GitOps on AWS — Real-World DevOps Pipeline with Argo CD, Terraform & EKS

Why I Chose GitOps#

GitOps is about control. Git becomes the one place that tells the truth about your system.

• Every change goes through a pull request.
• Every rollback is just a git revert.

No guesswork. Nobody asking who deployed what on Friday night. By 2025 this stopped being a trend. If your team is serious about infrastructure, it’s the floor you start from, not the ceiling you reach for.

So why does my setup look the way it does? Start with the stack.

My Stack at a Glance#

• At the core, I use Amazon EKS — Amazon’s managed Kubernetes
• Docker images are built and pushed to Amazon ECR
• Manifests live in Git. Argo CD syncs the cluster automatically
• Terraform provisions everything — from VPC to namespaces
• Secrets are managed securely with HashiCorp Vault
• GitHub Actions ties it all together

One terraform apply. That gets you a reproducible platform, codified end to end, with nothing done by hand.

Why Containers?#

A container is the smallest unit of reliability I know of. It runs the same way in dev, in staging, and in production. Isolated, predictable, pinned to a version. CI builds the image and tags it, say release-2025.04.16-prod, then pushes it to Amazon ECR. What runs in production is that exact artifact, byte for byte.

You know the old joke about how it works on my machine? Containers retire it. You ship systems instead of chaos.

The GitOps Mindset Shift#

GitOps asks you to rethink one thing, and it trips up plenty of experienced teams. Here’s the mistake I keep running into.

They assume CI should handle deployments. Under GitOps it doesn’t.

• CI’s job is simply to push changes to Git.
• Argo CD handles the deploy. On its own. On schedule. No manual triggers.

That split is the whole point. Git holds the truth. CI is just the courier that gets your change there.

How It All Connects#

• CI runs on GitHub Actions.
• It builds the Docker image, pushes it to Amazon ECR, updates Helm values, and commits to Git.
• Argo CD detects changes and applies them to the cluster.
• Terraform provisions the entire platform, Argo CD included.
• Vault integrates securely, providing secrets at runtime.

So there are no plain-text tokens sitting around. No unencrypted environment variables either.

This stack does the job, and it holds up when something goes wrong.

Hard-Earned Lessons#

Getting here took a while, and I paid for a few of these the hard way. Here’s what I’d tell you so you skip my mistakes.

Monitoring: The Non-Negotiable#

If your monitoring is users calling you at 3 AM, that isn’t monitoring. It’s a nightmare with a phone number.

For metrics I run Prometheus and Grafana. Loki handles logs, Alertmanager handles alerts. Argo CD exposes its own metrics too, so the moment the cluster drifts from Git, I see it.

Monitoring isn’t a bolt-on you add later. Skip it and you’re flying blind.

What Success Looks Like#

• Deployment time: minutes, not hours.
• Rollbacks: one click.
• New environments: one command.
• New developers: clone and go.
• Everything documented, repeatable, and under control.

None of that is hype. That’s the day-to-day.

Final Thoughts#

This is more than a list of tools. It’s a way of working. Containers, infrastructure as code, every change routed through Git: that’s what a mature system looks like in 2025. GitOps was never really about YAML. It’s about building something you can actually trust.

Thank you for reading! Don’t forget to check out the video version for additional insights and visuals.