by jimangel
818 days ago
There's a lot of noise when trying to learn the advanced features of each cloud provider's "way of doing XYZ." I think it helps to focus on the things worth protecting: secrets, credentials, code. Who has access? How do we audit / rotate? How do we secure? You can use this approach for each step along the way: how to secure secrets in your cloud? code? IaC? container deployments? CI/CD? If we assume infra / app is code, the tooling matters a lot less. How do you provision certificates via IaC? How do you grant IAM to resources, and how do you revoke? There are examples like https://github.com/terraform-google-modules/terraform-exampl... of more advanced IaC architectures, but you can start as small or as complex as you want and evolve if done properly. Personally, I love me some Kubernetes + ArgoCD (GitOps) + Google Workload Identity + Google Secret Manager, but I am 100% biased.
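The "grant IAM as code, revoke by deleting the line" idea from the comment above, spelled out for the Workload Identity + Secret Manager stack it mentions. This is an added Terraform example, not code from the commenter or from the linked terraform-google-modules repository. It assumes a GKE cluster with Workload Identity already enabled, an existing Kubernetes namespace named `payments`, a `kubernetes` provider pointed at that cluster, and a `google` provider of version 5 or later (the `replication { auto {} }` syntax); the project id, secret name and service account names are placeholders.

```hcl
# Added example, not from the original post. Placeholders: project id,
# the "payments" namespace/workload, and the secret name.
variable "project_id" {
  type = string
}

# 1. The secret itself lives in Secret Manager, never in the repo, the
#    container image, or a ConfigMap. Only metadata is declared here;
#    the value is added out of band (gcloud, CI, or a rotation job).
resource "google_secret_manager_secret" "db_password" {
  project   = var.project_id
  secret_id = "payments-db-password"

  replication {
    auto {}
  }
}

# 2. One Google service account per workload, with no project-wide roles.
resource "google_service_account" "payments" {
  project      = var.project_id
  account_id   = "payments-workload"
  display_name = "payments workload (Workload Identity)"
}

# 3. The Kubernetes service account the pods run as, annotated so GKE
#    Workload Identity maps it onto the Google service account above.
resource "kubernetes_service_account" "payments" {
  metadata {
    name      = "payments"
    namespace = "payments"
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.payments.email
    }
  }
}

# 4. Let exactly that namespace/KSA pair impersonate the Google SA.
#    The member string is the cluster's Workload Identity pool:
#    PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME].
resource "google_service_account_iam_member" "payments_workload_identity" {
  service_account_id = google_service_account.payments.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[payments/payments]"
}

# 5. Grant read access on this one secret only (not on the project).
#    Revocation is deleting this resource and applying; the change is
#    reviewed in the PR and recorded in git history and Cloud Audit Logs.
resource "google_secret_manager_secret_iam_member" "payments_reads_db_password" {
  project   = var.project_id
  secret_id = google_secret_manager_secret.db_password.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.payments.email}"
}
```

Two caveats a practitioner would want. First, `google_*_iam_member` resources are non-authoritative: a grant someone adds by hand in the console will not show up as drift in `terraform plan`. If you want "who has access" to be answerable from the repo alone, use the authoritative `google_secret_manager_secret_iam_binding` (owns everyone with a given role) or `google_secret_manager_secret_iam_policy` (owns the whole policy) and accept that an apply will remove anything not declared. Second, the access check is `secretmanager.versions.access`, so a pod reads the secret at runtime through the mapped Google identity with no key file anywhere; the only credential is the short-lived token GKE issues to the annotated service account.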