Testing Environment Setup Checklist

Decide whether the test environment runs on a managed cloud (EKS, GKE, AKS, Vercel, Fly.io) or self-managed infra. Self-managed adds backup, patching, and capacity planning to the team's plate; managed shifts those to the provider but locks in pricing and IAM model.

Use the team's IaC module (Terraform / OpenTofu / Pulumi) — never click-ops the test VPC. Match the prod CIDR layout so peering and reachability tests behave the same way. Tag every resource with env=test and owner= so cost reports and orphan-resource sweeps work.

For self-managed: confirm CPU, RAM, and disk IOPS meet the load-test target. For managed: confirm instance types and autoscaling group min/max are sized for the heaviest expected suite (e.g., k6 / Locust runs against the canary).

Use the org's hardened AMI / golden image where one exists. Pin to a specific image SHA so test runs are reproducible — drifting from latest bites in week three when a kernel update changes container behavior.

Install PostgreSQL / Redis / message broker / language runtimes at the same major versions used in production. Version-mismatch defects (e.g., PG 14 vs 16 collation, Node 18 vs 20 fetch behavior) waste days when caught in test.

On the GitHub / GitLab repo, enable branch protection on main: required reviews via CODEOWNERS, required status checks, no force-push, no deletion. Without this, a flaky-CI culture takes hold and red merges become routine.

Wire GitHub Actions / GitLab CI / Buildkite to build, test, and push container images on every PR. Cache dependencies, parallelize the suite, and target a sub-15-minute total run — anything longer and engineers will start merging without waiting.

Use ArgoCD / Spinnaker / Octopus or the team's existing CD tool. Deploy on every merge to main, surface the deployed SHA in a status endpoint, and post the result to #engineering so failures aren't silent.

Default-deny on inbound; only allow office VPN / Tailscale / Cloudflare Access CIDRs. Public exposure of a test environment is how one ends up in shodan.io with default credentials.

Wire Okta / Google Workspace SSO via SAML or OIDC. Define k8s RBAC and AWS IAM roles that map to engineering groups, not individuals — SOC 2 access reviews are painful when permissions are granted per-person.

Use Vault, AWS Secrets Manager, or 1Password Connect. Enable pre-commit gitleaks or trufflehog so secrets never reach git history — once they do, rotating doesn't remove them; you need git-filter-repo or BFG.

Pin Jest / Vitest / pytest / RSpec / JUnit versions in the lockfile. Confirm the runner reports JUnit-XML so CI surfaces failures inline rather than buried in logs.

Run e2e against the deployed test environment, not localhost. Tag flaky specs and quarantine them with an owner and a deadline — flakes ignored long-term mask real regressions.

Pipe to Datadog / New Relic / Grafana+Loki+Tempo or the team's existing stack. Tag everything env=test so test traffic never pollutes production dashboards or burns the prod alert budget.

Latency, traffic, errors, saturation — one dashboard per service. Link each dashboard from the service catalog (Backstage) so on-call doesn't hunt during an incident.

Document in Confluence / Notion / Backstage: how to deploy, how to roll back, where logs live, how to refresh fixtures, and the on-call escalation path. The runbook is what makes the environment usable by someone who wasn't on the build team.

30-minute Loom or live demo: deploying a PR, reading dashboards, triggering a load test, restoring from a snapshot. Record it so new hires get it on day one.