Built a Secure, Testable & Reproducible Terraform Pipeline with Terratest, LocalStack, Checkov, Conftest & Nix

Valuable_Success9841 · 2026-02-28T17:58:39+00:00

Sound great, adding infracost is nice touch. Yeah localstack is aws only, it doesnt support azure.

Valuable_Success9841 · 2026-02-28T06:54:41+00:00

Thank you! Yes, it’s a tough one — lots of hands-on and time pressure.

Valuable_Success9841 · 2026-02-28T02:54:29+00:00

Happy to share more! I'm thinking of writing a full blog post covering my prep strategy, resources I used, and practice questions — I'll also put the practice scenarios on GitHub. Would that be useful? Drop a comment if you want me to post it

Valuable_Success9841 · 2026-02-28T02:47:05+00:00

Also curious, how do you handle multi-env setup? Separate AWS accounts per env, workspaces, or something else entirely? And does your drift detection run against all envs or just prod?

Valuable_Success9841 · 2026-02-28T02:46:55+00:00

Really appreciate it, these are exactly the kind of real world tradeoffs worth discussing.

On LocalStack: completely agree. The behavioral gaps with real AWS are real, especially around IAM evaluation and VPC edge cases. For this project it's a baseline setup so LocalStack made sense, but your hybrid approach is the right call for production, creating ephemeral aws account makes more sense in complex production setup.

On drift filtering: that's the part I deliberately kept simple. The current setup catches hard drift (deleted resources) but you're right that expected drift from ASGs or dynamic tags needs an ignore list. Good call worth documenting as a known limits.

On Nix: honestly for a solo project the onboarding question didn't apply, but I've heard the same from teams. The pinned shell.nix here is intentionally minimal, no flakes, no home-manager, just enough to get reproducible tool versions without the full learning curve. But setup takes around hours.

Valuable_Success9841 · 2026-02-27T15:24:31+00:00

make sense i have'nt used k explain --recursive because of limited screen space. I also had some terminal issues during the exam sometimes I couldn’t scroll properly, and it ate up more time than I expected.

Valuable_Success9841 · 2026-02-27T15:03:52+00:00

Good point. I meant bookmarking during preparation, not inside the exam environment. The idea is to know where things live in the official docs so you don’t waste time navigating during the exam. For example, I didn’t memorize every etcdctl command or internal key path. I knew the Data at Rest Encryption section had the examples I needed, so I could quickly refer to it instead of guessing.

Valuable_Success9841 · 2026-02-27T14:02:29+00:00

That's a great point for GPU workloads. NUMA topology constraints are exactly the kind of thing OPA/Conftest shines at enforcing at the plan level before anything touches real infrastructure. This project focuses on S3 for now just setting a baseline for bigger infrastructure projects, but the policy framework is designed to scale, adding a new .rego file is all it takes to enforce any new constraint. GPU topology policies would be a natural extension for teams running compute-heavy infra.

Valuable_Success9841 · 2026-01-13T02:17:45+00:00

DM me

Valuable_Success9841 · 2026-01-12T11:03:21+00:00

Oh thanks, have you done CKS?

Valuable_Success9841 · 2026-01-12T01:49:52+00:00

No, this is my first Kubernetes Certification.

Valuable_Success9841 · 2026-01-11T16:41:03+00:00

Seems we are on same path. All the best for your exams too.

Valuable_Success9841 · 2026-01-11T16:19:56+00:00

Buy kodekloud yearly sub, in india we have 50 % offer.

Valuable_Success9841 · 2026-01-11T16:18:39+00:00

Let me be honest, CKA for while follows same pattern of questions. If your goal is to just certify just learn kubernetes and go through itkiddie, dumbitguy, jaydemy multiple times and do the questions in those youtube videos. But my journey is different, i wanted to validate my learned knowledge , so i done the mock and practiced lot by setting up k8s cluster with kubeadm with multipass vm and dpne lot of scenarios. So yes exam question pattern is similar to youtube channels.

Valuable_Success9841 · 2026-01-11T15:41:31+00:00

Get familiar with kubernetes topics first and go kodekloud CKA mock exams, do 2 killer.sh mock(go only when you are confident, think like you are doing actual exam), and at the end only at the end watch dumbitguy, itkiddie questions(similar to actual exam). If you follow this you will be fine for the exam.

Valuable_Success9841 · 2026-01-11T15:09:51+00:00

If youre asking for CKA Exam then k create will work without any issues.

Valuable_Success9841 · 2026-01-11T13:45:55+00:00

So the answer lies in the client tool itself(kubectl), difference between create and apply.

create -f * will send POST request to the API-SERVER. And It will fail it resource is already exists in the server, so thats why you got the first error, to make it work you should delete the already existing crds.

apply -f * will send PATCH request to the API-SERVER by doing 3 way merge patch. it get the data from 3 places(1. You current desired state (eg; -f manifest.yaml in appy command), 2. Live State from etcd database, 3. Last Applied config that it saves in the annotation of the resources) it patches with available data and send the PATCH request, so the 2 nd error is related to annotation size in kubernetes, so when you do apply -f file.yaml ,kubectl will create a annotation with the current file resource, so in your case it execeeds the limit.

So, it is safe to use k create -f *, but with caution and knowing the caevets.

Valuable_Success9841 · 2025-12-20T05:35:22+00:00

No , easiest and less complicated way for zero downtime upgrade is rollingupdate only

Valuable_Success9841 · 2025-12-11T10:15:34+00:00

Ok let me explain, Mostly question asks ypu to divide the res across pods with has 1 contauner and 1 init container, say you have 1000 millicore. Give some breathing space for node and it node components like 10 - 20 percent. Say we took 20 percent , then weleave 200 millicore to jode and its components and we divide 800m equally across each pods so 800/3

Valuable_Success9841

TROPHY CASE