NotHarshhaa/DevOps-Projects
Real-world DevOps projects for aspiring engineers, Beginner to Advanced. Covers AWS, Kubernetes, Docker, CI/CD, Terraform, Jenkins, and more. Hands-on learning with step-by-step guides.
Missing license - unclear to depend on
Weakest axis: no license - legally unclear; top contributor handles 99% of recent commits...
No license - can't legally use code; no CI workflows detected
Documented and popular - useful reference codebase to read through.
- Last commit 6d ago
- 2 active contributors
- Tests present
- Small team: 2 contributors active in recent commits
- Single-maintainer risk: top contributor 99% of recent commits
- No license: legally unclear to depend on
- No CI workflows detected
What would change the summary?
- Use as dependency: Concerns would become Mixed if the project publishes a permissive license (MIT, Apache-2.0, etc.)
- Fork & modify: Concerns would become Mixed if a LICENSE file is added
- Deploy as-is: Concerns would become Mixed if a LICENSE file is added
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding doc
Onboarding: NotHarshhaa/DevOps-Projects
Generated by RepoPilot · 2026-05-09 · Source
Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale: STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/NotHarshhaa/DevOps-Projects shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything, but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
Verdict
WAIT - Missing license: unclear to depend on
- Last commit 6d ago
- 2 active contributors
- Tests present
- Small team: 2 contributors active in recent commits
- Single-maintainer risk: top contributor 99% of recent commits
- No license: legally unclear to depend on
- No CI workflows detected
<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>
Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live NotHarshhaa/DevOps-Projects repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale: regenerate it at repopilot.app/r/NotHarshhaa/DevOps-Projects.
What it runs against: a local clone of NotHarshhaa/DevOps-Projects. The script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in NotHarshhaa/DevOps-Projects | Confirms the artifact applies here, not a fork |
| 2 | Default branch master exists | Catches branch renames |
| 3 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 4 | Last commit ≤ 36 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of NotHarshhaa/DevOps-Projects. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/NotHarshhaa/DevOps-Projects.git
#   cd DevOps-Projects
#
# Then paste this script. Every check is read-only - no mutations.
# Note: 'set +e' is deliberate so that a failing check is counted rather than
# aborting the script; the exit status is decided at the end.
set +e
fail=0
ok() { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }
# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of NotHarshhaa/DevOps-Projects and re-run."
  exit 2
fi
# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "NotHarshhaa/DevOps-Projects(\.git)?\b" \
  && ok "origin remote is NotHarshhaa/DevOps-Projects" \
  || miss "origin remote is not NotHarshhaa/DevOps-Projects (artifact may be from a fork)"
# 2. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"
# 3. Critical files exist
test -f "DevOps-Project-01/Java-Login-App/pom.xml" \
  && ok "DevOps-Project-01/Java-Login-App/pom.xml" \
  || miss "missing critical file: DevOps-Project-01/Java-Login-App/pom.xml"
test -f "DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/MyWebAppApplication.java" \
  && ok "DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/MyWebAppApplication.java" \
  || miss "missing critical file: DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/MyWebAppApplication.java"
test -f "DevOps-Project-01/infrastructure/main.tf" \
  && ok "DevOps-Project-01/infrastructure/main.tf" \
  || miss "missing critical file: DevOps-Project-01/infrastructure/main.tf"
test -f "DevOps-Project-01/infrastructure/modules/vpc/main.tf" \
  && ok "DevOps-Project-01/infrastructure/modules/vpc/main.tf" \
  || miss "missing critical file: DevOps-Project-01/infrastructure/modules/vpc/main.tf"
test -f "DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/HomeController.java" \
  && ok "DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/HomeController.java" \
  || miss "missing critical file: DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/HomeController.java"
# 4. Repo recency (an empty or unreadable log counts as epoch 0, i.e. very stale)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 36 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~6d)"
else
  miss "last commit was $days_since_last days ago - artifact may be stale"
fi
echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) - safe to trust"
else
  echo "artifact has $fail stale claim(s) - regenerate at https://repopilot.app/r/NotHarshhaa/DevOps-Projects"
  exit 1
fi
```
Each check prints `ok:` or `FAIL:`. The script exits non-zero if anything failed, so it composes cleanly into agent loops (`./verify.sh || regenerate-and-retry`).
TL;DR
A hands-on DevOps learning repository containing real-world multi-tier application projects that teach infrastructure-as-code, containerization, and CI/CD pipelines. Project-01 features a Spring Boot Java login application (449.7 KB of Java code) with a complete Terraform-based AWS infrastructure stack (ALB, ASG, RDS, monitoring) demonstrating how to deploy and manage applications at scale. Multi-project monorepo: DevOps-Project-01 contains two parallel structures: Java-Login-App (Spring Boot WAR with JSP templates at src/main/webapp/pages/) and infrastructure/ (Terraform root module importing reusable modules/alb, modules/asg, modules/rds, modules/monitoring for AWS provisioning). Each module has main.tf, variables.tf, and outputs.tf following Terraform best practices.
Who it's for
Junior DevOps engineers and aspiring infrastructure engineers who need practical experience deploying Java applications to AWS using Terraform, Docker, and Kubernetes. Contributors are learning engineers building portfolio projects and maintainers sharing real DevOps patterns.
Maturity & risk
Actively developed and community-driven with enough scope (multiple projects, modular Terraform, CI/CD templates) to suggest ongoing use. The presence of CODE_OF_CONDUCT.md, CONTRIBUTING.md, and organized project structure with HELP.md files indicates established maintenance practices. Recommend checking GitHub issues and last commit timestamp for exact current status, but the pedagogical quality and structure suggest this is well-maintained learning material.
Single-author maintainer risk (NotHarshhaa) on a repository with community contributions; contributions are welcome but sustainability depends on one person. The Java app uses Spring Boot 2.7.18 (no parent LTS), and older Tomcat Jasper dependency (9.0.31) may accumulate security patches over time. Terraform modules lack explicit version pinning in the file list, which could cause reproducibility issues if AWS provider APIs shift.
Active areas of work
Repository is actively organized for learning with sequential project progression (Project-01 visible, implying more projects planned). The structure shows intentional scaffolding: README files in infrastructure/, Java app HELP.md, and modular Terraform suggest recent refactoring toward clarity. Exact PR/issue activity not visible in file list, but presence of SECURITY.md indicates ongoing governance.
Get running
```bash
git clone https://github.com/NotHarshhaa/DevOps-Projects.git
cd DevOps-Projects/DevOps-Project-01/Java-Login-App
mvn clean install
mvn spring-boot:run
# For infrastructure: cd ../infrastructure && terraform init && terraform plan
```
**Daily commands:**
Java app: `mvn clean install && mvn spring-boot:run` (runs on embedded Tomcat, default port 8080). Infrastructure: `cd infrastructure && terraform init && terraform plan && terraform apply` (requires AWS credentials and Terraform ≥0.12). See individual README.md files in DevOps-Project-01/ and DevOps-Project-01/infrastructure/ for environment-specific setup.
Map of the codebase
- DevOps-Project-01/Java-Login-App/pom.xml: Maven configuration defining Spring Boot 2.7.18 parent and all Java application dependencies; controls build process and framework versions.
- DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/MyWebAppApplication.java: Spring Boot application entry point; bootstraps the login application and initializes the embedded servlet container.
- DevOps-Project-01/infrastructure/main.tf: Root Terraform configuration orchestrating AWS infrastructure modules (VPC, RDS, ALB, ASG, security, monitoring); defines the complete cloud deployment.
- DevOps-Project-01/infrastructure/modules/vpc/main.tf: VPC module instantiation defining networking foundation (subnets, route tables, NAT gateways); all other AWS resources depend on this.
- DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/HomeController.java: Spring MVC controller handling HTTP request routing and request/response logic; primary entry point for user interactions.
- DevOps-Project-01/infrastructure/modules/rds/main.tf: RDS database module provisioning PostgreSQL/MySQL instance; manages persistence layer for login credentials and user data.
- CODE_OF_CONDUCT.md: Community guidelines and expectations for all contributors; establishes project values and collaboration standards.
How to make changes
Add a New Web Page & Authentication Endpoint
- Create a new JSP view file in the pages directory (DevOps-Project-01/Java-Login-App/src/main/webapp/pages/newpage.jsp)
- Add a new request mapping method to HomeController to handle GET/POST requests (DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/HomeController.java)
- If authentication logic is required, add a business logic class following the pattern of login.java or register.java (DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/newfeature.java)
- Rebuild the application with Maven: mvn clean package (DevOps-Project-01/Java-Login-App/pom.xml)
Add a New AWS Infrastructure Module
- Create a new directory under modules (e.g., modules/elasticache/) with main.tf, variables.tf, and outputs.tf (DevOps-Project-01/infrastructure/modules/newservice/)
- Define resource configurations in main.tf following existing module patterns (VPC, RDS, etc.) (DevOps-Project-01/infrastructure/modules/newservice/main.tf)
- Define input variables in variables.tf (referencing values from parent main.tf) (DevOps-Project-01/infrastructure/modules/newservice/variables.tf)
- Add module invocation and variable passing in root main.tf (DevOps-Project-01/infrastructure/main.tf)
- Export resource attributes in outputs.tf for consumption by other modules (DevOps-Project-01/infrastructure/modules/newservice/outputs.tf)
Extend Database Schema & User Model
- Modify login.java or register.java to add new user fields and validation logic (DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/login.java)
- Update relevant JSP form pages to include new input fields (DevOps-Project-01/Java-Login-App/src/main/webapp/pages/register.jsp)
- Configure database connection properties in application.properties (driver, URL, credentials) (DevOps-Project-01/Java-Login-App/src/main/resources/application.properties)
- Update RDS module variables to adjust instance class or storage if needed (DevOps-Project-01/infrastructure/modules/rds/variables.tf)
Why these technologies
- Spring Boot 2.7.18: Provides rapid MVC web application development with embedded Tomcat, dependency injection, and production-ready features for the login/auth use case.
- Terraform: Infrastructure-as-Code approach enables reproducible, version-controlled AWS deployments across VPC, RDS, ALB, and ASG; idempotent and auditable.
- AWS Auto Scaling Group (ASG): Automatically scales EC2 instances running the Java application based on demand; integrates with ALB for zero-downtime deployments.
- AWS RDS: Managed relational database (PostgreSQL/MySQL) handles user credentials and profile data with automated backups, high availability, and encryption.
- Application Load Balancer (ALB): Layer 7 load balancer distributes HTTP/HTTPS traffic across ASG instances with path-based routing and health checks.
- CloudWatch: Centralized monitoring and alerting on application metrics, logs, and infrastructure health; triggers ASG scaling policies.
Trade-offs already made
- Spring Boot 2.7.18 (not latest 3.x)
  - Why: Java 11 compatibility requirement and production stability vs. Spring 3 which requires Java 17+.
  - Consequence: Slightly older dependency versions; long-term maintenance window shorter than Spring 3, but mature ecosystem.
- Monolithic Spring Boot application (not microservices)
  - Why: Simpler DevOps learning curve for beginners; single deployment unit easier to manage than distributed services.
  - Consequence: Scaling limited to horizontal scaling at application level; harder to update auth logic independently from business logic.
- JSP-based UI (not modern SPA/React)
  - Why: Server-side rendering simplifies deployment; reduces JavaScript complexity for educational focus on DevOps fundamentals.
  - Consequence: Less responsive UI experience; frontend tightly coupled to backend; harder to decouple later.
Traps & gotchas
- Environment variables: application.properties likely references DB_HOST, DB_USER, DB_PASS (not visible in snippet); these must be injected at runtime or externalized to Kubernetes ConfigMap/Secrets.
- Tomcat Jasper version mismatch: Tomcat 9.0.31 is deprecated; may cause compatibility issues with newer Spring Boot patches.
- Terraform state: No .gitignore or remote backend (S3/Terraform Cloud) mentioned; local state file will accumulate secrets and create merge conflicts in multi-developer workflows.
- Java 11 EOL: Java 11 mainstream support ended Sept 2023; recommend upgrading to Java 17 LTS.
- Database migrations: No Flyway/Liquibase visible; schema must be manually initialized before first run.
- No SSL/TLS: application.properties missing server.ssl config; ALB must terminate HTTPS, not the app.
Architecture
Concepts to learn
- Infrastructure as Code (IaC) and Terraform Modules: This repo's core pattern: modularizing Terraform (alb, asg, rds, monitoring) teaches reusability, testability, and team collaboration on infrastructure, which is essential for scaling from ad-hoc scripts to enterprise DevOps.
- Auto Scaling Groups (ASG) and Load Balancing: DevOps-Project-01 demonstrates horizontal scaling (ASG with target groups) and traffic distribution (ALB); understanding these patterns is critical for building resilient, self-healing applications.
- Spring Security and OAuth2/JWT Authentication: The login.java and register.java classes depend on spring-boot-starter-security; learning how credentials are validated and sessions managed is foundational for securing web applications in DevOps contexts.
- Containerization and WAR vs. JAR packaging: Project uses WAR (legacy servlet container) not JAR (modern Cloud Native); understanding the tradeoff between traditional Tomcat deployment and containerized Spring Boot is key for deciding deployment architecture.
- Database Persistence and RDS Networking: The RDS module (modules/rds/main.tf) shows how to provision MySQL in a VPC with security groups; mastering DB layer separation and connection pooling is critical for production reliability.
- CloudWatch Monitoring and Observability: modules/monitoring/ demonstrates metric collection and alerting; DevOps engineers must understand how to instrument applications and infrastructure for visibility into production behavior.
- Immutable Infrastructure and GitOps Patterns: ASG + ALB pattern enables rolling deployments without manual server management; understanding declarative, version-controlled infrastructure is the bridge between DevOps and Site Reliability Engineering.
Related repos
- aws/aws-cdk-examples: Alternative to Terraform for AWS infrastructure-as-code; useful if team prefers Python/TypeScript IaC instead of HCL.
- kubernetes/kubernetes: Complement to this repo's AWS ASG/ALB pattern; DevOps-Projects repo mentions Kubernetes in scope but this project uses VMs, so K8s examples are the next maturity level.
- spring-projects/spring-boot: Canonical Spring Boot documentation and examples; reference for CustomSecurityConfig, JSP servlet initialization, and WAR deployment patterns used in this project.
- hashicorp/terraform-aws-modules: Official HashiCorp AWS Terraform modules (vpc, alb, autoscaling, rds); DevOps-Projects repo implements custom modules but these are production-hardened alternatives.
- bridgecrewio/checkov: Infrastructure-as-code scanning tool; DevOps-Projects could integrate pre-commit hooks to validate Terraform for AWS security best practices.
PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add GitHub Actions CI/CD workflow for Java-Login-App Maven builds and testing
The Java-Login-App (DevOps-Project-01/Java-Login-App) has a complete pom.xml with Maven configuration but no CI/CD pipeline defined. This is a critical gap for a DevOps learning repo: contributors building on this project have no automated way to verify their changes work. A GitHub Actions workflow would: (1) build the Maven project on every PR, (2) run the existing unit test in MyWebAppApplicationTests.java, (3) generate a WAR artifact, and (4) fail builds on compilation/test failures. This directly supports the repo's educational mission.
- [ ] Create .github/workflows/java-login-app-ci.yml with Maven build job
- [ ] Configure job to run 'mvn clean test package' for JDK 11
- [ ] Add artifact upload step to store generated WAR file
- [ ] Document the workflow in DevOps-Project-01/README.md with expected behavior
- [ ] Verify workflow runs successfully on sample PR
Add integration tests for Terraform modules in DevOps-Project-01/infrastructure
The infrastructure directory contains well-structured Terraform modules (vpc, rds, alb, asg, security, monitoring) with main.tf, variables.tf, and outputs.tf files, but no test coverage. For a DevOps learning repo, this is a missed opportunity to teach IaC testing best practices. Adding terraform validate checks and basic tftest or terratest suites would: (1) catch syntax/logic errors early, (2) document expected module behavior, (3) provide learners with runnable examples of infrastructure testing patterns.
- [ ] Create DevOps-Project-01/infrastructure/tests/ directory
- [ ] Add terraform fmt and terraform validate checks in a GitHub Actions workflow (.github/workflows/terraform-validate.yml)
- [ ] Write basic unit tests (e.g., validate required variables, check outputs exist) for each module
- [ ] Document testing instructions in DevOps-Project-01/infrastructure/README.md
- [ ] Ensure workflow runs on all .tf file changes in the infrastructure directory
Create a Spring Boot application test suite for login/register controllers in Java-Login-App
The Java-Login-App has controllers (HomeController.java, login.java, register.java) and JSP views but only a minimal MyWebAppApplicationTests.java placeholder. Without controller/integration tests, learners don't see how to test secured Spring endpoints or form submissions, which is critical for DevOps engineers validating application behavior. Adding @SpringBootTest integration tests would demonstrate: (1) testing authentication flows, (2) mocking database interactions, (3) validating JSP rendering, helping contributors understand full-stack testing.
- [ ] Expand src/test/java/com/dpt/demo/MyWebAppApplicationTests.java with @SpringBootTest annotations
- [ ] Add test cases for HomeController GET /home endpoint
- [ ] Add test cases for login.java POST /login with valid/invalid credentials
- [ ] Add test cases for register.java POST /register with validation
- [ ] Update pom.xml to include spring-boot-starter-test and Mockito if not already present
- [ ] Document test execution in DevOps-Project-01/Java-Login-App/README.md
Good first issues
- Add integration tests for login.java and register.java endpoints using MockMvc; currently only MyWebAppApplicationTests.java exists with no controller-level tests.
- Document the database schema and initialization steps in DevOps-Project-01/infrastructure/README.md; RDS module creates instance but no guidance on table creation or seed data.
- Create a Makefile in DevOps-Project-01/ to codify common commands (mvn clean install, terraform init, docker build) and standardize developer workflows across projects.
Top contributors
- @NotHarshhaa: 71 commits
- @prodevopsguytech: 1 commit
Recent commits
- `a38cc0f` DevOps: Update CONTRIBUTING.md for Enhanced Clarity and Guidance (NotHarshhaa)
- `f527d36` DevOps: Add Security Policy and README Updates for Enhanced Security Awareness (NotHarshhaa)
- `2c74041` DevOps: README: Add Complete Projects Overview Table for enhanced project visibility (NotHarshhaa)
- `b8c7985` DevOps: README: Add Copyright & License section for copyright and reproduction policy (NotHarshhaa)
- `0483961` DevOps: Push DevOps-Project-40 (NotHarshhaa)
- `b2fe774` DevOps-Project-11: Update Terraform configurations and README for improved clarity and versioning (NotHarshhaa)
- `065e12b` DevOps-Project-04: Refactor Dockerfile and enhance README for production-ready Django deployment (NotHarshhaa)
- `effb3e8` DevOps-Project-02: Update README and JSON policies for improved clarity and performance (NotHarshhaa)
- `efa9ae9` DevOps-Project-01: Update Java Login App and Infrastructure Modules (NotHarshhaa)
- `42cb29d` DevOps: Push DevOps-Project-39 (NotHarshhaa)
Security observations
- High · Outdated Tomcat Jasper Dependency (DevOps-Project-01/Java-Login-App/pom.xml). The pom.xml includes tomcat-jasper version 9.0.31, which is significantly outdated and contains known security vulnerabilities. This version was released in 2019 and has multiple CVEs including remote code execution vulnerabilities. Fix: Update tomcat-jasper to the latest stable version (9.0.70+) or allow Spring Boot to manage the version through spring-boot-starter-tomcat.
- High · Outdated Spring Boot Version (DevOps-Project-01/Java-Login-App/pom.xml). Spring Boot 2.7.18 is a legacy version with limited security updates. Spring Boot 2.7.x reached end-of-support. This exposes the application to known vulnerabilities that are no longer being patched. Fix: Upgrade to Spring Boot 3.x (latest stable version) which has active security maintenance and patches.
- High · Outdated MySQL Connector (DevOps-Project-01/Java-Login-App/pom.xml). The pom.xml uses mysql-connector-java without specifying a version, which could pull an outdated connector with known vulnerabilities. MySQL Connector/J versions before 8.0.33 have multiple CVEs. Fix: Explicitly specify mysql-connector-java version 8.0.33+ or migrate to mysql-connector-j, which is the actively maintained driver.
- High · Potential SQL Injection Risk (DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/login.java and register.java). The presence of login.java and register.java classes suggests direct database interactions. Without viewing the source code, common patterns indicate potential SQL injection vulnerabilities if raw SQL queries are constructed with user input. Fix: Use parameterized queries, prepared statements, or an ORM framework (Hibernate, JPA) instead of string concatenation for SQL queries.
- High · Potential XSS Vulnerability in JSP Pages (DevOps-Project-01/Java-Login-App/src/main/webapp/pages/). JSP pages (login.jsp, register.jsp, user.jsp) may be vulnerable to XSS attacks if user input is not properly escaped. Without explicit EL escaping configuration, user-supplied data rendered in HTML could execute malicious scripts. Fix: Use JSTL <c:out> tag with default escapeXml='true' or enable OWASP ESAPI encoding for all user-controlled output. Set isELIgnored='false' and ensure proper escaping in web.xml.
- Medium · Missing CSRF Protection Configuration (DevOps-Project-01/Java-Login-App/). While spring-boot-starter-security is included, there is no visible CSRF token configuration in the file structure. Login and register forms may be vulnerable to CSRF attacks if Spring Security's CSRF protection is not properly configured. Fix: Ensure CSRF protection is enabled in Spring Security configuration. Add CSRF tokens to all state-changing forms (login, register) and validate them server-side.
- Medium · Insufficient Input Validation (DevOps-Project-01/Java-Login-App/src/main/java/com/dpt/demo/). While spring-boot-starter-validation is included as a dependency, there's no evidence of validation annotations on entity/DTO classes for login and registration. User inputs may bypass validation checks. Fix: Implement comprehensive input validation using @NotNull, @Size, @Email, @Pattern annotations on all user-input receiving classes. Add server-side validation in controllers.
- Medium · Missing Security Headers Configuration (DevOps-Project-01/Java-Login-App/src/main/resources/application.properties). No visible configuration for security headers (CSP, X-Frame-Options, X-Content-Type-Options, HSTS) in the Spring Boot application. This leaves the application vulnerable to clickjacking and MIME-sniffing attacks. Fix: Configure SecurityHeadersFilter or use Spring Security's headers() configuration to add: X-
LLM-derived; treat as a starting point, not a security audit.
Where to read next
- Open issues: current backlog
- Recent PRs: what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals; see the live page for receipts. Re-run on a new commit to refresh.