# EKS Cluster Module

This module creates a new AWS VPC and deploys an Amazon EKS cluster with a single managed node group into private subnets. It can also reuse an existing VPC and existing private/public subnets instead of creating new networking.

## What it creates

- A new VPC with DNS support enabled
- Public and private subnets across at least two availability zones
- An internet gateway and NAT gateway routing for private workloads
- IAM roles for the EKS control plane and worker nodes
- An EKS cluster
- One EKS managed node group
- Managed EKS addons for CoreDNS, kube-proxy, VPC CNI, and EKS Pod Identity Agent

## Usage

```hcl
provider "aws" {
  region = "us-east-1"
}

module "eks" {
  source = "./tfmods"

  name                    = "demo-eks"
  region                  = "us-east-1"
  kubernetes_version      = "1.35"
  availability_zone_count = 2

  node_instance_types = ["t3.large"]
  node_desired_size   = 2
  node_min_size       = 2
  node_max_size       = 4

  cluster_admin_principal_arns = [
    "arn:aws:iam::123456789012:role/platform-admin",
    "arn:aws:iam::123456789012:user/cluster-operator",
  ]

  tags = {
    Project = "platform"
    Owner   = "infra"
  }
}
```

To use existing networking instead of creating a new VPC:

```hcl
module "eks" {
  source = "./tfmods"

  name   = "demo-eks"
  region = "us-east-1"

  create_vpc                  = false
  existing_vpc_id             = "vpc-0123456789abcdef0"
  existing_private_subnet_ids = ["subnet-aaa", "subnet-bbb"]
  existing_public_subnet_ids  = ["subnet-ccc", "subnet-ddd"]
}
```

After `terraform apply`, configure `kubectl` with:

```bash
aws eks update-kubeconfig --region us-east-1 --name demo-eks
```

## Notes

- Private subnets are used for the cluster and worker nodes.
- By default, the module creates a single NAT gateway to reduce cost.
- When `create_vpc = false`, the module skips all VPC, subnet, NAT, IGW, and route table creation and uses the supplied subnet IDs instead.
- Both public and private access to the EKS API endpoint are enabled by default. Restrict `cluster_public_access_cidrs` in real environments.
- Additional cluster admins listed in `cluster_admin_principal_arns` are granted access through EKS access entries with the managed `AmazonEKSClusterAdminPolicy` at cluster scope.
- The Pod Identity addon uses the EKS addon name `eks-pod-identity-agent`.
- You must configure AWS credentials outside this module.
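To verify the endpoint note above after an apply, the following added check (not part of the module) reads the JSON that `aws eks describe-cluster --name demo-eks` prints and reports whether the public endpoint is still open to the whole internet; the sample document, the `/16` breadth threshold and the treatment of an empty CIDR list as open are assumptions of this example.

```python
"""Assess EKS API endpoint exposure from `aws eks describe-cluster` JSON output."""
import ipaddress
import json
from typing import Dict, List

# Constructed sample in the shape of `aws eks describe-cluster` output, trimmed to
# the fields this check reads. It is not real output from the module's cluster.
SAMPLE_DESCRIBE_CLUSTER = json.dumps({
    "cluster": {
        "name": "demo-eks",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
    }
})


def assess_endpoint_exposure(describe_output: str) -> List[str]:
    """Return findings about the cluster's API endpoint; an empty list means the
    endpoint has private access enabled and any public access is CIDR-scoped."""
    cfg: Dict = json.loads(describe_output)["cluster"]["resourcesVpcConfig"]
    findings: List[str] = []
    if not cfg.get("endpointPrivateAccess", False):
        # Without private access, worker nodes reach the API over the public path.
        findings.append("private endpoint access disabled")
    if cfg.get("endpointPublicAccess", False):
        cidrs = cfg.get("publicAccessCidrs", [])
        if not cidrs:
            # Assumption: an absent list is treated as unrestricted.
            findings.append("public endpoint enabled with no CIDR restriction")
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"public endpoint open to the whole internet ({cidr})")
            elif net.prefixlen < 16:  # breadth threshold is an assumption; tune per org
                findings.append(f"public endpoint CIDR is very broad ({cidr})")
    return findings


if __name__ == "__main__":
    for finding in assess_endpoint_exposure(SAMPLE_DESCRIBE_CLUSTER):
        print("FINDING:", finding)
```

Pipe real output in with `aws eks describe-cluster --name demo-eks --region us-east-1` and pass the resulting string to `assess_endpoint_exposure`.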