GitOps on AWS — Real-World DevOps Pipeline with Argo CD, Terraform & EKS

Why I Chose GitOps#

GitOps is about control. Git becomes your single source of truth.

• Every change goes through a pull request.
• Every rollback is just a git revert.

No guesswork. No “who deployed this on Friday night?” In 2025, GitOps isn’t a trend. It’s the baseline for any team that takes infrastructure seriously.

But why exactly did I choose GitOps? Let’s dive into my personal setup.

My Stack at a Glance#

• At the core, I use Amazon EKS — Amazon’s managed Kubernetes
• Docker images are built and pushed to Amazon ECR
• Manifests live in Git. Argo CD syncs the cluster automatically
• Terraform provisions everything — from VPC to namespaces
• Secrets are managed securely with HashiCorp Vault
• GitHub Actions ties it all together

Just one terraform apply, and you have a fully reproducible, codified platform. Zero manual steps.

Why Containers?#

A container is the smallest unit of reliability. It runs exactly the same in dev, staging, and production. It’s isolated. Predictable. Versioned. CI builds the image, tags it — like release-2025.04.16-prod — pushes it to Amazon ECR, and that’s exactly what runs in production.

Remember that old joke, “but it works on my machine”? Containers kill that excuse forever. You build systems, not chaos.

The GitOps Mindset Shift#

But there’s a key mindset shift you need for GitOps — let’s talk about it. Here’s a common mistake I see all the time, even from experienced teams:

They think CI should handle deployments. In GitOps, it doesn’t.

• CI’s job is simply to push changes to Git.
• Argo CD handles the deploy. On its own. On schedule. No manual triggers.

That’s the power of GitOps:

• Git is truth.
• CI is just logistics.

How It All Connects#

• CI runs on GitHub Actions.
• It builds the Docker image, pushes it to Amazon ECR, updates Helm values, and commits to Git.
• Argo CD detects changes and applies them to the cluster.
• Terraform provisions the entire platform — including Argo CD itself.
• Vault integrates securely, providing secrets at runtime.

No plain-text tokens. No unencrypted environment variables.

This stack isn’t just functional. It’s resilient.

Hard-Earned Lessons#

But getting here wasn’t simple. Let me share the lessons I’ve learned so you don’t repeat my mistakes.

Monitoring: The Non-Negotiable#

If your monitoring system is users calling you at 3 AM, it’s not monitoring—it’s a nightmare.

I use Prometheus + Grafana for metrics, Loki for logs, and Alertmanager for alerts. Argo CD also exposes metrics, so I instantly see if something drifts from Git.

Monitoring isn’t an add-on. It’s essential. Without it, you’re flying blind.

What Success Looks Like#

• Deployment time: minutes, not hours.
• Rollbacks: one click.
• New environments: one command.
• New developers: clone and go.
• Everything documented, repeatable, and under control.

This isn’t hype. This is reality.

Final Thoughts#

Let’s wrap this up. This isn’t just a technology stack. It’s a mindset. Containers, infrastructure as code, Git at the center of all changes — this is what mature systems look like in 2025. GitOps isn’t about YAML. It’s about building systems you can trust.

Thank you for reading! Don’t forget to check out the video version for additional insights and visuals.