Conversation
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Pull request overview
This PR adds a full “lab” environment spanning IaC (Terraform + Pulumi), monitoring (Prometheus/Grafana/Loki/Promtail via Docker Compose), Kubernetes manifests (Deployment/Service on Minikube), application instrumentation (FastAPI metrics + structured logging), plus CI workflows and Ansible automation to provision/deploy.
Changes:
- Introduces Terraform and Pulumi definitions to provision an AWS EC2 instance + security group.
- Adds a monitoring stack (Prometheus, Grafana, Loki, Promtail) configuration and documentation.
- Adds/updates Python and Java service code, tests, Dockerfiles, Ansible roles/playbooks, and CI workflows.
Reviewed changes
Copilot reviewed 85 out of 125 changed files in this pull request and generated 20 comments.
| File | Description |
|---|---|
| labs/terraform/variables.tf | Adds Terraform variables for region/instance settings. |
| labs/terraform/terraform.tf | Pins Terraform/provider version constraints. |
| labs/terraform/main.tf | Provisions EC2 + security group + output. |
| labs/terraform/.terraform.lock.hcl | Terraform provider lockfile for AWS provider. |
| labs/pulumi/tsconfig.json | TypeScript compiler config for Pulumi program. |
| labs/pulumi/package.json | Pulumi Node dependencies for AWS provisioning. |
| labs/pulumi/index.ts | Pulumi program to create EC2 + security group. |
| labs/pulumi/README.md | Pulumi project documentation/instructions. |
| labs/pulumi/Pulumi.yaml | Pulumi project metadata. |
| labs/pulumi/Pulumi.dev.yaml | Pulumi stack config values. |
| labs/pulumi/.gitignore | Ignores Pulumi build/deps dirs. |
| labs/monitoring/promtail/config.yaml | Promtail docker service discovery + relabeling. |
| labs/monitoring/prometheus/dashboard-my.json | Exported Grafana dashboard JSON. |
| labs/monitoring/prometheus/config.yaml | Prometheus scrape config (Prometheus + app). |
| labs/monitoring/loki/config.yaml | Loki single-node config (filesystem/tsdb). |
| labs/monitoring/docs/LAB08.md | Prometheus/Grafana lab documentation. |
| labs/monitoring/docs/LAB07.md | Loki/Promtail/Grafana lab documentation. |
| labs/monitoring/compose.yaml | Docker Compose stack for monitoring + app-python. |
| labs/monitoring/.env.sample | Sample env vars for Grafana admin credentials. |
| labs/k8s/service.yaml | Kubernetes NodePort Service for the Python app. |
| labs/k8s/deployment.yaml | Kubernetes Deployment for python-info-service (replicas/resources/probes). |
| labs/k8s/README.md | Lab09 Minikube usage + evidence writeup. |
| labs/app_python/tests/test_system-functions.py | Unit tests for system info + uptime helpers. |
| labs/app_python/tests/test_endpoints.py | Endpoint tests for FastAPI service. |
| labs/app_python/tests/init.py | Marks tests as a package. |
| labs/app_python/requirements.txt | Runtime Python dependencies (FastAPI, prometheus-client, etc.). |
| labs/app_python/requirements-dev.txt | Dev/test/lint dependencies (pytest, flake8, coverage, etc.). |
| labs/app_python/docs/LAB02.md | Docker containerization documentation. |
| labs/app_python/docs/LAB01.md | FastAPI service lab documentation. |
| labs/app_python/app.py | FastAPI app with structured logging + Prometheus metrics instrumentation. |
| labs/app_python/README.md | Python service README (usage, CI, Docker, testing). |
| labs/app_python/Dockerfile | Python service container build (non-root user). |
| labs/app_python/.idea/vcs.xml | IDE metadata committed for app_python project. |
| labs/app_python/.idea/modules.xml | IDE module configuration committed. |
| labs/app_python/.idea/misc.xml | IDE misc config committed. |
| labs/app_python/.idea/inspectionProfiles/profiles_settings.xml | IDE inspection profile settings committed. |
| labs/app_python/.idea/copilot.data.migration.ask2agent.xml | IDE/plugin migration metadata committed. |
| labs/app_python/.idea/app_python.iml | IDE module file committed. |
| labs/app_python/.idea/.gitignore | IDE-level ignores for app_python. |
| labs/app_python/.gitignore | Python-focused ignore rules for the subproject. |
| labs/app_python/.flake8 | Flake8 configuration for Python project. |
| labs/app_python/.dockerignore | Docker build context exclusions for Python app. |
| labs/app_java/target/spotless-index | Generated Spotless artifact committed. |
| labs/app_java/target/checkstyle-result.xml | Generated Checkstyle report committed. |
| labs/app_java/target/checkstyle-checker.xml | Generated Checkstyle config copy committed. |
| labs/app_java/target/checkstyle-cachefile | Generated Checkstyle cache committed. |
| labs/app_java/src/test/java/com/devops/infoservice/InfoServiceTest.java | Basic unit test for InfoService. |
| labs/app_java/src/test/java/com/devops/infoservice/InfoControllerTest.java | MVC tests for controller endpoints. |
| labs/app_java/src/main/resources/application.properties | Spring Boot server + actuator configuration. |
| labs/app_java/src/main/java/com/devops/infoservice/service/InfoService.java | Service layer assembling response data. |
| labs/app_java/src/main/java/com/devops/infoservice/model/SystemInfo.java | SystemInfo POJO model. |
| labs/app_java/src/main/java/com/devops/infoservice/model/ServiceResponse.java | Top-level response model. |
| labs/app_java/src/main/java/com/devops/infoservice/model/ServiceInfo.java | ServiceInfo POJO model. |
| labs/app_java/src/main/java/com/devops/infoservice/model/RuntimeInfo.java | RuntimeInfo POJO model. |
| labs/app_java/src/main/java/com/devops/infoservice/model/RequestInfo.java | RequestInfo POJO model. |
| labs/app_java/src/main/java/com/devops/infoservice/model/HealthResponse.java | HealthResponse POJO model. |
| labs/app_java/src/main/java/com/devops/infoservice/model/EndpointInfo.java | EndpointInfo POJO model. |
| labs/app_java/src/main/java/com/devops/infoservice/controller/InfoController.java | Spring REST controller for / and /health. |
| labs/app_java/src/main/java/com/devops/infoservice/InfoServiceApplication.java | Spring Boot application entrypoint. |
| labs/app_java/pom.xml | Maven build with Checkstyle/JaCoCo/Spotless and deps. |
| labs/app_java/docs/LAB03.md | Java CI/CD lab documentation. |
| labs/app_java/docs/LAB01.md | Java service implementation documentation. |
| labs/app_java/docs/JAVA.md | Java language justification documentation. |
| labs/app_java/checkstyle.xml | Checkstyle rules configuration. |
| labs/app_java/README.md | Java service README and usage docs. |
| labs/app_java/Dockerfile | Multi-stage Docker build producing distroless runtime image. |
| labs/app_java/.gitignore | Java/IDE ignore rules for the subproject. |
| labs/app_java/.dockerignore | Docker build context exclusions for Java app. |
| labs/ansible/roles/web_app/templates/compose.yaml.j2 | Templated compose file for app deployment. |
| labs/ansible/roles/web_app/tasks/wipe.yaml | Optional wipe/uninstall tasks for the app. |
| labs/ansible/roles/web_app/tasks/main.yaml | Deploy flow using docker_login + docker_compose_v2 + health check. |
| labs/ansible/roles/web_app/meta/main.yml | Declares dependency on docker role. |
| labs/ansible/roles/web_app/handlers/main.yaml | Handler to restart the application container. |
| labs/ansible/roles/web_app/defaults/main.yaml | Default vars for app deployment role. |
| labs/ansible/roles/docker/tasks/main.yaml | Docker install/config tasks on Ubuntu. |
| labs/ansible/roles/docker/handlers/main.yaml | Docker service restart handler. |
| labs/ansible/roles/docker/defaults/main.yaml | Default vars for docker role. |
| labs/ansible/roles/common/tasks/main.yaml | Common system setup tasks (packages/timezone). |
| labs/ansible/roles/common/defaults/main.yaml | Default vars for common role. |
| labs/ansible/playbooks/site.yaml | Orchestrates provision + deploy stages. |
| labs/ansible/playbooks/provision.yaml | Runs common + docker roles on webservers. |
| labs/ansible/playbooks/deploy.yaml | Runs web_app role on webservers. |
| labs/ansible/inventory/hosts.ini | Static inventory with host connection details. |
| labs/ansible/inventory/aws_ec2.yaml | Dynamic EC2 inventory plugin configuration. |
| labs/ansible/docs/LAB05.md | Ansible lab documentation (roles, vault, dynamic inventory). |
| labs/ansible/ansible.cfg | Ansible configuration (inventory, key path, become). |
| labs/ansible/README.md | Badge-only readme for ansible automation. |
| .gitignore | Replaces placeholder ignore with comprehensive multi-tool ignores. |
| .github/workflows/terraform-ci.yaml | Terraform fmt/init/validate + tflint CI. |
| .github/workflows/python-ci.yaml | Python lint/test + Snyk + Docker build/push workflow. |
| .github/workflows/java-ci.yml | Java build/test + checkstyle + Snyk + Docker build/push workflow. |
| .github/workflows/ansible-deploy.yaml | Ansible lint + self-hosted deploy workflow. |
Files not reviewed (9)
- labs/app_python/.idea/.gitignore: Language not supported
- labs/app_python/.idea/app_python.iml: Language not supported
- labs/app_python/.idea/copilot.data.migration.ask2agent.xml: Language not supported
- labs/app_python/.idea/inspectionProfiles/profiles_settings.xml: Language not supported
- labs/app_python/.idea/misc.xml: Language not supported
- labs/app_python/.idea/modules.xml: Language not supported
- labs/app_python/.idea/vcs.xml: Language not supported
- labs/pulumi/pnpm-lock.yaml: Language not supported
- labs/terraform/.terraform.lock.hcl: Language not supported
| // Создаем провайдер с отключенными проверками, чтобы обойти ограничения учебной среды | ||
| const awsProvider = new aws.Provider("aws-provider", { | ||
| region: "us-east-1", | ||
| skipCredentialsValidation: true, | ||
| skipRequestingAccountId: true, | ||
| skipMetadataApiCheck: true, | ||
| skipRegionValidation: true, | ||
| }); |
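Review bot: the four `skip*` flags on this provider remove exactly the checks that would fail fast on a wrong, expired or mis-scoped credential, so a stale lab session token or a misdirected `AWS_*` environment is only noticed when the first EC2 API call errors, or, worse, succeeds against an unintended account. The Russian comment says the checks are disabled to get around the constraints of the training environment; if that is genuinely required, gate them on a stack config boolean (for example `config.getBoolean("labMode")`, a suggested key name) so the default keeps validation on, and take `region` from `aws:region` (`new pulumi.Config("aws").require("region")`) instead of the literal `"us-east-1"`.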
The AWS provider configuration is hardcoded to us-east-1 and explicitly disables multiple safety checks (skipCredentialsValidation, skipRequestingAccountId, etc.), while the stack config includes aws:region. This makes stacks less portable and can hide real auth/region misconfigurations. Prefer reading the region from config and only disabling the minimum necessary checks (ideally behind a config flag for the constrained lab environment).
| ingress: [ | ||
| { | ||
| description: "ssh", | ||
| fromPort: 22, | ||
| toPort: 22, | ||
| protocol: "tcp", | ||
| cidrBlocks: ["0.0.0.0/0"], | ||
| }, |
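Review bot: `cidrBlocks: ["0.0.0.0/0"]` on port 22 exposes SSH to every address on the internet, and since this program falls back to the shared lab key (`keyName` defaulting to `"vockey"` further up in `index.ts`), anyone holding that key can reach the instance. Read the allowed source from stack config, e.g. `const sshCidr = config.require("sshCidr")` (a suggested key name), so that `pulumi preview` fails when it is unset rather than silently widening to the whole internet.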
This Pulumi security group also opens SSH (22) to the world (0.0.0.0/0). To avoid accidental exposure, restrict SSH ingress to a configurable CIDR (e.g., your current public IP /32) or use a safer access mechanism (SSM) and drop port 22 entirely.
| ## Development | ||
|
|
||
| ## Development | ||
|
|
||
| ### Development Workflow |
There are two consecutive ## Development headers here, which looks like an accidental duplication and breaks the document structure/ToC. Remove one of them.
| const config = new pulumi.Config(); | ||
| const instanceType = config.get("instanceType") || "t3.micro"; | ||
| const keyName = config.get("keyName") || "vockey"; | ||
| const volumeSize = config.getNumber("volumeSize") || 8; | ||
| const instanceName = config.get("instanceName") || "DevOps-Lab"; | ||
|
|
||
| const amiId = "ami-0136735c2bb5cf5bf"; | ||
|
|
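Review bot: `const amiId = "ami-0136735c2bb5cf5bf"` carries no comment recording which image this is, so a reader cannot tell whether the instance boots a Canonical Ubuntu image or something else. If it is replaced by an `aws.ec2.getAmi` lookup, pass an explicit `owners` filter (Canonical publishes under account `099720109477`) alongside `mostRecent: true` and the name filter; a name filter on its own can match a public AMI published by an arbitrary account.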
The AMI is hardcoded (ami-0136735c2bb5cf5bf). AMI IDs are region-specific and can be deprecated, which makes deployments brittle. Prefer looking up the latest Ubuntu AMI via aws.ec2.getAmi (similar to the Terraform config) and/or make the AMI an explicit stack config value.
| ## Configuration | ||
|
|
||
| The application supports configuration via environment variables and system properties: | ||
|
|
||
| | Environment Variable | System Property | Default | Description | | ||
| | -------------------- | ---------------- | ----------- | ------------------- | | ||
| | `HOST` | `server.address` | `127.0.0.1` | Server host address | | ||
| | `PORT` | `server.port` | `8080` | Server port number | | ||
|
|
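Review bot: a documented `HOST` default of `127.0.0.1` in this table is a security statement, not just a usage detail: a reader takes it to mean the service is loopback-only, while `application.properties` in the same PR defaults `server.address` to `0.0.0.0`, i.e. every interface. Whichever default is kept, this table and the curl examples must show the real bind address and port (`8000` per `application.properties`), and the README should say explicitly that `0.0.0.0` exposes the service to the network the container or host sits on.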
This README states the default bind is HOST=127.0.0.1 and PORT=8080, but application.properties sets defaults to server.address=${HOST:0.0.0.0} and server.port=${PORT:8000}. Update the documented defaults and example curl commands to match the actual runtime defaults (or change the defaults in config).
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <project version="4"> | ||
| <component name="VcsDirectoryMappings"> | ||
| <mapping directory="$PROJECT_DIR$/../.." vcs="Git" /> | ||
| </component> | ||
| </project> No newline at end of file |
This PR adds IDE-specific .idea project files. These are machine/user specific and commonly cause noisy diffs and merge conflicts. Remove them from version control and rely on the existing .gitignore patterns to keep them untracked.
| Implemented production-oriented controls: | ||
|
|
||
| - Health checks for `app-python`, `grafana`, `loki`, `prometheus` | ||
| - Resource section present in Compose (`deploy.resources`) for limits/reservations policy | ||
| - Persistent volumes for stateful services: |
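Review bot: "Resource section present in Compose (`deploy.resources`) for limits/reservations policy" should state what is actually enforced rather than that the section exists. Under `docker compose up` with Compose v2, `deploy.resources.limits.cpus` and `.memory` are applied to the container's HostConfig; confirm it after bringing the stack up with `docker inspect --format '{{.HostConfig.Memory}} {{.HostConfig.NanoCpus}}' <container>` and record the observed values in this section, since an unenforced limit gives no protection against a runaway `loki` or `prometheus` exhausting the host.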
This section claims Compose resource limits via deploy.resources. Note that deploy.* is ignored by regular docker compose up (it’s for Swarm), so the limits/reservations won’t actually be enforced in a typical local Compose run. Consider documenting that caveat or using alternatives that Compose honors (e.g., mem_limit / cpus where supported).
| - name: Install Ansible | ||
| run: | | ||
| python -m pip install --upgrade pip | ||
| pip install ansible | ||
|
|
||
| - name: Deploy with Ansible | ||
| env: | ||
| ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }} | ||
| run: | | ||
| cd labs/ansible | ||
| echo "$ANSIBLE_VAULT_PASSWORD" > /tmp/vault_pass | ||
| ansible-playbook playbooks/deploy.yaml \ | ||
| -i inventory/hosts.ini \ | ||
| --vault-password-file /tmp/vault_pass \ | ||
| --tags "app_deploy" | ||
| rm /tmp/vault_pass |
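Review bot: `echo "$ANSIBLE_VAULT_PASSWORD" > /tmp/vault_pass` followed by `rm /tmp/vault_pass` leaves the vault password on disk whenever `ansible-playbook` fails, because the step's shell (`bash -eo pipefail` by default for `run:`) exits on the first non-zero status before `rm` executes; on the self-hosted runner this workflow targets, the file is world-readable under the default umask and survives into later jobs. Create it with restrictive permissions and remove it unconditionally, e.g. `trap 'rm -f /tmp/vault_pass' EXIT` and `(umask 077; printf '%s\n' "$ANSIBLE_VAULT_PASSWORD" > /tmp/vault_pass)`, or avoid the file altogether by pointing `--vault-password-file` at a small executable script that prints the variable, which Ansible supports. `pip install ansible` is also unpinned, so the deploy toolchain changes underneath the workflow without any change to the repository; pin a version or install from a requirements file.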
The deploy job runs ansible-playbook but doesn’t install required collections. This repo uses community.docker.* modules in the roles, which will fail unless community.docker is installed on the runner (and potentially amazon.aws if using the dynamic inventory). Add an ansible-galaxy collection install step (or a collections/requirements.yml) before running the playbook.
| ansible_ssh_private_key_file: "'~/Projects/edu/DevOps-Core-Course/labs/terraform/labsuser.pem'" | ||
| ansible_ssh_common_args: "'-o IdentitiesOnly=yes'" No newline at end of file |
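Review bot: `ansible_ssh_private_key_file` points at a path under one developer's home directory (`~/Projects/edu/DevOps-Core-Course/labs/terraform/labsuser.pem`), which ties the dynamic inventory to a single machine and places the private key inside the repository checkout, one careless `git add` away from being committed. Point it at a location outside the tree, supplied through the `private_key_file` already configured in `ansible.cfg` or an environment variable, and confirm `labsuser.pem` (and `*.pem` generally) is matched by the new `.gitignore`.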
In the dynamic inventory compose: section, ansible_ssh_private_key_file and ansible_ssh_common_args include extra quote characters inside the YAML string (e.g., "'~/...pem'"). This will make Ansible receive a path/args that literally contain quotes and can break SSH connectivity. Use plain strings without nested quotes.
| ansible_ssh_private_key_file: "'~/Projects/edu/DevOps-Core-Course/labs/terraform/labsuser.pem'" | |
| ansible_ssh_common_args: "'-o IdentitiesOnly=yes'" | |
| ansible_ssh_private_key_file: "~/Projects/edu/DevOps-Core-Course/labs/terraform/labsuser.pem" | |
| ansible_ssh_common_args: "-o IdentitiesOnly=yes" |
| # AWS TypeScript Pulumi Template | ||
|
|
||
| A minimal Pulumi template for provisioning AWS infrastructure using TypeScript. This template creates an Amazon S3 bucket and exports its name. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| - Pulumi CLI (>= v3): https://www.pulumi.com/docs/get-started/install/ | ||
| - Node.js (>= 14): https://nodejs.org/ | ||
| - AWS credentials configured (e.g., via `aws configure` or environment variables) | ||
|
|
||
| ## Getting Started | ||
|
|
||
| 1. Initialize a new Pulumi project: | ||
|
|
||
| ```bash | ||
| pulumi new aws-typescript | ||
| ``` | ||
|
|
||
| Follow the prompts to set your: | ||
| - Project name | ||
| - Project description | ||
| - AWS region (defaults to `us-east-1`) | ||
|
|
||
| 2. Preview and deploy your infrastructure: | ||
|
|
||
| ```bash | ||
| pulumi preview | ||
| pulumi up | ||
| ``` | ||
|
|
||
| 3. When you're finished, tear down your stack: | ||
|
|
||
| ```bash | ||
| pulumi destroy | ||
| pulumi stack rm | ||
| ``` | ||
|
|
||
| ## Project Layout | ||
|
|
||
| - `Pulumi.yaml` — Pulumi project and template metadata | ||
| - `index.ts` — Main Pulumi program (creates an S3 bucket) | ||
| - `package.json` — Node.js dependencies | ||
| - `tsconfig.json` — TypeScript compiler options |
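Review bot: "AWS credentials configured (e.g., via `aws configure` or environment variables)" under Prerequisites does not match the program it documents, which constructs an `aws.Provider` with credential and account-ID validation switched off; the README should say which credentials and region the stack really uses and that the provider skips validation. The overview and the `index.ts` bullet under Project Layout also need to describe the EC2 instance and security group this project creates, including the SSH ingress rule and the exported public IP, rather than an S3 bucket, so a reader running `pulumi up` knows what will be exposed.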
The Pulumi README describes creating an S3 bucket, but this project’s index.ts provisions an EC2 instance + security group and exports its public IP. This mismatch will confuse users following the instructions. Update the README (overview and layout bullets) to match the actual resources being deployed.