Description
Hey team! 👋
I was looking through your AWS deployment setup in the deploy/aws-dev/ folder and decided to run it through a static analysis tool my team is working on (InfraScan) just to see what pops up. Your overall infra actually scored a solid 'A', but it found a few things that could be optimized, mainly around preventing surprise AWS bills for people self-hosting and slightly hardening the k8s setup.
Here are the most practical quick-wins:
1. No AWS Budget configured (Cost Safety)
Since you allow users to self-host this engine, a surprise AWS bill from GPU instances is a real nightmare. Adding a simple aws_budgets_budget resource to config.tf would act as a much-needed safety net if workloads suddenly spike.
2. S3 Bucket Lifecycle (Cost Optimization)
The image_bucket in modules/cluster/main.tf doesn't have a lifecycle policy. Over time, things like cached container images, layers, and models will just accumulate and slowly creep up the AWS storage bill.
3. Kubernetes Default Namespace (Security/Best Practices)
The app_config Kubernetes secret in modules/k8s-resources/main.tf is currently being deployed to the default namespace. Moving this to a dedicated, isolated namespace is a standard k8s hardening practice to limit blast radius.
If you want to dig into the exact files and lines of code, the full interactive report is here:
👉 View Full InfraScan Report for Beta9
(Full disclosure: the link above is generated by our tool, but I manually reviewed the findings to make sure I'm only suggesting things that actually make sense for your repo).
If you're open to it, I'd be happy to submit a quick PR. Let me know what you think!
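The three quick-wins above, written out as Terraform. This is an added example, not code from the Beta9 repository or from the InfraScan tool: the resource names, the budget amount, the retention periods, the `ops@example.com` address, the `beta9` namespace name, and the `app_config` variable are all assumptions; the only thing taken from the issue is that a bucket resource called `image_bucket` and a secret called `app_config` exist in the modules named there.

```hcl
# Added example (not from the Beta9 repo). Names, amounts and retention periods
# below are assumptions chosen for illustration.

# 1. Cost safety: a monthly budget that alerts at 80% of actual spend and when
#    the forecast crosses 100%, so a GPU node group that scales unexpectedly
#    is noticed before the invoice arrives.
resource "aws_budgets_budget" "monthly_cap" {
  name         = "beta9-dev-monthly"   # assumed name
  budget_type  = "COST"
  limit_amount = "500"                 # assumed cap, in USD
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = ["ops@example.com"]   # placeholder address
  }

  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_email_addresses = ["ops@example.com"]   # placeholder address
  }
}

# 2. Cost optimization: a lifecycle rule on the image bucket so cached layers,
#    images and models expire instead of accumulating, and abandoned multipart
#    uploads (which are billed but invisible in listings) are cleaned up.
resource "aws_s3_bucket_lifecycle_configuration" "image_bucket" {
  # assumes the bucket in modules/cluster/main.tf is declared as
  # resource "aws_s3_bucket" "image_bucket"
  bucket = aws_s3_bucket.image_bucket.id

  rule {
    id     = "expire-stale-objects"
    status = "Enabled"

    filter {}   # empty filter: the rule applies to every object in the bucket

    expiration {
      days = 90   # assumed retention for current objects
    }

    # only has an effect if bucket versioning is enabled
    noncurrent_version_expiration {
      noncurrent_days = 30
    }

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

# 3. Hardening: give the app secret its own namespace instead of "default".
#    A dedicated namespace is what makes namespace-scoped RBAC, NetworkPolicy
#    and resource quotas possible for this workload alone.
resource "kubernetes_namespace" "beta9" {
  metadata {
    name = "beta9"   # assumed namespace name
  }
}

variable "app_config" {
  description = "Key/value pairs for the app secret (assumed input)"
  type        = map(string)
  sensitive   = true
}

resource "kubernetes_secret" "app_config" {
  metadata {
    name      = "app-config"
    namespace = kubernetes_namespace.beta9.metadata[0].name
  }

  data = var.app_config
}
```

The namespace reference through `kubernetes_namespace.beta9.metadata[0].name` gives Terraform the dependency edge, so the namespace is created before the secret and destroyed after it. For the lifecycle rule, check whether anything in the cluster relies on objects older than the chosen `expiration` window before enabling it; the retention numbers above are placeholders, not a recommendation for this repository.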