Ben Allen
34908b7420
first commit
|
hai 1 mes | |
|---|---|---|
| examples | hai 1 mes | |
| .gitignore | hai 1 mes | |
| .terraform.lock.hcl | hai 1 mes | |
| README.md | hai 1 mes | |
| eks.tf | hai 1 mes | |
| iam.tf | hai 1 mes | |
| locals.tf | hai 1 mes | |
| networking.tf | hai 1 mes | |
| outputs.tf | hai 1 mes | |
| variables.tf | hai 1 mes | |
| versions.tf | hai 1 mes | |
| vpc.tf | hai 1 mes |
README.md
EKS Cluster Module
This module creates a new AWS VPC and deploys an Amazon EKS cluster with a single managed node group into private subnets.
It can also reuse an existing VPC and existing private/public subnets instead of creating new networking.
What it creates
- A new VPC with DNS support enabled
- Public and private subnets across at least two availability zones
- An internet gateway and NAT gateway routing for private workloads
- IAM roles for the EKS control plane and worker nodes
- An EKS cluster
- One EKS managed node group
- Managed EKS addons for CoreDNS, kube-proxy, VPC CNI, and EKS Pod Identity Agent
Usage
provider "aws" {
region = "us-east-1"
}
module "eks" {
source = "./tfmods"
name = "demo-eks"
region = "us-east-1"
kubernetes_version = "1.35"
availability_zone_count = 2
node_instance_types = ["t3.large"]
node_desired_size = 2
node_min_size = 2
node_max_size = 4
cluster_admin_principal_arns = [
"arn:aws:iam::123456789012:role/platform-admin",
"arn:aws:iam::123456789012:user/cluster-operator",
]
tags = {
Project = "platform"
Owner = "infra"
}
}
To use existing networking instead of creating a new VPC:
module "eks" {
source = "./tfmods"
name = "demo-eks"
region = "us-east-1"
create_vpc = false
existing_vpc_id = "vpc-0123456789abcdef0"
existing_private_subnet_ids = ["subnet-aaa", "subnet-bbb"]
existing_public_subnet_ids = ["subnet-ccc", "subnet-ddd"]
}
After terraform apply, configure kubectl with:
aws eks update-kubeconfig --region us-east-1 --name demo-eks
Notes
- Private subnets are used for the cluster and worker nodes.
- By default, the module creates a single NAT gateway to reduce cost.
- When
create_vpc = false, the module skips all VPC, subnet, NAT, IGW, and route table creation and uses the supplied subnet IDs instead. - The EKS API endpoint is public and private by default. Restrict
cluster_public_access_cidrsin real environments. - Extra cluster admins are created with EKS access entries and the managed
AmazonEKSClusterAdminPolicyat cluster scope. - The Pod Identity addon uses the EKS addon name
eks-pod-identity-agent. - You must configure AWS credentials outside this module.