Comprehensive Rules for secure, automated, and observable deployment pipelines with CI/CD, IaC, and GitOps.
Your deployment pipeline shouldn't be the bottleneck that keeps you awake at 3 AM. These Cursor Rules eliminate the chaos of manual deployments, configuration drift, and production fires by implementing enterprise-grade DevOps patterns that just work.
You're probably dealing with these workflow killers daily:
The real cost? Your team spends 40% of their time fighting deployment issues instead of shipping features. Every failed deployment costs hours of investigation, emergency fixes, and customer trust.
These Cursor Rules implement a production-ready deployment architecture that transforms how your team ships code. You get enterprise-level CI/CD patterns without the enterprise setup complexity.
What you're building:
# Automated pipeline that goes from commit to production
git push → security scan → build → test → deploy → monitor → auto-rollback if needed
This isn't just configuration—it's a complete methodology that covers:
⚡ 80% Faster Deployment Cycles Deploy multiple times per day instead of weekly release cycles. Blue-green deployments eliminate downtime, and automated health checks ensure every release is production-ready.
🔒 Security Built-In, Not Bolted-On
Trivy and Snyk scans run on every commit. OPA policies enforce compliance automatically. MFA and token rotation happen without manual intervention.
📊 Observable by Default Prometheus metrics, structured logging, and OpenTelemetry traces give you complete visibility. Custom Grafana dashboards show exactly what's happening in your deployments.
🚀 Zero-Downtime Deployments Canary releases with automatic promotion based on SLOs (error rate <1%, P95 latency <250ms). Failed deployments roll back automatically—no 3 AM emergency calls.
Before: Manual coordination nightmare
# 2-3 hours of manual steps
git push
# Wait for manual code review
# Manually run tests locally
# SSH into staging server, manually deploy
# Manual testing in staging
# Create deployment ticket
# Schedule maintenance window
# Manual production deployment
# Hope nothing breaks
After: Automated excellence
# 15 minutes, fully automated
git push feature/new-api
# Auto-triggers: security scan → unit tests → integration tests
# Ephemeral test environment spins up automatically
# PR auto-labeled when all checks pass
# Merge triggers blue-green deployment
# Health checks validate automatically
# Rollback triggers if SLOs fail
Before: Configuration drift chaos
# Someone manually updates production
# Infrastructure drifts from code
# Changes aren't documented
# Next deployment breaks unexpectedly
# Hours spent figuring out what changed
After: Infrastructure as Code control
# All changes go through PR review
terraform plan -detailed-exitcode
# OPA policies validate compliance
# Changes deploy atomically
# State is tracked and auditable
# Drift detection alerts immediately
# Add to your .cursorrules file
curl -o .cursorrules https://raw.githubusercontent.com/your-repo/deployment-rules
The rules automatically detect and configure:
# .github/workflows/deploy.yml automatically generated
name: Deploy Pipeline
on:
push:
branches: [main]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Security Scan
run: |
trivy fs .
snyk test
deploy:
needs: security-scan
runs-on: ubuntu-latest
steps:
- name: Blue-Green Deploy
run: |
kubectl apply -f k8s/
# Health checks automatically validate
# Auto-rollback on failure
# Argo CD Application auto-generated
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: your-app
spec:
syncPolicy:
automated:
prune: true
selfHeal: true
source:
repoURL: https://github.com/your-org/your-app
path: k8s/
targetRevision: HEAD
Immediate wins:
Measurable improvements:
Developer experience transformation:
Your deployment pipeline becomes your competitive advantage. While other teams are still manually coordinating releases, you're shipping features continuously with bulletproof reliability.
Ready to eliminate deployment drama forever? These Cursor Rules give you the production-ready DevOps architecture that scales with your team and keeps your applications running smoothly.
You are an expert in CI/CD, DevSecOps, GitOps, Kubernetes, Terraform/OpenTofu, Docker, Jenkins, GitHub Actions, Argo CD, Flux, Spacelift.
Technology Stack Declaration
- CI/CD: Jenkins, GitHub Actions, Spacelift.
- IaC: Terraform (>=1.6) or OpenTofu for OSS compliance.
- Containerization: Docker + OCI images.
- Orchestration: Kubernetes (v1.29+) with blue-green & canary strategies.
- GitOps: Argo CD, Flux.
- Observability: Prometheus, Grafana, Loki, OpenTelemetry.
- Security: Trivy, Snyk, OPA (Rego) policies, MFA enforced via SSO (e.g., Okta).
Key Principles
- Shift-left security: integrate security scans in the earliest pipeline stage.
- Everything as Code: pipelines, infrastructure, policies, docs.
- Immutable artifacts & declarative deployments; never mutate running containers.
- One commit → one pipeline → one artifact → one promotion flow.
- Environments are cattle, not pets: recreate, don’t patch.
- Short-lived feature branches; main is always releasable.
- Idempotency: any pipeline step can safely re-run.
- Least privilege: scoped service accounts, token rotation ≤90 days.
Language-Specific Rules
YAML (Pipelines & K8s Manifests)
- Use 2-space indentation; no tabs.
- Anchor/reuse common blocks via &aliases and *references to DRY.
- Explicitly tag booleans (true/false) & ints (>0) to avoid string coercion.
- Place environment variables under env:, secrets under envFrom/secretRef.
- Use kebab-case for resource names (e.g., api-gateway-service).
HCL (Terraform/OpenTofu)
- One module per directory; outputs.tf, variables.tf, main.tf, versions.tf, README.md.
- Pin provider & module versions (>=) but < next major.
- Use descriptive resource names: <service>_<tier> (e.g., redis_cache).
- Enable terraform fmt & tflint in pre-commit.
Dockerfile
- Multi-stage builds; final stage FROM distroless or Alpine.
- Pin digest (sha256) instead of latest tags.
- RUN commands must be non-interactive (apk add --no-cache ...).
- Use USER nonrootuser; never run as root in production images.
Shell Scripts (entrypoints)
- Use set -euo pipefail.
- Validate required env vars at script start.
Error Handling and Validation
- Every pipeline stage returns non-zero exit code on failure; abort immediately.
- Integrate unit, integration, security, and policy tests before deploy stage.
- Canary/blue-green releases: automated health checks; auto-promote only if SLOs pass (error rate <1%, latency P95 <250 ms for ≥5 min).
- Implement automatic rollback: if health checks fail post-promote, revert to previous stable release.
- Record every deployment in a changelog ConfigMap with commit SHA, timestamp, author.
Framework-Specific Rules
Jenkins
- Use declarative Jenkinsfile (pipeline {} syntax).
- Libraries: versioned, semantic-released shared libraries under /vars.
- Agents run in Kubernetes pods; each step executes in its own container.
- Secrets injected via credentials-binding plugin + Kubernetes secrets, never hard-coded.
GitHub Actions
- One workflow per domain (build.yml, test.yml, deploy.yml).
- Use concurrency: group: ${{ github.ref }} cancel-in-progress: true.
- Re-use composite actions for repeated logic (e.g., login-to-registry).
- Require CODEOWNERS review before workflow file changes.
Kubernetes
- Use Deployment or Argo Rollout for blue-green/canary.
- Resource limits & requests mandatory; enforce via LimitRange + OPA gatekeeper.
- Readiness & liveness probes must succeed before Service routing.
- Labels: app, env, version, managed-by=argo-cd.
Terraform/OpenTofu
- Remote state stored in backend with encryption & versioning (e.g., S3 + DynamoDB lock).
- Include terraform validate & terraform plan ‑detailed-exitcode in CI.
- Use OPA policies (e.g., TFSEC) for security/regulatory compliance.
Argo CD / Flux
- One Application per microservice per environment.
- Sync policy: automated, prune=true, selfHeal=true.
- Image updater configured to track semver ranges; manual promotion via PR when major.
- Health checks: custom Argo AnalysisTemplate referencing Prometheus.
Additional Sections
Testing
- Unit tests: ≥80% coverage gate.
- Integration tests run against ephemeral namespace triggered via PR label.
- Smoke tests executed post-deploy with Newman or k6.
Security
- Static scanning: Trivy fs . && tfsec .
- Dependency scanning: snyk test.
- Secrets detection: gitleaks pre-commit.
- Enforce MFA & signed commits (git commit-sign-off + GPG/SSO).
Performance
- Auto-tune Kubernetes HPA based on CPU & custom latency metrics.
- Cache Docker layers with registry cache; use --cache-from on rebuilds.
- Use AWS/GCP spot instances for non-prod to reduce cost.
Observability
- Emit structured JSON logs; stdout only.
- Apply OpenTelemetry traces with traceID propagated via B3 headers.
- Dashboards & alerts version-controlled in Grafana JSON; CI validates with grafana-dashboard-linter.
Compliance & Auditing
- All pipeline & infrastructure changes occur via PR with two reviewers.
- Store audit logs (CloudTrail/GKE Audit) for ≥365 days in immutable storage.