODUCTION | TERRAFORM IaC | ARGOCD GITOPS | SECURITY HARDENED
Built by Brian Uckert - Be-Digital.biz | Region: us-east-2 (Ohio)
🔄 GitOps & Infrastructure as Code Layer
• GitLab CI/CD: Build & Test • Docker Build • Update Manifests
• GitOps Repositories: gitops-deploy (manifests) • gitops-infra (terraform) • gitops-demo-app (code)
• ArgoCD: Auto-Sync (non-production only; the GitOps Workflow section below forbids auto-sync in production) • Health Checks • Rollback
• Terraform: VPC & Networking • EKS Cluster • IAM & Security
• Kustomize: Base Manifests • Env Overlays • Patches
• Grafana Cloud: Metrics • Logs • Dashboards
• Route 53: DNS • Health Checks • Failover
• ACM: SSL/TLS Certs • Auto Renewal • *.thunk-it.com
• Docker Hub: Container Registry • Multi-Arch

☁️ AWS Cloud - Region: us-east-2 (Ohio) - PRODUCTION ENVIRONMENT

🔒 Security & Compliance Services
• GuardDuty: Threat Detection • 24/7 Monitoring
• CloudTrail: Audit Logs • API Tracking • Compliance
• AWS Config: Resource Compliance • Change Tracking
• Security Hub: Central Dashboard • Findings
• VPC Flow Logs: Network Traffic • Log Analysis
• Inspector: Vulnerability Scanning • CVE Detection

💾 Backup & Disaster Recovery
• Velero: K8s Backup to S3 • Scheduled
• S3 Backups: Versioned • Cross-Region • Lifecycle
• RDS Snapshots: Automated • PITR • 7-day Retention
• Backup Vault: Centralized Management • Encrypted

🌐 VPC: gitops-prod-vpc (10.1.0.0/16)
Terraform Managed | Multi-AZ High Availability | WAF Protected | Internet Gateway | DDoS Shield

📍 Availability Zone A (us-east-2a) and Availability Zone B (us-east-2b)

Public Subnet A (10.1.101.0/24)
• HA NAT Gateway A: Elastic IP • Multi-AZ • Terraform
• Application Load Balancer HTTPS:443 - java.thunk-it.com • ACM Certificate • Health Checks
• Application Load Balancer HTTPS:443 - demo.thunk-it.com • ACM Certificate • Health Checks
• Application Load Balancer HTTPS:443 - api.thunk-it.com • ACM Certificate • Health Checks

Public Subnet B (10.1.102.0/24)
• HA NAT Gateway B: Elastic IP • Multi-AZ • Terraform
• Application Load Balancer HTTP:80 - argocd.thunk-it.com • ArgoCD UI • GitOps Dashboard
  ⚠️ This is the only internet-facing listener without TLS: ArgoCD logins and session tokens cross the internet in cleartext, and ArgoCD holds cluster-admin-level deploy rights. Give it an HTTPS:443 listener with an ACM certificate like the three application ALBs (or take it off the public internet entirely) before calling the environment hardened.

Private Subnet A (10.1.1.0/24) - EKS Worker Nodes

⚙️ EKS Cluster: gitops-prod (v1.31)
2 Managed Nodes + Karpenter SPOT Nodes

Worker Node 1 - t3.medium (2 vCPU / 4 GB)
• Application Pods: java-app-prod (3 replicas), demo-app-prod (3
  replicas), api-app-prod (3 replicas)
• GitOps: ArgoCD Server • ArgoCD Repo Server • External Secrets Operator
• Policy Engine: Kyverno v3.x (3 replicas)
• Monitoring: Grafana Alloy Agent • Kube State Metrics

Worker Node 2 - t3.medium (2 vCPU / 4 GB)
• Application Pods: java-app-prod (3 replicas), demo-app-prod (3 replicas), api-app-prod (3 replicas)
• Auto-Scaling: Karpenter (ISOLATED_VPC) • KEDA Operator • ALB Controller
• Monitoring: Grafana Alloy Agent • Kepler (Carbon) • Node Exporter

Worker Node 3 - t3.medium (2 vCPU / 4 GB)
• Application Pods: java-app-prod (3 replicas), demo-app-prod (3 replicas), api-app-prod (3 replicas)
• Network: Calico Node (DaemonSet) • Calico Typha • CoreDNS
• Monitoring: Grafana Alloy Agent • Kepler (Carbon) • Node Exporter

Private Subnet B (10.1.2.0/24) - AWS Services (AWS MANAGED - MULTI-AZ HA)
• EKS Control Plane: API Server • etcd • Scheduler • Controller Manager • Cloud Controller
• CSI Driver: EFS CSI Driver v2.0.7 • IRSA Auth • 2 Controllers + 5 Nodes
• Storage Classes: efs-sc (RWX) ✓ • gp3-encrypted (RWO) • Dynamic Provisioning
• PVC (Bound): demo-app-html-pvc • 5Gi • ReadWriteMany • 3 pods sharing the volume
• AWS Secrets Manager: java-app-secrets • demo-app-secrets • KMS Encrypted | Auto-Rotation • IRSA Integration
• EFS Filesystem (ENCRYPTED • MULTI-AZ): fs-02fb7b7e6800aac20 • 5GB • ReadWriteMany (RWX) • EFS Mount Target A (us-east-2a) • EFS Mount Target B (us-east-2b)
• 9 VPC Endpoints: EKS, STS, EC2, EFS • SSM, SSM Messages, EC2 Messages • ELB, Secrets Manager • Private AWS API Access
• AWS KMS: Encryption Keys • EKS Secrets • EFS Encryption
• IAM (IRSA): Service Accounts • EFS CSI Driver • Pod-Level Auth
• CloudWatch: Logs & Metrics • Alarms • Container Insights
• S3 Buckets: Terraform State • Velero Backups • Versioned
• DynamoDB: State Locking • Terraform Consistency
• Systems Manager: Parameter Store • Session Manager • Patch Manager
• ECR: Container Registry • Image Scanning • Vulnerability

Diagram edge labels: HTTPS Traffic • Private API • NFS (port 2049) • IRSA Auth • GitOps Sync

🔒 Security Groups: EKS Node SG | ALB SG | Control Plane SG | RDS SG | Network ACLs

📊 Data Flow Legend:
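The diagram lists Kyverno v3.x as the policy engine and "environment separation enforcement" as one of its jobs. The following ClusterPolicy is an added example of what one such policy looks like; it is not one of the six policies in the project's gitops-deploy repository. It assumes namespaces carry an `environment` label set by the Kustomize overlay, that workloads carry the same label, and that production images live under a hypothetical Docker Hub namespace `docker.io/example-org/` and are pulled by digest.

```yaml
# Added example, not from the gitops-deploy repo. Assumptions: namespaces and
# pods carry an `environment` label; prod images come from the placeholder
# registry namespace docker.io/example-org/ and are pinned by sha256 digest.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-prod-environment-separation
spec:
  validationFailureAction: Enforce   # reject at admission, do not merely audit
  background: true                   # also report pre-existing violations
  rules:
    # 1. A pod scheduled into a prod namespace must declare itself prod.
    #    A dev overlay applied to the wrong namespace fails admission
    #    instead of silently running next to production workloads.
    - name: pod-label-must-match-namespace
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaceSelector:
                matchLabels:
                  environment: prod
      validate:
        message: "Pods in a prod namespace must carry the label environment=prod"
        pattern:
          metadata:
            labels:
              environment: prod
    # 2. Prod pods may only run digest-pinned images from the approved
    #    registry namespace. A mutable tag such as :latest or :dev, or an
    #    image from any other registry, is rejected. The =() anchor makes
    #    the initContainers check apply only when initContainers exist.
    - name: prod-images-approved-and-pinned
      match:
        any:
          - resources:
              kinds: [Pod]
              namespaceSelector:
                matchLabels:
                  environment: prod
      validate:
        message: "Prod images must come from docker.io/example-org and be pinned by sha256 digest"
        pattern:
          spec:
            =(initContainers):
              - image: "docker.io/example-org/*@sha256:*"
            containers:
              - image: "docker.io/example-org/*@sha256:*"
```

Matching on `Pod` rather than `Deployment` means the rules also catch pods created by Jobs, CronJobs and bare manifests. With `background: true`, Kyverno generates PolicyReport objects for existing violations, which is the quickest way to audit a cluster before switching a rule from `Audit` to `Enforce`.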
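The diagram credits Calico with network policies but shows none. The manifests below are an added example of the namespace isolation a practitioner would expect in this layout; they are not from the gitops-deploy repository. Assumptions: the application namespace is `demo-app-prod`, its pods carry `app: demo-app` and listen on port 3000, the ALB Controller uses IP target mode (so requests arrive from ALB ENIs in the two public subnets drawn on the diagram), and the interface VPC endpoints sit in the private subnets.

```yaml
# Added example, not from the gitops-deploy repo. Standard Kubernetes
# NetworkPolicy objects, enforced by Calico. Assumptions: namespace
# demo-app-prod, pods labelled app=demo-app on TCP 3000, ALB in IP target
# mode, VPC endpoint ENIs in 10.1.1.0/24 and 10.1.2.0/24.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: demo-app-prod
spec:
  podSelector: {}                  # selects every pod in the namespace
  policyTypes: [Ingress, Egress]   # no rules listed, so both directions are denied
---
# Only the load balancer may reach the application port. Health checks
# originate from the same ALB ENIs, so they are covered by this rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-alb-to-app
  namespace: demo-app-prod
spec:
  podSelector:
    matchLabels:
      app: demo-app
  policyTypes: [Ingress]
  ingress:
    - from:
        - ipBlock: {cidr: 10.1.101.0/24}   # Public Subnet A (ALB ENIs)
        - ipBlock: {cidr: 10.1.102.0/24}   # Public Subnet B (ALB ENIs)
      ports:
        - {protocol: TCP, port: 3000}
---
# Egress is limited to CoreDNS and HTTPS towards the private subnets, where
# the STS and Secrets Manager interface endpoints used by IRSA live.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-and-aws-api-egress
  namespace: demo-app-prod
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
    - to:
        - ipBlock: {cidr: 10.1.1.0/24}    # Private Subnet A
        - ipBlock: {cidr: 10.1.2.0/24}    # Private Subnet B
      ports:
        - {protocol: TCP, port: 443}
```

Two caveats. First, the NFS traffic to the EFS mount targets (port 2049) is not governed by these policies at all: the EFS CSI driver mounts the filesystem in the node's network namespace, so it is the EKS Node SG and the EFS mount-target SG that must allow 2049, not a pod policy. Second, the `/24` egress rules also admit HTTPS to anything else with an ENI in those subnets (including the private EKS API endpoint); listing the individual endpoint ENI addresses as `/32` blocks is tighter if the endpoints are stable.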
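The diagram shows AWS Secrets Manager holding `java-app-secrets` and `demo-app-secrets`, delivered to pods through the External Secrets Operator with IRSA for pod-level authentication. The manifests below are an added example of that wiring; they are not from the gitops-deploy repository. Assumptions: the operator runs in namespace `external-secrets` under ServiceAccount `external-secrets`, the IAM role ARN is a placeholder, and the consuming namespace `java-app-prod` carries the label `environment: prod`.

```yaml
# Added example, not from the gitops-deploy repo. Assumptions: ESO in namespace
# external-secrets with ServiceAccount external-secrets; placeholder IAM role ARN;
# consuming namespace java-app-prod labelled environment=prod.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets
  namespace: external-secrets
  annotations:
    # IRSA: the EKS pod identity webhook injects a projected OIDC token plus
    # AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE into pods using this SA; the
    # AWS SDK exchanges the token at STS (via the STS VPC endpoint) for
    # short-lived credentials. No node role, no static access keys.
    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/gitops-prod-external-secrets   # placeholder
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  # Only namespaces labelled environment=prod may reference this store, so an
  # ExternalSecret in a dev namespace cannot pull production material.
  conditions:
    - namespaceSelector:
        matchLabels:
          environment: prod
  provider:
    aws:
      service: SecretsManager
      region: us-east-2
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: java-app-secrets
  namespace: java-app-prod
spec:
  refreshInterval: 1h            # re-read after Secrets Manager auto-rotation
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secrets-manager
  target:
    name: java-app-secrets       # Kubernetes Secret created in java-app-prod
    creationPolicy: Owner        # ESO owns and garbage-collects it
  dataFrom:
    - extract:
        key: java-app-secrets    # Secrets Manager secret name; each JSON key becomes a Secret key
```

The IAM side completes the least-privilege picture: the role's trust policy should name the cluster's OIDC provider with conditions `<oidc-provider>:sub` = `system:serviceaccount:external-secrets:external-secrets` and `<oidc-provider>:aud` = `sts.amazonaws.com`, and its permission policy should grant `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` on the two secret ARNs only, plus `kms:Decrypt` on the KMS key that encrypts them. The resulting Kubernetes Secret is still base64 in etcd, which is why the diagram's KMS envelope encryption of EKS secrets matters.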
Internet Traffic (HTTPS) • Internal App Traffic • AWS API / EFS Storage • Monitoring Data • GitOps Sync

🏗️ Infrastructure as Code
✓ Terraform manages all AWS resources
✓ State stored in S3 with DynamoDB locking
✓ Modular design (VPC, EKS, IAM modules)
✓ Version controlled & peer reviewed

🚀 Advanced Auto-Scaling & Networking
• Calico CNI: Network policies, BGP routing
• Karpenter: Fast node provisioning (seconds)
• KEDA: Event-driven pod autoscaling
Production-grade scalability & security

🔄 GitOps Workflow
✓ App of Apps pattern for cluster bootstrap
✓ Kustomize for environment overlays
✓ GitLab CI/CD builds & updates manifests
⚠️ NEVER auto-sync in production! A production Application carries no automated sync policy, so a CI commit shows up as OutOfSync and an operator reviews the diff before syncing; automated sync is reserved for non-production overlays.

🔒 Security Hardening
✓ Kyverno v3.x policy engine (6 policies)
✓ Environment separation enforcement
✓ VPC endpoints (no NAT dependency for AWS API calls; image pulls from Docker Hub and telemetry to Grafana Cloud still leave through the NAT gateways)
✓ GuardDuty, CloudTrail, Config enabled

⚙️ EKS Best Practices
✓ Calico CNI for network policies
✓ Karpenter + AWS_ISOLATED_VPC=true
✓ aws-auth includes Karpenter role
✓ KEDA + HPA for pod auto-scaling

🌐 Production URLs
• Demo: https://demo.thunk-it.com
• API: https://api.thunk-it.com
• Java: https://java.thunk-it.com (Basic Auth)
• ArgoCD: http://argocd.thunk-it.com (plain HTTP on port 80, no TLS; should sit behind HTTPS:443 with an ACM certificate like the application ALBs)
• Grafana: Grafana Cloud
• GitLab: gitlab.com/devop212

⚙️ Cluster Configuration
• Cluster: gitops-prod (EKS 1.31)
• Nodes: 4x t3.medium (2 vCPU / 4 GB each); the diagram draws three, and the count varies as Karpenter adds or removes SPOT nodes
• CNI: Calico (Network Policies)
• Storage: EFS (5GB RWX)
• Pod AS: KEDA + HPA (3-11 replicas)
• Region: us-east-2 (Ohio)

🛠️ Technology Stack
• IaC: Terraform 1.5+
• GitOps: ArgoCD 2.9+
• CI/CD: GitLab CI/CD
• Manifests: Kustomize
• Monitoring: Grafana Cloud
• Storage: EFS CSI Driver
• Apps: Node.js, Java
• Registry: Docker Hub
• DNS: Route 53

Production-Ready GitOps Infrastructure with IaC, Security, Observability & High Availability
Built by Brian Uckert - Be-Digital.biz | January 2026
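The GitOps Workflow section names the App of Apps bootstrap, Kustomize overlays per environment, and the rule that production is never auto-synced. The manifests below are an added example of how those three fit together in ArgoCD, with an AppProject that fences production in; they are not from the gitops-deploy repository. Assumptions: the manifests repository is `https://gitlab.com/devop212/gitops-deploy.git` (only the repo name and the GitLab group appear on the page), child Application manifests live under `apps/`, and overlays live under `overlays/<env>/<app>`.

```yaml
# Added example, not from the gitops-deploy repo. Assumed layout: repository
# https://gitlab.com/devop212/gitops-deploy.git with apps/ holding child
# Applications and overlays/<env>/<app> holding Kustomize overlays.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: prod
  namespace: argocd
spec:
  sourceRepos:
    - https://gitlab.com/devop212/gitops-deploy.git   # nothing else may be deployed into prod
  destinations:
    - server: https://kubernetes.default.svc
      namespace: "*-prod"                              # prod Applications can only target *-prod namespaces
  clusterResourceWhitelist: []                         # no cluster-scoped objects (CRDs, ClusterRoles) from app overlays
---
# Root "app of apps": its only managed objects are the child Applications under
# apps/, so automated sync here never changes a workload by itself.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: root
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://gitlab.com/devop212/gitops-deploy.git
    targetRevision: main
    path: apps
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
---
# apps/demo-app-prod.yaml: no syncPolicy.automated. A CI commit that bumps the
# image tag leaves the app OutOfSync until an operator reviews the diff and
# syncs it (UI, or `argocd app sync demo-app-prod`).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: demo-app-prod
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io   # cascade-delete resources only when the Application itself is deleted
spec:
  project: prod
  source:
    repoURL: https://gitlab.com/devop212/gitops-deploy.git
    targetRevision: main
    path: overlays/prod/demo-app
  destination:
    server: https://kubernetes.default.svc
    namespace: demo-app-prod
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
---
# apps/demo-app-dev.yaml: non-production overlay, where automated sync with
# prune and self-heal is acceptable.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: demo-app-dev
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://gitlab.com/devop212/gitops-deploy.git
    targetRevision: main
    path: overlays/dev/demo-app
  destination:
    server: https://kubernetes.default.svc
    namespace: demo-app-dev
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```

The AppProject is the part people skip: without it, anyone who can create an Application in the `argocd` namespace can point it at any repository and any namespace. Binding the prod Application to the `prod` project means a compromised CI token that rewrites `apps/demo-app-prod.yaml` still cannot deploy from a foreign repo or into a non-prod namespace, and the missing `automated` block means even a legitimate change waits for a human.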