forked from coder/ai.coder.com
Dev #3
## Infrastructure
- S3 backend for Terraform state (encrypted, versioned, lifecycle policy)
- DynamoDB table for state locking
- Backend configurations use GitHub Secrets (no hardcoded account IDs)

## GitHub Actions Workflows
- terraform-plan.yml: Validates PRs with terraform plan
- terraform-apply.yml: Auto-deploys on merge to main
- terraform-destroy.yml: Manual destruction workflow with confirmation
- secret-scanning.yml: Multi-layer secret detection (BLOCKS merges)
- pre-commit-hooks.yml: Validates pre-commit setup

## Security Features
- **Gitleaks**: Industry-standard secret scanner
- **TruffleHog**: Additional secret detection layer
- **Custom Pattern Matching**: Detects AWS keys, API tokens, passwords
- **Auto-Revert**: Automatically reverts commits with secrets to main
- **PR Blocking**: Prevents merging PRs containing secrets
- **Security Issues**: Auto-creates issues when secrets detected

## Secret Protection
- *.tfvars files gitignored (contain account IDs, domains, ARNs)
- backend.tf files gitignored (contain sensitive S3/DynamoDB names)
- *.tfstate files gitignored (contain infrastructure state)
- tfplan files gitignored (contain planned changes)
- Only .example files committed with placeholders

## Pre-commit Hooks
- Local secret scanning before push
- Terraform formatting and validation
- Prevents commits to main branch
- Large file detection

## Configuration Files
- .gitleaks.toml: Custom rules for infrastructure secrets
- .pre-commit-config.yaml: Local development hooks
- .gitignore: Comprehensive ignore patterns

## Documentation
- Backend setup guide
- GitHub Secrets configuration
- Secret scanning explanation
- Pre-commit hook installation

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
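The state backend the commit above describes (encrypted, versioned, lifecycle policy, DynamoDB lock table), written out as an added Terraform example that is not part of this PR's code; the bucket and table names are placeholders standing in for the values the PR keeps in GitHub Secrets, and the 90-day retention window is an assumed value.

```hcl
resource "aws_s3_bucket" "tfstate" {
  bucket = "PLACEHOLDER-tfstate-bucket" # placeholder; real name comes from a GitHub Secret
}

resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled" # keeps prior state versions recoverable after a bad apply
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms" # state files can contain secrets; encrypt at rest
    }
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_lifecycle_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    id     = "expire-noncurrent-state"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90 # assumed retention window for old state versions
    }
  }
}

resource "aws_dynamodb_table" "tfstate_lock" {
  name         = "PLACEHOLDER-tfstate-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID" # the key name Terraform's S3 backend expects
  attribute {
    name = "LockID"
    type = "S"
  }
}
```

The matching `backend "s3"` block (bucket, key, region, `encrypt = true`, `dynamodb_table`) belongs in the gitignored backend configuration the PR describes, so the names never land in the repository.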
- Migrate RDS to Aurora Serverless v2 (Coder & LiteLLM) with auto-scaling
- Add VPC endpoints (S3, ECR) to reduce NAT Gateway costs
- Optimize EKS with Graviton ARM instances and reduced storage (50GB→20GB)
- Reduce Karpenter node volumes (1400Gi→500Gi) for cost efficiency
- Add AWS Secrets Manager for secure credential management
- Configure SSL termination at NLB with proper redirect handling
- Add Karpenter feature gates for spot consolidation
- Update workflows and pre-commit config formatting
- Add cost optimization strategy documentation

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
## Infrastructure Improvements
### Load Balancer & Networking
- Enable cross-zone load balancing for reduced latency
- Add explicit subnet annotations for all 3 availability zones (us-east-2a/b/c)
- Disable deletion protection for easier testing/iteration
- Add post-deployment service patch to fix HTTPS→HTTP port mapping
### TLS & Security Configuration
- Configure Coder for TLS-terminating NLB:
  - Set CODER_TLS_ENABLE=false (NLB handles TLS)
  - Enable CODER_SECURE_AUTH_COOKIE=true for HTTPS
  - Keep CODER_REDIRECT_TO_ACCESS_URL=false to prevent redirect loops
### OAuth & Authentication
- Enable oauth2 experiment for GitHub authentication
- Update GitHub App credentials
- Add GITHUB_APP_SETUP.md with correct callback URLs:
  - /api/v2/users/oauth2/github/callback
  - /api/v2/external-auth/primary-github/callback
### Provider Consistency
- Upgrade all Helm providers from 2.17.0 → 3.1.1 (22 files)
- Update Helm provider syntax for v3 compatibility (kubernetes { → kubernetes = {)
- Standardize versions across all regions (us-east-2, us-west-2, eu-west-2)
## Fixes
- Resolved "Target.NotInUse" errors (NLB/node AZ mismatch)
- Fixed HTTPS connectivity (port 443 now routes to HTTP backend correctly)
- Fixed GitHub OAuth redirect_uri errors
- Eliminated infinite page loading on HTTPS
## Files Changed
- 30 Terraform configurations updated
- 1 documentation file added (GITHUB_APP_SETUP.md)
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
- Changed title from "AI Demo Environment" to "Coder Demo Environment"
- Updated all URL references from ai.coder.com to coderdemo.io
- Simplified login flow to GitHub-only authentication (removed Okta flow)
- Fixed outdated path reference from ./aidev/infra to ./infra
- Updated introduction and getting started sections

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Updated architecture documentation to reflect actual infrastructure:
- Changed from traditional RDS to Aurora Serverless v2 (0.5-16 ACU)
- Added "Known Behaviors" section explaining:
  - Aurora cold start delay (5-10s after idle)
  - HTTP→HTTPS redirect delay due to missing port 80 listener
- Updated ASCII diagram and storage layer details
- Added load time expectations table for demos

These behaviors are acceptable for demo environments where cost optimization (~$120/month savings) outweighs instant response time.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
…ructure

This commit consolidates infrastructure changes for AWS-native certificate management and expands multi-region deployment capabilities.

## Infrastructure Changes

### Certificate Management
- Remove unused Cloudflare API token configuration across all regions
- Simplify cert-manager, coder-proxy, and coder-server deployments
- All regions now use AWS ACM for SSL/TLS (kubernetes_create_ssl_secret=false)

### New Infrastructure
- Add Route53 DNS configuration for us-east-2 and us-west-2
- Add AWS ACM certificate management for us-west-2
- Add VPC peering configuration for us-east-2
- Add coder-server deployment for us-west-2 region

### Module Updates
- Update Kubernetes bootstrap modules (cert-manager, coder-proxy, coder-server)
- Update infrastructure modules (EBS controller, Karpenter, LB controller, metrics-server)
- Improve EKS configurations across eu-west-2, us-east-2, and us-west-2

## Documentation
- Add INFRASTRUCTURE_BEST_PRACTICES.md
- Add MULTI_REGION_DEPLOYMENT.md
- Update ARCHITECTURE_DIAGRAM.md with current infrastructure state

## Configuration
- Update .gitignore to exclude *.log files, backend.hcl, and terraform.tfvars.example
- Prevent accidental commits of sensitive logs and backend configurations

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Completely rewrote the README to accurately document the current production deployment of coderdemo.io with hub-and-spoke architecture across three regions.

## Major Changes

### Architecture Documentation
- Add clear hub-and-spoke architecture explanation
- Include ASCII diagram showing 3-region topology
- Detail hub region (us-east-2) vs spoke regions (us-west-2, eu-west-2)
- Clarify which infrastructure is repeatable vs non-repeatable

### Updated Repeatability Warning
- Clarify us-east-2 as non-repeatable hub (database, terraform backend, VPC)
- Identify eu-west-2 as clean repeatable spoke template for new regions
- Note us-west-2 as hybrid deployment with both server and proxy

### Comprehensive Deployment Guide
- Step-by-step hub region deployment (foundation layer)
- Repeatable spoke region deployment process
- Correct dependency order for Kubernetes applications
- Real-world configuration examples

### New Sections
- Multi-region architecture details (database strategy, proxy strategy, networking)
- Security considerations (secrets management, network security, IAM)
- Cost optimization strategies (Karpenter, Aurora Serverless v2, fck-nat)
- Troubleshooting guide with common issues and solutions
- Configuration examples for terraform.tfvars and backend.hcl

### Technical Accuracy Updates
- Aurora Serverless v2 PostgreSQL (not generic RDS)
- AWS ACM for SSL/TLS certificates (removed all Cloudflare references)
- VPC peering for cross-region database connectivity
- GitHub OAuth integration details
- Karpenter autoscaling configuration

### Documentation Structure
- Better organization with clear sections
- Links to detailed docs (MULTI_REGION_DEPLOYMENT.md, INFRASTRUCTURE_BEST_PRACTICES.md)
- Practical examples and commands
- Prerequisites and version requirements

This README now serves as a complete reference for deploying and understanding the coderdemo.io infrastructure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add clear IMPORTANT callout at the beginning of the README to emphasize that this infrastructure is exclusively designed for AWS and uses AWS-specific services throughout (EKS, Aurora Serverless v2, VPC, Route53, ACM, etc.).

This makes it immediately clear to readers that while Coder is cloud-agnostic, this particular deployment requires AWS and cannot be easily adapted to other cloud providers without significant changes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add .gitleaksignore to suppress false positive secret scanning alerts for:
- Route53 hosted zone IDs (public identifiers, not secrets)
- Terraform sensitive variable declarations (not actual secret values)
- AWS account IDs (non-sensitive identifiers)
- Database connection string patterns (variable declarations, not credentials)

All actual secrets are already protected via .gitignore (*.tfvars files).

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Potential secrets or API keys were detected in your changes. Please review and remove any sensitive data before merging.

What to do:

Common secret patterns detected:

This PR cannot be merged until all secrets are removed.
No description provided.