HeadlinesBriefing.com

Building ECS Pipeline: Infrastructure Layer Split

Source: DEV Community

A developer shared hard-won lessons from building a production-ready CI/CD pipeline for deploying Gatus to ECS Fargate. The key insight was splitting infrastructure into a persistent layer (OIDC, ECR, ACM) and an ephemeral layer (VPC, ALB, ECS). This separation prevents pipeline breakage when destroying compute resources for cost control, though wiring the layers via Terraform's remote state required careful contract design.

The project revealed the iterative reality of IAM least privilege. Instead of a one-time fix, the author repeatedly applied plans, checked CloudTrail for errors, and added permissions like `ec2:ModifySubnetAttribute`. Choosing a scratch Dockerfile also involved trade-offs, sacrificing a shell and runtime config fetching for a smaller attack surface and faster image pulls.

Beyond the architecture, practical pipeline fixes were critical. Using `ref: ${{ github.event.workflow_run.head_sha }}` ensured the CD stage deployed tested code. An approval gate broke the OIDC trust policy, requiring a policy update. The author now advocates for a README-first approach to prevent scope creep and plans to learn Go and Kubernetes next.
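The trust-policy breakage mentioned above, as an added Terraform example (not the author's code): when the deploy job is moved behind a protected environment, GitHub's OIDC token carries an environment-form subject instead of the branch-form subject, so a trust policy that only allows the branch form rejects the assume-role call. The org, repo, environment name, role name and the `github_oidc_provider_arn` variable are placeholders.

```hcl
# Added example, not the author's code. Placeholders: org, repo, environment,
# role name and the variable holding the persistent layer's OIDC provider ARN.
variable "github_oidc_provider_arn" {
  type = string # e.g. the aws_iam_openid_connect_provider ARN from the persistent layer
}

locals {
  github_org  = "example-org"  # placeholder
  github_repo = "example-repo" # placeholder
  prod_env    = "production"   # placeholder: environment with a required reviewer
}

data "aws_iam_policy_document" "github_deploy_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [var.github_oidc_provider_arn]
    }

    # Always pin the audience so tokens minted for other consumers are rejected.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Without an environment the job's token subject is the branch form.
    # Once the job targets a protected environment, GitHub issues the
    # environment form instead; listing only the branch form is what breaks
    # the deploy after an approval gate is added. Both exact subjects are
    # allowed here, and nothing wider (no "repo:org/repo:*" wildcard).
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values = [
        "repo:${local.github_org}/${local.github_repo}:ref:refs/heads/main",
        "repo:${local.github_org}/${local.github_repo}:environment:${local.prod_env}",
      ]
    }
  }
}

resource "aws_iam_role" "github_deploy" {
  name               = "github-ecs-deploy" # placeholder
  assume_role_policy = data.aws_iam_policy_document.github_deploy_trust.json
}
```

Because the role lives in the persistent layer, this fix survives a `terraform destroy` of the ephemeral VPC/ALB/ECS layer.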