DEV Community: Asmaa Elalfy The latest articles on DEV Community by Asmaa Elalfy (@asma_elalfy). https://dev.to/asma_elalfy https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3795292%2F5d7e0793-64a9-4af7-8616-a71b9b2b5c4a.jpg DEV Community: Asmaa Elalfy https://dev.to/asma_elalfy en Building a Production-Grade Private EKS Cluster with OpenVPN, Prometheus & Grafana Asmaa Elalfy Fri, 13 Mar 2026 22:49:24 +0000 https://dev.to/aws-builders/building-a-production-grade-private-eks-cluster-with-openvpn-prometheus-grafana-419 https://dev.to/aws-builders/building-a-production-grade-private-eks-cluster-with-openvpn-prometheus-grafana-419 <p>Step-by-step guide to deploying a private Amazon EKS cluster with zero public API exposure, self-hosted OpenVPN access, kube-prometheus-stack monitoring, and Route 53 private DNS — all automated with Terraform.</p> <h2> The Problem with Public Kubernetes Clusters </h2> <p>Every time I see an EKS cluster with a public API endpoint, it felt like a risk waiting to happen. <br> Sure, it's convenient. But it means your Kubernetes API server — the brain of your entire cluster — is reachable from anywhere on the internet. One misconfigured IAM policy, one leaked credential, and you have a very bad day.</p> <p>In this guide, I'll walk you through building a <strong>fully private EKS cluster</strong> where:</p> <ul> <li>The Kubernetes API has <strong>zero internet exposure</strong> </li> <li>Access is gated through a <strong>self-hosted OpenVPN server</strong> </li> <li> <strong>Prometheus + Grafana</strong> monitor everything, exposed via an internal load balancer</li> <li> <strong>Route 53 private DNS</strong> gives us <code>grafana.devops.private</code> </li> <li> <strong>Everything is Terraform</strong> — one <code>terraform apply</code> to rule them all</li> </ul> <p>Let's build this.</p> <h2> Architecture </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyfldh4uuc2hwd059apt5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyfldh4uuc2hwd059apt5.png" alt=" " width="800" height="595"></a></p> <h3> What's in the box: </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td> <strong>VPC</strong> (10.0.0.0/16)</td> <td>Isolated network — 2 public subnets, 2 private subnets across 2 AZs</td> </tr> <tr> <td> <strong>EKS</strong> (Private API)</td> <td>Kubernetes control plane — API endpoint only accessible within VPC</td> </tr> <tr> <td><strong>OpenVPN EC2</strong></td> <td>Self-hosted VPN in public subnet — the single entry point</td> </tr> <tr> <td><strong>NAT Gateway</strong></td> <td>Outbound internet for private subnets (pulling container images)</td> </tr> <tr> <td><strong>kube-prometheus-stack</strong></td> <td>Prometheus (metrics) + Grafana (dashboards) + Alertmanager</td> </tr> <tr> <td><strong>Internal Load Balancer</strong></td> <td>Exposes Grafana inside VPC only</td> </tr> <tr> <td><strong>Route 53 Private Zone</strong></td> <td> <code>grafana.devops.private</code> → Internal LB CNAME</td> </tr> </tbody> </table></div> <h3> The traffic flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Your Laptop │ │ OpenVPN (UDP:1194) ▼ ┌──────────────┐ ┌─────────────────────────────┐ │ OpenVPN EC2 │──────▶ │ EKS Private API (HTTPS:443)│ │ Public │ NAT │ Worker Node 1 │ │ Subnet │Masq. │ Worker Node 2 │ │ │ │ ┌─────────────────────┐ │ │ │───────▶│ │ Grafana (Internal LB)│ │ │ │ │ │ grafana.devops.private│ │ │ │ │ └─────────────────────┘ │ └──────────────┘ └─────────────────────────────┘ Public Subnet Private Subnets </code></pre> </div> <p>The OpenVPN server uses <strong>iptables NAT masquerade</strong> to rewrite VPN client IPs (10.8.0.0/24) to its own VPC address. This means all VPC services see traffic from a legitimate VPC IP — not an unknown external range.</p> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>eks-private-vpn/ ├── main.tf # VPC, EKS, OpenVPN EC2, Security Groups ├── monitoring.tf # kube-prometheus-stack (Prometheus + Grafana) ├── dns.tf # Route 53 private zone + Grafana CNAME ├── providers.tf # AWS, Helm, Kubernetes providers ├── variables.tf # Input variables ├── outputs.tf # Useful outputs ├── openvpn_userdata.sh # OpenVPN server bootstrap script └── terraform.tfvars # Your configuration values </code></pre> </div> <h2> Step 1 — Provider Configuration </h2> <p>We need four providers. The <strong>Helm and Kubernetes providers</strong> use exec-based authentication to talk to the private EKS cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># providers.tf</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.5.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span><span class="p">,</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="p">}</span> <span class="nx">tls</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/tls"</span><span class="p">,</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 4.0"</span> <span class="p">}</span> <span class="nx">helm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/helm"</span><span class="p">,</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.0"</span> <span class="p">}</span> <span class="nx">kubernetes</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/kubernetes"</span><span class="p">,</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_region</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"helm"</span> <span class="p">{</span> <span class="nx">kubernetes</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span><span class="p">)</span> <span class="nx">exec</span> <span class="p">{</span> <span class="nx">api_version</span> <span class="p">=</span> <span class="s2">"client.authentication.k8s.io/v1beta1"</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eks"</span><span class="p">,</span> <span class="s2">"get-token"</span><span class="p">,</span> <span class="s2">"--cluster-name"</span><span class="p">,</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span><span class="p">,</span> <span class="s2">"--region"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span><span class="p">)</span> <span class="nx">exec</span> <span class="p">{</span> <span class="nx">api_version</span> <span class="p">=</span> <span class="s2">"client.authentication.k8s.io/v1beta1"</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eks"</span><span class="p">,</span> <span class="s2">"get-token"</span><span class="p">,</span> <span class="s2">"--cluster-name"</span><span class="p">,</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span><span class="p">,</span> <span class="s2">"--region"</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Why exec-based auth?</strong> The <code>aws eks get-token</code> command generates short-lived tokens via IAM. This is more secure than static kubeconfig tokens and works seamlessly with the private endpoint.</p> </blockquote> <h2> Step 2 — VPC &amp; Networking </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-vpc"</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="c1"># 10.0.0.0/16</span> <span class="nx">azs</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">availability_zones</span> <span class="c1"># ["us-east-1a", "us-east-1b"]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_cidrs</span> <span class="c1"># ["10.0.1.0/24", "10.0.2.0/24"]</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_subnet_cidrs</span> <span class="c1"># ["10.0.101.0/24", "10.0.102.0/24"]</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Required tags for EKS load balancer discovery</span> <span class="nx">public_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="nx">private_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>kubernetes.io/role/internal-elb</code> tag on private subnets is what tells the AWS Load Balancer Controller where to place internal load balancers — this is how our Grafana LB ends up in the right subnet.</p> <h2> Step 3 — Private EKS Cluster </h2> <p>This is where the magic happens. Two settings change everything:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 20.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-cluster"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kubernetes_version</span> <span class="c1"># "1.31"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="c1"># ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━</span> <span class="c1"># THE TWO SETTINGS THAT MAKE THIS PRIVATE</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">cluster_endpoint_private_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━</span> <span class="c1"># Required in EKS module v20+ — without this, kubectl fails</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">node_instance_types</span> <span class="c1"># ["t3.medium"]</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">node_min_size</span> <span class="c1"># 1</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">node_max_size</span> <span class="c1"># 3</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">node_desired_size</span> <span class="c1"># 2</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We also need to let the VPN server talk to the EKS API on port 443:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"vpn_to_eks_api"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow VPN server to access EKS API"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_security_group_id</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">vpn</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>EKS Module v20 Breaking Change:</strong> The <code>enable_cluster_creator_admin_permissions</code> flag is new in module v20. In older versions, the cluster creator automatically got admin access via <code>aws-auth</code> ConfigMap. In v20+, this was replaced with <strong>EKS Access Entries</strong> — a more secure, IAM-native RBAC mechanism. Without this flag, you'll get the cryptic error: <code>"You must be logged in to the server"</code>.</p> </blockquote> <h2> Step 4 — OpenVPN Server </h2> <p>The VPN server lives in the <strong>public subnet</strong> — it's the bridge between the internet and your private infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_ami"</span> <span class="s2">"ubuntu"</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">owners</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"099720109477"</span><span class="p">]</span> <span class="c1"># Canonical</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"name"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"virtualization-type"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"hvm"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"vpn"</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"${var.project_name}-vpn-"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"OpenVPN server security group"</span> <span class="c1"># OpenVPN — open to the world (authentication via certificates)</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"OpenVPN"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">1194</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">1194</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># SSH — restricted to your IP only</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"SSH"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">admin_ingress_cidr</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"vpn"</span> <span class="p">{</span> <span class="nx">ami</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_ami</span><span class="p">.</span><span class="nx">ubuntu</span><span class="p">.</span><span class="nx">id</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">openvpn_instance_type</span> <span class="c1"># t3.small</span> <span class="nx">key_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">ssh_key_name</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">vpn</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">associate_public_ip_address</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">source_dest_check</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># ← Critical for VPN routing!</span> <span class="nx">root_block_device</span> <span class="p">{</span> <span class="nx">volume_size</span> <span class="p">=</span> <span class="mi">20</span> <span class="nx">volume_type</span> <span class="p">=</span> <span class="s2">"gp3"</span> <span class="p">}</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="nx">templatefile</span><span class="p">(</span><span class="s2">"${path.module}/openvpn_userdata.sh"</span><span class="p">,</span> <span class="p">{</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">vpn_client_cidr</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpn_client_cidr</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-openvpn"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"vpn"</span> <span class="p">{</span> <span class="nx">instance</span> <span class="p">=</span> <span class="nx">aws_instance</span><span class="p">.</span><span class="nx">vpn</span><span class="p">.</span><span class="nx">id</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"vpc"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-vpn-eip"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Why <code>source_dest_check = false</code>?</strong> By default, AWS drops traffic where the EC2 instance isn't the source or destination. Since the VPN server forwards traffic between VPN clients (10.8.0.0/24) and VPC resources (10.0.0.0/16), we must disable this check. Without it, all forwarded packets get silently dropped — your VPN connects but nothing works.</p> </blockquote> <h2> Step 5 — OpenVPN Bootstrap Script </h2> <p>This user data script does everything automatically on first boot: installs OpenVPN, generates a full PKI, configures the server, sets up NAT rules, and generates a ready-to-use <code>.ovpn</code> client profile:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nb">exec</span> <span class="o">&gt;</span> /var/log/openvpn-setup.log 2&gt;&amp;1 <span class="nb">export </span><span class="nv">DEBIAN_FRONTEND</span><span class="o">=</span>noninteractive apt-get update <span class="nt">-y</span> <span class="o">&amp;&amp;</span> apt-get upgrade <span class="nt">-y</span> <span class="c"># Pre-seed iptables-persistent to avoid interactive prompts</span> <span class="nb">echo </span>iptables-persistent iptables-persistent/autosave_v4 boolean <span class="nb">true</span> | debconf-set-selections <span class="nb">echo </span>iptables-persistent iptables-persistent/autosave_v6 boolean <span class="nb">true</span> | debconf-set-selections apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">-o</span> Dpkg::Options::<span class="o">=</span><span class="s1">'--force-confdef'</span> <span class="se">\</span> <span class="nt">-o</span> Dpkg::Options::<span class="o">=</span><span class="s1">'--force-confold'</span> openvpn easy-rsa iptables-persistent <span class="c"># Enable IP forwarding</span> <span class="nb">echo</span> <span class="s1">'net.ipv4.ip_forward = 1'</span> <span class="o">&gt;&gt;</span> /etc/sysctl.conf sysctl <span class="nt">-p</span> <span class="c"># ── PKI setup ──────────────────────────────────────────────────────</span> <span class="nv">EASY_RSA</span><span class="o">=</span><span class="s2">"/etc/openvpn/easy-rsa"</span> <span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$EASY_RSA</span><span class="s2">"</span> <span class="nb">cp</span> <span class="nt">-r</span> /usr/share/easy-rsa/<span class="k">*</span> <span class="s2">"</span><span class="nv">$EASY_RSA</span><span class="s2">/"</span> <span class="nb">cd</span> <span class="s2">"</span><span class="nv">$EASY_RSA</span><span class="s2">"</span> ./easyrsa init-pki <span class="nv">EASYRSA_BATCH</span><span class="o">=</span>1 ./easyrsa build-ca nopass <span class="nv">EASYRSA_BATCH</span><span class="o">=</span>1 ./easyrsa build-server-full server nopass <span class="nv">EASYRSA_BATCH</span><span class="o">=</span>1 ./easyrsa build-client-full client1 nopass ./easyrsa gen-dh openvpn <span class="nt">--genkey</span> secret /etc/openvpn/ta.key <span class="nb">cp </span>pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem /etc/openvpn/ <span class="c"># ── Server config ─────────────────────────────────────────────────</span> <span class="nb">cat</span> <span class="o">&gt;</span> /etc/openvpn/server.conf <span class="o">&lt;&lt;</span><span class="sh">'</span><span class="no">EOF</span><span class="sh">' port 1194 proto udp dev tun ca /etc/openvpn/ca.crt cert /etc/openvpn/server.crt key /etc/openvpn/server.key dh /etc/openvpn/dh.pem tls-auth /etc/openvpn/ta.key 0 server </span><span class="k">${</span><span class="nv">vpn_client_cidr</span><span class="k">}</span><span class="sh"> 255.255.255.0 topology subnet push "route </span><span class="k">${</span><span class="nv">vpc_cidr</span><span class="k">}</span><span class="sh"> 255.255.0.0" push "dhcp-option DNS 10.0.0.2" keepalive 10 120 cipher AES-256-GCM auth SHA256 user nobody group nogroup persist-key persist-tun status /var/log/openvpn-status.log log-append /var/log/openvpn.log verb 3 </span><span class="no">EOF </span><span class="c"># ── NAT / forwarding rules ────────────────────────────────────────</span> <span class="nv">PRIMARY_IF</span><span class="o">=</span><span class="si">$(</span>ip route | <span class="nb">grep </span>default | <span class="nb">awk</span> <span class="s1">'{print $5}'</span><span class="si">)</span> iptables <span class="nt">-t</span> nat <span class="nt">-A</span> POSTROUTING <span class="nt">-s</span> <span class="k">${</span><span class="nv">vpn_client_cidr</span><span class="k">}</span>/24 <span class="se">\</span> <span class="nt">-o</span> <span class="s2">"</span><span class="nv">$PRIMARY_IF</span><span class="s2">"</span> <span class="nt">-j</span> MASQUERADE iptables <span class="nt">-A</span> FORWARD <span class="nt">-i</span> tun0 <span class="nt">-o</span> <span class="s2">"</span><span class="nv">$PRIMARY_IF</span><span class="s2">"</span> <span class="nt">-j</span> ACCEPT iptables <span class="nt">-A</span> FORWARD <span class="nt">-i</span> <span class="s2">"</span><span class="nv">$PRIMARY_IF</span><span class="s2">"</span> <span class="nt">-o</span> tun0 <span class="se">\</span> <span class="nt">-m</span> state <span class="nt">--state</span> RELATED,ESTABLISHED <span class="nt">-j</span> ACCEPT netfilter-persistent save systemctl <span class="nb">enable </span>openvpn@server systemctl start openvpn@server <span class="c"># ── Generate client .ovpn profile ─────────────────────────────────</span> <span class="nv">PUBLIC_IP</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> http://169.254.169.254/latest/meta-data/public-ipv4 <span class="se">\</span> <span class="o">||</span> curl <span class="nt">-s</span> http://checkip.amazonaws.com<span class="si">)</span> <span class="nb">mkdir</span> <span class="nt">-p</span> /home/ubuntu/client-configs <span class="nb">cat</span> <span class="o">&gt;</span> /home/ubuntu/client-configs/client1.ovpn <span class="o">&lt;&lt;</span><span class="no">CLIENTCONF</span><span class="sh"> client dev tun proto udp remote </span><span class="nv">$PUBLIC_IP</span><span class="sh"> 1194 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server cipher AES-256-GCM auth SHA256 key-direction 1 verb 3 &lt;ca&gt; </span><span class="si">$(</span><span class="nb">cat</span> /etc/openvpn/ca.crt<span class="si">)</span><span class="sh"> &lt;/ca&gt; &lt;cert&gt; </span><span class="si">$(</span>openssl x509 <span class="nt">-in</span> <span class="s2">"</span><span class="nv">$EASY_RSA</span><span class="s2">/pki/issued/client1.crt"</span><span class="si">)</span><span class="sh"> &lt;/cert&gt; &lt;key&gt; </span><span class="si">$(</span><span class="nb">cat</span> <span class="s2">"</span><span class="nv">$EASY_RSA</span><span class="s2">/pki/private/client1.key"</span><span class="si">)</span><span class="sh"> &lt;/key&gt; &lt;tls-auth&gt; </span><span class="si">$(</span><span class="nb">cat</span> /etc/openvpn/ta.key<span class="si">)</span><span class="sh"> &lt;/tls-auth&gt; </span><span class="no">CLIENTCONF </span><span class="nb">chown</span> <span class="nt">-R</span> ubuntu:ubuntu /home/ubuntu/client-configs <span class="nb">chmod </span>600 /home/ubuntu/client-configs/client1.ovpn <span class="nb">echo</span> <span class="s2">"=== OpenVPN setup complete ==="</span> </code></pre> </div> <p>Key details to highlight:</p> <ul> <li> <strong><code>push "route ${vpc_cidr} 255.255.0.0"</code></strong> — tells VPN clients to route all VPC traffic (10.0.0.0/16) through the tunnel</li> <li> <strong><code>push "dhcp-option DNS 10.0.0.2"</code></strong> — pushes the VPC DNS resolver to clients. <code>10.0.0.2</code> is the Amazon-provided DNS (always VPC CIDR base + 2). This is how <code>grafana.devops.private</code> resolves!</li> <li> <strong><code>MASQUERADE</code></strong> — rewrites VPN client source IPs to the server's VPC IP, so EKS and internal services accept the traffic</li> <li> <strong><code>DEBIAN_FRONTEND=noninteractive</code></strong> + <strong><code>debconf-set-selections</code></strong> — prevents <code>iptables-persistent</code> from hanging on interactive prompts in user data</li> </ul> <h2> Step 6 — Monitoring Stack (Prometheus + Grafana) </h2> <p>We deploy the <code>kube-prometheus-stack</code> Helm chart — the industry-standard monitoring bundle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># monitoring.tf</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"monitoring"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"monitoring"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"kube_prometheus_stack"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"kube-prometheus-stack"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">monitoring</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"https://prometheus-community.github.io/helm-charts"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"kube-prometheus-stack"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"65.1.0"</span> <span class="c1"># ── Grafana ─────────────────────────────────────────────────────</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"grafana.enabled"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"grafana.adminPassword"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">grafana_admin_password</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"grafana.service.type"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"LoadBalancer"</span> <span class="p">}</span> <span class="c1"># Internal LB annotations — type = "string" is critical!</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"grafana.service.annotations.service</span><span class="err">\\</span><span class="s2">.beta</span><span class="err">\\</span><span class="s2">.kubernetes</span><span class="err">\\</span><span class="s2">.io/aws-load-balancer-internal"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"string"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"grafana.service.annotations.service</span><span class="err">\\</span><span class="s2">.beta</span><span class="err">\\</span><span class="s2">.kubernetes</span><span class="err">\\</span><span class="s2">.io/aws-load-balancer-scheme"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"internal"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"string"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"grafana.service.port"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"80"</span> <span class="p">}</span> <span class="c1"># ── Prometheus ──────────────────────────────────────────────────</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prometheus.prometheusSpec.retention"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"7d"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0]"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"ReadWriteOnce"</span> <span class="p">}</span> <span class="nx">set</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"20Gi"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Gotcha: <code>type = "string"</code> is mandatory on annotation set blocks.</strong> Without it, Terraform passes <code>"true"</code> as a boolean. Kubernetes annotations are <code>map[string]string</code> — you'll get <code>json: cannot unmarshal bool into Go struct field ObjectMeta.metadata.annotations of type string</code>. This one cost me 30 minutes of debugging.</p> </blockquote> <h2> Step 7 — Private DNS (Route 53) </h2> <p>The final piece — a private hosted zone that maps a clean domain to Grafana's internal load balancer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># dns.tf</span> <span class="nx">resource</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"devops.private"</span> <span class="nx">vpc</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.project_name}-private-zone"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Read the LB hostname after Helm deploys Grafana</span> <span class="nx">data</span> <span class="s2">"kubernetes_service"</span> <span class="s2">"grafana"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"kube-prometheus-stack-grafana"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"monitoring"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">helm_release</span><span class="p">.</span><span class="nx">kube_prometheus_stack</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># CNAME: grafana.devops.private → internal-xxx.elb.amazonaws.com</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"grafana"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">private</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"grafana.devops.private"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CNAME"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">data</span><span class="p">.</span><span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">grafana</span><span class="p">.</span><span class="nx">status</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">load_balancer</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">ingress</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">hostname</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>The <code>data "kubernetes_service"</code> block reads the hostname that AWS assigns to Grafana's internal load balancer after the Helm chart deploys. This hostname becomes the CNAME target.</p> <h2> Step 8 — Variables &amp; Outputs </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"project_name"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"eks-private"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_cidr"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"availability_zones"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"us-east-1a"</span><span class="p">,</span> <span class="s2">"us-east-1b"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"private_subnet_cidrs"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.1.0/24"</span><span class="p">,</span> <span class="s2">"10.0.2.0/24"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"public_subnet_cidrs"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.101.0/24"</span><span class="p">,</span> <span class="s2">"10.0.102.0/24"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"kubernetes_version"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"node_instance_types"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"node_desired_size"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"node_min_size"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"node_max_size"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">3</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"openvpn_instance_type"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"t3.small"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpn_client_cidr"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.8.0.0/24"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"ssh_key_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of an existing EC2 key pair"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"admin_ingress_cidr"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Your public IP/32 for SSH access"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"grafana_admin_password"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Admin password for Grafana"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"admin"</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># outputs.tf</span> <span class="nx">output</span> <span class="s2">"openvpn_public_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">vpn</span><span class="p">.</span><span class="nx">public_ip</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ssh_to_vpn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"ssh -i &lt;your-key.pem&gt; ubuntu@${aws_eip.vpn.public_ip}"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"configure_kubectl"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Run after connecting to VPN"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"aws eks update-kubeconfig --region ${var.aws_region} --name ${module.eks.cluster_name}"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"grafana_url"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Grafana URL (accessible only through VPN)"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"http://grafana.devops.private"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"grafana_lb_hostname"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">grafana</span><span class="p">.</span><span class="nx">status</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">load_balancer</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">ingress</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">hostname</span> <span class="p">}</span> </code></pre> </div> <h2> Deploying &amp; Connecting </h2> <h3> 1. Initialize and Apply </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create terraform.tfvars</span> <span class="nb">cat</span> <span class="o">&gt;</span> terraform.tfvars <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> aws_region = "us-east-1" project_name = "eks-private" ssh_key_name = "your-keypair-name" admin_ingress_cidr = "YOUR_PUBLIC_IP/32" grafana_admin_password = "YourSecurePassword" </span><span class="no">EOF </span>terraform init terraform apply </code></pre> </div> <p>This creates approximately <strong>60 resources</strong> — VPC, subnets, NAT gateway, EKS cluster, managed node group, OpenVPN EC2, security groups, Elastic IP, Helm releases, Route 53 zone, and DNS records.</p> <h3> 2. Download VPN Profile &amp; Connect </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get the VPN public IP from outputs</span> <span class="nv">VPN_IP</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> openvpn_public_ip<span class="si">)</span> <span class="c"># Download the auto-generated client profile</span> scp <span class="nt">-i</span> your-key.pem ubuntu@<span class="k">${</span><span class="nv">VPN_IP</span><span class="k">}</span>:/home/ubuntu/client-configs/client1.ovpn <span class="nb">.</span> <span class="c"># Connect to VPN</span> <span class="nb">sudo </span>openvpn <span class="nt">--config</span> client1.ovpn </code></pre> </div> <p>Wait for <code>Initialization Sequence Completed</code>. You now have a tunnel into the VPC.</p> <h3> 3. Configure DNS Resolution </h3> <p>Your local DNS resolver doesn't know about Route 53 private zones. Fix that:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Route DNS through the VPN tunnel to VPC DNS</span> <span class="nb">sudo </span>resolvectl dns tun0 10.0.0.2 <span class="nb">sudo </span>resolvectl domain tun0 <span class="s2">"~."</span> </code></pre> </div> <h3> 4. Access Your Cluster </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configure kubectl</span> aws eks update-kubeconfig <span class="nt">--region</span> us-east-1 <span class="nt">--name</span> eks-private-cluster <span class="c"># Verify</span> kubectl get nodes </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">NAME STATUS ROLES AGE VERSION </span><span class="gp">ip-10-0-1-xxx.ec2.internal Ready &lt;none&gt;</span><span class="w"> </span>15m v1.31.x <span class="gp">ip-10-0-2-xxx.ec2.internal Ready &lt;none&gt;</span><span class="w"> </span>15m v1.31.x </code></pre> </div> <h3> 5. Open Grafana </h3> <p>Navigate to <strong><code>http://grafana.devops.private</code></strong> in your browser.</p> <p>Login: <code>admin</code> / your configured password.</p> <p>You get pre-built dashboards for:</p> <ul> <li>Kubernetes cluster health and resource utilization</li> <li>Node CPU, memory, disk, and network metrics</li> <li>Pod-level resource consumption</li> <li>Prometheus self-monitoring</li> </ul> <h2> Gotchas I Hit (So You Don't Have To) </h2> <h3> 1. "You must be logged in to the server" </h3> <p><strong>Cause:</strong> EKS module v20+ no longer auto-grants admin access to the cluster creator.<br> <strong>Fix:</strong> Add <code>enable_cluster_creator_admin_permissions = true</code> to the EKS module.</p> <h3> 2. Helm annotation boolean marshaling error </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>json: cannot unmarshal bool into Go struct field ObjectMeta.metadata.annotations of type string </code></pre> </div> <p><strong>Cause:</strong> Terraform passes <code>"true"</code> as a boolean, but K8s annotations must be strings.<br> <strong>Fix:</strong> Add <code>type = "string"</code> to annotation <code>set</code> blocks.</p> <h3> 3. iptables-persistent hangs during user data </h3> <p><strong>Cause:</strong> The package prompts interactively — even in automated scripts.<br> <strong>Fix:</strong> Pre-seed with <code>debconf-set-selections</code> and use <code>DEBIAN_FRONTEND=noninteractive</code>.</p> <h3> 4. Private DNS doesn't resolve on your machine </h3> <p><strong>Cause:</strong> Your local DNS resolver (127.0.0.53) doesn't know about VPC private zones.<br> <strong>Fix:</strong> <code>sudo resolvectl dns tun0 10.0.0.2 &amp;&amp; sudo resolvectl domain tun0 "~."</code> — routes DNS through VPN to the VPC DNS server.</p> <h2> Security Posture </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Attack Surface</th> <th>Status</th> </tr> </thead> <tbody> <tr> <td>Kubernetes API</td> <td> <strong>Not internet-facing</strong> — private endpoint only</td> </tr> <tr> <td>Grafana / Prometheus</td> <td> <strong>Not internet-facing</strong> — internal LB only</td> </tr> <tr> <td>OpenVPN</td> <td>UDP:1194 open, but <strong>certificate-authenticated</strong> (PKI + TLS-auth HMAC)</td> </tr> <tr> <td>SSH to VPN server</td> <td> <strong>Restricted to admin IP</strong> (<code>admin_ingress_cidr</code>)</td> </tr> <tr> <td>DNS records</td> <td> <strong>Private hosted zone</strong> — not resolvable outside VPC</td> </tr> <tr> <td>IAM / RBAC</td> <td> <strong>EKS Access Entries</strong> — IAM-native, auditable</td> </tr> </tbody> </table></div> <p><strong>The only internet-facing resource is the OpenVPN server on UDP:1194</strong>, protected by mutual TLS authentication with a pre-shared HMAC key.</p> <h2> Wrapping Up </h2> <p>We built a <strong>production-grade, fully private EKS cluster</strong> with:</p> <ul> <li><strong>Zero public Kubernetes API exposure</strong></li> <li> <strong>Self-hosted OpenVPN</strong> with automated PKI and client profile generation</li> <li> <strong>Prometheus + Grafana</strong> monitoring via internal load balancer</li> <li> <strong>Route 53 private DNS</strong> — <code>grafana.devops.private</code> </li> <li> <strong>100% Terraform</strong> — reproducible, version-controlled, auditable</li> </ul> <p>This architecture eliminates an entire class of attack vectors by making the Kubernetes API server unreachable from the internet. Combined with certificate-based VPN authentication and private DNS, it provides a secure, practical setup for teams that take infrastructure security seriously.</p> <p>The complete source code is on <a href="https://github.com/asmaaelalfy123/production-eks-private" rel="noopener noreferrer">GitHub</a></p> devops aws eks terraform Stop Managing Kubernetes Infrastructure Manually — Use EKS Capabilities Instead Asmaa Elalfy Thu, 26 Feb 2026 19:31:31 +0000 https://dev.to/aws-builders/stop-managing-kubernetes-infrastructure-manually-use-eks-capabilities-instead-2ap2 https://dev.to/aws-builders/stop-managing-kubernetes-infrastructure-manually-use-eks-capabilities-instead-2ap2 <p>If you've ever spent hours wiring Helm charts, debugging IRSA roles, controller upgrades in your Kubernetes cluster, this article is for you.<br> I recently built a developer platform on Amazon EKS where a single YAML manifest creates a complete application stack — Kubernetes Deployment, Service, and an AWS SQS Queue — all managed through <code>kubectl</code>. No Terraform for the queue. No Helm chart for the controller. No controller pods eating cluster resources.<br> The secret? <strong>EKS Capabilities</strong> — a GA feature (November 2025) that runs ACK and KRO as fully managed services on AWS infrastructure, outside your cluster.</p> <p>Here's exactly how I did it, including the RBAC gotcha that took me a while to figure out.</p> <h2> What Are EKS Capabilities? </h2> <p>Traditional approach: you install ACK controllers and KRO into your cluster using Helm. You manage versions, node resources, IRSA roles, and upgrades yourself.</p> <p>EKS Capabilities approach: AWS runs the controllers in their own accounts. You enable them with a single API call. AWS handles scaling, patching, and upgrading. You pay per capability (hourly base + usage).</p> <p>Think of it like the difference between self-managing a database on EC2 versus using RDS. Same technology, zero ops.</p> <p>I used three capabilities in this project:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Capability</th> <th>What It Does</th> </tr> </thead> <tbody> <tr> <td> <strong>ACK</strong> (AWS Controllers for Kubernetes)</td> <td>Manages AWS resources (DynamoDB, SQS) through Kubernetes CRDs</td> </tr> <tr> <td> <strong>KRO</strong> (Kube Resource Orchestrator)</td> <td>Defines reusable resource bundles as custom Kubernetes APIs</td> </tr> <tr> <td> <strong>RBAC</strong> (manual)</td> <td>Grants KRO the permissions it needs to manage child resources</td> </tr> </tbody> </table></div> <h2> The Architecture </h2> <p>Here's what the final system looks like:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faagxluxmblxblapwltrn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faagxluxmblxblapwltrn.png" alt=" " width="800" height="1044"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer applies one WebApp manifest | v KRO (managed by AWS) Decomposes "WebApp" into: |-- Deployment (2 nginx pods) |-- Service (ClusterIP:80) |-- SQS Queue (via ACK) | v ACK (managed by AWS) Creates real AWS resources: |-- SQS queue in us-east-1 |-- DynamoDB table in us-east-1 </code></pre> </div> <p>The developer writes some lines of YAML. KRO turns it into three resources. ACK provisions the AWS infrastructure. All reconciled continuously.</p> <h2> Step 1: Infrastructure with Terraform </h2> <p>I used the <code>terraform-aws-modules/eks</code> module to set up the foundation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 20.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"Eks-Capabilities"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.34"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">main</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Terraform also creates the IAM role that EKS Capabilities will assume:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"eks_capabilities"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"Eks-Capabilities-capabilities-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"capabilities.eks.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">,</span> <span class="s2">"sts:TagSession"</span><span class="p">]</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>The role gets an inline policy with DynamoDB and SQS permissions — the minimum ACK needs to manage those services.</p> <h2> Step 2: Enable Capabilities with One Command Each </h2> <p>After <code>terraform apply</code> and <code>aws eks update-kubeconfig</code>, enabling capabilities is two API calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">ACCOUNT_ID</span><span class="o">=</span><span class="si">$(</span>aws sts get-caller-identity <span class="nt">--query</span> Account <span class="nt">--output</span> text<span class="si">)</span> <span class="nv">ROLE_ARN</span><span class="o">=</span><span class="s2">"arn:aws:iam::</span><span class="k">${</span><span class="nv">ACCOUNT_ID</span><span class="k">}</span><span class="s2">:role/Eks-Capabilities-capabilities-role"</span> <span class="c"># Enable ACK</span> aws eks create-capability <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--cluster-name</span> Eks-Capabilities <span class="se">\</span> <span class="nt">--capability-name</span> ack <span class="se">\</span> <span class="nt">--type</span> ACK <span class="se">\</span> <span class="nt">--role-arn</span> <span class="nv">$ROLE_ARN</span> <span class="se">\</span> <span class="nt">--delete-propagation-policy</span> RETAIN <span class="c"># Enable KRO</span> aws eks create-capability <span class="se">\</span> <span class="nt">--region</span> us-east-1 <span class="se">\</span> <span class="nt">--cluster-name</span> Eks-Capabilities <span class="se">\</span> <span class="nt">--capability-name</span> kro <span class="se">\</span> <span class="nt">--type</span> KRO <span class="se">\</span> <span class="nt">--role-arn</span> <span class="nv">$ROLE_ARN</span> <span class="se">\</span> <span class="nt">--delete-propagation-policy</span> RETAIN </code></pre> </div> <p>Wait about a minute for each to reach <code>ACTIVE</code> status. That's it — no Helm, no controller pods, no IRSA configuration.</p> <h2> Step 3: Create AWS Resources with kubectl </h2> <p>With ACK active, creating AWS resources feels like creating any Kubernetes resource:</p> <p><strong>DynamoDB Table:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">dynamodb.services.k8s.aws/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Table</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-orders-table</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">tableName</span><span class="pi">:</span> <span class="s">Eks-Dev-orders</span> <span class="na">attributeDefinitions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">attributeName</span><span class="pi">:</span> <span class="s">orderId</span> <span class="na">attributeType</span><span class="pi">:</span> <span class="s">S</span> <span class="pi">-</span> <span class="na">attributeName</span><span class="pi">:</span> <span class="s">customerId</span> <span class="na">attributeType</span><span class="pi">:</span> <span class="s">S</span> <span class="na">keySchema</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">attributeName</span><span class="pi">:</span> <span class="s">orderId</span> <span class="na">keyType</span><span class="pi">:</span> <span class="s">HASH</span> <span class="pi">-</span> <span class="na">attributeName</span><span class="pi">:</span> <span class="s">customerId</span> <span class="na">keyType</span><span class="pi">:</span> <span class="s">RANGE</span> <span class="na">billingMode</span><span class="pi">:</span> <span class="s">PAY_PER_REQUEST</span> </code></pre> </div> <p><strong>SQS Queue:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">sqs.services.k8s.aws/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Queue</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-notifications-queue</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">queueName</span><span class="pi">:</span> <span class="s">Eks-Dev-notifications</span> <span class="na">visibilityTimeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">30"</span> <span class="na">messageRetentionPeriod</span><span class="pi">:</span> <span class="s2">"</span><span class="s">345600"</span> <span class="na">receiveMessageWaitTimeSeconds</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10"</span> </code></pre> </div> <p><code>kubectl apply</code> and within seconds, real AWS resources appear in your account. <code>kubectl get table</code> and <code>kubectl get queue</code> show their status. If someone deletes the queue manually in the AWS console, ACK recreates it. That's Kubernetes reconciliation applied to cloud infrastructure.</p> <h2> Step 4: Define a Platform API with KRO </h2> <p>This is where it gets interesting. Instead of writing separate Deployment, Service, and Queue manifests every time, I can define a single WebApp custom resource that bundles them all together. One manifest in, three resources out.</p> <p>KRO lets me define a <code>ResourceGraphDefinition</code> — essentially a template that registers a new Kubernetes API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kro.run/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ResourceGraphDefinition</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">schema</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">WebApp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">appName</span><span class="pi">:</span> <span class="s">string</span> <span class="na">image</span><span class="pi">:</span> <span class="s">string</span> <span class="na">replicas</span><span class="pi">:</span> <span class="s">integer</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">string</span> <span class="na">queueName</span><span class="pi">:</span> <span class="s">string</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">deployment</span> <span class="na">template</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">${schema.spec.appName}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="s">${schema.spec.replicas}</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">${schema.spec.appName}</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">${schema.spec.appName}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">${schema.spec.image}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">service</span> <span class="na">template</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">${schema.spec.serviceName}</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">${schema.spec.appName}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">queue</span> <span class="na">template</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">sqs.services.k8s.aws/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Queue</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">${schema.spec.appName}-queue</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">queueName</span><span class="pi">:</span> <span class="s">${schema.spec.queueName}</span> <span class="na">visibilityTimeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">30"</span> <span class="na">messageRetentionPeriod</span><span class="pi">:</span> <span class="s2">"</span><span class="s">345600"</span> </code></pre> </div> <p>After <code>kubectl apply</code>, KRO registers <code>WebApp</code> as a first-class Kubernetes resource. Developers can now <code>kubectl get webapp</code> just like they'd <code>kubectl get deployment</code>.</p> <h2> Step 5: The RBAC Gotcha (The Part That Took Me Hours) </h2> <p>Here's what nobody tells you about EKS Capabilities with KRO.</p> <p>The capabilities IAM role gets an EKS access entry with two policies:</p> <ul> <li> <code>AmazonEKSACKPolicy</code> — manages ACK custom resources</li> <li> <code>AmazonEKSKROPolicy</code> — manages KRO's own CRDs (ResourceGraphDefinitions, WebApp instances)</li> </ul> <p>But <strong>neither policy grants KRO permission to manage the child Kubernetes resources it creates</strong>. When KRO tries to create a Deployment or Service on behalf of the WebApp, it fails silently with permission errors.</p> <p>The fix: a <code>ClusterRole</code> and <code>ClusterRoleBinding</code> that grants KRO's identity the permissions it needs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kro-resource-manager</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">apps"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">deployments"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">create"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">update"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">patch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">delete"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">services"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">create"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">update"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">patch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">delete"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">sqs.services.k8s.aws"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">queues"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">create"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">update"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">patch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">delete"</span><span class="pi">]</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kro-resource-manager-binding</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kro-resource-manager</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">User</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:sts::&lt;ACCOUNT_ID&gt;:assumed-role/Eks-Capabilities-capabilities-role/KRO"</span> </code></pre> </div> <p>The key insight: KRO's Kubernetes identity is the STS assumed-role ARN with <code>/KRO</code> appended. You can find this by checking the EKS access entries for your cluster.</p> <p>After applying this RBAC manifest, KRO can create and manage Deployments, Services, and SQS Queues — exactly what the WebApp ResourceGraphDefinition requires.</p> <h2> Step 6: Deploy — 13 Lines of YAML </h2> <p>Now the developer experience:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kro.run/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">WebApp</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">orders-app</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">appName</span><span class="pi">:</span> <span class="s">orders-app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:1.27</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">orders-app-svc</span> <span class="na">queueName</span><span class="pi">:</span> <span class="s">Eks-Dev-notifications</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kro-webapp-instance.yaml </code></pre> </div> <p>Within seconds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl describe webapp orders-app State: ACTIVE Conditions: ResourcesReady: True - all resources are created and ready Ready: True <span class="nv">$ </span>kubectl get deployment orders-app NAME READY UP-TO-DATE AVAILABLE orders-app 2/2 2 2 <span class="nv">$ </span>kubectl get service orders-app-svc NAME TYPE CLUSTER-IP PORT<span class="o">(</span>S<span class="o">)</span> orders-app-svc ClusterIP 172.20.159.171 80/TCP <span class="nv">$ </span>kubectl get queue orders-app-queue NAME SYNCED AGE orders-app-queue True 30s </code></pre> </div> <p>One manifest. Three resources. Cloud infrastructure included.</p> <h2> Using the WebApp </h2> <p>Once deployed, here's how to interact with your application:</p> <p><strong>Access locally via port-forward:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl port-forward svc/orders-app-svc 8080:80 <span class="c"># Open http://localhost:8080</span> </code></pre> </div> <p><strong>Test from inside the cluster:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl run test-curl <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">--image</span><span class="o">=</span>curlimages/curl <span class="se">\</span> <span class="nt">--</span> curl http://orders-app-svc.default.svc.cluster.local </code></pre> </div> <p><strong>Scale up or down:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl patch webapp orders-app <span class="nt">--type</span> merge <span class="nt">-p</span> <span class="s1">'{"spec":{"replicas":4}}'</span> </code></pre> </div> <p><strong>Update the image:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl patch webapp orders-app <span class="nt">--type</span> merge <span class="nt">-p</span> <span class="s1">'{"spec":{"image":"nginx:1.28"}}'</span> </code></pre> </div> <p><strong>Deploy another app using the same template:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kro.run/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">WebApp</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">payments-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">appName</span><span class="pi">:</span> <span class="s">payments-app</span> <span class="na">image</span><span class="pi">:</span> <span class="s">node:20-slim</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">payments-svc</span> <span class="na">queueName</span><span class="pi">:</span> <span class="s">Eks-Dev-payments</span> </code></pre> </div> <p>Same command, different app, full stack created automatically.</p> <p><strong>Delete everything (app + infrastructure):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete webapp orders-app </code></pre> </div> <p>KRO removes the Deployment, Service, and SQS Queue in the correct order.</p> <h2> Second Gotcha: Kubernetes Naming Rules </h2> <p>When KRO creates child resources, the Kubernetes <code>metadata.name</code> must follow RFC 1123 — lowercase alphanumeric characters, dashes, and dots only.</p> <p>My original ResourceGraphDefinition used <code>${schema.spec.queueName}</code> for both the Queue's <code>metadata.name</code> and <code>spec.queueName</code> (the actual AWS queue name). Since the AWS queue was named <code>Eks-Dev-notifications</code> (with uppercase), Kubernetes rejected the resource.</p> <p>The fix: use <code>${schema.spec.appName}-queue</code> for <code>metadata.name</code> (always lowercase) and keep <code>${schema.spec.queueName}</code> for <code>spec.queueName</code> (the AWS-side name that supports mixed case).</p> <p>Small detail, but it will save you 30 minutes of debugging.</p> <h2> What I'd Add Next </h2> <ul> <li> <strong>Argo CD</strong> — EKS Capabilities supports managed Argo CD, but it requires IAM Identity Center (SSO). For teams without SSO, self-managed Argo CD works just as well and eliminates manual <code>kubectl apply</code> entirely.</li> <li> <strong>External Secrets Operator</strong> — sync secrets from AWS Secrets Manager into Kubernetes automatically, so developers never handle credentials.</li> <li> <strong>More KRO templates</strong> — a <code>WorkerApp</code> (Deployment + SQS Queue, no Service), a <code>CronJob</code> bundle, an <code>API</code> bundle with Ingress.</li> </ul> <h2> Key Takeaways </h2> <ol> <li><p><strong>EKS Capabilities eliminate controller management.</strong> No Helm charts, no version tracking, no controller pods. AWS runs them for you.</p></li> <li><p><strong>ACK makes AWS resources Kubernetes-native.</strong> DynamoDB tables and SQS queues become just another <code>kubectl get</code>.</p></li> <li><p><strong>KRO is a platform engineering accelerator.</strong> Define your golden paths as ResourceGraphDefinitions. Developers get simple APIs. Platform teams enforce standards.</p></li> <li><p><strong>RBAC for managed capabilities is not automatic.</strong> KRO needs explicit Kubernetes permissions to create child resources. This is the most common setup issue I've seen.</p></li> <li><p><strong>Kubernetes naming rules apply everywhere.</strong> Even when you're creating AWS resources through Kubernetes, the <code>metadata.name</code> must be lowercase RFC 1123 compliant.</p></li> </ol> <p>The complete code for this project is available on <a href="https://github.com/asmaaelalfy123/EKS-Capabilities" rel="noopener noreferrer">GitHub</a>.</p> <p><em>Built with Amazon EKS, ACK, KRO, and Terraform. Infrastructure provisioned in us-east-1.</em></p> aws k8s eks devops