RuleSync
Enterprise

AI Rules for DevOps Teams

DevOps teams bridge development and operations. AI rules must encode CI/CD pipeline patterns, infrastructure as code conventions, deployment strategies, and the automation practices that enable rapid, reliable delivery.

6 min read·July 5, 2025

Everything is code. Infrastructure, pipelines, configuration, dashboards. AI rules generate automation, never manual procedures.

CI/CD pipelines, Terraform conventions, immutable infrastructure, canary deployments, and container security

DevOps: Automate Everything, Trust Nothing Manual

DevOps teams automate the path from code commit to production: build (compile, lint, test), package (container image, artifact), deploy (to environments), and operate (monitor, alert, respond). The DevOps AI rules encode: pipeline patterns (multi-stage, parallel, cached), infrastructure conventions (IaC, immutable infrastructure, configuration management), deployment strategies (blue-green, canary, rolling), and operational practices (log aggregation, metrics, alerting).

The fundamental DevOps AI rule: everything is code. Infrastructure: Terraform or Pulumi (not manual console clicks). CI/CD pipelines: YAML or code (not GUI-configured jobs). Configuration: environment variables or config management (not manual file edits on servers). Monitoring: dashboards-as-code (not manually created charts). AI rule: 'The AI generates automation, never manual procedures. If a step requires a human to click, type, or remember: it should be automated.'

The DevOps team's AI rules serve two audiences: the DevOps team itself (conventions for writing pipelines, IaC, and automation) and product teams (standards for how applications should be built and deployed to work with the DevOps platform).

CI/CD Pipeline Patterns

Pipeline structure: AI rule: 'Multi-stage pipeline: lint → test → build → security scan → deploy to staging → integration test → deploy to production. Each stage gates the next — failure stops the pipeline. Stages are independent jobs when possible (lint and test can run in parallel). Generate the pipeline YAML (GitHub Actions, GitLab CI, or Jenkins) alongside the application code.'

Caching: CI builds without caching: install dependencies on every run (2-5 minutes wasted). AI rule: 'Cache dependencies between runs: node_modules (keyed by lockfile hash), Go module cache, Docker layer cache, and build artifacts. The AI generates cache keys based on lockfile hashes so the cache invalidates when dependencies change but persists otherwise.'

Secrets in CI: pipelines need secrets (API keys, deployment credentials, registry tokens). AI rule: 'CI secrets: stored in the CI platform's secrets manager (GitHub Secrets, GitLab CI Variables). Never hardcoded in pipeline YAML. Never logged in pipeline output (mask sensitive values). Rotate regularly. The AI generates pipeline YAML with secret references (${{ secrets.DEPLOY_KEY }}), never secret values.'

💡 Cache Keys Based on Lockfile Hashes

The perfect cache key for node_modules: hash of pnpm-lock.yaml (or package-lock.json). Dependencies change = lockfile changes = cache key changes = fresh install. Dependencies unchanged = same lockfile hash = cache hit = skip install (saves 2-5 minutes per run). The AI should generate cache configurations with hash-based keys: hashFiles('**/pnpm-lock.yaml') for GitHub Actions, or equivalent for other CI platforms.

Infrastructure as Code and Deployment Strategies

Terraform conventions: AI rule: 'Terraform project structure: modules/ (reusable modules), environments/ (per-environment configurations), and main.tf/variables.tf/outputs.tf at each level. State: remote (S3, GCS, or Terraform Cloud). Never local state for shared infrastructure. Locking: enabled to prevent concurrent modifications. The AI generates Terraform code with: remote state, locking, and modular structure.'

Immutable infrastructure: AI rule: 'Servers are never modified in place. Changes: build a new image (Docker, AMI), deploy it alongside the existing version, shift traffic, and terminate the old version. Never SSH into production to make changes. Never run apt-get upgrade on a running server. The AI generates deployment workflows that create new instances, not modify existing ones.'

Deployment strategies: Blue-green: two identical environments. Deploy to inactive (green), switch traffic, keep blue as rollback. Canary: deploy to a small subset (5%), monitor, gradually increase. Rolling: update instances one at a time. AI rule: 'Default: canary deployment for production (lowest risk). Blue-green: for databases and stateful services. Rolling: for stateless services that tolerate mixed versions. The AI generates the deployment strategy configuration alongside the application deployment.'

⚠️ Never Use Local Terraform State for Shared Infrastructure

Local Terraform state (terraform.tfstate on your laptop): if your laptop dies, the state is lost. Terraform cannot manage the infrastructure anymore. If two people run terraform apply simultaneously: state corruption. Remote state (S3 bucket with DynamoDB locking, or Terraform Cloud): single source of truth, locking prevents concurrent modifications, backup and versioning built in. The AI must generate Terraform configurations with remote backend, never local state.

Container Best Practices and Operations

Dockerfile best practices: AI rule: 'Multi-stage builds (build stage with dev dependencies → production stage with runtime only). Minimal base images (alpine or distroless). Non-root user (USER node, not root). Layer ordering: OS packages → dependencies → application code (least to most frequently changing for cache efficiency). Pin versions (.node:20.11-alpine, not :latest). HEALTHCHECK instruction for container orchestration.'

Container security: AI rule: 'Scan images for vulnerabilities (Trivy, Grype) in the CI pipeline. No secrets in Docker images (use runtime injection). Read-only filesystem where possible. Drop all capabilities, add only what is needed. The AI generates Dockerfiles that follow security best practices: non-root user, minimal base image, no secrets baked in.'

Operational automation: AI rule: 'Generate operational automation alongside application code. Log rotation: configured (not unbounded growth). Backup: automated and tested. Monitoring: health checks, metrics endpoints, alerting rules. Scaling: auto-scaling configuration based on CPU/memory/request count. The AI generates the full operational configuration, not just the application code.'

ℹ️ Multi-Stage Docker Builds Cut Image Size by 10x

Single-stage: install build tools + dev dependencies + compile + copy result. Image: 1.2GB. Multi-stage: Stage 1 (build): install everything, compile. Stage 2 (production): copy only the compiled output and runtime dependencies. Image: 120MB. The smaller image: deploys faster, starts faster, has a smaller attack surface (fewer packages = fewer vulnerabilities), and costs less to store. The AI should always generate multi-stage Dockerfiles for compiled languages.

DevOps AI Rules Summary

Summary of AI rules for DevOps teams automating the build-deploy-operate cycle.

  • Everything as code: infrastructure, pipelines, configuration, dashboards. No manual steps
  • CI/CD: multi-stage pipeline (lint→test→build→scan→deploy). Parallel stages. Cache dependencies
  • Secrets: CI platform secrets manager. Never in YAML. Never logged. Mask sensitive output
  • Terraform: remote state, locking, modular structure. environments/ for per-env config
  • Immutable infrastructure: build new, deploy new, terminate old. Never modify in place
  • Deployment: canary (default), blue-green (stateful), rolling (stateless). Monitor at each stage
  • Containers: multi-stage, minimal base, non-root, pinned versions, vulnerability scanning
  • Operations: log rotation, automated backup, health checks, auto-scaling. Generated alongside code

Related articles

Canary vs Blue-Green DeploymentAI Rules for SRE TeamsAI Rules for DockerAI Rules for Kubernetes