Automating Amazon EKS Provisioning with Terraform & GitHub OIDC & Actions

Ayush Pant — Wed, 12 Mar 2025 14:49:15 +0000

🚀 Automating Amazon EKS Provisioning with Terraform & GitHub Actions

Managing Kubernetes clusters manually can be complex and error-prone. In this guide, we'll walk through how to automate Amazon EKS provisioning using Terraform and GitHub Actions, enabling a secure, scalable, and efficient deployment.
By the end of this tutorial, you'll have an EKS cluster running inside an existing VPC, provisioned via GitHub PR-based automation with built-in YAML & Terraform validation.
🔗 Check out the complete source code on GitHub: (https://github.com/ayushpant816/tf)

🛠 Prerequisites
Before we start, ensure you have:
✅ Existing AWS VPC & Subnets (fetch details using AWS CLI)
✅ Terraform installed on your local machine
✅ GitHub Secrets configured for secure authentication
✅ IAM Role with permissions for GitHub Actions
✅ Security Group Rules allowing access to the EKS cluster

📂 Project Directory Structure
📦 repo-root
┣ 📂 terraform
┃ ┣ 📜 main.tf
┃ ┣ 📜 variables.tf
┃ ┣ 📜 backend.tf
┃ ┣ 📜 outputs.tf
┃ ┗ 📜 providers.tf
┣ 📂 .github/workflows
┃ ┣ 📜 terraform.yaml
┃ ┗ 📜 tf-yaml-validator.yaml
┣ 📜 .yamllint
┣ 📜 README.md
┗ 📜 .gitignore

🚀 Automating EKS Deployment - Workflow Overview
🔍 Linting: Validates YAML & Terraform syntax
🛠️ Terraform Plan: Checks infrastructure changes
🚀 Terraform Apply: Deploys EKS
🔄 PR-Based Deployment: GitHub Actions auto-runs based on PR comments

🔑 Fetching Required AWS Details
Before deploying, fetch the VPC ID and Subnets where the EKS cluster will be created:

aws ec2 describe-vpcs - query "Vpcs[].VpcId"
aws ec2 describe-subnets - query "Subnets[].SubnetId"

- 🔐 IAM Role Creation for GitHub Actions To allow GitHub Actions to interact with AWS securely, create an IAM role with OIDC authentication. 1️⃣ Create IAM Role aws iam create-role - role-name eks-cluster-role \ - assume-role-policy-document file://trust-policy.json

📜 trust-policy.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com" }, "Action": "sts:AssumeRole", "Condition": { "StringLike": { "token.actions.githubusercontent.com:sub": "repo:<GITHUB_ORG>/:*" } } } ] }

2️⃣ Attach Required Policies to IAM Role
aws iam attach-role-policy - role-name eks-cluster-role \
- policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
aws iam attach-role-policy - role-name eks-cluster-role \
- policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
aws iam attach-role-policy - role-name eks-cluster-role \
- policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
Verify role creation:
aws iam get-role - role-name eks-cluster-role

🚀 GitHub Actions Workflow for EKS Deployment
1️⃣ Terraform & YAML Validation
We ensure Terraform & YAML files are valid before deployment using .github/workflows/tf-yaml-validator.yml.
2️⃣ PR-Based Comment-Driven Provisioning
Users can trigger Terraform Plan/Apply/Destroy by commenting on a PR with:
terraform plan
terraform apply
terraform destroy

🔥 Troubleshooting Common Issues

🏆 Key Features & Security Best Practices
✔ GitHub Actions with OIDC (No AWS access keys stored)
✔ PR-Based Comment Triggering (Only applies changes after review)
✔ YAML & Terraform Validation (Prevents broken deployments)
✔ Terraform Backend with State Locking (Avoids conflicts)
✔ IAM Role-Based Authentication (Secure access to AWS & EKS)

📢 Contributors
👤 Ayush Pant- DevOps Engineer
If you found this helpful, feel free to like, comment, and share! 🚀

DEV Community: Ayush Pant

Automating Amazon EKS Provisioning with Terraform & GitHub OIDC & Actions