SwiftDeploy: Automating Infrastructure with OPA Guardrails and Chaos Engineering


These articles are AI-generated summaries. Please check the original sources for full details.

How I Built SwiftDeploy: A Tool That Writes Its Own Infrastructure

Anitaalicloud developed SwiftDeploy, a CLI tool that generates full deployment stacks from a single manifest.yaml file. The system utilizes Open Policy Agent (OPA) to enforce infrastructure requirements, such as blocking deployments if disk space is below 10GB.

Why This Matters

Manual configuration of Nginx and Docker Compose often leads to configuration drift, where no single file remains the source of truth. SwiftDeploy addresses this by enforcing a declarative three-layer system (values, structures, generated files) that removes hand edits from the loop and keeps the stable and canary modes consistent. By offloading the decision logic to OPA, the system creates a hard gate that blocks unstable deployments, for example when CPU load exceeds a threshold of 2.0. This avoids the cost of manual rollbacks and human error in production environments, where documentation is often ignored in favor of automated enforcement.

Key Insights

  • Single Source of Truth: SwiftDeploy uses a single manifest.yaml to generate nginx.conf and docker-compose.yml, preventing manual drift across configuration files (Anitaalicloud, 2026).
  • Hard Gate Policy Enforcement: Infrastructure decisions are offloaded to Open Policy Agent (OPA), where Rego files define gates like ‘cpu_load > max_cpu_load’ to block deployments (2026).
  • Resilience Testing: The tool includes a /chaos endpoint that allows operators to inject 50% error rates or 3-second latencies to test system resilience under Canary mode.
  • Container Optimization: The API service uses Python’s standard library to keep Docker images under 60MB, significantly lower than the 300MB limit (Anitaalicloud, 2026).
  • Separation of Concerns: The CLI surfaces the result from OPA rather than owning the decision logic, so policy changes are made in Rego files without touching the core tool.
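The /chaos endpoint described above, as an added example that is not the project's code: a standard-library-only HTTP service (no third-party metrics packages, in line with the image-size constraint) whose POST /chaos sets an error rate and an added latency that every subsequent request experiences. The route names, the JSON body shape and the 503 status for injected failures are assumptions; the decision is kept in a pure function so the same logic can be sampled to see what a status dashboard would measure.

```python
"""Stdlib-only chaos knob for a SwiftDeploy-style API container (added example, not the
project's code). Route names and the JSON body shape are assumptions."""
import json
import random
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Process-wide chaos settings; /chaos mutates them, every other request reads them.
STATE = {"error_rate": 0.0, "latency_ms": 0}
LOCK = threading.Lock()


def set_chaos(error_rate, latency_ms):
    """Validate and store the chaos settings; returns a copy of the new settings."""
    if not 0.0 <= float(error_rate) <= 1.0:
        raise ValueError("error_rate must be between 0 and 1")
    if int(latency_ms) < 0:
        raise ValueError("latency_ms must be non-negative")
    with LOCK:
        STATE["error_rate"] = float(error_rate)
        STATE["latency_ms"] = int(latency_ms)
        return dict(STATE)


def decide(state, rng):
    """Pure per-request decision: (HTTP status, seconds of added latency)."""
    failed = rng.random() < state["error_rate"]
    return (503 if failed else 200), state["latency_ms"] / 1000.0


def observed_error_rate(state, samples, seed=0):
    """What a dashboard sampling `samples` requests would measure under these settings;
    this is the number a 1% canary gate would compare against."""
    rng = random.Random(seed)
    failures = sum(1 for _ in range(samples) if decide(state, rng)[0] != 200)
    return failures / samples


class Handler(BaseHTTPRequestHandler):
    def _json(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        # POST /chaos  {"error_rate": 0.5, "latency_ms": 3000}
        if self.path != "/chaos":
            return self._json(404, {"error": "not found"})
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
            new = set_chaos(body.get("error_rate", 0.0), body.get("latency_ms", 0))
        except (ValueError, TypeError) as exc:
            return self._json(400, {"error": str(exc)})
        self._json(200, new)

    def do_GET(self):
        # Every other request experiences the configured failure rate and latency.
        with LOCK:
            snapshot = dict(STATE)
        status, delay = decide(snapshot, random)  # the random module acts as the rng
        time.sleep(delay)
        self._json(status, {"status": "ok" if status == 200 else "injected failure",
                            "chaos": snapshot})


if __name__ == "__main__":
    # e.g. curl -X POST localhost:8000/chaos -d '{"error_rate": 0.5, "latency_ms": 3000}'
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Keeping `decide` free of I/O is what makes the drill checkable: `observed_error_rate` can be run against the same settings the operator posted, so the dashboard's reading and the gate's threshold can be compared without standing up the server.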

Working Examples

Python logic for the ‘swiftdeploy init’ command, which regenerates configuration files from a manifest.

import yaml  # PyYAML, used to parse manifest.yaml

# Layer 1: values from the manifest
with open("manifest.yaml") as f:
    m = yaml.safe_load(f)
# Layer 2: placeholder -> value mapping consumed by the templates
replacements = {
    "{{NGINX_PORT}}": str(m["nginx"]["port"]),
    "{{SERVICE_PORT}}": str(m["services"]["port"]),
}
# Layer 3: the generated file, overwritten on every init
with open("templates/nginx.conf.tmpl") as f:
    content = f.read()
for placeholder, value in replacements.items():
    content = content.replace(placeholder, value)
with open("nginx.conf", "w") as f:
    f.write(content)

OPA policy written in Rego to block deployments when CPU load exceeds the threshold defined in data.json.

package infrastructure
import rego.v1

# Deny by default: a deployment is allowed only when no gate is violated.
default allow := false

allow if {
    count(violations) == 0
}

# The threshold comes from data.json (data.infrastructure.max_cpu_load), not from the policy.
violations contains msg if {
    input.cpu_load > data.infrastructure.max_cpu_load
    msg := sprintf("CPU load (%.2f) exceeds maximum threshold (%.2f)", [input.cpu_load, data.infrastructure.max_cpu_load])
}

Practical Applications

  • Use case: Automated stack regeneration where a user deletes config files and runs ‘swiftdeploy init’ to restore the environment perfectly. Pitfall: Hardcoding thresholds in Rego files instead of externalizing them to data.json makes policy updates difficult.
  • Use case: Canary safety monitoring where OPA blocks a ‘promote to stable’ action if the error rate exceeds 1%. Pitfall: Attempting to run policy checks before the OPA container has fully loaded its Rego policies leads to deployment failures.
  • Use case: Chaos engineering drills where an operator injects error rates to verify if the status dashboard and policy gates correctly identify the failure. Pitfall: Using heavy third-party libraries for metrics can exceed Docker image size constraints.
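The CLI side of the OPA gate, as an added example that is not the project's code: it serves both the Rego policy above and the readiness pitfall in the canary use case. The client posts the current metrics as `input` to OPA's data API, waits for a readiness probe before the first check, and treats an empty result (what OPA returns while the `infrastructure` package is not yet loaded, because the document is undefined) as a denial rather than a pass. The OPA address is a hypothetical placeholder, and `fake_opa` is a constructed stand-in that mirrors the page's CPU gate and the 1% canary error-rate gate so the example runs offline.

```python
"""Fail-closed OPA gate check for a SwiftDeploy-style CLI (added example, not the project's
code). Assumes OPA's REST API at http://opa:8181 (hypothetical address) and a package
`infrastructure` exposing `allow` and `violations`."""
import json
import time
import urllib.request


class GateBlocked(Exception):
    """Raised when OPA denies the action or gives no usable decision."""


def opa_post(url, payload, timeout=2.0):
    """Real transport: POST {"input": ...} to OPA's data API, return (status, body)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read())


def wait_for_opa(probe, attempts=10, delay=0.5):
    """Poll a readiness probe until it succeeds; False if OPA never comes up. This is what
    keeps the CLI from evaluating policy before the container has loaded its Rego files."""
    for _ in range(attempts):
        try:
            if probe():
                return True
        except OSError:
            pass
        time.sleep(delay)
    return False


def check_gate(metrics, transport=opa_post, url="http://opa:8181/v1/data/infrastructure"):
    """Return OPA's decision document or raise GateBlocked. A missing `result` (package not
    loaded, so the document is undefined) is a denial, never a pass."""
    status, body = transport(url, {"input": metrics})
    if status != 200:
        raise GateBlocked(f"OPA returned HTTP {status}")
    result = body.get("result")
    if not isinstance(result, dict) or "allow" not in result:
        raise GateBlocked("OPA returned no decision (policy not loaded?); refusing to proceed")
    if result["allow"] is not True:
        raise GateBlocked("; ".join(result.get("violations", [])) or "denied by policy")
    return result


# Constructed stand-in for OPA so the example runs offline. It mirrors the page's CPU gate
# and the 1% canary error-rate gate; policy_loaded=False simulates the startup window.
DATA = {"max_cpu_load": 2.0, "max_error_rate": 0.01}


def fake_opa(policy_loaded=True):
    def transport(url, payload):
        if not policy_loaded:
            return 200, {}  # undefined document: OPA answers with an empty object
        inp = payload["input"]
        violations = []
        if inp["cpu_load"] > DATA["max_cpu_load"]:
            violations.append("CPU load (%.2f) exceeds maximum threshold (%.2f)"
                              % (inp["cpu_load"], DATA["max_cpu_load"]))
        if inp.get("error_rate", 0.0) > DATA["max_error_rate"]:
            violations.append("error rate (%.3f) exceeds maximum (%.3f)"
                              % (inp["error_rate"], DATA["max_error_rate"]))
        return 200, {"result": {"allow": not violations, "violations": violations}}
    return transport


def gate_outcome(metrics, transport):
    """('allow', decision) or ('blocked', reason), for callers that want to log rather than raise."""
    try:
        return "allow", check_gate(metrics, transport)
    except GateBlocked as exc:
        return "blocked", str(exc)


if __name__ == "__main__":
    print(gate_outcome({"cpu_load": 2.5, "error_rate": 0.0}, fake_opa()))
    print(gate_outcome({"cpu_load": 1.0, "error_rate": 0.02}, fake_opa()))
    print(gate_outcome({"cpu_load": 0.1}, fake_opa(policy_loaded=False)))
```

Against a real OPA, `transport` is left at its default and the probe passed to `wait_for_opa` would be a request to OPA's health endpoint; the decision logic and the error messages stay in the Rego files, which is the separation the tool is built around.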
