Provisioning AWS EKS Cluster with terraform-aws-modules/eks/aws

 terraform-aws-modules/terraform-aws-eks: Terraform module to create Amazon Elastic Kubernetes (EKS) resources is a popular Terraform module for provisioning AWS EKS cluster. 

In this article we want to explore and breakdown its key components and their purposes.

We'd typically use this module like here:

module "eks" {

  source  = "terraform-aws-modules/eks/aws"

  version = "21.15.1"

  ...

}

Let's explore this module's attributes.

1. Cluster Configuration

name,  version

Sets the name and Kubernetes version for the EKS cluster. Use local and variable values for flexibility.

endpoint_public_access

Set public (Internet) access to the Kubernetes API endpoint (via kubectl). Disable it for enhanced security. 

endpoint_private_access

Set private access to the API endpoint, whether only resources within the VPC can access it. If enabled, it is only reachable from within the VPC (Virtual Private Cloud) where your EKS cluster is deployed. There are few ways to access it:

How to Access the Kubernetes API from VPC

1. Use a Bastion Host or EC2 Instance in the VPC

Launch an EC2 instance (bastion host or jump box) in a subnet within the same VPC as your EKS cluster.

SSH into this instance, and from there, use kubectl to access the cluster.

Alternatively, use SSH port forwarding or a VPN to proxy kubectl commands from your local machine through the bastion.

2. Use AWS Systems Manager (SSM) Session Manager

If your EC2 instances have the SSM agent and the necessary IAM permissions, you can use AWS SSM Session Manager to start a shell session on an instance in the VPC, then run kubectl from there.

3. Use a VPN Connection

Set up a VPN (such as AWS Client VPN or OpenVPN, or Site-to-site VPN for office LAN) that connects your local network to the VPC. Once connected, your local machine will be able to reach the private endpoint.

4. Use AWS PrivateLink (Interface VPC Endpoints)

For advanced scenarios, you can use AWS PrivateLink to expose the Kubernetes API endpoint privately to other VPCs or on-premises networks.

enable_cluster_creator_admin_permissions

If enabled, grants admin permissions to the user who creates the cluster.

2. Logging and Add-ons

enabled_log_types

Enables logging for various Kubernetes components (API, audit, authenticator, controllerManager, scheduler) for monitoring and troubleshooting.

Example:

  enabled_log_types = [

    "api",

    "audit",

    "authenticator",

    "controllerManager",

    "scheduler"

  ]

addons

A dictionary-type attribute which installs and configures essential Kubernetes add-ons. Dictionary keys are addon names like:

• coredns
• kube-proxy
• aws-ebs-csi-driver
• vpc-cni

Dictionary values are objects which attributes are:

• most_recent - to set using the latest version (set it to false for version pinning)
• version - addon version (use it for version pinning)
• before_compute - set it to true if addon should be installed and set before nodes (compute layer)
• service_account_role_arn - to configure addon with IAM roles for service accounts, enabling secure integration with AWS services.

Example:

addons = {

    ...

    vpc-cni = {

      most_recent              = false

      version                  = "v1.21.1-eksbuild.7"

      before_compute           = true

      service_account_role_arn = module.k8s_default_vpc_cni_irsa.iam_role_arn

    }

    ...

}

VPC CNI (Container networking interface) is responsible for allocating IP addresses to the Kubernetes nodes and provides networking to pods. The plugin manage network interfaces (ENIs) on the nodes and uses it to assign IP addresses to pods.

3. Networking

We need to integrate the EKS cluster with existing VPC and subnets:

vpc_id 

VPC ID

subnet_ids

Subnets in which nodes (EC2 instances) will be created.

Where your worker nodes (EC2 instances) run.

control_plane_subnet_ids

Where the EKS control plane ENIs (network interfaces) are placed

Defines where the EKS control plane creates its Elastic Network Interfaces (ENIs)

What it controls:

• The EKS control plane runs in an AWS-managed VPC (you don't see it)
• To communicate with your worker nodes, it creates ENIs in your VPC
• These ENIs are placed in the subnets you specify here

Typical configuration:

module "eks" {

  source  = "terraform-aws-modules/eks/aws"

  

  name = "my-cluster"

  

  # Control plane ENIs go here

  control_plane_subnet_ids = [

    "subnet-private-1a",

    "subnet-private-1b",

    "subnet-private-1c"

  ]

}

Best practices:

• Usually private subnets
• Should span multiple AZs for high availability (AWS requires at least 2)
• Minimum of 2 subnets, maximum of 16
• Each subnet needs at least 5 available IP addresses

What these ENIs do:

• Allow the control plane to communicate with worker nodes
• Allow worker nodes to communicate with the API server
• Handle API server endpoint traffic

security_group_additional_rules

Adds custom security group rules for the cluster, such as allowing node-to-node communication and VPN access for kubectl.

node_security_group_additional_rules

Further customizes node security groups, allowing all node-to-node traffic and all outbound traffic.

Understanding EKS Architecture

An EKS cluster has two main components:

┌─────────────────────────────────────────────────────────┐

│                    EKS Cluster                          │

│                                                         │

│  ┌───────────────────────────────────────┐              │

│  │   Control Plane (AWS Managed)         │              │

│  │   - API Server                        │              │

│  │   - etcd                              │              │

│  │   - Scheduler                         │              │

│  │   - Controller Manager                │              │

│  │                                       │              │

│  │   Runs in AWS-managed account         │              │

│  └──────────────┬────────────────────────┘              │

│                 │                                       │

│                 │ ENIs in your VPC                      │

│                 │ (control_plane_subnet_ids)            │

│  ┌──────────────▼────────────────────────┐              │

│  │   Your VPC                            │              │

│  │   ┌─────────────────────────────┐     │              │

│  │   │  Worker Nodes (subnet_ids)  │     │              │

│  │   │  - EC2 instances            │     │              │

│  │   │  - Your pods run here       │     │              │

│  │   └─────────────────────────────┘     │              │

│  └───────────────────────────────────────┘              │

└─────────────────────────────────────────────────────────┘

ENI: elastic network interface. It is a logical networking component in a VPC that represents a virtual network card.

4. Node Group Configuration

node_security_group_tags

Adds a tag for Karpenter (an open-source Kubernetes node autoscaler) discovery.

eks_managed_node_group_defaults

Sets default properties for all managed node groups, including:

• Attaching the CNI policy for networking.
• Using a specific SSH key.
• Associating additional security groups.
• Defining block device mappings for EBS volumes.
• Attaching the AmazonSSMManagedInstanceCore policy for SSM access.

eks_managed_node_groups

Defines a default managed node group with:

• A specific AMI type.
• Desired, minimum, and maximum node counts.
• Instance types from a variable.
• On-demand capacity, EBS optimization, and disk size.
• Custom labels for node identification and environment.

The gold standard for production environments is explicit pinning. This ensures that our infrastructure only changes when we decide to change the code. In order to pin AMI version used in node groups we need to set two attributes:

• ami_release_version needs to be set. This prevents nodes from cycling unexpectedly during a routine deployment.
• use_latest_ami_release_version needs to be set to false (without this, terraform plan will still show that it wants to upgrade AMI version, even if we've set ami_release_version)

Example:

  eks_managed_node_groups = {

    "${local.cluster_name}-v1_33" = {

      ...

      ami_release_version            = "1.33.8-20260224"

      use_latest_ami_release_version = false

      ...

5. Tagging

tags

Applies custom tags to all AWS resources created by the module, supporting cost allocation and resource management.

Summary

Our configuration sets up a secure, private, and production-ready EKS cluster with managed node groups, essential add-ons, robust logging, and fine-grained network and IAM controls. It leverages best practices for security (private endpoints, IAM roles for service accounts), scalability (managed node groups, Karpenter tags), and maintainability (modular, versioned, and tagged infrastructure).

---

terraform-aws-iam/modules/iam-role-for-service-accounts-eks 

 

Integrating security into DevOps and software engineering, often called DevSecOps, is a critical shift from treating security as a final checkpoint to embedding it throughout the entire development lifecycle. 

Here are the best security practices, with a specific focus on secrets management and key rotation.

Core Security Practices in DevSecOps & Software Engineering

1. Shift Left

This is the foundational principle of DevSecOps. It means introducing security testing and considerations as early as possible in the software development life cycle (SDLC).

• Why: It is significantly cheaper and faster to fix a security flaw during the design or coding phase than it is after deployment.
• Action: Conduct threat modeling during design, use secure coding standards, and run security scans on every code commit.

2. Automate Security Testing

Manual security reviews cannot keep up with the speed of DevOps. Automation is essential.

• Static Application Security Testing (SAST): Scans your source code for known vulnerabilities (like SQL injection or cross-site scripting) without running the application. Tools: SonarQube, CodeQL.
• Dynamic Application Security Testing (DAST): Tests the running application from the outside, mimicking an attacker to find runtime vulnerabilities. Tools: OWASP ZAP, Burp Suite.
• Software Composition Analysis (SCA): Analyzes your application’s dependencies (open-source libraries) for known vulnerabilities. Tools: Snyk, Dependabot, OWASP Dependency-Check.

3. Implement the Principle of Least Privilege (PoLP)

Every user, process, and system should have only the minimum permissions necessary to perform its function.

Action:

• Developers should not have administrative access to production environments.
• CI/CD pipelines should use dedicated service accounts with tightly scoped permissions (e.g., a pipeline deploying to a specific AWS S3 bucket should only have s3:PutObject permissions on that bucket).
• Use Role-Based Access Control (RBAC) to manage permissions.

4. Secure the CI/CD Pipeline

The pipeline itself is a high-value target for attackers. If they compromise the pipeline, they can inject malicious code into your production application.

Action:

• Lock down pipeline configurations: Require code reviews for any changes to pipeline definition files (e.g., .github/workflows/*.yml).
• Use code signing: Digitally sign your build artifacts (containers, binaries) to ensure their integrity and origin.
• Monitor pipeline logs: Look for unauthorized changes or suspicious activity.

How to install and setup Claude Code on MacOS + VS Code

 

Let's follow steps from Quickstart - Claude Code Docs:

% curl -fsSL https://claude.ai/install.sh | bash

Setting up Claude Code...

✔ Claude Code successfully installed!        

                                                                       

  Version: 2.1.100

                                                                       

  Location: ~/.local/bin/claude

  Next: Run claude --help to get started

⚠ Setup notes:

  • Native installation exists but ~/.local/bin is not in your PATH. Run:

  echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc && source ~/.zshrc

✅ Installation complete!

Let's add path to bin to PATH, add it to zsh config and reload it:

% echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc && source ~/.zshrc

If you use Bash:

source ~/.bashrc 

Verification:

$HOME/.local/bin is now in $PATH:

% echo $PATH

/Users/bojan/.local/bin:....

Let's check Claude version:

% claude --version

2.1.100 (Claude Code)

Let's also see its CLI arguments:

% claude --help

Usage: claude [options] [command] [prompt]

Claude Code - starts an interactive session by default, use -p/--print for non-interactive output

Arguments:

  prompt                                            Your prompt

Options:

  --add-dir <directories...>                        Additional directories to allow tool access to

  --agent <agent>                                   Agent for the current session. Overrides the 'agent' setting.

  --agents <json>                                   JSON object defining custom agents (e.g. '{"reviewer": {"description": "Reviews code", "prompt": "You are a code

                                                    reviewer"}}')

  --allow-dangerously-skip-permissions              Enable bypassing all permission checks as an option, without it being enabled by default. Recommended only for

                                                    sandboxes with no internet access.

  --allowedTools, --allowed-tools <tools...>        Comma or space-separated list of tool names to allow (e.g. "Bash(git:*) Edit")

  --append-system-prompt <prompt>                   Append a system prompt to the default system prompt

  --bare                                            Minimal mode: skip hooks, LSP, plugin sync, attribution, auto-memory, background prefetches, keychain reads, and

                                                    CLAUDE.md auto-discovery. Sets CLAUDE_CODE_SIMPLE=1. Anthropic auth is strictly ANTHROPIC_API_KEY or apiKeyHelper via

                                                    --settings (OAuth and keychain are never read). 3P providers (Bedrock/Vertex/Foundry) use their own credentials.

                                                    Skills still resolve via /skill-name. Explicitly provide context via: --system-prompt[-file],

                                                    --append-system-prompt[-file], --add-dir (CLAUDE.md dirs), --mcp-config, --settings, --agents, --plugin-dir.

  --betas <betas...>                                Beta headers to include in API requests (API key users only)

  --brief                                           Enable SendUserMessage tool for agent-to-user communication

  --chrome                                          Enable Claude in Chrome integration

  -c, --continue                                    Continue the most recent conversation in the current directory

  --dangerously-skip-permissions                    Bypass all permission checks. Recommended only for sandboxes with no internet access.

  -d, --debug [filter]                              Enable debug mode with optional category filtering (e.g., "api,hooks" or "!1p,!file")

  --debug-file <path>                               Write debug logs to a specific file path (implicitly enables debug mode)

  --disable-slash-commands                          Disable all skills

  --disallowedTools, --disallowed-tools <tools...>  Comma or space-separated list of tool names to deny (e.g. "Bash(git:*) Edit")

  --effort <level>                                  Effort level for the current session (low, medium, high, max)

  --exclude-dynamic-system-prompt-sections          Move per-machine sections (cwd, env info, memory paths, git status) from the system prompt into the first user

                                                    message. Improves cross-user prompt-cache reuse. Only applies with the default system prompt (ignored with

                                                    --system-prompt). (default: false)

  --fallback-model <model>                          Enable automatic fallback to specified model when default model is overloaded (only works with --print)

  --file <specs...>                                 File resources to download at startup. Format: file_id:relative_path (e.g., --file file_abc:doc.txt file_def:img.png)

  --fork-session                                    When resuming, create a new session ID instead of reusing the original (use with --resume or --continue)

  --from-pr [value]                                 Resume a session linked to a PR by PR number/URL, or open interactive picker with optional search term

  -h, --help                                        Display help for command

  --ide                                             Automatically connect to IDE on startup if exactly one valid IDE is available

  --include-hook-events                             Include all hook lifecycle events in the output stream (only works with --output-format=stream-json)

  --include-partial-messages                        Include partial message chunks as they arrive (only works with --print and --output-format=stream-json)

  --input-format <format>                           Input format (only works with --print): "text" (default), or "stream-json" (realtime streaming input) (choices:

                                                    "text", "stream-json")

  --json-schema <schema>                            JSON Schema for structured output validation. Example:

                                                    {"type":"object","properties":{"name":{"type":"string"}},"required":["name"]}

  --max-budget-usd <amount>                         Maximum dollar amount to spend on API calls (only works with --print)

  --mcp-config <configs...>                         Load MCP servers from JSON files or strings (space-separated)

  --mcp-debug                                       [DEPRECATED. Use --debug instead] Enable MCP debug mode (shows MCP server errors)

  --model <model>                                   Model for the current session. Provide an alias for the latest model (e.g. 'sonnet' or 'opus') or a model's full name

                                                    (e.g. 'claude-sonnet-4-6').

  -n, --name <name>                                 Set a display name for this session (shown in /resume and terminal title)

  --no-chrome                                       Disable Claude in Chrome integration

  --no-session-persistence                          Disable session persistence - sessions will not be saved to disk and cannot be resumed (only works with --print)

  --output-format <format>                          Output format (only works with --print): "text" (default), "json" (single result), or "stream-json" (realtime

                                                    streaming) (choices: "text", "json", "stream-json")

  --permission-mode <mode>                          Permission mode to use for the session (choices: "acceptEdits", "auto", "bypassPermissions", "default", "dontAsk",

                                                    "plan")

  --plugin-dir <path>                               Load plugins from a directory for this session only (repeatable: --plugin-dir A --plugin-dir B) (default: [])

  -p, --print                                       Print response and exit (useful for pipes). Note: The workspace trust dialog is skipped when Claude is run with the

                                                    -p mode. Only use this flag in directories you trust.

  --remote-control-session-name-prefix <prefix>     Prefix for auto-generated Remote Control session names (default: hostname)

  --replay-user-messages                            Re-emit user messages from stdin back on stdout for acknowledgment (only works with --input-format=stream-json and

                                                    --output-format=stream-json)

  -r, --resume [value]                              Resume a conversation by session ID, or open interactive picker with optional search term

  --session-id <uuid>                               Use a specific session ID for the conversation (must be a valid UUID)

  --setting-sources <sources>                       Comma-separated list of setting sources to load (user, project, local).

  --settings <file-or-json>                         Path to a settings JSON file or a JSON string to load additional settings from

  --strict-mcp-config                               Only use MCP servers from --mcp-config, ignoring all other MCP configurations

  --system-prompt <prompt>                          System prompt to use for the session

  --tmux                                            Create a tmux session for the worktree (requires --worktree). Uses iTerm2 native panes when available; use

                                                    --tmux=classic for traditional tmux.

  --tools <tools...>                                Specify the list of available tools from the built-in set. Use "" to disable all tools, "default" to use all tools,

                                                    or specify tool names (e.g. "Bash,Edit,Read").

  --verbose                                         Override verbose mode setting from config

  -v, --version                                     Output the version number

  -w, --worktree [name]                             Create a new git worktree for this session (optionally specify a name)

Commands:

  agents [options]                                  List configured agents

  auth                                              Manage authentication

  auto-mode                                         Inspect auto mode classifier configuration

  doctor                                            Check the health of your Claude Code auto-updater. Note: The workspace trust dialog is skipped and stdio servers from

                                                    .mcp.json are spawned for health checks. Only use this command in directories you trust.

  install [options] [target]                        Install Claude Code native build. Use [target] to specify version (stable, latest, or specific version)

  mcp                                               Configure and manage MCP servers

  plugin|plugins                                    Manage Claude Code plugins

  setup-token                                       Set up a long-lived authentication token (requires Claude subscription)

  update|upgrade                                    Check for updates and install if available

And finally, let's launch it:

% claude

Welcome to Claude Code v2.1.100

…………………………………………………………………………………………………………………………………………………………

     *                                       █████▓▓░

                                 *         ███▓░     ░░

            ░░░░░░                        ███▓░

    ░░░   ░░░░░░░░░░                      ███▓░

   ░░░░░░░░░░░░░░░░░░░    *                ██▓░░      ▓

                                             ░▓▓███▓▓░

 *                                 ░░░░

                                 ░░░░░░░░

                               ░░░░░░░░░░░░░░░░

       █████████                                        *

      ██▄█████▄██                        *

       █████████      *

…………………█ █   █ █………………………………………………………………………………………………………………

 Let's get started.

 Choose the text style that looks best with your terminal

 To change this later, run /theme

 ❯ 1. Dark mode ✔

   2. Light mode

   3. Dark mode (colorblind-friendly)

   4. Light mode (colorblind-friendly)

   5. Dark mode (ANSI colors only)

   6. Light mode (ANSI colors only)

 ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌

  1  function greet() {

  2 -  console.log("Hello, World!");                                   

  2 +  console.log("Hello, Claude!");                                  

  3  }

╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌

  Syntax theme: Monokai Extended (ctrl+t to disable)

After that we need to select a login method:

 ❯ 1. Claude account with subscription · Pro, Max, Team, or Enterprise

   2. Anthropic Console account · API usage billing

   3. 3rd-party platform · Amazon Bedrock, Microsoft Foundry, or Vertex AI

Option 1 - Claude Accounts are for the consumer/pro web interface (claude.ai) which is seat-based.

Option 2 - Anthropic Console account should be selected if your organization is on an API plan (pay-as-you-go billing based on token usage). Anthropic Console (platform.claude.com) is the hub for managing API keys, billing, and developer organizations.

Option 3 - 3rd-party platforms are only for when you want to route Claude's "brain" through your existing AWS (Bedrock) or Google Cloud (Vertex) bills.

After selecting Anthropic Console, you'll be taken to page which shows the following:

Claude Code would like to connect to your Anthropic organization MYORG

YOUR ACCOUNT WILL BE USED TO:

• Generate API keys on your behalf
• Access your Anthropic profile information
• Upload files on your behalf

Logged in as user@myorg.com

Switch account

After clicking on Authorize button, you'll be redirected to a page which shows:

Build something great

You’re all set up for Claude Code.

You can now close this window.

Back in terminal, you'll see:

Logged in as user@myorg.com                                           

Login successful. Press Enter to continue…   

After pressing Enter:

 Security notes:                                                        

 1. Claude can make mistakes                                          

    You should always review Claude's responses, especially when       

    running code.                                                                                                                             

 2. Due to prompt injection risks, only use it with code you trust    

    For more details see:                                              

    https://code.claude.com/docs/en/security

                                                                

 Press Enter to continue…   

After clicking on Enter:

Use Claude Code's terminal setup?                                                                                                   

 For the optimal coding experience, enable the recommended settings    

 for your terminal: Shift+Enter for newlines                            

 ❯ 1. Yes, use recommended settings                                    

   2. No, maybe later with /terminal-setup                                                                                                     

 Enter to confirm · Esc to skip   

After choosing 1 - recommended settings:

 Accessing workspace:

                                                     

 /Users/bojan/path/to/project

                                               

 Quick safety check: Is this a project you created or one you trust? (Like your own code, a well-known open source project, or work from your team). If not, take a

 moment to review what's in this folder first.         

                                                      

 Claude Code'll be able to read, edit, and execute files here.

                                                          

 Security guide                                           

                                                         

 ❯ 1. Yes, I trust this folder            

   2. No, exit         

                                                          

 Enter to confirm · Esc to cancel

After selecting 1:

╭─── Claude Code v2.1.100───────────────────────────────────────────────────────────────────────────────────────╮

│                                            │ Tips for getting started                                          

│             Welcome back User!             │ Run /init to create a CLAUDE.md file with instructions for Claude│

│                                            │ ─────────────────────────────────────────────────────────────────│

│                   ▐▛███▜▌                  │ Recent activity                                                  │

│                  ▝▜█████▛▘                 │ No recent activity                                               │

│                    ▘▘ ▝▝                   │                                                                  |

│                                            │                                                                  │

│   Sonnet 4.6 · API Usage Billing · MYORG   │                                                                   

│   ~/…/path/to/project                      │                                                                   

╰───────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

                                                          

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────

❯                                         

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────

  ? for shortcuts                                                                                                                                       ● high · /effort

                                                                                                                                                                          

                                    

We can now run various commands, like:

────────────────────────────────────────────────────────────

❯ /stats                                  

────────────────────────────────────────────────────────────

/stats                  Show your Claude Code usage statistics and activity            

/status                 Show Claude Code status including version, model, account, API connectivity, and tool statuses  

/statusline             Set up Claude Code's status line UI

/ide                    Manage IDE integrations and show status    

If we execute /stats at this point, the output will show:

❯ /stats                                                                

────────────────────────────────────────────────────────────   

Status   Config   Usage   Stats                                        

No stats available yet. Start using Claude Code!   

In my case Status tab showed, among other things:

  IDE: ✘ Error installing VS Code extension: 1: Command failed with ERR_STREAM_PREMATURE_CLOSE: code --force --install-extension anthropic.claude-code

       Premature close

       Please restart your IDE and try again.

I restarted VS Code to no avail. I then manually installed Claude Code for VS Code plugin and restarted VD Code but the same error appeared again. There is a related bug, still with Open status: [BUG] Claude code VS Code extension error in MacOS · Issue #34639 · anthropics/claude-code

If we try /cost:

❯ /stats 

  ⎿  Status dialog dismissed

❯ /cost                                                                

  ⎿  Total cost:            $0.0000

     Total duration (API):  0s                                        

     Total duration (wall): 1h 16m 21s                                 

     Total code changes:    0 lines added, 0 lines removed            

     Usage:                 0 input, 0 output, 0 cache read, 0 cache write

Model Context Protocol (MCP)

 

Model Context Protocol (MCP)

The Model Context Protocol (MCP):

• Open-source standard
• Enables AI models to seamlessly connect with external data sources, tools, and software systems
• Acts as a universal "USB-C port" for AI, allowing LLMs to securely access local files, databases, and APIs to enhance context-aware responses. 
• Introduced by Anthropic in late 2024

Key Aspects of MCP:

• Purpose: Replaces fragmented, custom integrations with a single, open standard, making it easier to connect AI assistants to enterprise data, tools, and development environments.
• Components: Consists of:
• MCP Clients
• MCP Hosts - AI apps like Claude or coding agents 
• MCP Servers - programs that bridge specific data sources
• Security: MCP supports secure, two-way connections, allowing developers to control exactly what data is exposed to the AI.
• Functionality: Enables models to read files, query databases, use search engines, and call external APIs, providing live, relevant context for tasks.
• Open Standard: Hosted by the Linux Foundation, the protocol is designed for broad industry adoption. 

MCP differs from RAG (Retrieval-Augmented Generation) by focusing on active, two-way interaction with systems, whereas RAG is focused on retrieving documents for context.

For developers, it provides SDKs in Python and TypeScript.

MCP clients

MCP clients are the components within AI applications (AI Hosts) that manage one-to-one connections with MCP servers, translating AI requests into protocol-standardized messages. 

Popular MCP Client Applications

Several major AI-powered platforms and editors have integrated MCP client support to allow users to pull in their own tools and context: 

• Claude Desktop: Anthropic’s flagship app provides a built-in interface for managing local and remote MCP servers (e.g., Google Drive, Slack, GitHub).
• Cursor: An AI-native code editor that uses MCP to give its internal AI models direct access to project files, local databases, and custom developer tools.
• Windsurf Editor: A developer environment that supports tool invocation through MCP servers, allowing it to seamlessly interact with external scripts and APIs during coding sessions.
• Visual Studio Code (Agent Mode): Developers can use extensions to register MCP servers, enabling chat assistants to interact with internal enterprise tools directly within the editor.
• JetBrains IDEs: Platforms like IntelliJ IDEA feature an MCP-client UI where users can paste server configurations to bring external tool catalogues into the AI Assistant pane.
• BeeAI: An open-source desktop AI assistant from IBM that supports tool integration via built-in or custom MCP servers. 

Core Client Features

In the MCP architecture, clients don't just consume data; they provide specific features that enable complex, "agentic" workflows: 

• Sampling: Allows a server to request that the client (and its LLM) generate a completion, enabling the AI to "ask back" for clarification or more information.
• Elicitation: Provides a structured way for servers to ask users for specific information (like a password or preference) through the client’s UI.
• Roots: Allows the client to define specific file system boundaries, telling servers which directories they are permitted to access for safety and context scoping. 

Developer SDKs for Building Clients 

If you are building your own AI application, you can implement an MCP client using official software development kits: 

• TypeScript/Node.js SDK: The most comprehensive SDK for building web-based or local Node.js clients using standard JSON-RPC 2.0.
• Python SDK: Ideal for data science or automation workflows, allowing easy integration with Python-based AI agents.

MCP Hosts

Model Context Protocol (MCP) hosts are AI applications or environments that manage, connect, and run MCP clients to interact with external data sources (servers). Key examples include Claude Desktop, Claude Code, Zed, Replit, Cursor, and Sourcegraph. 

Key Roles of MCP Hosts:

• Orchestration: Act as the container for AI models to coordinate and communicate with multiple MCP servers.
• Security & Permissions: Manage user consent and enforce security policies (e.g., in sandboxed iframes) to control what data servers can access.
• Workflow Management: Aggregate user prompts, conversation state, and tool results from various sources to enable seamless interaction.
• Session Control: Initialize, maintain, and terminate connections between LLMs and tools via the MCP client. 

Primary MCP Host Examples:

• Claude Desktop: Anthropic's desktop application is a primary implementation of an MCP host, allowing the Claude model to utilize local tools and data.
• Claude Code: An AI agentic coding tool that acts as a host to interact with development-focused MCP servers.
• AI IDEs (Zed, Cursor, Replit): Integrated Development Environments that use MCP to connect coding assistants with files, documentation, and databases.
• Platforms & Agents: Other platforms like Workato or custom agents that orchestrate data access via the protocol.

What's the difference between mcp host and mcp client?

In the Model Context Protocol (MCP), the Host is the overall application you interact with, while the Client is the specific component inside that application that handles the technical connection to a server.

Key Differences at a Glance

• What it is
• MCP Host: The end-user application (e.g., Claude Desktop, Cursor).
• MCP Client: A protocol handler or "adapter" inside the host.
• Primary Role
• MCP Host: Manages the user interface and coordinates multiple clients.
• MCP Client: Maintains a 1:1 connection with a single MCP server.
• Responsibility
• MCP Host: Security policies, user consent, and aggregating data for the AI model
• MCP Client: Translating protocol messages (JSON-RPC) between the host and server.
• Hierarchy
• MCP Host: A single Host can contain multiple Clients.
• MCP Client: A Client is a subsidiary of the Host.

The "Restaurant" Analogy

To make it simpler, imagine a restaurant setting: 

• The Host is the Executive Chef: They decide what needs to be cooked and oversee everything, but they don't leave the kitchen to buy ingredients.
• The Client is the Waiter: They take the Chef's specific order, run to the source (the Server), and bring back exactly what was requested in a format the Chef can use. 

Why the distinction matters

While you will often hear people refer to applications like Claude Desktop as "the client," technically they are hosts. This architecture allows one app to connect to many different data sources (like Google Drive, Slack, and local files) simultaneously by instantiating a separate client for each one.

What is a MCP Client in Claude Desktop?

In Claude Desktop, the MCP client is the internal software layer that allows the app to "talk" to the tools you've added. While you might call the whole app "the client," it actually functions as a host that manages multiple individual client connections. 

How it works in Claude Desktop

• The Translator: When you ask Claude to "read a file," the client translates that human request into a technical JSON-RPC message that the Filesystem server understands.
• The Connection Manager: Claude Desktop can run several clients at once. For example, one client might be connected to a GitHub server while another is connected to a Google Drive server.
• Permission Gatekeeper: The client facilitates the security handshake. Before a tool executes, the client triggers the UI popup in Claude Desktop asking for your explicit permission. 

How to see them

You can see your active MCP clients and their available tools by clicking the "hammer" or "plug" icon (the MCP server indicator) in the bottom-right corner of the chat input box. 

Configuration

Claude Desktop's clients are configured via a local JSON file (claude_desktop_config.json). This file tells the internal clients exactly how to launch and communicate with your servers.

Config File Location:

• macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
• Windows: %APPDATA%\Claude\claude_desktop_config.json

MCP Servers

Model Context Protocol (MCP) servers:

• Lightweight programs that connect AI models (like Claude or ChatGPT) to external data sources and tools, such as local files, databases, GitHub, or Slack
• Provide a standardized interface, enabling AI agents to securely access, read, and manipulate data beyond their training sets. 

Key Aspects of MCP Servers:

• Functionality: They expose specific capabilities—resources, prompts, and tools—to AI applications.
• Use Cases: Common implementations include file system access for documentation, database querying, and API interactions for services like GitHub or Google Tasks.
• Security: They provide controlled, authorized access to local or remote resources, with user permission required for actions.
• Architecture: As part of the Model Context Protocol, they act as the "server" in a client-server model, connecting to "hosts" like desktop apps. 

Common MCP Server Examples:

• Local File System: Allows AI to read, write, and organize local documents.
• GitHub/GitLab: Enables AI to manage repositories, create issues, and pull code.
• Database/API Connectors: Connects AI to SQL databases, HubSpot CRM, or AWS services.
• Developer Tools: Includes servers for Terraform, Angular CLI, and Home Assistant. 

You can build your own MCP server using Python or TypeScript, often utilizing tools like uv for environment setup.

How to start using Agentic AI in DevOps and Platform Engineering

The next frontier of DevOps and Platform Engineering is Agentic AI. We need to learn how autonomous agents reason and adapt to reduce cognitive load and accelerate the SDLC as we want to move beyond simple automation to build self-optimizing ecosystems that scale with confidence, innovation, and enterprise governance.


We should be able to:

• Explain the shift from automation to agentic AI and articulate what makes an AI system truly
• “agentic”
• Design agent-aware workflows in GitHub Actions, integrating LLMs with events, logs, APIs, and quality gates to create intelligent CI/CD pipelines
• Build AI-powered diagnostic loops that ingest failure context, reason about root causes, and generate structured remediation proposals or self-healing fixes
• Implement intelligent release decisions using multi-signal quality gates (test coverage, performance, security, cost) and generate auditable release rationale reports
• Deploy our own end-to-end platform engineering agent, capable of diagnosing pipeline failures, evaluating release readiness, and autonomously opening a fix PR or escalating with structured context.

Learning while Doing

• Identify Platform engineering pain points and the AI opportunity
• How can we get from static scripts and CI/CD automation to agentic AI
• Make a comparison of manual vs. AI-driven diagnosis
• Understand how platform engineering is evolving from static automation toward AI-driven systems that proactively diagnose and resolve operational issues
• Agentic AI fundamentals - how agents reason and act?
• Learn about core agent components (LLMs, memory, and tools)
• Compare event-driven vs. polling architectures
• Balance autonomous actions with human oversight
• Understand how agentic systems combine reasoning, memory, and tools to perceive events, make decisions, and act within engineering workflows
• How to setup the environment and create our first agentic workflow
• Set up an agentic runtime that responds to CI/CD events
• Connect an AI agent to our pipeline's event stream and context
• Trigger our first agent run and interpret its reasoning logs
• Learn how to connect AI agents to CI/CD events and platform context to trigger automated reasoning and actions in real time
• AI-powered diagnosis and remediation
• Compare manual vs. AI-driven incident diagnosis 
• Build agents that read logs, reason about failures, and propose fixes 
• Define escalation boundaries: when the agent self-heals vs. asks a human
• Understand how AI agents analyze logs, diagnose failures, and determine whether to self-heal or escalate issues to humans
• Intelligent CI/CD & adaptive delivery
• How to move beyond pass/fail pipelines to AI-driven release decision
• Automate rollback decisions using AI quality gates
• Query pipeline state and release history using natural language
• How AI transforms CI/CD pipelines into adaptive systems that make context-aware release and rollback decisions
• Operational intelligence & conversational observability
• Replace complex dashboards with AI anomaly detection
• Check platform health via chat interfaces
• Shift from reactive alerts to predictive management
• Understand how AI enables conversational access to platform health and detects anomalies to support proactive operations.
• Multi-agent coordination & implementation strategy
• Architect multi-agent systems for our platform workflows
• Handle agent conflicts, failures, and graceful degradation 
• Design a phased enterprise rollout with guardrails and audit trails
• Build our platform engineering agent
• Learn how to design coordinated multi-agent systems that handle complex platform workflows with governance and reliability
• Wire together diagnosis, quality gates, and observability into one agent pipeline
• Implement self-healing PRs with confidence thresholds
• Shift our role from platform operator to AI supervisor
• Learn how to combine diagnosis, delivery intelligence, and observability into a unified agent that automates key platform workflows

---