Hey team! 👋
I was looking through your AWS deployment setup in the deploy/aws-dev/ folder and decided to run it through a static analysis tool my team is working on (InfraScan) just to see what pops up. Your overall infra actually scored a solid 'A', but it found a few things that could be optimized, mainly around preventing surprise AWS bills for people self-hosting and slightly hardening the k8s setup.
Here are the most practical quick-wins:
1. No AWS Budget configured (Cost Safety)
Since you allow users to self-host this engine, a surprise AWS bill from GPU instances is a real nightmare. Adding a simple aws_budgets_budget resource to config.tf would act as a much-needed safety net if workloads suddenly spike.
2. S3 Bucket Lifecycle (Cost Optimization)
The image_bucket in modules/cluster/main.tf doesn't have a lifecycle policy. Over time, things like cached container images, layers, and models will just accumulate and slowly creep up the AWS storage bill.
3. Kubernetes Default Namespace (Security/Best Practices)
The app_config Kubernetes secret in modules/k8s-resources/main.tf is currently being deployed to the default namespace. Moving this to a dedicated, isolated namespace is a standard k8s hardening practice to limit blast radius.
If you want to dig into the exact files and lines of code, the full interactive report is here:
👉 View Full InfraScan Report for Beta9
(Full disclosure: the link above is generated by our tool, but I manually reviewed the findings to make sure I'm only suggesting things that actually make sense for your repo).
If you're open to it, I'd be happy to submit a quick PR. Let me know what you think!
Hey team! 👋
I was looking through your AWS deployment setup in the
deploy/aws-dev/folder and decided to run it through a static analysis tool my team is working on (InfraScan) just to see what pops up. Your overall infra actually scored a solid 'A', but it found a few things that could be optimized, mainly around preventing surprise AWS bills for people self-hosting and slightly hardening the k8s setup.Here are the most practical quick-wins:
1. No AWS Budget configured (Cost Safety)
Since you allow users to self-host this engine, a surprise AWS bill from GPU instances is a real nightmare. Adding a simple
aws_budgets_budgetresource toconfig.tfwould act as a much-needed safety net if workloads suddenly spike.2. S3 Bucket Lifecycle (Cost Optimization)
The
image_bucketinmodules/cluster/main.tfdoesn't have a lifecycle policy. Over time, things like cached container images, layers, and models will just accumulate and slowly creep up the AWS storage bill.3. Kubernetes Default Namespace (Security/Best Practices)
The
app_configKubernetes secret inmodules/k8s-resources/main.tfis currently being deployed to thedefaultnamespace. Moving this to a dedicated, isolated namespace is a standard k8s hardening practice to limit blast radius.If you want to dig into the exact files and lines of code, the full interactive report is here:
👉 View Full InfraScan Report for Beta9
(Full disclosure: the link above is generated by our tool, but I manually reviewed the findings to make sure I'm only suggesting things that actually make sense for your repo).
If you're open to it, I'd be happy to submit a quick PR. Let me know what you think!