navarroman/terraform-eks-blueprint
Production-style EKS baseline with Terraform, IRSA, ALB ingress, and CloudWatch observability.

Kubernetes (EKS) Terraform Blueprint + CloudWatch Observability

This repo provisions a production-style Kubernetes baseline on AWS using EKS:

  • VPC with public/private subnets across AZs
  • EKS control plane + managed node group (private)
  • IRSA (IAM Roles for Service Accounts)
  • Core add-ons:
    • EKS managed add-ons: vpc-cni, coredns, kube-proxy, aws-ebs-csi-driver
    • AWS Load Balancer Controller (Ingress -> ALB) via Helm
  • Observability (CloudWatch):
    • CloudWatch Agent (metrics / Container Insights)
    • Fluent Bit (pod logs -> CloudWatch Logs)

This setup follows a common production pattern: private worker nodes, public ingress via ALB, and IRSA for least-privilege access.
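The least-privilege part of that pattern lives in the IRSA trust policy. The following is an added example written for this README, not code from the navarroman/terraform-eks-blueprint modules; it assumes an existing aws_eks_cluster.this resource and the hashicorp/tls provider, and the role, namespace and service-account names are illustrative. The point it shows is that both the aud and sub conditions are what pin the role to one service account; without the sub condition any pod in the cluster could assume it.

```hcl
# Added example (not from this repo's modules): IRSA role pinned to one
# namespace/service account. Assumes aws_eks_cluster.this already exists.

data "tls_certificate" "oidc" {
  url = aws_eks_cluster.this.identity[0].oidc[0].issuer
}

resource "aws_iam_openid_connect_provider" "eks" {
  url             = aws_eks_cluster.this.identity[0].oidc[0].issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.oidc.certificates[0].sha1_fingerprint]
}

locals {
  # Condition keys use the issuer host/path without the https:// scheme.
  oidc_host = replace(aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")
}

data "aws_iam_policy_document" "alb_controller_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks.arn]
    }
    # aud: the token must be minted for STS; sub: only this service account.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:kube-system:aws-load-balancer-controller"]
    }
  }
}

resource "aws_iam_role" "alb_controller" {
  name               = "alb-controller-irsa" # illustrative name
  assume_role_policy = data.aws_iam_policy_document.alb_controller_trust.json
}

# Kubernetes side: the service account carries the role ARN annotation
# that the EKS pod identity webhook uses to inject the web identity token.
resource "kubernetes_service_account" "alb_controller" {
  metadata {
    name        = "aws-load-balancer-controller"
    namespace   = "kube-system"
    annotations = { "eks.amazonaws.com/role-arn" = aws_iam_role.alb_controller.arn }
  }
}
```

A quick check after apply: `aws iam get-role --role-name <role>` should show both condition keys in AssumeRolePolicyDocument, and a pod under a different service account attempting to assume the role should be denied.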

Repo Layout

  • envs/dev: environment wrapper (backend, providers, variables)
  • modules/network: VPC + subnets + NAT
  • modules/eks: EKS cluster + node groups + OIDC provider
  • modules/addons: add-ons + IRSA + Helm releases

Quick Start (dev)

  1. Remote state
     • Create remote state (S3 bucket + DynamoDB table) OR keep backend.tf disabled.
  2. Copy tfvars:
     • cp terraform.tfvars.example terraform.tfvars
  3. Phase A — Create VPC + EKS (no Helm/Kubernetes providers yet)
     • terraform init
     • terraform apply -var="enable_k8s_providers=false"
  4. Phase B — Install add-ons (ALB Controller + CloudWatch) after cluster exists
     • Set enable_k8s_providers = true in terraform.tfvars
     • terraform apply

Bootstrap note (why two phases): the Kubernetes/Helm providers need the cluster endpoint and an auth token, which only exist after EKS has been created, so the add-ons are installed in Phase B.

Cost note

This project provisions real AWS infrastructure:

  • EKS control plane (hourly)
  • EC2 worker nodes
  • NAT Gateway
  • CloudWatch metrics and log ingestion

Remember to destroy resources when finished:

  • terraform destroy

Feature toggles

  Variable              Purpose
  enable_k8s_providers  Enables Kubernetes/Helm providers + add-ons
  enable_cloudwatch     Enables CloudWatch Agent + Fluent Bit

Phase switch

  • enable_k8s_providers=false → only VPC + EKS
  • enable_k8s_providers=true → installs add-ons via Helm/Kubernetes providers

Access the cluster

After apply:

  • aws eks update-kubeconfig --region <region> --name <cluster_name>
  • kubectl get nodes
  • kubectl get pods -A

CloudWatch

  • Logs: CloudWatch Logs group defaults to /aws/eks/<cluster_name>/pods (via Fluent Bit config)
  • Metrics: Container Insights metrics via CloudWatch Agent in amazon-cloudwatch namespace
