The latest articles on DEV Community by Oluwafemi Lawal (@femilawal). https://dev.to/femilawal https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F479581%2F32d3c6da-e0e6-4d0e-8d42-f8489a32396c.png https://dev.to/femilawal en Oluwafemi Lawal Thu, 18 Dec 2025 23:52:37 +0000 https://dev.to/aws-builders/go-vs-python-on-aws-lambda-a-practical-terraform-shootout-with-function-urls-4hf0 https://dev.to/aws-builders/go-vs-python-on-aws-lambda-a-practical-terraform-shootout-with-function-urls-4hf0 <p>If you've been living in AWS for a while, you've probably seen a pattern:</p> <ul> <li> <strong>Python</strong> becomes the "default Lambda language" because it's quick to write and easy to ship.</li> <li> <strong>Go</strong> shows up when someone says, "This Lambda is basically a tiny compute worker… why is it slow and expensive?"</li> </ul> <p>In this post, we'll build the same Lambda <strong>twice</strong> (Go and Python), deploy both with <strong>Terraform</strong>, put them behind <strong>Lambda Function URLs</strong>, and run a simple benchmark that makes Go look <em>unfair</em>, on purpose.</p> <blockquote> <p><strong>Use case:</strong> <em>Telemetry burst aggregation</em><br><br> A client sends an array of events (endpoint, status code, duration). The function returns:</p> <ul> <li>total events</li> <li>unique users</li> <li>status code counts</li> <li> <strong>p95 duration</strong> (requires sorting a big slice/list)</li> <li>top endpoints by hit count</li> </ul> <p>This is a very "Lambda-ish" job: bursty, CPU-heavy, and latency-sensitive.</p> </blockquote> <h2> Heads-up: Go's managed runtime is deprecated </h2> <p>AWS deprecated the <strong><code>go1.x</code></strong> managed runtime. Go is still supported on Lambda, but you run it through an <strong>OS-only runtime</strong> such as <strong><code>provided.al2023</code></strong> (custom runtime) and ship a <code>bootstrap</code> executable in your zip.<br><br> Docs:</p> <ul> <li>Lambda runtimes: <a href="https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html" rel="noopener noreferrer">https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html</a> </li> <li>Go on Lambda: <a href="https://docs.aws.amazon.com/lambda/latest/dg/lambda-golang.html" rel="noopener noreferrer">https://docs.aws.amazon.com/lambda/latest/dg/lambda-golang.html</a> </li> <li>Custom runtime entrypoint: <a href="https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html" rel="noopener noreferrer">https://docs.aws.amazon.com/lambda/latest/dg/runtimes-custom.html</a> </li> </ul> <p>This matters because it slightly changes packaging (but you still write normal Go with <code>aws-lambda-go</code>).</p> <h2> What you'll build </h2> <p><a href="https://github.com/Femi-lawal/go_v_py_lambda" rel="noopener noreferrer">Project available at https://github.com/Femi-lawal/go_v_py_lambda</a></p> <p>Two endpoints:</p> <ul> <li> <code>telemetry-go</code> → <code>provided.al2023</code> → compiled <code>bootstrap</code> </li> <li> <code>telemetry-py</code> → <code>python3.12</code> → <code>app.handler</code> </li> </ul> <p>Both exposed through <strong>Function URLs</strong> so you can <code>curl</code> them without API Gateway.</p> <blockquote> <p>⚠️ For a real system, do <strong>not</strong> use <code>AuthType = NONE</code> in production. Use <code>AWS_IAM</code> or put CloudFront/WAF in front.<br><br> Function URL docs: <a href="https://docs.aws.amazon.com/lambda/latest/dg/urls-configuration.html" rel="noopener noreferrer">https://docs.aws.amazon.com/lambda/latest/dg/urls-configuration.html</a></p> </blockquote> <h2> Why Go outshines Python in this specific setup </h2> <h3> Go advantages (for this use case) </h3> <ul> <li> <strong>Faster cold starts</strong> (compiled binary, minimal runtime overhead)</li> <li> <strong>CPU-bound speed</strong> (JSON decode + sorting + maps)</li> <li> <strong>Lower memory pressure</strong> (often fewer "surprise" allocations)</li> <li>Easy to parallelize parsing/aggregation with goroutines when it makes sense</li> </ul> <h3> Python advantages (in general) </h3> <ul> <li> <strong>Fast iteration</strong> and fewer steps to "get something running"</li> <li>Huge ecosystem (data parsing, scientific libs, AWS tooling)</li> <li>Great when your Lambda is mostly orchestration (glue code) or IO-bound work</li> </ul> <h3> The trade-off </h3> <p>Go is fantastic when your Lambda is:</p> <ul> <li>hot path</li> <li>CPU-heavy</li> <li>cost-sensitive at scale</li> </ul> <p>Python is fantastic when your Lambda is:</p> <ul> <li>mostly IO (calling APIs, DynamoDB, S3, etc.)</li> <li>rapidly changing</li> <li>maintained by teams who live in Python day-to-day</li> </ul> <h2> Project layout </h2> <p>Here's a small repo layout you can copy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── infra │ ├── main.tf │ ├── versions.tf │ └── outputs.tf ├── lambda-go │ ├── go.mod │ ├── go.sum # auto-generated by go mod tidy │ └── main.go ├── lambda-py │ └── app.py └── scripts ├── gen_payload.py └── bench.sh </code></pre> </div> <h2> The Lambda code (same logic, two languages) </h2> <h3> 1) Python: <code>lambda-py/app.py</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">time</span> <span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">start</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">body</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="sh">""</span> <span class="k">if</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">isBase64Encoded</span><span class="sh">"</span><span class="p">):</span> <span class="kn">import</span> <span class="n">base64</span> <span class="n">body</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">body</span><span class="p">,</span> <span class="p">(</span><span class="nb">bytes</span><span class="p">,</span> <span class="nb">bytearray</span><span class="p">)):</span> <span class="n">body</span> <span class="o">=</span> <span class="n">body</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">events_</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="k">if</span> <span class="n">body</span> <span class="k">else</span> <span class="p">[]</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">events_</span><span class="p">,</span> <span class="nb">list</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Expected a JSON array</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">content-type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">invalid request</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)}),</span> <span class="p">}</span> <span class="n">counts</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">status_counts</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">unique_users</span> <span class="o">=</span> <span class="nf">set</span><span class="p">()</span> <span class="n">durations</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">ev</span> <span class="ow">in</span> <span class="n">events_</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">ev</span><span class="p">,</span> <span class="nb">dict</span><span class="p">):</span> <span class="k">continue</span> <span class="n">endpoint</span> <span class="o">=</span> <span class="n">ev</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">endpoint</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">counts</span><span class="p">[</span><span class="n">endpoint</span><span class="p">]</span> <span class="o">=</span> <span class="n">counts</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">endpoint</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span> <span class="n">status</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">ev</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">))</span> <span class="n">status_counts</span><span class="p">[</span><span class="n">status</span><span class="p">]</span> <span class="o">=</span> <span class="n">status_counts</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">status</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span> <span class="n">uid</span> <span class="o">=</span> <span class="n">ev</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">uid</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="n">unique_users</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">uid</span><span class="p">))</span> <span class="n">d</span> <span class="o">=</span> <span class="n">ev</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">duration_ms</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">durations</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nf">int</span><span class="p">(</span><span class="n">d</span><span class="p">))</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="n">durations</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">durations</span><span class="p">.</span><span class="nf">sort</span><span class="p">()</span> <span class="n">p95</span> <span class="o">=</span> <span class="n">durations</span><span class="p">[</span><span class="nf">int</span><span class="p">(</span><span class="mf">0.95</span> <span class="o">*</span> <span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">durations</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))]</span> <span class="k">if</span> <span class="n">durations</span> <span class="k">else</span> <span class="mi">0</span> <span class="n">top_endpoints</span> <span class="o">=</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">counts</span><span class="p">.</span><span class="nf">items</span><span class="p">(),</span> <span class="n">key</span><span class="o">=</span><span class="k">lambda</span> <span class="n">kv</span><span class="p">:</span> <span class="n">kv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">reverse</span><span class="o">=</span><span class="bp">True</span><span class="p">)[:</span><span class="mi">5</span><span class="p">]</span> <span class="n">compute_ms</span> <span class="o">=</span> <span class="nf">int</span><span class="p">((</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start</span><span class="p">)</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">content-type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span> <span class="p">{</span> <span class="sh">"</span><span class="s">total_events</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">events_</span><span class="p">),</span> <span class="sh">"</span><span class="s">unique_users</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">unique_users</span><span class="p">),</span> <span class="sh">"</span><span class="s">p95_duration_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">p95</span><span class="p">,</span> <span class="sh">"</span><span class="s">top_endpoints</span><span class="sh">"</span><span class="p">:</span> <span class="n">top_endpoints</span><span class="p">,</span> <span class="sh">"</span><span class="s">status_counts</span><span class="sh">"</span><span class="p">:</span> <span class="n">status_counts</span><span class="p">,</span> <span class="sh">"</span><span class="s">compute_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">compute_ms</span><span class="p">,</span> <span class="sh">"</span><span class="s">language</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">python</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="p">),</span> <span class="p">}</span> </code></pre> </div> <h3> 2) Go: <code>lambda-go/main.go</code> </h3> <blockquote> <p>Go on <code>provided.al2023</code> expects your deployment zip to contain an executable named <strong><code>bootstrap</code></strong> at the root.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"context"</span> <span class="s">"encoding/json"</span> <span class="s">"sort"</span> <span class="s">"time"</span> <span class="s">"github.com/aws/aws-lambda-go/events"</span> <span class="s">"github.com/aws/aws-lambda-go/lambda"</span> <span class="p">)</span> <span class="k">type</span> <span class="n">TelemetryEvent</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Endpoint</span> <span class="kt">string</span> <span class="s">`json:"endpoint"`</span> <span class="n">Status</span> <span class="kt">int</span> <span class="s">`json:"status"`</span> <span class="n">DurationMS</span> <span class="kt">int</span> <span class="s">`json:"duration_ms"`</span> <span class="n">UserID</span> <span class="kt">string</span> <span class="s">`json:"user_id"`</span> <span class="p">}</span> <span class="k">type</span> <span class="n">Response</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">TotalEvents</span> <span class="kt">int</span> <span class="s">`json:"total_events"`</span> <span class="n">UniqueUsers</span> <span class="kt">int</span> <span class="s">`json:"unique_users"`</span> <span class="n">P95DurationMS</span> <span class="kt">int</span> <span class="s">`json:"p95_duration_ms"`</span> <span class="n">TopEndpoints</span> <span class="p">[][</span><span class="m">2</span><span class="p">]</span><span class="k">interface</span><span class="p">{}</span> <span class="s">`json:"top_endpoints"`</span> <span class="n">StatusCounts</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">int</span> <span class="s">`json:"status_counts"`</span> <span class="n">ComputeMS</span> <span class="kt">int64</span> <span class="s">`json:"compute_ms"`</span> <span class="n">Language</span> <span class="kt">string</span> <span class="s">`json:"language"`</span> <span class="n">Error</span> <span class="kt">string</span> <span class="s">`json:"error,omitempty"`</span> <span class="n">ErrorDetail</span> <span class="kt">string</span> <span class="s">`json:"detail,omitempty"`</span> <span class="p">}</span> <span class="k">func</span> <span class="n">handler</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">req</span> <span class="n">events</span><span class="o">.</span><span class="n">LambdaFunctionURLRequest</span><span class="p">)</span> <span class="p">(</span><span class="n">events</span><span class="o">.</span><span class="n">LambdaFunctionURLResponse</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">start</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span> <span class="k">var</span> <span class="n">items</span> <span class="p">[]</span><span class="n">TelemetryEvent</span> <span class="k">if</span> <span class="n">req</span><span class="o">.</span><span class="n">Body</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">Body</span><span class="p">),</span> <span class="o">&amp;</span><span class="n">items</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">out</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Marshal</span><span class="p">(</span><span class="n">Response</span><span class="p">{</span><span class="n">Error</span><span class="o">:</span> <span class="s">"invalid request"</span><span class="p">,</span> <span class="n">ErrorDetail</span><span class="o">:</span> <span class="n">err</span><span class="o">.</span><span class="n">Error</span><span class="p">(),</span> <span class="n">Language</span><span class="o">:</span> <span class="s">"go"</span><span class="p">})</span> <span class="k">return</span> <span class="n">events</span><span class="o">.</span><span class="n">LambdaFunctionURLResponse</span><span class="p">{</span> <span class="n">StatusCode</span><span class="o">:</span> <span class="m">400</span><span class="p">,</span> <span class="n">Headers</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span><span class="s">"content-type"</span><span class="o">:</span> <span class="s">"application/json"</span><span class="p">},</span> <span class="n">Body</span><span class="o">:</span> <span class="kt">string</span><span class="p">(</span><span class="n">out</span><span class="p">),</span> <span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> <span class="p">}</span> <span class="n">counts</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">int</span><span class="p">,</span> <span class="m">64</span><span class="p">)</span> <span class="n">statusCounts</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">int</span><span class="p">,</span> <span class="m">16</span><span class="p">)</span> <span class="n">unique</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">struct</span><span class="p">{},</span> <span class="m">128</span><span class="p">)</span> <span class="n">durations</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">int</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">items</span><span class="p">))</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">ev</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">items</span> <span class="p">{</span> <span class="n">ep</span> <span class="o">:=</span> <span class="n">ev</span><span class="o">.</span><span class="n">Endpoint</span> <span class="k">if</span> <span class="n">ep</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">ep</span> <span class="o">=</span> <span class="s">"unknown"</span> <span class="p">}</span> <span class="n">counts</span><span class="p">[</span><span class="n">ep</span><span class="p">]</span><span class="o">++</span> <span class="n">statusCounts</span><span class="p">[</span><span class="n">itoa</span><span class="p">(</span><span class="n">ev</span><span class="o">.</span><span class="n">Status</span><span class="p">)]</span><span class="o">++</span> <span class="k">if</span> <span class="n">ev</span><span class="o">.</span><span class="n">UserID</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">unique</span><span class="p">[</span><span class="n">ev</span><span class="o">.</span><span class="n">UserID</span><span class="p">]</span> <span class="o">=</span> <span class="k">struct</span><span class="p">{}{}</span> <span class="p">}</span> <span class="n">durations</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">durations</span><span class="p">,</span> <span class="n">ev</span><span class="o">.</span><span class="n">DurationMS</span><span class="p">)</span> <span class="p">}</span> <span class="n">sort</span><span class="o">.</span><span class="n">Ints</span><span class="p">(</span><span class="n">durations</span><span class="p">)</span> <span class="n">p95</span> <span class="o">:=</span> <span class="m">0</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">durations</span><span class="p">)</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="n">p95</span> <span class="o">=</span> <span class="n">durations</span><span class="p">[</span><span class="kt">int</span><span class="p">(</span><span class="m">0.95</span><span class="o">*</span><span class="kt">float64</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">durations</span><span class="p">)</span><span class="o">-</span><span class="m">1</span><span class="p">))]</span> <span class="p">}</span> <span class="c">// Top 5 endpoints</span> <span class="k">type</span> <span class="n">kv</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">k</span> <span class="kt">string</span> <span class="n">v</span> <span class="kt">int</span> <span class="p">}</span> <span class="n">tmp</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="n">kv</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">counts</span><span class="p">))</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">counts</span> <span class="p">{</span> <span class="n">tmp</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">tmp</span><span class="p">,</span> <span class="n">kv</span><span class="p">{</span><span class="n">k</span><span class="o">:</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span><span class="o">:</span> <span class="n">v</span><span class="p">})</span> <span class="p">}</span> <span class="n">sort</span><span class="o">.</span><span class="n">Slice</span><span class="p">(</span><span class="n">tmp</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">i</span><span class="p">,</span> <span class="n">j</span> <span class="kt">int</span><span class="p">)</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="n">tmp</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">.</span><span class="n">v</span> <span class="o">&gt;</span> <span class="n">tmp</span><span class="p">[</span><span class="n">j</span><span class="p">]</span><span class="o">.</span><span class="n">v</span> <span class="p">})</span> <span class="n">topN</span> <span class="o">:=</span> <span class="m">5</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span> <span class="o">&lt;</span> <span class="n">topN</span> <span class="p">{</span> <span class="n">topN</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span> <span class="p">}</span> <span class="n">top</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([][</span><span class="m">2</span><span class="p">]</span><span class="k">interface</span><span class="p">{},</span> <span class="m">0</span><span class="p">,</span> <span class="n">topN</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="o">:=</span> <span class="m">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">topN</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span> <span class="p">{</span> <span class="n">top</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">top</span><span class="p">,</span> <span class="p">[</span><span class="m">2</span><span class="p">]</span><span class="k">interface</span><span class="p">{}{</span><span class="n">tmp</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">.</span><span class="n">k</span><span class="p">,</span> <span class="n">tmp</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">.</span><span class="n">v</span><span class="p">})</span> <span class="p">}</span> <span class="n">out</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">Marshal</span><span class="p">(</span><span class="n">Response</span><span class="p">{</span> <span class="n">TotalEvents</span><span class="o">:</span> <span class="nb">len</span><span class="p">(</span><span class="n">items</span><span class="p">),</span> <span class="n">UniqueUsers</span><span class="o">:</span> <span class="nb">len</span><span class="p">(</span><span class="n">unique</span><span class="p">),</span> <span class="n">P95DurationMS</span><span class="o">:</span> <span class="n">p95</span><span class="p">,</span> <span class="n">TopEndpoints</span><span class="o">:</span> <span class="n">top</span><span class="p">,</span> <span class="n">StatusCounts</span><span class="o">:</span> <span class="n">statusCounts</span><span class="p">,</span> <span class="n">ComputeMS</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Since</span><span class="p">(</span><span class="n">start</span><span class="p">)</span><span class="o">.</span><span class="n">Milliseconds</span><span class="p">(),</span> <span class="n">Language</span><span class="o">:</span> <span class="s">"go"</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="n">events</span><span class="o">.</span><span class="n">LambdaFunctionURLResponse</span><span class="p">{</span> <span class="n">StatusCode</span><span class="o">:</span> <span class="m">200</span><span class="p">,</span> <span class="n">Headers</span><span class="o">:</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span><span class="s">"content-type"</span><span class="o">:</span> <span class="s">"application/json"</span><span class="p">},</span> <span class="n">Body</span><span class="o">:</span> <span class="kt">string</span><span class="p">(</span><span class="n">out</span><span class="p">),</span> <span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// tiny int-&gt;string helper (avoids fmt.Sprintf)</span> <span class="k">func</span> <span class="n">itoa</span><span class="p">(</span><span class="n">n</span> <span class="kt">int</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">if</span> <span class="n">n</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="s">"0"</span> <span class="p">}</span> <span class="n">neg</span> <span class="o">:=</span> <span class="no">false</span> <span class="k">if</span> <span class="n">n</span> <span class="o">&lt;</span> <span class="m">0</span> <span class="p">{</span> <span class="n">neg</span> <span class="o">=</span> <span class="no">true</span> <span class="n">n</span> <span class="o">=</span> <span class="o">-</span><span class="n">n</span> <span class="p">}</span> <span class="k">var</span> <span class="n">buf</span> <span class="p">[</span><span class="m">12</span><span class="p">]</span><span class="kt">byte</span> <span class="n">i</span> <span class="o">:=</span> <span class="nb">len</span><span class="p">(</span><span class="n">buf</span><span class="p">)</span> <span class="k">for</span> <span class="n">n</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="n">i</span><span class="o">--</span> <span class="n">buf</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="kt">byte</span><span class="p">(</span><span class="sc">'0'</span> <span class="o">+</span> <span class="n">n</span><span class="o">%</span><span class="m">10</span><span class="p">)</span> <span class="n">n</span> <span class="o">/=</span> <span class="m">10</span> <span class="p">}</span> <span class="k">if</span> <span class="n">neg</span> <span class="p">{</span> <span class="n">i</span><span class="o">--</span> <span class="n">buf</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'-'</span> <span class="p">}</span> <span class="k">return</span> <span class="kt">string</span><span class="p">(</span><span class="n">buf</span><span class="p">[</span><span class="n">i</span><span class="o">:</span><span class="p">])</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">lambda</span><span class="o">.</span><span class="n">Start</span><span class="p">(</span><span class="n">handler</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><code>lambda-go/go.mod</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">module</span> <span class="n">telemetry</span><span class="o">-</span><span class="k">go</span> <span class="k">go</span> <span class="m">1.22</span> <span class="n">require</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">aws</span><span class="o">/</span><span class="n">aws</span><span class="o">-</span><span class="n">lambda</span><span class="o">-</span><span class="k">go</span> <span class="n">v1</span><span class="m">.48.0</span> </code></pre> </div> <h2> Terraform: deploy both functions the same way </h2> <h3> <code>infra/versions.tf</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.5.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="c1"># Needs support for provided.al2023 and modern runtimes.</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"&gt;= 5.26.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_region</span> <span class="p">}</span> </code></pre> </div> <h3> <code>infra/main.tf</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">project</span> <span class="p">=</span> <span class="s2">"go-vs-python-lambda"</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"lambda_exec"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${local.project}-exec"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"lambda.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"basic"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">lambda_exec</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"</span> <span class="p">}</span> <span class="c1"># --------------------</span> <span class="c1"># Packaging</span> <span class="c1"># --------------------</span> <span class="c1"># Python zip: just zip the folder</span> <span class="nx">data</span> <span class="s2">"archive_file"</span> <span class="s2">"py_zip"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_dir</span> <span class="p">=</span> <span class="s2">"${path.module}/../lambda-py"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"${path.module}/dist/lambda-py.zip"</span> <span class="p">}</span> <span class="c1"># Go zip: expects dist/bootstrap already built</span> <span class="nx">data</span> <span class="s2">"archive_file"</span> <span class="s2">"go_zip"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"zip"</span> <span class="nx">source_file</span> <span class="p">=</span> <span class="s2">"${path.module}/dist/bootstrap"</span> <span class="nx">output_path</span> <span class="p">=</span> <span class="s2">"${path.module}/dist/lambda-go.zip"</span> <span class="p">}</span> <span class="c1"># --------------------</span> <span class="c1"># Lambdas</span> <span class="c1"># --------------------</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"py"</span> <span class="p">{</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"${local.project}-py"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">lambda_exec</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">filename</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">py_zip</span><span class="p">.</span><span class="nx">output_path</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">py_zip</span><span class="p">.</span><span class="nx">output_base64sha256</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"python3.12"</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"app.handler"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">memory_size</span> <span class="p">=</span> <span class="mi">512</span> <span class="nx">architectures</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arm64"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function"</span> <span class="s2">"go"</span> <span class="p">{</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="s2">"${local.project}-go"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">lambda_exec</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">filename</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">go_zip</span><span class="p">.</span><span class="nx">output_path</span> <span class="nx">source_code_hash</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">archive_file</span><span class="p">.</span><span class="nx">go_zip</span><span class="p">.</span><span class="nx">output_base64sha256</span> <span class="nx">runtime</span> <span class="p">=</span> <span class="s2">"provided.al2023"</span> <span class="nx">handler</span> <span class="p">=</span> <span class="s2">"bootstrap"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">memory_size</span> <span class="p">=</span> <span class="mi">512</span> <span class="nx">architectures</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arm64"</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># --------------------</span> <span class="c1"># Function URLs (public for demo)</span> <span class="c1"># --------------------</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function_url"</span> <span class="s2">"py"</span> <span class="p">{</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">py</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">authorization_type</span> <span class="p">=</span> <span class="s2">"NONE"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_function_url"</span> <span class="s2">"go"</span> <span class="p">{</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">go</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">authorization_type</span> <span class="p">=</span> <span class="s2">"NONE"</span> <span class="p">}</span> <span class="c1"># As of late 2024, Function URLs may require BOTH InvokeFunctionUrl and InvokeFunction permissions</span> <span class="c1"># depending on your account settings. We grant both for compatibility.</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_permission"</span> <span class="s2">"py_url"</span> <span class="p">{</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"AllowPublicInvokeUrlPy"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunctionUrl"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">py</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">principal</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">function_url_auth_type</span> <span class="p">=</span> <span class="s2">"NONE"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_permission"</span> <span class="s2">"py_invoke"</span> <span class="p">{</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"AllowPublicInvokePy"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunction"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">py</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">principal</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_permission"</span> <span class="s2">"go_url"</span> <span class="p">{</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"AllowPublicInvokeUrlGo"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunctionUrl"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">go</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">principal</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">function_url_auth_type</span> <span class="p">=</span> <span class="s2">"NONE"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_lambda_permission"</span> <span class="s2">"go_invoke"</span> <span class="p">{</span> <span class="nx">statement_id</span> <span class="p">=</span> <span class="s2">"AllowPublicInvokeGo"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"lambda:InvokeFunction"</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">go</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">principal</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> </code></pre> </div> <h3> <code>infra/outputs.tf</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"python_url"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lambda_function_url</span><span class="p">.</span><span class="nx">py</span><span class="p">.</span><span class="nx">function_url</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"go_url"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lambda_function_url</span><span class="p">.</span><span class="nx">go</span><span class="p">.</span><span class="nx">function_url</span> <span class="p">}</span> </code></pre> </div> <h2> Build &amp; deploy </h2> <h3> 1) Build the Go <code>bootstrap</code> for arm64 </h3> <p>From the repo root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> infra/dist <span class="nb">cd </span>lambda-go <span class="nv">GOOS</span><span class="o">=</span>linux <span class="nv">GOARCH</span><span class="o">=</span>arm64 <span class="nv">CGO_ENABLED</span><span class="o">=</span>0 go build <span class="nt">-ldflags</span> <span class="s2">"-s -w"</span> <span class="nt">-o</span> ../infra/dist/bootstrap <span class="nb">.</span> <span class="nb">cd</span> .. <span class="nb">chmod</span> +x infra/dist/bootstrap </code></pre> </div> <h3> 2) Terraform apply </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra terraform init terraform apply </code></pre> </div> <p>Terraform will output both URLs.</p> <h2> Generate a payload and hit both endpoints </h2> <h3> <code>scripts/gen_payload.py</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">random</span> <span class="kn">import</span> <span class="n">string</span> <span class="k">def</span> <span class="nf">rand_user</span><span class="p">():</span> <span class="k">return</span> <span class="sh">"</span><span class="s">u_</span><span class="sh">"</span> <span class="o">+</span> <span class="sh">""</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">random</span><span class="p">.</span><span class="nf">choices</span><span class="p">(</span><span class="n">string</span><span class="p">.</span><span class="n">ascii_lowercase</span> <span class="o">+</span> <span class="n">string</span><span class="p">.</span><span class="n">digits</span><span class="p">,</span> <span class="n">k</span><span class="o">=</span><span class="mi">8</span><span class="p">))</span> <span class="k">def</span> <span class="nf">main</span><span class="p">(</span><span class="n">n</span><span class="o">=</span><span class="mi">20000</span><span class="p">):</span> <span class="n">endpoints</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/search</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/checkout</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/profile</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/feed</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/ping</span><span class="sh">"</span><span class="p">]</span> <span class="n">out</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">n</span><span class="p">):</span> <span class="n">out</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">endpoint</span><span class="sh">"</span><span class="p">:</span> <span class="n">random</span><span class="p">.</span><span class="nf">choice</span><span class="p">(</span><span class="n">endpoints</span><span class="p">),</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="n">random</span><span class="p">.</span><span class="nf">choice</span><span class="p">([</span><span class="mi">200</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="mi">201</span><span class="p">,</span> <span class="mi">400</span><span class="p">,</span> <span class="mi">401</span><span class="p">,</span> <span class="mi">403</span><span class="p">,</span> <span class="mi">500</span><span class="p">]),</span> <span class="sh">"</span><span class="s">duration_ms</span><span class="sh">"</span><span class="p">:</span> <span class="nf">int</span><span class="p">(</span><span class="n">random</span><span class="p">.</span><span class="nf">expovariate</span><span class="p">(</span><span class="mi">1</span><span class="o">/</span><span class="mi">120</span><span class="p">))</span> <span class="o">+</span> <span class="n">random</span><span class="p">.</span><span class="nf">randint</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">30</span><span class="p">),</span> <span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="nf">rand_user</span><span class="p">(),</span> <span class="p">})</span> <span class="nf">print</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">out</span><span class="p">))</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <p>Run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 scripts/gen_payload.py <span class="o">&gt;</span> payload.json </code></pre> </div> <p>Invoke:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">PY_URL</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">cd </span>infra <span class="o">&amp;&amp;</span> terraform output <span class="nt">-raw</span> python_url<span class="si">)</span><span class="s2">"</span> <span class="nv">GO_URL</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">cd </span>infra <span class="o">&amp;&amp;</span> terraform output <span class="nt">-raw</span> go_url<span class="si">)</span><span class="s2">"</span> curl <span class="nt">-s</span> <span class="nt">-X</span> POST <span class="s2">"</span><span class="nv">$PY_URL</span><span class="s2">"</span> <span class="nt">-H</span> <span class="s2">"content-type: application/json"</span> <span class="nt">--data-binary</span> @payload.json | jq curl <span class="nt">-s</span> <span class="nt">-X</span> POST <span class="s2">"</span><span class="nv">$GO_URL</span><span class="s2">"</span> <span class="nt">-H</span> <span class="s2">"content-type: application/json"</span> <span class="nt">--data-binary</span> @payload.json | jq </code></pre> </div> <h2> Quick benchmark (side-by-side) </h2> <h3> Option A: <code>hey</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install hey (if you don't have it)</span> <span class="c"># macOS: brew install hey</span> <span class="c"># Linux: https://github.com/rakyll/hey</span> hey <span class="nt">-n</span> 200 <span class="nt">-c</span> 20 <span class="nt">-m</span> POST <span class="nt">-H</span> <span class="s2">"content-type: application/json"</span> <span class="nt">-D</span> payload.json <span class="s2">"</span><span class="nv">$PY_URL</span><span class="s2">"</span> hey <span class="nt">-n</span> 200 <span class="nt">-c</span> 20 <span class="nt">-m</span> POST <span class="nt">-H</span> <span class="s2">"content-type: application/json"</span> <span class="nt">-D</span> payload.json <span class="s2">"</span><span class="nv">$GO_URL</span><span class="s2">"</span> </code></pre> </div> <h3> Option B: a tiny <code>bench.sh</code> </h3> <p><code>scripts/bench.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nv">PY_URL</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">cd </span>infra <span class="o">&amp;&amp;</span> terraform output <span class="nt">-raw</span> python_url<span class="si">)</span><span class="s2">"</span> <span class="nv">GO_URL</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">cd </span>infra <span class="o">&amp;&amp;</span> terraform output <span class="nt">-raw</span> go_url<span class="si">)</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Python URL: </span><span class="nv">$PY_URL</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Go URL: </span><span class="nv">$GO_URL</span><span class="s2">"</span> <span class="k">for </span>url <span class="k">in</span> <span class="s2">"</span><span class="nv">$PY_URL</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$GO_URL</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span><span class="nb">echo echo</span> <span class="s2">"== Benchmarking: </span><span class="nv">$url</span><span class="s2">"</span> hey <span class="nt">-n</span> 200 <span class="nt">-c</span> 20 <span class="nt">-m</span> POST <span class="nt">-H</span> <span class="s2">"content-type: application/json"</span> <span class="nt">-D</span> payload.json <span class="s2">"</span><span class="nv">$url</span><span class="s2">"</span> <span class="k">done</span> </code></pre> </div> <h2> What to look for in the results </h2> <p>When you benchmark:</p> <ul> <li> <strong>p95 / p99 latency</strong>: Go often wins when the handler is CPU-heavy.</li> <li> <strong>cold start</strong>: run once after no traffic for a while and compare first-hit latency.</li> <li> <strong>cost</strong>: Lambda charges for GB-seconds. If Go finishes faster at the same memory size, your bill can drop.</li> </ul> <p>Also look at CloudWatch logs and metrics:</p> <ul> <li>Duration</li> <li>Max memory used</li> <li>Init duration (cold start)</li> </ul> <h2> Actual Benchmark Results </h2> <p>We ran a comprehensive benchmark with the following configuration:</p> <ul> <li> <strong>Memory</strong>: 512 MB (both functions)</li> <li> <strong>Architecture</strong>: ARM64 (Graviton2)</li> <li> <strong>Region</strong>: us-east-1</li> <li> <strong>Iterations per test</strong>: 30</li> <li> <strong>Payload sizes</strong>: 100, 1,000, 5,000, 10,000, and 20,000 events</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsqlh84vl6mt8fqy7v1lg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsqlh84vl6mt8fqy7v1lg.png" alt="Latency Chart" width="800" height="480"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjd4kd44cf1grn0n3qmve.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjd4kd44cf1grn0n3qmve.png" alt="Cold Start Chart" width="800" height="480"></a></p> <h3> Latency Summary (all times in milliseconds) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Events</th> <th>Payload Size</th> <th>Language</th> <th>Cold Start</th> <th>Avg Latency</th> <th>P50</th> <th>P95</th> <th>P99</th> </tr> </thead> <tbody> <tr> <td>100</td> <td>8 KB</td> <td>Python</td> <td>272</td> <td>70</td> <td>66</td> <td>89</td> <td>98</td> </tr> <tr> <td>100</td> <td>8 KB</td> <td><strong>Go</strong></td> <td><strong>136</strong></td> <td><strong>41</strong></td> <td><strong>39</strong></td> <td><strong>54</strong></td> <td><strong>55</strong></td> </tr> <tr> <td>1,000</td> <td>82 KB</td> <td>Python</td> <td>68</td> <td>72</td> <td>70</td> <td>82</td> <td>107</td> </tr> <tr> <td>1,000</td> <td>82 KB</td> <td><strong>Go</strong></td> <td><strong>46</strong></td> <td><strong>53</strong></td> <td><strong>52</strong></td> <td><strong>68</strong></td> <td><strong>74</strong></td> </tr> <tr> <td>5,000</td> <td>411 KB</td> <td>Python</td> <td>124</td> <td>124</td> <td>121</td> <td>151</td> <td>160</td> </tr> <tr> <td>5,000</td> <td>411 KB</td> <td><strong>Go</strong></td> <td><strong>135</strong></td> <td><strong>108</strong></td> <td><strong>102</strong></td> <td><strong>130</strong></td> <td><strong>140</strong></td> </tr> <tr> <td>10,000</td> <td>822 KB</td> <td>Python</td> <td>220</td> <td>205</td> <td>202</td> <td>236</td> <td>263</td> </tr> <tr> <td>10,000</td> <td>822 KB</td> <td><strong>Go</strong></td> <td><strong>190</strong></td> <td><strong>197</strong></td> <td><strong>199</strong></td> <td><strong>221</strong></td> <td><strong>261</strong></td> </tr> <tr> <td>20,000</td> <td>1.6 MB</td> <td>Python</td> <td>422</td> <td>473</td> <td>460</td> <td>573</td> <td>595</td> </tr> <tr> <td>20,000</td> <td>1.6 MB</td> <td><strong>Go</strong></td> <td><strong>357</strong></td> <td><strong>359</strong></td> <td><strong>359</strong></td> <td><strong>391</strong></td> <td><strong>396</strong></td> </tr> </tbody> </table></div> <h3> Go vs Python Speedup Factor </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Payload</th> <th>Avg Latency Speedup</th> <th>P95 Latency Speedup</th> <th>Cold Start Speedup</th> </tr> </thead> <tbody> <tr> <td>100 events (8 KB)</td> <td><strong>1.70x faster</strong></td> <td><strong>1.66x faster</strong></td> <td><strong>2.00x faster</strong></td> </tr> <tr> <td>1,000 events (82 KB)</td> <td><strong>1.35x faster</strong></td> <td><strong>1.21x faster</strong></td> <td><strong>1.47x faster</strong></td> </tr> <tr> <td>5,000 events (411 KB)</td> <td><strong>1.15x faster</strong></td> <td><strong>1.16x faster</strong></td> <td>0.92x</td> </tr> <tr> <td>10,000 events (822 KB)</td> <td><strong>1.04x faster</strong></td> <td><strong>1.07x faster</strong></td> <td><strong>1.16x faster</strong></td> </tr> <tr> <td>20,000 events (1.6 MB)</td> <td><strong>1.32x faster</strong></td> <td><strong>1.46x faster</strong></td> <td><strong>1.18x faster</strong></td> </tr> </tbody> </table></div> <h3> Key Observations </h3> <ol> <li><p><strong>Cold Starts</strong>: Go's cold start is <strong>up to 2x faster</strong> for small payloads. At 100 events, Go cold starts at ~136ms vs Python's ~272ms. This matters for bursty, event-driven workloads.</p></li> <li><p><strong>Small Payloads Win Big</strong>: For small to medium payloads (100-1000 events), Go's advantage is most pronounced (1.35x-1.70x faster). This is where the JSON parsing and initial setup overhead dominates.</p></li> <li><p><strong>Large Payloads Converge</strong>: At 10,000+ events, the speedup narrows (1.04x-1.32x) because the actual computation time dominates over runtime overhead. However, Go maintains a consistent advantage in tail latencies (P95/P99).</p></li> <li> <p><strong>Predictable Tail Latencies</strong>: Go's P95 to P99 spread is tighter. For 20,000 events:</p> <ul> <li>Python: P95=573ms, P99=595ms (22ms spread)</li> <li>Go: P95=391ms, P99=396ms (5ms spread)</li> </ul> </li> </ol> <p>This predictability is critical for SLO compliance.</p> <ol> <li> <strong>Internal Compute Time</strong>: At larger payloads, Python's internal compute time (<code>compute_ms</code> from the response) is actually slightly lower than Go's for sorting operations (20K events: Python=117ms, Go=140ms). This is because Python's <code>timsort</code> is highly optimized C code, while Go's <code>sort.Ints</code> is pure Go. <strong>However</strong>, the <code>compute_ms</code> metric only measures post-JSON-parse processing. Go's faster JSON deserialization (which dominates at scale) isn't captured in this number. The total end-to-end latency still favors Go due to faster JSON parsing and lower runtime overhead.</li> </ol> <h3> Cost Implications </h3> <p>With Lambda <strong>ARM64 (Graviton2)</strong> pricing at <strong>$0.0000133334 per GB-second</strong> (20% cheaper than x86):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Python (avg)</th> <th>Go (avg)</th> <th>Monthly Savings (1M invocations)</th> </tr> </thead> <tbody> <tr> <td>100 events</td> <td>70ms</td> <td>41ms</td> <td><strong>$0.20</strong></td> </tr> <tr> <td>1,000 events</td> <td>72ms</td> <td>53ms</td> <td><strong>$0.13</strong></td> </tr> <tr> <td>20,000 events</td> <td>473ms</td> <td>359ms</td> <td><strong>$0.76</strong></td> </tr> </tbody> </table></div> <p><em>Calculation: (Python_ms - Go_ms) / 1000 × 0.5 GB × $0.0000133334 × 1,000,000 invocations</em></p> <p>At scale (100M invocations/month with 20,000-event payloads), that's approximately <strong>$76/month savings</strong> just by choosing Go, plus the inherent 20% ARM64 discount on top of x86 pricing.</p> <h2> When I'd choose Go vs Python for Lambda </h2> <h3> I reach for Go when: </h3> <ul> <li>this function is on the hot path (lots of traffic)</li> <li>it does non-trivial compute (parsing, compression, crypto, transforms)</li> <li>I care about predictable latency at scale</li> <li>I want small deployment packages and simple dependencies</li> </ul> <h3> I reach for Python when: </h3> <ul> <li>the function mostly orchestrates AWS services</li> <li>the logic changes often (product iteration)</li> <li>I need a library ecosystem advantage</li> <li>it's a glue script with real business value and low perf pressure</li> </ul> <h2> Final notes and improvements </h2> <p>If you want to make this "production-ish":</p> <ul> <li>flip Function URLs to <code>AWS_IAM</code> auth (or front with CloudFront/WAF)</li> <li>set log retention (so you don't pay forever)</li> <li>add structured logging + tracing</li> <li>add provisioned concurrency if you need consistent latency under cold starts</li> </ul> <h2> Additional Benchmark Scenarios to Try </h2> <h3> 1. Memory Configuration Comparison </h3> <p>Try running the same benchmarks at different memory levels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># In main.tf, change memory_size to test:</span> <span class="nx">memory_size</span> <span class="err">=</span> <span class="mi">256</span> <span class="c1"># Minimum viable</span> <span class="nx">memory_size</span> <span class="err">=</span> <span class="mi">512</span> <span class="c1"># Balanced (our test)</span> <span class="nx">memory_size</span> <span class="err">=</span> <span class="mi">1024</span> <span class="c1"># 2x CPU</span> <span class="nx">memory_size</span> <span class="err">=</span> <span class="mi">1769</span> <span class="c1"># Full vCPU</span> <span class="nx">memory_size</span> <span class="err">=</span> <span class="mi">3008</span> <span class="c1"># 2 vCPUs</span> </code></pre> </div> <p><strong>Expected behavior</strong>: Go benefits less from extra memory since it's already efficient. Python may see bigger gains from more CPU (Lambda CPU scales with memory).</p> <h3> 2. Concurrent Request Simulation </h3> <p>Test how each handles concurrent bursts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Using hey for concurrency testing</span> hey <span class="nt">-n</span> 500 <span class="nt">-c</span> 50 <span class="nt">-m</span> POST <span class="nt">-H</span> <span class="s2">"content-type: application/json"</span> <span class="nt">-D</span> payload.json <span class="s2">"</span><span class="nv">$GO_URL</span><span class="s2">"</span> hey <span class="nt">-n</span> 500 <span class="nt">-c</span> 50 <span class="nt">-m</span> POST <span class="nt">-H</span> <span class="s2">"content-type: application/json"</span> <span class="nt">-D</span> payload.json <span class="s2">"</span><span class="nv">$PY_URL</span><span class="s2">"</span> </code></pre> </div> <p>Watch for:</p> <ul> <li>Error rates under load</li> <li>Latency distribution (P50 vs P99 gap)</li> <li>Throttling behavior</li> </ul> <h3> 3. I/O-Bound Workload Comparison </h3> <p>Modify the Lambda to include DynamoDB or S3 calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># In app.py - add I/O operation </span><span class="kn">import</span> <span class="n">boto3</span> <span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">'</span><span class="s">dynamodb</span><span class="sh">'</span><span class="p">)</span> <span class="n">table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="sh">'</span><span class="s">telemetry-events</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Write aggregated result to DynamoDB </span><span class="n">table</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span><span class="n">Item</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">()),</span> <span class="sh">'</span><span class="s">result</span><span class="sh">'</span><span class="p">:</span> <span class="n">result</span><span class="p">})</span> </code></pre> </div> <p><strong>Expected result</strong>: The Go vs Python gap narrows significantly when I/O dominates. For pure I/O workloads, Python's simplicity often wins.</p> <h3> 4. Package Size Impact </h3> <p>Compare deployment package sizes:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Language</th> <th>Package Size</th> <th>Contains</th> </tr> </thead> <tbody> <tr> <td>Go</td> <td>6.3 MB</td> <td>Single static binary</td> </tr> <tr> <td>Python</td> <td>1.2 KB</td> <td>Just <code>app.py</code> </td> </tr> </tbody> </table></div> <p>But with dependencies:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Language</th> <th>Package Size</th> <th>Contains</th> </tr> </thead> <tbody> <tr> <td>Go</td> <td>6.3 MB</td> <td>Still just the binary</td> </tr> <tr> <td>Python + pandas + numpy</td> <td>50+ MB</td> <td>Requires layers or container</td> </tr> </tbody> </table></div> <h3> 5. Provisioned Concurrency Test </h3> <p>To eliminate cold starts entirely:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lambda_provisioned_concurrency_config"</span> <span class="s2">"go"</span> <span class="p">{</span> <span class="nx">function_name</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">go</span><span class="p">.</span><span class="nx">function_name</span> <span class="nx">provisioned_concurrent_executions</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">qualifier</span> <span class="p">=</span> <span class="nx">aws_lambda_function</span><span class="p">.</span><span class="nx">go</span><span class="p">.</span><span class="nx">version</span> <span class="p">}</span> </code></pre> </div> <p>This adds ~$0.000004463 per GB-second for provisioned capacity.</p> <h2> Real-World Use Cases Where These Results Matter </h2> <h3> ✅ Good fit for Go Lambda: </h3> <ul> <li> <strong>API Gateway backends</strong> - Low latency matters for user-facing APIs</li> <li> <strong>Kinesis/SQS processors</strong> - High throughput event processing</li> <li> <strong>Real-time data aggregation</strong> - Like our telemetry example</li> <li> <strong>Image/video thumbnail generation</strong> - CPU-bound transforms</li> <li> <strong>JWT validation layers</strong> - Crypto operations benefit from Go</li> </ul> <h3> ✅ Good fit for Python Lambda: </h3> <ul> <li> <strong>ML inference with SageMaker</strong> - Rich SDK ecosystem</li> <li> <strong>Data pipeline orchestration</strong> - Step Functions triggers</li> <li> <strong>S3 event handlers</strong> - boto3 makes this trivial</li> <li> <strong>Slack/Discord bots</strong> - Rapid iteration matters more</li> <li> <strong>One-off automation scripts</strong> - Time-to-deployment wins</li> </ul> <h2> Cleanup </h2> <p>Don't forget to tear down your infrastructure when done:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra terraform destroy <span class="nt">-auto-approve</span> </code></pre> </div> <h2> Reproducibility </h2> <p>To reproduce these benchmarks yourself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Clone and enter the project</span> git clone https://github.com/Femi-lawal/go_v_py_lambda <span class="nb">cd </span>go_v_py_lambda <span class="c"># 2. Build the Go binary for ARM64 Lambda</span> <span class="nb">cd </span>lambda-go go mod tidy <span class="nv">GOOS</span><span class="o">=</span>linux <span class="nv">GOARCH</span><span class="o">=</span>arm64 <span class="nv">CGO_ENABLED</span><span class="o">=</span>0 go build <span class="nt">-ldflags</span> <span class="s2">"-s -w"</span> <span class="nt">-o</span> ../infra/dist/bootstrap <span class="nb">.</span> <span class="nb">cd</span> .. <span class="c"># 3. Deploy with Terraform</span> <span class="nb">cd </span>infra terraform init terraform apply <span class="nt">-auto-approve</span> <span class="c"># 4. Generate test payload</span> python3 scripts/gen_payload.py 20000 <span class="o">&gt;</span> payload.json <span class="c"># 5. Run benchmarks (requires 'hey' - install via: go install github.com/rakyll/hey@latest)</span> <span class="nv">PY_URL</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> python_url<span class="si">)</span><span class="s2">"</span> <span class="nv">GO_URL</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> go_url<span class="si">)</span><span class="s2">"</span> hey <span class="nt">-n</span> 100 <span class="nt">-c</span> 10 <span class="nt">-m</span> POST <span class="nt">-H</span> <span class="s2">"content-type: application/json"</span> <span class="nt">-D</span> ../payload.json <span class="s2">"</span><span class="nv">$PY_URL</span><span class="s2">"</span> hey <span class="nt">-n</span> 100 <span class="nt">-c</span> 10 <span class="nt">-m</span> POST <span class="nt">-H</span> <span class="s2">"content-type: application/json"</span> <span class="nt">-D</span> ../payload.json <span class="s2">"</span><span class="nv">$GO_URL</span><span class="s2">"</span> <span class="c"># 6. Cleanup when done</span> terraform destroy <span class="nt">-auto-approve</span> </code></pre> </div> <h2> Summary </h2> <p>Our benchmarks confirm the conventional wisdom with hard numbers:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Go Advantage</th> </tr> </thead> <tbody> <tr> <td>Cold Start (small payload)</td> <td><strong>2x faster</strong></td> </tr> <tr> <td>Warm Latency (small payload)</td> <td><strong>1.7x faster</strong></td> </tr> <tr> <td>Warm Latency (large payload)</td> <td><strong>1.3x faster</strong></td> </tr> <tr> <td>P95 Tail Latency</td> <td><strong>1.2x-1.7x tighter</strong></td> </tr> <tr> <td>Monthly Cost Savings (ARM64)</td> <td><strong>~$76 at 100M requests</strong></td> </tr> </tbody> </table></div> <p><strong>The takeaway</strong>: If your Lambda is on the hot path, does CPU work, and you care about cost or latency SLOs, Go is worth the learning curve. If you're gluing AWS services together or iterating rapidly, Python's ergonomics win.</p> <p>Happy building</p> Oluwafemi Lawal Thu, 20 Nov 2025 23:08:41 +0000 https://dev.to/aws-builders/navigating-aws-eks-with-terraform-configuring-karpenter-for-just-in-time-node-provisioning-5g45 https://dev.to/aws-builders/navigating-aws-eks-with-terraform-configuring-karpenter-for-just-in-time-node-provisioning-5g45 <p>In this article, we will integrate Karpenter, which will enable our cluster to provision nodes dynamically based on actual workload requirements. Unlike Cluster Autoscaler which scales existing node groups, Karpenter provisions exactly the right-sized nodes on demand. We will need to make some adjustments to our EKS module.</p> <h2> Prerequisites </h2> <p>Ensure you have:</p> <ul> <li>An active AWS account</li> <li>Terraform installed and configured</li> <li>Helm installed</li> <li>kubectl</li> </ul> <h2> Setup Overview </h2> <p>In the <a href="https://dev.to/aws-builders/navigating-aws-eks-with-terraform-implementing-cluster-auoscaler-in-your-eks-cluster-p54">previous part of the series</a>, we installed and configured the <strong>Kubernetes Cluster Autoscaler (CA)</strong> on an EKS cluster provisioned with Terraform. That article showed how to let Kubernetes resize <strong>existing</strong> node groups when Pods can't be scheduled.</p> <p>Karpenter takes a different approach; it's an open-source autoscaling solution from AWS that goes beyond resizing existing node groups. Instead, <strong>Karpenter talks directly to AWS and launches the <em>right</em> EC2 instances on demand</strong> to fit the Pods that are actually pending.</p> <h2> Key Architectural Difference: Self-Managed Nodes </h2> <p><strong>Important:</strong> Nodes provisioned by Karpenter will appear as <strong>"Self-managed"</strong> in the AWS EKS console, while Cluster Autoscaler nodes show as part of <strong>"Managed Node Groups"</strong>. This is by design:</p> <ul> <li> <strong>Cluster Autoscaler</strong>: Works within existing Auto Scaling Groups (ASGs) or EKS Managed Node Groups. It scales by adjusting the desired capacity of predefined node groups.</li> <li> <strong>Karpenter</strong>: Provisions nodes as individual EC2 instances directly using the AWS API, bypassing ASGs and node groups entirely. This gives Karpenter the flexibility to dynamically select instance types, launch nodes faster, and optimize costs.</li> </ul> <p>Both approaches result in fully functional nodes in your cluster - the "self-managed" designation simply indicates that Karpenter manages the instance lifecycle independently. This architecture enables Karpenter's key advantages: faster provisioning (30-60 seconds vs 2-5 minutes), dynamic instance type selection, and more efficient resource utilization.</p> <p>For more details, see:</p> <ul> <li><a href="https://karpenter.sh/docs/concepts/" rel="noopener noreferrer">Karpenter Architecture Documentation</a></li> <li><a href="https://aws.amazon.com/blogs/aws/introducing-karpenter-an-open-source-high-performance-kubernetes-cluster-autoscaler/" rel="noopener noreferrer">AWS Blog: Introducing Karpenter</a></li> </ul> <h2> Prepare Your EKS Cluster </h2> <p>Ensure your EKS cluster is ready. If needed, <a href="https://dev.to/aws-builders/navigating-aws-eks-with-terraform-understanding-eks-cluster-configuration-2f6o">refer back to our guide on setting up an EKS cluster using Terraform</a></p> <h2> Modifications </h2> <p>To support Karpenter's auto-discovery feature, we need to update the tags on our EKS resources. Unlike Cluster Autoscaler which used <code>k8s.io/cluster-autoscaler/*</code> tags, Karpenter uses <code>karpenter.sh/discovery</code> tags to identify the subnets and security groups it can use when provisioning nodes.</p> <h3> Update EKS Module to Support New Parameters </h3> <p>First, we need to extend our EKS module to support the parameters required for Karpenter. Add these variables to <code>modules/aws/eks/v1/variables.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"eks_cluster_version"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Kubernetes version for the EKS cluster"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"additional_role_mappings"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Additional IAM role mappings for aws-auth ConfigMap"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">rolearn</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">username</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">groups</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[]</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"additional_launch_template_tags"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Additional tags to add to the launch template"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <p>Update <code>modules/aws/eks/v1/main.tf</code> to use these variables:</p> <ol> <li>Add version to the EKS cluster: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eks_cluster"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_cluster_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">enabled_cluster_log_types</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">enabled_cluster_log_types</span> <span class="nx">version</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">eks_cluster_version</span> <span class="c1"># Add this line</span> <span class="c1"># ... rest of configuration</span> <span class="p">}</span> </code></pre> </div> <ol> <li>Update the launch template tags to merge additional tags: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_launch_template"</span> <span class="s2">"eks_node_group"</span> <span class="p">{</span> <span class="c1"># ... existing configuration ...</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="p">{</span> <span class="s2">"Name"</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-node-group"</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"owned"</span> <span class="p">},</span> <span class="kd">var</span><span class="p">.</span><span class="nx">additional_launch_template_tags</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <ol> <li>Update the aws-auth ConfigMap to include additional role mappings: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"kubernetes_config_map"</span> <span class="s2">"aws_auth"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aws-auth"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"kube-system"</span> <span class="p">}</span> <span class="k">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">mapRoles</span> <span class="p">=</span> <span class="nx">yamlencode</span><span class="p">(</span><span class="nx">concat</span><span class="p">(</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">rolearn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_admins_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">username</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_admins_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"system:masters"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">rolearn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">"system:node:{{EC2PrivateDNSName}}"</span> <span class="nx">groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"system:bootstrappers"</span><span class="p">,</span> <span class="s2">"system:nodes"</span><span class="p">]</span> <span class="p">}</span> <span class="p">],</span> <span class="kd">var</span><span class="p">.</span><span class="nx">additional_role_mappings</span> <span class="p">))</span> <span class="c1"># ... rest of configuration</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ol> <li>Update the nodes security group to include additional tags: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"eks_nodes_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-nodes-sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for all nodes in the cluster"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-nodes-sg"</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"owned"</span> <span class="p">},</span> <span class="kd">var</span><span class="p">.</span><span class="nx">additional_launch_template_tags</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <ol> <li>Add new outputs to <code>modules/aws/eks/v1/outputs.tf</code>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"oidc_provider_url"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The OIDC URL of the Cluster"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">url</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"node_instance_role_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ARN of the node instance role"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node_role</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <h3> Update VPC and EKS Configuration </h3> <p><strong>Critical:</strong> Karpenter needs to discover subnets and security groups using tags. You must add the <code>karpenter.sh/discovery</code> tag to <strong>private subnets only</strong> (not public subnets) and to the node security group.</p> <p><strong>Why private subnets only?</strong> Karpenter-provisioned nodes need outbound internet access to download container images and communicate with the EKS control plane. Private subnets with NAT gateway provide this access. If you tag public subnets, Karpenter might launch nodes there without public IPs, causing them to fail to join the cluster.</p> <p>Update <code>vpc.tf</code> to add Karpenter discovery tags:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/aws/vpc/v1"</span> <span class="nx">vpc_name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-vpc"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">public_subnet_count</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">private_subnet_count</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">public_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="c1"># DO NOT add karpenter.sh/discovery tag to public subnets</span> <span class="p">}</span> <span class="nx">private_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="c1"># Only tag private subnets</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now update <code>eks.tf</code> to configure the EKS cluster with Karpenter support:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/aws/eks/v1"</span> <span class="nx">region</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">eks_cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">demo_group</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-node-group"</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3a.small"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">additional_role_mappings</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">rolearn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">karpenter_controller_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">"system:serviceaccount:karpenter:karpenter"</span> <span class="nx">groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"system:masters"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">additional_launch_template_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Note on Hybrid Architecture:</strong> This configuration uses a <strong>best practice approach</strong> where:</p> <ul> <li>The managed node group (2 small nodes) hosts critical system components (CoreDNS, kube-proxy, etc.)</li> <li>Karpenter dynamically provisions additional nodes for application workloads</li> </ul> <p>This hybrid model provides stability for system pods while giving you Karpenter's flexibility and cost optimization for your applications.</p> <h2> Create IAM Role for Karpenter </h2> <p>The Karpenter controller needs specific permissions to interact with EC2 instances and AWS services. We'll create an IAM role that uses IRSA (IAM Roles for Service Accounts) to allow the Karpenter pods to assume this role securely.</p> <p>Create a new file called <code>karpenter.tf</code> at the root of your repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">############################################################################################################</span> <span class="c1">### KARPENTER</span> <span class="c1">############################################################################################################</span> <span class="c1"># IAM Role for Karpenter Controller</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"karpenter_assume_role_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">replace</span><span class="p">(</span><span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_url</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="k">}</span><span class="s2">:sub"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"system:serviceaccount:karpenter:karpenter"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_arn</span><span class="p">]</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Federated"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"karpenter_controller_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-karpenter-controller"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">karpenter_assume_role_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="c1"># Karpenter Controller Policy</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"karpenter_controller_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowScopedEC2InstanceAccessActions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:RunInstances"</span><span class="p">,</span> <span class="s2">"ec2:CreateFleet"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">::image/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">::snapshot/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:security-group/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:subnet/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:launch-template/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowScopedEC2InstanceActionsWithTags"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:RunInstances"</span><span class="p">,</span> <span class="s2">"ec2:CreateFleet"</span><span class="p">,</span> <span class="s2">"ec2:CreateLaunchTemplate"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:fleet/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:instance/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:volume/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:network-interface/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:launch-template/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:spot-instances-request/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowScopedResourceCreationTagging"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:CreateTags"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:fleet/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:instance/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:volume/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:network-interface/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:launch-template/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:spot-instances-request/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowScopedResourceTagging"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:CreateTags"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:instance/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowScopedDeletion"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:TerminateInstances"</span><span class="p">,</span> <span class="s2">"ec2:DeleteLaunchTemplate"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:instance/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:launch-template/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowRegionalReadActions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:DescribeAvailabilityZones"</span><span class="p">,</span> <span class="s2">"ec2:DescribeImages"</span><span class="p">,</span> <span class="s2">"ec2:DescribeInstances"</span><span class="p">,</span> <span class="s2">"ec2:DescribeInstanceTypeOfferings"</span><span class="p">,</span> <span class="s2">"ec2:DescribeInstanceTypes"</span><span class="p">,</span> <span class="s2">"ec2:DescribeLaunchTemplates"</span><span class="p">,</span> <span class="s2">"ec2:DescribeSecurityGroups"</span><span class="p">,</span> <span class="s2">"ec2:DescribeSpotPriceHistory"</span><span class="p">,</span> <span class="s2">"ec2:DescribeSubnets"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowSSMReadActions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ssm:GetParameter"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:ssm:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">::parameter/aws/service/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowPricingReadActions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"pricing:GetProducts"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowInterruptionQueueActions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sqs:DeleteMessage"</span><span class="p">,</span> <span class="s2">"sqs:GetQueueUrl"</span><span class="p">,</span> <span class="s2">"sqs:GetQueueAttributes"</span><span class="p">,</span> <span class="s2">"sqs:ReceiveMessage"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arn:aws:sqs:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowPassNodeIAMRole"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"iam:PassRole"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">node_instance_role_arn</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowScopedInstanceProfileCreationActions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"iam:CreateInstanceProfile"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:iam::*:instance-profile/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowScopedInstanceProfileTagActions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"iam:TagInstanceProfile"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:iam::*:instance-profile/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowScopedInstanceProfileActions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"iam:AddRoleToInstanceProfile"</span><span class="p">,</span> <span class="s2">"iam:RemoveRoleFromInstanceProfile"</span><span class="p">,</span> <span class="s2">"iam:DeleteInstanceProfile"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:iam::*:instance-profile/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowInstanceProfileReadActions"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"iam:GetInstanceProfile"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:iam::*:instance-profile/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"AllowAPIServerEndpointDiscovery"</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"eks:DescribeCluster"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:eks:</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">:*:cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"karpenter_controller_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-karpenter-controller-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">karpenter_controller_role</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">karpenter_controller_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>The Karpenter controller policy gives Karpenter the permissions it needs to:</p> <ul> <li>Launch and terminate EC2 instances</li> <li>Create and manage launch templates</li> <li>Describe EC2 resources (subnets, security groups, instance types, etc.)</li> <li>Manage instance profiles</li> <li>Tag resources appropriately</li> </ul> <p>We also pass the role mapping to the config map in the EKS module (shown in the <code>eks.tf</code> above), which allows the Karpenter service account to assume this IAM role.</p> <p>We also need to update our Terraform outputs in <code>ouput.tf</code> to expose values needed by our deployment scripts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"karpenter_controller_role_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ARN of the Karpenter controller IAM role"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">karpenter_controller_role</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The AWS region where the EKS cluster is deployed"</span> <span class="nx">value</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the EKS cluster"</span> <span class="nx">value</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"cluster_endpoint"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The endpoint for the EKS cluster"</span> <span class="nx">value</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"node_instance_role_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ARN of the node instance role"</span> <span class="nx">value</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">node_instance_role_arn</span> <span class="p">}</span> </code></pre> </div> <p>We can then apply our changes with terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs94f8yr4kkqlhzf5lnug.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs94f8yr4kkqlhzf5lnug.png" alt="Terraform Apply Output" width="800" height="685"></a></p> <p>We can confirm our cluster is up and running in the AWS console.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1b8195s86b8blx0ki0ke.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1b8195s86b8blx0ki0ke.png" alt="Cluster in AWS Console" width="800" height="352"></a></p> <h2> Install Karpenter using Helm </h2> <p>We have created the role mapping that the karpenter service account will use, but we still need to create the actual service account. The manifest to create that will look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">karpenter</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">karpenter</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::&lt;ACCOUNT_ID&gt;:role/&lt;IAM_ROLE_NAME&gt;"</span> </code></pre> </div> <p>For simplicity (or just because I'm lazy), I have created scripts to help with the rest of the article. They make use of terraform outputs to avoid having to put placeholders or keep track of which command to run first.</p> <p>The script <code>scripts/deploy_karpenter.sh</code> updates our kubectl context to that of the cluster, creates the service account for Karpenter with the IRSA annotation, and deploys Karpenter using helm:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-euxo</span> pipefail <span class="c"># Retrieve Terraform outputs</span> <span class="nv">REGION</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> aws_region<span class="si">)</span> <span class="nv">CLUSTER_NAME</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> cluster_name<span class="si">)</span> <span class="nv">KARPENTER_ROLE_ARN</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> karpenter_controller_role_arn<span class="si">)</span> <span class="nv">CLUSTER_ENDPOINT</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> cluster_endpoint<span class="si">)</span> <span class="nv">NODE_INSTANCE_ROLE_ARN</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> node_instance_role_arn<span class="si">)</span> <span class="c"># Extract the role name from the ARN</span> <span class="nv">NODE_INSTANCE_ROLE_NAME</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$NODE_INSTANCE_ROLE_ARN</span> | <span class="nb">awk</span> <span class="nt">-F</span><span class="s1">'/'</span> <span class="s1">'{print $NF}'</span><span class="si">)</span> <span class="c"># Update kubeconfig</span> aws eks update-kubeconfig <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="nt">--name</span> <span class="nv">$CLUSTER_NAME</span> <span class="c"># Create the karpenter namespace</span> kubectl create namespace karpenter <span class="o">||</span> <span class="nb">true</span> <span class="c"># Create the service account for Karpenter</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | kubectl apply -f - apiVersion: v1 kind: ServiceAccount metadata: name: karpenter namespace: karpenter annotations: eks.amazonaws.com/role-arn: </span><span class="nv">$KARPENTER_ROLE_ARN</span><span class="sh"> </span><span class="no">EOF </span><span class="c"># Install Karpenter using Helm</span> <span class="nb">export </span><span class="nv">KARPENTER_VERSION</span><span class="o">=</span><span class="s2">"0.16.3"</span> helm repo add karpenter https://charts.karpenter.sh/ <span class="o">||</span> <span class="nb">true </span>helm repo update helm upgrade <span class="nt">--install</span> karpenter karpenter/karpenter <span class="se">\</span> <span class="nt">--namespace</span> karpenter <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--version</span> <span class="k">${</span><span class="nv">KARPENTER_VERSION</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--set</span> serviceAccount.create<span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--set</span> serviceAccount.name<span class="o">=</span>karpenter <span class="se">\</span> <span class="nt">--set</span> <span class="nv">clusterName</span><span class="o">=</span><span class="k">${</span><span class="nv">CLUSTER_NAME</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--set</span> <span class="nv">clusterEndpoint</span><span class="o">=</span><span class="k">${</span><span class="nv">CLUSTER_ENDPOINT</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--set</span> aws.defaultInstanceProfile<span class="o">=</span><span class="k">${</span><span class="nv">NODE_INSTANCE_ROLE_NAME</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--set</span> controller.resources.requests.cpu<span class="o">=</span>500m <span class="se">\</span> <span class="nt">--set</span> controller.resources.requests.memory<span class="o">=</span>512Mi <span class="se">\</span> <span class="nt">--set</span> controller.resources.limits.cpu<span class="o">=</span>1 <span class="se">\</span> <span class="nt">--set</span> controller.resources.limits.memory<span class="o">=</span>1Gi <span class="se">\</span> <span class="nt">--set</span> <span class="nv">replicas</span><span class="o">=</span>1 <span class="se">\</span> <span class="nt">--wait</span> <span class="o">||</span> <span class="nb">true</span> <span class="c"># Wait for Karpenter to be ready</span> kubectl <span class="nb">wait</span> <span class="nt">--for</span><span class="o">=</span><span class="nv">condition</span><span class="o">=</span>available <span class="nt">--timeout</span><span class="o">=</span>300s deployment/karpenter <span class="nt">-n</span> karpenter <span class="o">||</span> <span class="nb">true</span> <span class="c"># Create EC2NodeClass</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | kubectl apply -f - apiVersion: karpenter.k8s.aws/v1alpha1 kind: AWSNodeTemplate metadata: name: default spec: amiFamily: AL2 instanceProfile: </span><span class="k">${</span><span class="nv">NODE_INSTANCE_ROLE_NAME</span><span class="k">}</span><span class="sh"> subnetSelector: karpenter.sh/discovery: </span><span class="k">${</span><span class="nv">CLUSTER_NAME</span><span class="k">}</span><span class="sh"> securityGroupSelector: karpenter.sh/discovery: </span><span class="k">${</span><span class="nv">CLUSTER_NAME</span><span class="k">}</span><span class="sh"> tags: karpenter.sh/discovery: </span><span class="k">${</span><span class="nv">CLUSTER_NAME</span><span class="k">}</span><span class="sh"> </span><span class="no">EOF </span><span class="c"># Create NodePool</span> kubectl apply <span class="nt">-f</span> kubernetes/karpenter/nodepool.yaml <span class="c"># Deploy test deployment (starts at 0 replicas)</span> kubectl apply <span class="nt">-f</span> kubernetes/karpenter/test-deployment.yaml <span class="nb">echo</span> <span class="s2">"Karpenter installation completed successfully!"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"To verify Karpenter is running:"</span> <span class="nb">echo</span> <span class="s2">"kubectl get pods -n karpenter"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"To view Karpenter logs:"</span> <span class="nb">echo</span> <span class="s2">"kubectl logs -f -n karpenter -l app.kubernetes.io/name=karpenter"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"To test autoscaling, run:"</span> <span class="nb">echo</span> <span class="s2">"./scripts/test_karpenter.sh"</span> </code></pre> </div> <p>The script also creates the Karpenter <code>AWSNodeTemplate</code> (which tells Karpenter how to configure EC2 instances) and applies the <code>Provisioner</code> configuration from <code>kubernetes/karpenter/nodepool.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">karpenter.sh/v1alpha5</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Provisioner</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">requirements</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">kubernetes.io/arch</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">amd64"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">kubernetes.io/os</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">linux"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">karpenter.sh/capacity-type</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">on-demand"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">karpenter.k8s.aws/instance-category</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">t"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">karpenter.k8s.aws/instance-generation</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">Gt</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">2"</span><span class="pi">]</span> <span class="na">providerRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">10</span> <span class="na">ttlSecondsAfterEmpty</span><span class="pi">:</span> <span class="m">30</span> <span class="na">ttlSecondsUntilExpired</span><span class="pi">:</span> <span class="m">2592000</span> <span class="c1"># 30 days</span> </code></pre> </div> <p>This Provisioner configuration:</p> <ul> <li>Only provisions <strong>amd64 Linux</strong> nodes</li> <li>Uses <strong>on-demand</strong> instances (you can add "spot" for cost savings)</li> <li>Restricts to <strong>t-family</strong> instances (t3, t3a, etc.) <strong>generation 3 or higher</strong> </li> <li>Sets a CPU limit of <strong>10 vCPUs</strong> total across all Karpenter-provisioned nodes</li> <li>Automatically deprovisions nodes <strong>30 seconds</strong> after they become empty</li> <li>Expires nodes after <strong>30 days</strong> for security patching</li> </ul> <p>Run the deployment script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x scripts/deploy_karpenter.sh ./scripts/deploy_karpenter.sh </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcf7hfg2egu71vp755ykc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcf7hfg2egu71vp755ykc.png" alt="Karpenter Deployment Script Output" width="800" height="486"></a></p> <p>Verify Karpenter is running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> karpenter </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4tnq709qo0oughiunyse.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4tnq709qo0oughiunyse.png" alt="Karpenter Pod Running" width="584" height="57"></a></p> <p>You will notice that we only have two nodes at the moment.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglae7y9wpurwytgriqxe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglae7y9wpurwytgriqxe.png" alt="Initial Node Count" width="775" height="86"></a></p> <h2> Deploy Applications To Trigger Scale Up Operation </h2> <p>Next, we will deploy a test workload to the cluster. The test deployment requests resources that our two small EC2 instances cannot fully accommodate. Karpenter will come to the rescue and provision an additional node to make our cluster healthy again.</p> <p>The test deployment <code>kubernetes/karpenter/test-deployment.yaml</code> looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">inflate</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">0</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">inflate</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">inflate</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">terminationGracePeriodSeconds</span><span class="pi">:</span> <span class="m">0</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">inflate</span> <span class="na">image</span><span class="pi">:</span> <span class="s">public.ecr.aws/eks-distro/kubernetes/pause:3.7</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.5Gi"</span> </code></pre> </div> <p>The script <code>scripts/test_karpenter.sh</code> scales this deployment from 0 to 5 replicas:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-euxo</span> pipefail <span class="nb">echo</span> <span class="s2">"Scaling up the inflate deployment to trigger Karpenter provisioning..."</span> <span class="c"># Scale up the deployment to trigger node provisioning</span> kubectl scale deployment inflate <span class="nt">--replicas</span><span class="o">=</span>5 <span class="nt">-n</span> default <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Deployment scaled to 5 replicas. Monitoring cluster events..."</span> </code></pre> </div> <p>Run the test script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x scripts/test_karpenter.sh ./scripts/test_karpenter.sh </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frtfgaesui1a9ig2riurf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frtfgaesui1a9ig2riurf.png" alt="test_karpenter output" width="657" height="161"></a></p> <p>Watch Karpenter logs to see it making provisioning decisions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-f</span> <span class="nt">-n</span> karpenter <span class="nt">-l</span> app.kubernetes.io/name<span class="o">=</span>karpenter <span class="nt">-c</span> controller </code></pre> </div> <p>You'll see logs like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>INFO controller.provisioner found provisionable pod(s) INFO controller.provisioner computed new node(s) to fit pod(s) INFO controller.provisioner created node with 1 pods requesting cpu=1000m, memory=1536Mi </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gfm9912kohhxnuabxgh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gfm9912kohhxnuabxgh.png" alt="Karpenter Scale up evidence" width="800" height="458"></a></p> <p>You will notice that Karpenter did its job and added an extra node to our cluster. The deployments were able to succeed.</p> <p><strong>Important Note:</strong> In the AWS EKS console, you'll see the new node listed as <strong>"Self-managed"</strong> under the Compute tab, while your original 2 nodes show as part of the <strong>"Managed Node Group"</strong>. This is expected! Karpenter provisions nodes as individual EC2 instances directly (not through node groups), which is why they appear as self-managed. You can verify these are Karpenter nodes by checking their labels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes <span class="nt">--show-labels</span> | <span class="nb">grep </span>karpenter </code></pre> </div> <p>You'll see labels like <code>karpenter.sh/capacity-type=on-demand</code>, <code>karpenter.k8s.aws/instance-category=t</code>, etc.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57cwiyszvojtac0e4gv2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57cwiyszvojtac0e4gv2.png" alt="nodes with labels" width="800" height="183"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyrnygn9x5s76jhouxo9v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyrnygn9x5s76jhouxo9v.png" alt="Annotations in console" width="800" height="553"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwivw2x8lo238ycpoxjoc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwivw2x8lo238ycpoxjoc.png" alt="AWS Console View After Scale-Up" width="800" height="614"></a></p> <p>If you check the events of your cluster, you will be able to find the scale up events.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58tadf689gkr8pmjd9c9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58tadf689gkr8pmjd9c9.png" alt="Scale up events" width="800" height="302"></a></p> <h2> Scale Down Operation </h2> <p>Now we will scale down the test deployment and watch to see if Karpenter automatically removes the node.</p> <p>The cleanup script <code>scripts/cleanup_karpenter_test.sh</code> scales the deployment back to 0:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-euxo</span> pipefail <span class="nb">echo</span> <span class="s2">"Scaling down the inflate deployment..."</span> <span class="c"># Scale down the deployment</span> kubectl scale deployment inflate <span class="nt">--replicas</span><span class="o">=</span>0 <span class="nt">-n</span> default <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Deployment scaled to 0 replicas."</span> <span class="nb">echo</span> <span class="s2">"Watch nodes with: kubectl get nodes -w"</span> <span class="nb">echo</span> <span class="s2">"Karpenter should remove the empty node in about 30 seconds (ttlSecondsAfterEmpty)"</span> </code></pre> </div> <p>Run the cleanup script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x scripts/cleanup_karpenter_test.sh ./scripts/cleanup_karpenter_test.sh </code></pre> </div> <p>Monitor the nodes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes <span class="nt">-w</span> </code></pre> </div> <p>After about 30 seconds (the <code>ttlSecondsAfterEmpty</code> setting in our Provisioner), Karpenter will:</p> <ol> <li>Cordon the empty node</li> <li>Drain any remaining system pods</li> <li>Terminate the EC2 instance</li> </ol> <p>You'll see this in the Karpenter logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>INFO controller.deprovisioning deprovisioning via emptiness delete INFO controller.deprovisioning cordoned node INFO controller.deprovisioning deleted node </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F27zf7vggr27v6sljoib8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F27zf7vggr27v6sljoib8.png" alt="Running ./scripts/delete_all.sh " width="800" height="601"></a></p> <p>Karpenter scales down the cluster back to two nodes much faster than Cluster Autoscaler (30-60 seconds vs 10+ minutes).</p> <h2> Understanding Karpenter's Advantages </h2> <p>Through this exercise, you've seen several advantages of Karpenter over Cluster Autoscaler:</p> <h3> Faster Provisioning </h3> <p>Karpenter provisions nodes in <strong>30-60 seconds</strong> because it launches instances directly rather than scaling Auto Scaling Groups.</p> <h3> No Pre-defined Node Groups </h3> <p>You don't need to define multiple node groups for different instance types. Karpenter chooses the best fit automatically based on pending pod requirements.</p> <h3> Better Bin Packing </h3> <p>Karpenter looks at all pending pods together and provisions nodes that maximize utilization.</p> <h3> Faster Scale Down </h3> <p>Karpenter can deprovision nodes in <strong>30-60 seconds</strong> vs 10+ minutes for Cluster Autoscaler.</p> <h3> Consolidation </h3> <p>Karpenter actively consolidates nodes to reduce costs, even moving pods to smaller instances when possible.</p> <h3> Spot Instance Support </h3> <p>Adding spot instances is as simple as adding <code>"spot"</code> to the <code>karpenter.sh/capacity-type</code> values in your Provisioner.</p> <h2> Comparison: Cluster Autoscaler vs Karpenter </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Cluster Autoscaler</th> <th>Karpenter</th> </tr> </thead> <tbody> <tr> <td><strong>Provisioning Time</strong></td> <td>2-5 minutes</td> <td>30-60 seconds</td> </tr> <tr> <td><strong>Node Management</strong></td> <td>Auto Scaling Groups / Managed Node Groups</td> <td>Individual EC2 instances (self-managed)</td> </tr> <tr> <td><strong>Instance Selection</strong></td> <td>Predefined in node group</td> <td>Dynamic based on pod requirements</td> </tr> <tr> <td><strong>Scale Down Time</strong></td> <td>10+ minutes</td> <td>30-60 seconds</td> </tr> <tr> <td><strong>Spot Support</strong></td> <td>Via ASG configuration</td> <td>Native, simple toggle</td> </tr> <tr> <td><strong>Bin Packing</strong></td> <td>Limited (per node group)</td> <td>Advanced (across all options)</td> </tr> <tr> <td><strong>Consolidation</strong></td> <td>No</td> <td>Yes (active rebalancing)</td> </tr> <tr> <td><strong>Configuration</strong></td> <td>Via ASG/node group settings</td> <td>Via Kubernetes CRDs</td> </tr> <tr> <td><strong>Console Display</strong></td> <td>Shows as "Managed Node Group"</td> <td>Shows as "Self-managed"</td> </tr> </tbody> </table></div> <p>The complete code used in this article can be found on <a href="https://github.com/Femi-lawal/demo-eks-cluster/tree/feature/karpenter" rel="noopener noreferrer">this branch of the repository</a></p> <h2> Troubleshooting Common Issues </h2> <h3> Issue: Nodes Stuck in NotReady State </h3> <p><strong>Symptom:</strong> Karpenter provisions a node, but it never becomes Ready. Kubelet never starts.</p> <p><strong>Cause:</strong> The node was likely launched in a public subnet without a public IP, preventing it from reaching the EKS API server.</p> <p><strong>Solution:</strong> Ensure only <strong>private subnets</strong> are tagged with <code>karpenter.sh/discovery</code>. Remove this tag from public subnets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">public_subnet_tags</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="c1"># DO NOT add karpenter.sh/discovery tag here</span> <span class="p">}</span> <span class="nx">private_subnet_tags</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="c1"># Only here</span> <span class="p">}</span> </code></pre> </div> <p>After fixing the tags, run <code>terraform apply</code>, then delete any stuck nodes and let Karpenter recreate them.</p> <h3> Issue: Capacity-Block Warnings in Logs </h3> <p><strong>Symptom:</strong> Karpenter logs show errors like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ERROR controller Reconciler error {"commit": "...", "reconciler": "capacity-block", ...} </code></pre> </div> <p><strong>Cause:</strong> This is a harmless warning in Karpenter v0.16.3. The controller tries to query newer GPU instance types (P5, P6, Trn2) that didn't exist when this version was released.</p> <p><strong>Impact:</strong> None - these warnings don't affect Karpenter's functionality for standard instance types.</p> <p><strong>Solution:</strong> Either ignore the warnings or filter them out:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> karpenter <span class="nt">-l</span> app.kubernetes.io/name<span class="o">=</span>karpenter <span class="nt">-f</span> | <span class="nb">grep</span> <span class="nt">-v</span> <span class="s2">"capacity-block"</span> </code></pre> </div> <p>To permanently suppress, you could upgrade to a newer Karpenter version, but test thoroughly as newer versions may introduce breaking changes.</p> <h3> Issue: Why Are My Nodes "Self-Managed" in AWS Console? </h3> <p><strong>Symptom:</strong> New nodes appear as "Self-managed" in the EKS console instead of being part of a managed node group.</p> <p><strong>Explanation:</strong> This is <strong>expected behavior</strong> for Karpenter. Unlike Cluster Autoscaler which scales existing node groups, Karpenter provisions individual EC2 instances directly using the AWS API. These appear as "self-managed" because they're not part of an EKS Managed Node Group or Auto Scaling Group.</p> <p><strong>Verification:</strong> Check that the nodes have Karpenter labels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes <span class="nt">--show-labels</span> | <span class="nb">grep </span>karpenter </code></pre> </div> <p>You should see labels like <code>karpenter.sh/capacity-type=on-demand</code>, <code>karpenter.k8s.aws/instance-category=t</code>, etc.</p> <p><strong>Reference:</strong> See <a href="https://karpenter.sh/docs/concepts/" rel="noopener noreferrer">Karpenter documentation</a> for architectural details.</p> <h2> Conclusion </h2> <p>Your EKS cluster now has a functioning Karpenter setup that is adept at provisioning node resources in response to workload changes. Karpenter provides faster scaling, smarter instance selection, and better cost optimization compared to traditional Cluster Autoscaler.</p> <p>Don't forget to clean up any resources you are not using, it can get quite expensive.</p> <p>To clean up Karpenter resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x scripts/delete_all.sh ./scripts/delete_all.sh </code></pre> </div> <p>If you want to destroy all infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvqlbahrn0h5bf69upq67.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvqlbahrn0h5bf69upq67.png" alt="Terraform destroy output" width="800" height="394"></a></p> <p><strong>Important:</strong> Karpenter-provisioned nodes should be cleaned up automatically when you delete the Provisioner, but you may want to verify in the AWS console that no orphaned instances remain.</p> <p>For more advanced configurations and best practices, refer to:</p> <ul> <li><a href="https://karpenter.sh/" rel="noopener noreferrer">Karpenter Documentation</a></li> <li><a href="https://aws.github.io/aws-eks-best-practices/karpenter/" rel="noopener noreferrer">AWS EKS Best Practices Guide - Karpenter</a></li> </ul> aws kubernetes terraform eks Oluwafemi Lawal Tue, 14 Jan 2025 01:34:17 +0000 https://dev.to/aws-builders/navigating-aws-eks-with-terraform-implementing-cluster-auoscaler-in-your-eks-cluster-p54 https://dev.to/aws-builders/navigating-aws-eks-with-terraform-implementing-cluster-auoscaler-in-your-eks-cluster-p54 <p>In this article, we will integrate Cluster Autoscaler, which will enable our cluster to adjust the number of nodes based on demand. We will need to make some adjustments to our EKS module.</p> <h2> Prerequisites </h2> <p>Ensure you have:</p> <ul> <li>An active AWS account</li> <li>Terraform installed and configured</li> <li>Helm installed</li> <li>kubectl</li> </ul> <h2> Setup Overview </h2> <h2> Prepare Your EKS Cluster </h2> <p>Ensure your EKS cluster is ready. If needed, <a href="https://dev.to/aws-builders/navigating-aws-eks-with-terraform-understanding-eks-cluster-configuration-2f6o">refer back to our guide on setting up an EKS cluster using Terraform</a></p> <h2> Modifications </h2> <p>To enhance flexibility and customization, we've introduced new variables that streamline the addition of role and user mappings to the Kubernetes aws-auth ConfigMap. Additionally, to support Cluster Autoscaler's auto-discovery feature, it is essential to include specific tags in the launch configuration. We have also incorporated a variable to manage the Kubernetes version for the EKS cluster, allowing for more controlled upgrades and maintenance.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"additional_role_mappings"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Additional role mappings for aws-auth ConfigMap"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">rolearn</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">username</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">groups</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[]</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"additional_user_mappings"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Additional user mappings for aws-auth ConfigMap"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">userarn</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">username</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">groups</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[]</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"eks_cluster_version"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The desired Kubernetes version for the EKS cluster"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"1.29"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"additional_launch_template_tags"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Additional tags to apply to the launch template"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <h2> Create IAM Role for Cluster Autoscaler </h2> <p>The autoscaler needs specific permissions to interact with EC2 instances and AWS services.<br> We will use recommended permissions from <a href="https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#full-cluster-autoscaler-features-policy-recommended" rel="noopener noreferrer">the documentation</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">############################################################################################################</span> <span class="c1">### AUTOSCALING</span> <span class="c1">############################################################################################################</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"cluster_autoscaler_assume_role_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">replace</span><span class="p">(</span><span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_url</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="k">}</span><span class="s2">:sub"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"system:serviceaccount:kube-system:cluster-autoscaler"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"</span><span class="k">${module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">oidc_provider_arn</span><span class="k">}</span><span class="s2">"</span><span class="p">]</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Federated"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># IAM Role for Cluster Autoscaler</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"cluster_autoscaler_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-cluster-autoscaler"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">cluster_autoscaler_assume_role_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="c1"># Custom policy for Cluster Autoscaler</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"cluster_autoscaler_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"autoscaling:DescribeAutoScalingGroups"</span><span class="p">,</span> <span class="s2">"autoscaling:DescribeAutoScalingInstances"</span><span class="p">,</span> <span class="s2">"autoscaling:DescribeLaunchConfigurations"</span><span class="p">,</span> <span class="s2">"autoscaling:DescribeScalingActivities"</span><span class="p">,</span> <span class="s2">"ec2:DescribeImages"</span><span class="p">,</span> <span class="s2">"ec2:DescribeInstanceTypes"</span><span class="p">,</span> <span class="s2">"ec2:DescribeLaunchTemplateVersions"</span><span class="p">,</span> <span class="s2">"ec2:GetInstanceTypesFromInstanceRequirements"</span><span class="p">,</span> <span class="s2">"eks:DescribeNodegroup"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"autoscaling:SetDesiredCapacity"</span><span class="p">,</span> <span class="s2">"autoscaling:TerminateInstanceInAutoScalingGroup"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"cluster_autoscaler_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-cluster-autoscaler-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">cluster_autoscaler_role</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">cluster_autoscaler_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> </code></pre> </div> <p>We can then pass the role mapping to the config map in the module, as well as the tags needed for auto-discovery<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/aws/eks/v1"</span> <span class="nx">region</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">demo_group</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"demo-node-group"</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3a.small"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">additional_role_mappings</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">rolearn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">cluster_autoscaler_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">"system:serviceaccount:kube-system:cluster-autoscaler"</span> <span class="nx">groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"system:masters"</span><span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">additional_launch_template_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"k8s.io/cluster-autoscaler/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"owned"</span> <span class="s2">"k8s.io/cluster-autoscaler/enabled"</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We can then apply our changes with terraform<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform apply </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F39q6pnb1082dto674xkf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F39q6pnb1082dto674xkf.png" alt="Successful terraform apply" width="800" height="251"></a></p> <p>We can confirm our cluster is up and running in the AWS console.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxnzcg5v0pua2w7dj3d60.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxnzcg5v0pua2w7dj3d60.png" alt="Cluster in AWS" width="800" height="242"></a></p> <h2> Install Cluster Autoscaler using Helm </h2> <p>We have created the role mapping that the cluster-autoscaler service account will use, but we still need to create the actual service account, the manifest to create that will look like this<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-autoscaler</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">eks.amazonaws.com/role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::&lt;ACCOUNT_ID&gt;:role/&lt;IAM_ROLE_NAME&gt;"</span> </code></pre> </div> <p>For simplicity (or just because I'm lazy), I have created four scripts to help with the rest of the article. They make use of terraform outputs to avoid me having to put placeholders or keep track of which command I have to run first.</p> <p>An explanation of what is happening is that our kubectl context is updated to that of the cluster, the service account for cluster autoscaler is created, and cluster autoscaler is deployed using helm.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-euxo</span> pipefail <span class="c"># Retrieve Terraform outputs</span> <span class="nv">REGION</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> aws_region<span class="si">)</span> <span class="nv">CLUSTER_NAME</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> cluster_name<span class="si">)</span> <span class="nv">CLUSTER_AUTOSCALER_ROLE_ARN</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> cluster_autoscaler_role_arn<span class="si">)</span> <span class="c"># Update kubeconfig</span> aws eks update-kubeconfig <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="nt">--name</span> <span class="nv">$CLUSTER_NAME</span> <span class="c"># Create the service account for cluster autoscaler</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | kubectl apply -f - apiVersion: v1 kind: ServiceAccount metadata: name: cluster-autoscaler namespace: kube-system annotations: eks.amazonaws.com/role-arn: </span><span class="nv">$CLUSTER_AUTOSCALER_ROLE_ARN</span><span class="sh"> </span><span class="no">EOF </span><span class="c"># Deploy the cluster autoscaler Helm chart</span> helm repo add autoscaler https://kubernetes.github.io/autoscaler <span class="o">||</span> <span class="nb">true </span>helm repo update helm upgrade <span class="nt">--install</span> cluster-autoscaler autoscaler/cluster-autoscaler <span class="se">\</span> <span class="nt">--namespace</span> kube-system <span class="se">\</span> <span class="nt">--set</span> autoDiscovery.clusterName<span class="o">=</span><span class="nv">$CLUSTER_NAME</span> <span class="se">\</span> <span class="nt">--set</span> rbac.serviceAccount.create<span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--set</span> rbac.serviceAccount.name<span class="o">=</span>cluster-autoscaler <span class="se">\</span> <span class="nt">--set</span> <span class="nv">awsRegion</span><span class="o">=</span><span class="nv">$REGION</span> <span class="se">\</span> <span class="nt">--set</span> extraArgs.balance-similar-node-groups<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> extraArgs.skip-nodes-with-system-pods<span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--set</span> extraArgs.expander<span class="o">=</span>least-waste <span class="o">||</span> <span class="nb">true</span> </code></pre> </div> <p>I also deployed kubernetes dashboard just so we can have an application with a user interface we can interact with running on the cluster, and to confirm what we are seeing on the AWS dashboard regarding our cluster. This where the kube proxy add on comes in handy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Deploy the Kubernetes Dashboard</span> kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/kubernetes/dashboard/v2.5.1/aio/deploy/recommended.yaml <span class="o">||</span> <span class="nb">true</span> <span class="c"># Create the admin-user service account and cluster role binding</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | kubectl apply -f - apiVersion: v1 kind: ServiceAccount metadata: name: admin-user namespace: kubernetes-dashboard --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: admin-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: admin-user namespace: kubernetes-dashboard </span><span class="no">EOF </span><span class="c"># Get the token for the admin-user</span> kubectl <span class="nt">-n</span> kubernetes-dashboard create token admin-user <span class="o">||</span> <span class="nb">true</span> <span class="c"># Print the Kubernetes Dashboard URL</span> <span class="nb">echo</span> <span class="s2">"Kubernetes Dashboard URL: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/"</span> <span class="c"># Start a kubectl proxy to access the Kubernetes Dashboard</span> kubectl proxy <span class="nt">--port</span><span class="o">=</span>8001 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpq5tbs080pmcwbadb36j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpq5tbs080pmcwbadb36j.png" alt="Token and link" width="800" height="131"></a></p> <p>We can see the token and a link to view the dashboard via kube proxy</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61uyqfvoleyqiw4wc63k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61uyqfvoleyqiw4wc63k.png" alt="kubernetes Dashboard login" width="800" height="244"></a></p> <p>You can follow the link in the command and enter the token to access the dashboard and keep track of events. You will notice that we only have two nodes at the moment.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbtoko39ysn2wzsx3jkph.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbtoko39ysn2wzsx3jkph.png" alt="Kubernetes Dashboard Nodes" width="800" height="350"></a></p> <p>This matches what we see in the AWS console.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3facbjf3hsfh24strpwy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3facbjf3hsfh24strpwy.png" alt="AWS Console Nodes" width="800" height="276"></a></p> <h2> Deploy Applications To Trigger Scale Up Operation </h2> <p>Next, we will deploy Prometheus and Grafana to the cluster, but because of how little CPU and Memory the EC2 type we selected has, the deployments will fail to reach a healthy state. Cluster autoscale will come to the rescue and deploy an additional node to make our cluster healthy again.</p> <p>I am also using a script to accomplish the deployments with helm<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-euxo</span> pipefail <span class="c"># Deploy the metrics server Helm chart</span> helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server <span class="o">||</span> <span class="nb">true </span>helm repo update helm upgrade <span class="nt">--install</span> metrics-server metrics-server/metrics-server <span class="se">\</span> <span class="nt">--namespace</span> kube-system <span class="se">\</span> <span class="nt">--set</span> args[0]<span class="o">=</span><span class="s2">"--kubelet-insecure-tls"</span> <span class="se">\</span> <span class="nt">--set</span> args[1]<span class="o">=</span><span class="s2">"--kubelet-preferred-address-types=InternalIP"</span> <span class="o">||</span> <span class="nb">true</span> <span class="c"># Deploy Prometheus and Grafana using the kube-prometheus-stack Helm chart</span> helm repo add prometheus-community https://prometheus-community.github.io/helm-charts <span class="o">||</span> <span class="nb">true </span>helm repo add grafana https://grafana.github.io/helm-charts <span class="o">||</span> <span class="nb">true </span>helm repo update helm upgrade <span class="nt">--install</span> prometheus prometheus-community/kube-prometheus-stack <span class="se">\</span> <span class="nt">--namespace</span> monitoring <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--set</span> grafana.enabled<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> grafana.adminPassword<span class="o">=</span><span class="s1">'admin'</span> <span class="se">\</span> <span class="nt">--set</span> prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues<span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--set</span> defaultRules.create<span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> alertmanager.enabled<span class="o">=</span><span class="nb">false</span> <span class="o">||</span> <span class="nb">true</span> <span class="c"># Ensure Prometheus is scraping metrics from the cluster autoscaler and metrics server</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | kubectl apply -f - apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: cluster-autoscaler namespace: kube-system labels: release: prometheus spec: selector: matchLabels: app: cluster-autoscaler endpoints: - port: http interval: 30s </span><span class="no">EOF </span><span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | kubectl apply -f - apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: metrics-server namespace: kube-system labels: release: prometheus spec: selector: matchLabels: k8s-app: metrics-server endpoints: - port: https interval: 30s tlsConfig: insecureSkipVerify: true </span><span class="no">EOF </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3cup83w57qvj2yubh2jt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3cup83w57qvj2yubh2jt.png" alt="Command Result" width="800" height="330"></a></p> <p>You will notice that cluster autoscaler did it's job and added an extra node to our cluster, the deployments were able to succeed after their initial failure</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftt4k7mpec0tdw0n0g3em.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftt4k7mpec0tdw0n0g3em.png" alt="AWS Console View" width="800" height="322"></a></p> <p>If you check the events of your cluster, you will be able to find the scale up events.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgwesq65md6umq1dt83y9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgwesq65md6umq1dt83y9.png" alt="Scale Up Event" width="800" height="384"></a></p> <h2> Scale Down Operation </h2> <p>Now we will delete the Prometheus and Grafana applications and watch to see if cluster autoscaler scales down the cluster.<br> Once again I am using a script for the deletes<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-euxo</span> pipefail <span class="c"># Delete the metrics server Helm release</span> helm uninstall metrics-server <span class="nt">--namespace</span> kube-system <span class="o">||</span> <span class="nb">true</span> <span class="c"># Delete Prometheus and Grafana Helm release</span> helm uninstall prometheus <span class="nt">--namespace</span> monitoring <span class="o">||</span> <span class="nb">true</span> <span class="c"># Delete the ServiceMonitor for cluster autoscaler</span> kubectl delete servicemonitor cluster-autoscaler <span class="nt">--namespace</span> kube-system <span class="nt">--ignore-not-found</span><span class="o">=</span><span class="nb">true</span> <span class="c"># Delete the ServiceMonitor for metrics server</span> kubectl delete servicemonitor metrics-server <span class="nt">--namespace</span> kube-system <span class="nt">--ignore-not-found</span><span class="o">=</span><span class="nb">true</span> <span class="c"># Delete the monitoring namespace</span> kubectl delete namespace monitoring <span class="nt">--ignore-not-found</span><span class="o">=</span><span class="nb">true</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fit2mnr4s9s468g7srsg1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fit2mnr4s9s468g7srsg1.png" alt="Command Result" width="800" height="114"></a></p> <p>Cluster Autoscaler might scale down our cluster back to two Nodes immediately, or it might modify our desired number of nodes in our node group to require three nodes because of how weak the EC2 instance types we selected are, which is what happened in this case.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs08bf8mi3mi7gzy7fq0y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs08bf8mi3mi7gzy7fq0y.png" alt="AWS Console" width="800" height="317"></a></p> <p>After some minutes of no new activity, cluster autoscaler scales down the cluster back to two Nodes.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4raedhno2c52ddzj1s5z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4raedhno2c52ddzj1s5z.png" alt="Scale Down Event" width="800" height="269"></a></p> <p>It also changes the desired size of our node group back to two nodes.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F792ovgtq5isy1siljdxc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F792ovgtq5isy1siljdxc.png" alt="AWS Console View" width="800" height="277"></a></p> <p>The complete code used in this article can be found on <a href="https://github.com/Femi-lawal/demo-eks-cluster/tree/feature/cluster-autoscaler" rel="noopener noreferrer">this branch of the repository</a></p> <h2> Conclusion </h2> <p>Your EKS cluster now has a functioning Cluster Autoscaler that is adept at scaling node resources in response to workload changes.<br> Don't forget to clean up any resources you are not using, it can get quite expensive.</p> <ul> <li>For advanced configurations and best practices, refer to the <a href="https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md" rel="noopener noreferrer">Cluster Autoscaler documentation on AWS</a>.</li> </ul> eks aws kubernetes terraform Oluwafemi Lawal Tue, 12 Mar 2024 22:03:15 +0000 https://dev.to/aws-builders/navigating-aws-eks-with-terraform-understanding-eks-cluster-configuration-2f6o https://dev.to/aws-builders/navigating-aws-eks-with-terraform-understanding-eks-cluster-configuration-2f6o <p>In our journey through the AWS EKS ecosystem, we have laid a solid foundation with VPC networking and security groups. Now we will discuss the Terraform resources required to implement a working cluster.</p> <p>The entire project will look like this by the end:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">.</span> ├── eks.tf ├── modules │ └── aws │ ├── eks │ │ ├── main.tf │ │ ├── outputs.tf │ │ ├── versions.tf │ │ └── variables.tf │ └── vpc │ ├── main.tf │ ├── outputs.tf │ ├── versions.tf │ └── variables.tf ├── versions.tf ├── variables.tf └── vpc.tf </code></pre> </div> <h2> Cluster Resource </h2> <p>The Terraform configuration creates an Amazon EKS cluster with enhanced security and logging features:</p> <ul> <li> <p><strong>Cluster Configuration</strong>: </p> <ul> <li> <code>name</code>: Sets the cluster's name to a variable, allowing for customizable deployments.</li> <li> <code>role_arn</code>: Specifies the IAM role that EKS will assume to create AWS resources for the cluster.</li> <li> <code>enabled_cluster_log_types</code>: Enables logging for audit, API, and authenticator logs, enhancing security and compliance.</li> </ul> </li> <li> <p><strong>VPC Configuration</strong>: </p> <ul> <li>Integrates the cluster with specified private and public subnets, allowing workloads to be placed accordingly for both security and accessibility.</li> <li>Associates the cluster with a specific security group to control inbound and outbound traffic.</li> </ul> </li> <li> <p><strong>Encryption Configuration</strong>: </p> <ul> <li>Utilizes a KMS key for encrypting Kubernetes secrets, safeguarding sensitive information.</li> <li>Specifies that the encryption applies to Kubernetes <code>secrets</code>, ensuring that secret data stored in the cluster is encrypted at rest.</li> </ul> </li> <li> <p><strong>Dependencies</strong>: </p> <ul> <li>Ensures the cluster is created after the necessary IAM role and policy attachments are in place, maintaining the deployment order and security posture.</li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1"># Fetch current AWS account details</span> <span class="k">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="c1">############################################################################################################</span> <span class="c1">### EKS CLUSTER</span> <span class="c1">############################################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_eks_cluster"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_cluster_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">enabled_cluster_log_types</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">enabled_cluster_log_types</span> <span class="nx">vpc_config</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">)</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_cluster_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">endpoint_public_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">encryption_config</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">{</span> <span class="nx">key_arn</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">eks_encryption</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"secrets"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">eks_cluster_policy</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>The Kubernetes provider configuration is necessary for Terraform to interact with your Amazon EKS cluster's Kubernetes API</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">data</span> <span class="s2">"aws_eks_cluster_auth"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">endpoint</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">certificate_authority</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="k">data</span><span class="p">)</span> <span class="nx">token</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_eks_cluster_auth</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">token</span> <span class="p">}</span> </code></pre> </div> <h2> <strong>OIDC for EKS: Secure Access Management</strong> </h2> <p>Integrating OIDC with your EKS cluster enhances security by facilitating identity federation between AWS and Kubernetes. This configuration allows for secure role-based access control, which is crucial for managing access to your cluster.</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1">############################################################################################################</span> <span class="c1">### OIDC CONFIGURATION</span> <span class="c1">############################################################################################################</span> <span class="k">data</span> <span class="s2">"tls_certificate"</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span><span class="k">data</span><span class="p">.</span><span class="nx">tls_certificate</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">certificates</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">sha1_fingerprint</span><span class="p">]</span> <span class="nx">url</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmucmpv35cji1jnmsgo3t.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmucmpv35cji1jnmsgo3t.png" alt="EKS Cluster on AWS"></a></p> <h2> Secrets Encryption </h2> <p>In the EKS cluster resource above, this KMS key is referenced. It is needed to encrypt Kubernetes secrets in the cluster. </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1">############################################################################################################</span> <span class="c1">### KMS KEY</span> <span class="c1">############################################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_kms_key"</span> <span class="s2">"eks_encryption"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"KMS key for EKS cluster encryption"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">kms_key_policy</span><span class="p">.</span><span class="nx">json</span> <span class="nx">enable_key_rotation</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1"># alias</span> <span class="k">resource</span> <span class="s2">"aws_kms_alias"</span> <span class="s2">"eks_encryption"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alias/eks/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="nx">target_key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">eks_encryption</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"kms_key_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">sid</span> <span class="p">=</span> <span class="s2">"Key Administrators"</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"kms:Create*"</span><span class="p">,</span> <span class="s2">"kms:Describe*"</span><span class="p">,</span> <span class="s2">"kms:Enable*"</span><span class="p">,</span> <span class="s2">"kms:List*"</span><span class="p">,</span> <span class="s2">"kms:Put*"</span><span class="p">,</span> <span class="s2">"kms:Update*"</span><span class="p">,</span> <span class="s2">"kms:Revoke*"</span><span class="p">,</span> <span class="s2">"kms:Disable*"</span><span class="p">,</span> <span class="s2">"kms:Get*"</span><span class="p">,</span> <span class="s2">"kms:Delete*"</span><span class="p">,</span> <span class="s2">"kms:ScheduleKeyDeletion"</span><span class="p">,</span> <span class="s2">"kms:CancelKeyDeletion"</span><span class="p">,</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span><span class="p">,</span> <span class="s2">"kms:Encrypt"</span><span class="p">,</span> <span class="s2">"kms:ReEncrypt*"</span><span class="p">,</span> <span class="s2">"kms:GenerateDataKey*"</span><span class="p">,</span> <span class="s2">"kms:TagResource"</span> <span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:iam::</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">:root"</span><span class="p">,</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">arn</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"kms:Encrypt"</span><span class="p">,</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:ReEncrypt*"</span><span class="p">,</span> <span class="s2">"kms:GenerateDataKey*"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span> <span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eks.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"cluster_encryption"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-encryption-policy"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"IAM policy for EKS cluster encryption"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">cluster_encryption</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"cluster_encryption"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"kms:Encrypt"</span><span class="p">,</span> <span class="s2">"kms:Decrypt"</span><span class="p">,</span> <span class="s2">"kms:ListGrants"</span><span class="p">,</span> <span class="s2">"kms:DescribeKey"</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">eks_encryption</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Granting the EKS Cluster role the ability to use the KMS key</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"cluster_encryption"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">cluster_encryption</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_cluster_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz0xcg7jfo9asb9qkpe9p.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz0xcg7jfo9asb9qkpe9p.png" alt="KMS Encryption of Cluster"></a></p> <h2> Node Groups: Scaling and Optimization with Amazon EKS </h2> <p>Node Groups in Amazon EKS allow the management of EC2 instances as Kubernetes nodes. These are critical for running your applications and can be customized to suit specific workload needs through AWS Managed Node Groups, Self-Managed Node Groups, and AWS Fargate.</p> <h3> AWS Managed Node Groups </h3> <p>Managed Node Groups simplify node management by automating provisioning, lifecycle management, and scaling. They offer:</p> <ul> <li> <strong>Automated Updates</strong>: Automatic application of security patches and OS updates.</li> <li> <strong>Customization</strong>: Via Launch Templates for AMIs, instance types, etc.</li> <li> <strong>Scalability</strong>: Directly adjustable scaling configurations, Kubernetes labels, and AWS tags.</li> </ul> <h3> Self-Managed Node Groups </h3> <p>Offering full control over configuration, Self-Managed Node Groups require manual scaling and updates but allow for:</p> <ul> <li> <strong>Custom AMIs</strong>: For specific compliance or policy requirements.</li> <li> <strong>Manual Management</strong>: Users handle software and OS updates, leveraging AWS CloudFormation for operations.</li> </ul> <h3> Serverless Option: AWS Fargate with Amazon EKS </h3> <p>AWS Fargate abstracts server management, allowing specifications for CPU and RAM without considering instance types. This offers a simplified, serverless option for running containers in EKS.</p> <h3> Comparison Table </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Criteria</th> <th>Managed Node Groups</th> <th>Self-Managed Nodes</th> <th>AWS Fargate</th> </tr> </thead> <tbody> <tr> <td>Deployment to AWS Outposts</td> <td>No</td> <td>Yes</td> <td>No</td> </tr> <tr> <td>Windows Container Support</td> <td>Yes</td> <td>Yes (but with at least one compulsory Linux node)</td> <td>No</td> </tr> <tr> <td>Linux Container Support</td> <td>Yes</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>GPU Workloads</td> <td>Yes (Amazon Linux)</td> <td>Yes (Amazon Linux)</td> <td>No</td> </tr> <tr> <td>Custom AMI Deployment</td> <td>Yes (via Launch Template)</td> <td>Yes</td> <td>No</td> </tr> <tr> <td>Operating System Maintenance</td> <td>Automated by AWS</td> <td>Manual</td> <td>N/A</td> </tr> <tr> <td>SSH Access</td> <td>Yes</td> <td>Yes</td> <td>No (No node OS)</td> </tr> <tr> <td>Kubernetes DaemonSets</td> <td>Yes</td> <td>Yes</td> <td>No</td> </tr> <tr> <td>Pricing</td> <td>EC2 instance cost</td> <td>EC2 instance cost</td> <td>Fargate pricing per Pod</td> </tr> <tr> <td>Update Node AMI</td> <td>Automated notification &amp; one-click update in EKS console for EKS AMI; manual for custom AMI</td> <td>Can not be done from EKS console. Manual process using external tools</td> <td>N/A</td> </tr> <tr> <td>Update Node Kubernetes Version</td> <td>Automated notification &amp; one-click update in EKS console for EKS AMI; manual for custom AMI</td> <td>Can not be done from EKS console. Manual process using external tools</td> <td>N/A</td> </tr> <tr> <td>Use Amazon EBS with Pods</td> <td>Yes</td> <td>Yes</td> <td>No</td> </tr> <tr> <td>Use Amazon EFS with Pods</td> <td>Yes</td> <td>Yes</td> <td>Yes</td> </tr> <tr> <td>Use Amazon FSx for Lustre with Pods</td> <td>Yes</td> <td>Yes</td> <td>No</td> </tr> </tbody> </table></div> <p>AWS Fargate for EKS provides a higher level of abstraction, managing more server aspects for you. It eliminates the need to select instance types, focusing solely on the required CPU and RAM for your workloads.</p> <h3> Our Managed Node Groups Configuration </h3> <p>For our EKS module, we will use the managed node group Terraform resource.<br> Our terraform resources below creates a series of node groups for an EKS cluster, where each group's configuration is based on user-defined variables. These node groups are essential for running your Kubernetes workloads on AWS, providing the compute capacity as EC2 instances.</p> <ul> <li>Specifies the EKS cluster to which these node groups belong.</li> <li>Defines the size (min, max, desired) of each node group, allowing for scalability.</li> <li>Associates a launch template to dictate the configuration of EC2 instances within the node group.</li> <li>Allows selection of instance types, AMI types, and capacity types (e.g., On-Demand or Spot Instances) for flexibility and cost optimization.</li> <li>Includes a mechanism to force updates to node groups when the launch template changes.</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1">############################################################################################################</span> <span class="c1">### MANAGED NODE GROUPS</span> <span class="c1">############################################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_eks_node_group"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">managed_node_groups</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">node_group_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span> <span class="nx">node_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">scaling_config</span> <span class="p">{</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">desired_size</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">max_size</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">min_size</span> <span class="p">}</span> <span class="nx">launch_template</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">aws_launch_template</span><span class="p">.</span><span class="nx">eks_node_group</span><span class="p">.</span><span class="nx">id</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"</span><span class="err">$</span><span class="s2">Default"</span> <span class="p">}</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">instance_types</span> <span class="nx">ami_type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">default_ami_type</span> <span class="nx">capacity_type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">default_capacity_type</span> <span class="nx">force_update_version</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7qnep1cn7msg57f0r6me.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7qnep1cn7msg57f0r6me.png" alt="EKS Node Group in Cluster"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7zenbdhrwtqldd05t0q2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7zenbdhrwtqldd05t0q2.png" alt="EKS Node group"></a></p> <h3> Launch Template </h3> <p>This defines a blueprint for the EC2 instances that will be launched as part of the node groups. This template encapsulates various settings and configurations for the instances.</p> <ul> <li>Configures instance networking, including security groups for controlling access to/from the instances.</li> <li>Sets instance metadata options to enhance security, like enforcing IMDSv2 for metadata access.</li> <li>Details the block device mappings for instance storage, including the root EBS volume size, type, and deletion policy.</li> <li>Automatically tags instances for easier management, cost tracking, and integration with Kubernetes.</li> <li>Ensures that the launch template is created with a lifecycle policy that avoids conflicts and dangling resources.</li> </ul> <p>This combined setup allows for automated management of the underlying infrastructure for Kubernetes workloads, leveraging EKS-managed node groups and EC2 launch templates for fine-grained control over instance properties and scaling behaviours.</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1">############################################################################################################</span> <span class="c1">### LAUNCH TEMPLATE</span> <span class="c1">############################################################################################################ </span> <span class="k">resource</span> <span class="s2">"aws_launch_template"</span> <span class="s2">"eks_node_group"</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-node-group-lt"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Launch template for </span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2"> EKS node group"</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_nodes_sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">metadata_options</span> <span class="p">{</span> <span class="nx">http_endpoint</span> <span class="p">=</span> <span class="s2">"enabled"</span> <span class="nx">http_tokens</span> <span class="p">=</span> <span class="s2">"required"</span> <span class="nx">http_put_response_hop_limit</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">instance_metadata_tags</span> <span class="p">=</span> <span class="s2">"enabled"</span> <span class="p">}</span> <span class="nx">block_device_mappings</span> <span class="p">{</span> <span class="nx">device_name</span> <span class="p">=</span> <span class="s2">"/dev/xvda"</span> <span class="c1"># Adjusted to the common root device name for Linux AMIs</span> <span class="nx">ebs</span> <span class="p">{</span> <span class="nx">volume_size</span> <span class="p">=</span> <span class="mi">20</span> <span class="c1"># Disk size specified here</span> <span class="nx">volume_type</span> <span class="p">=</span> <span class="s2">"gp3"</span> <span class="c1"># Example volume type, adjust as necessary</span> <span class="nx">delete_on_termination</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"Name"</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-node-group"</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"owned"</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx3lxv4ypmabna5bbybw8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx3lxv4ypmabna5bbybw8.png" alt="Launch Template"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3p6hqi535gmi35mxlo2o.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3p6hqi535gmi35mxlo2o.png" alt="Tags for an instance in the managed node group"></a></p> <h2> <strong>EKS Add-ons: Enhancing Cluster Capabilities</strong> </h2> <p>With the <code>aws_eks_addon</code> resource we can pass a list of addons to install. The defaults for this project will be vpc-cni, kube-proxy, coredns and aws-ebs-csi-driver</p> <h3> EKS Add-ons Explanation </h3> <ul> <li><p><strong>vpc-cni</strong>: The Amazon VPC CNI (Container Network Interface) plugin allows Kubernetes pods to have the same IP address inside the pod as they do on the VPC network. This plugin is responsible for providing high-performance networking for Amazon EKS clusters, enabling native VPC networking for Kubernetes pods.</p></li> <li><p><strong>kube-proxy</strong>: Manages network rules on each node. This allows network communication to your pods from network sessions inside or outside of your cluster. It makes sure that each node has the latest network rules for communicating with other nodes in the cluster.</p></li> <li><p><strong>coredns</strong>: A flexible, extensible DNS server that can serve as the Kubernetes cluster DNS. It translates human-readable hostnames like <code>www.example.com</code> into IP addresses. CoreDNS is used for service discovery within the cluster, allowing pods to find each other and services to scale up and down.</p></li> <li><p><strong>aws-ebs-csi-driver</strong>: The Amazon EBS CSI (Container Storage Interface) Driver provides a way to configure and manage Amazon EBS volumes. It allows you to use Amazon EBS volume as persistent storage for stateful applications in EKS. This driver supports dynamic provisioning, snapshots, and resizing of volumes.</p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1">############################################################################################################</span> <span class="c1"># PLUGINS</span> <span class="c1">############################################################################################################</span> <span class="k">data</span> <span class="s2">"aws_eks_addon_version"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_addons</span><span class="p">)</span> <span class="nx">addon_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">kubernetes_version</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">version</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_eks_addon"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_addons</span><span class="p">)</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">name</span> <span class="nx">addon_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_eks_addon_version</span><span class="p">.</span><span class="nx">main</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">version</span> <span class="nx">resolve_conflicts_on_create</span> <span class="p">=</span> <span class="s2">"OVERWRITE"</span> <span class="nx">resolve_conflicts_on_update</span> <span class="p">=</span> <span class="s2">"OVERWRITE"</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_eks_node_group</span><span class="p">.</span><span class="nx">main</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1r24p8ygsc9x8dgkh4x1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1r24p8ygsc9x8dgkh4x1.png" alt="EKS Addons"></a></p> <h2> <strong>IAM Roles and Policies: Securing EKS</strong> </h2> <h3> IAM Roles for EKS </h3> <p>Securing your EKS clusters involves creating and associating specific IAM roles and policies, ensuring least privilege access to AWS resources. This step is fundamental in protecting your cluster's interactions with other AWS services.</p> <ul> <li> <p><strong>EKS Cluster Role and Policies</strong>:</p> <ul> <li>A role (<code>eks_cluster_role</code>) is created for the EKS cluster to interact with other AWS services.</li> <li>The role trusts the <code>eks.amazonaws.com</code> service to assume the role.</li> <li>Attached policies: <ul> <li> <strong>CloudWatchFullAccess</strong>: Grants full access to CloudWatch, allowing the cluster to log and monitor.</li> <li> <strong>AmazonEKSClusterPolicy</strong>: Provides permissions that Amazon EKS requires to manage clusters.</li> <li> <strong>AmazonEKSVPCResourceController</strong>: Allows the cluster to manage VPC resources for the cluster.</li> </ul> </li> </ul> </li> <li> <p><strong>Node Group Role and Policies</strong>:</p> <ul> <li>An instance profile (<code>eks_node</code>) is created for EKS node groups, associating them with a role (<code>node_role</code>) that nodes assume for AWS service interaction.</li> <li>The role trusts the <code>ec2.amazonaws.com</code> service to assume the role.</li> <li>Attached policies: <ul> <li> <strong>AmazonEKSWorkerNodePolicy</strong>: Grants nodes in the node group the permissions required to operate within an EKS cluster.</li> <li> <strong>AmazonEKS_CNI_Policy</strong>: Allows nodes to manage network resources, which is necessary for the Amazon VPC CNI plugin to operate.</li> <li> <strong>AmazonEBSCSIDriverPolicy</strong>: Allows nodes to manage EBS volumes, enabling dynamic volume provisioning.</li> <li> <strong>AmazonEC2ContainerRegistryReadOnly</strong>: Provides read-only access to AWS Container Registry, allowing nodes to pull container images.</li> </ul> </li> </ul> </li> <li> <p><strong>VPC CNI Plugin Role</strong>:</p> <ul> <li>A specific role (<code>vpc_cni_role</code>) is created for the VPC CNI plugin to operate within the EKS cluster.</li> <li>The role trusts federated access via the cluster's OIDC provider, specifically for the <code>aws-node</code> Kubernetes service account within the <code>kube-system</code> namespace.</li> <li>Attached policy: <ul> <li> <strong>AmazonEKS_CNI_Policy</strong>: Grants the necessary permissions for the VPC CNI plugin to manage AWS network resources.</li> </ul> </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1">############################################################################################################</span> <span class="c1">### IAM ROLES</span> <span class="c1">############################################################################################################</span> <span class="c1"># EKS Cluster role</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"eks_cluster_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-cluster-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">eks_assume_role_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"eks_assume_role_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eks.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># EKS Cluster Policies</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_cloudwatch_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/CloudWatchFullAccess"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_cluster_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_cluster_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_cluster_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_vpc_resource_controller_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_cluster_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1"># Managed Node Group role</span> <span class="k">resource</span> <span class="s2">"aws_iam_instance_profile"</span> <span class="s2">"eks_node"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-node-role"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"node_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-node-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">assume_role_policy</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"assume_role_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sts:AssumeRole"</span> <span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Service"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ec2.amazonaws.com"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Node Group Policies</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_worker_node_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_cni_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_ebs_csi_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_registry_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"</span> <span class="p">}</span> <span class="c1"># VPC CNI Plugin Role</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"vpc_cni_assume_role_policy"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">]</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">replace</span><span class="p">(</span><span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="k">}</span><span class="s2">:sub"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"system:serviceaccount:kube-system:aws-node"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Federated"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"vpc_cni_role"</span> <span class="p">{</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">vpc_cni_assume_role_policy</span><span class="p">.</span><span class="nx">json</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-vpc-cni-role"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"vpc_cni_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">vpc_cni_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu3ig95gf29c42d5guqkm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu3ig95gf29c42d5guqkm.png" alt="Roles in AWS"></a></p> <h2> Cluster Access and Role Based Access Control </h2> <p>When an Amazon EKS cluster is created, the AWS identity (user or role) that creates the cluster is automatically granted <code>system:masters</code> permissions, providing full administrative access to the cluster. This ensures immediate operational control without additional configuration steps.</p> <p>However, in collaborative environments or larger organizations, more than one individual or service may need administrative access to manage the cluster effectively. To extend administrative privileges securely, additional IAM roles can be created and configured with permissions similar to the cluster creator.</p> <p>This Terraform configuration defines an IAM role (<code>aws_iam_role.eks_admins_role</code>) designed for EKS Administrators, granting them similar administrative capabilities over the EKS cluster. It uses an IAM policy document (<code>data.aws_iam_policy_document.eks_admins_assume_role_policy_doc</code>) to specify that the role can be assumed by specified AWS principals. This approach adheres to the principle of least privilege, allowing for controlled access to the EKS cluster based on organizational requirements.</p> <p>It's best to also add the node role with the username <code>system:node:{{EC2PrivateDNSName}}</code> in groups <code>"system:bootstrappers", "system:nodes"</code>, though it is actually added to the ConfigMap automatically, it will get removed by your next <code>terraform apply</code> command if not defined explicitly.</p> <p>Lastly, the <code>kubernetes_config_map.aws_auth</code> resource updates the <code>aws-auth</code> ConfigMap in the EKS cluster. This action registers the role with the cluster, mapping it to <code>system:masters</code>, thus granting it administrative access similar to the cluster creator. This setup ensures that designated administrators can manage the cluster without using the credentials of the original creator, enhancing security and operational flexibility.</p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="c1">############################################################################################################</span> <span class="c1">### CLUSTER ROLE BASE ACCESS CONTROL</span> <span class="c1">############################################################################################################</span> <span class="c1"># Define IAM Role for EKS Administrators</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"eks_admins_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-admins-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">eks_admins_assume_role_policy_doc</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="c1"># IAM Policy Document for assuming the eks-admins role</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"eks_admins_assume_role_policy_doc"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRole"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arn:aws:iam::</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">:root"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Define IAM Policy for administrative actions on EKS</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"eks_admin_policy_doc"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eks:*"</span><span class="p">,</span> <span class="s2">"ec2:Describe*"</span><span class="p">,</span> <span class="s2">"iam:ListRoles"</span><span class="p">,</span> <span class="s2">"iam:ListRolePolicies"</span><span class="p">,</span> <span class="s2">"iam:GetRole"</span><span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Create IAM Policy based on the above document</span> <span class="k">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"eks_admin_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-admin-policy"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">eks_admin_policy_doc</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="c1"># Attach IAM Policy to the EKS Administrators Role</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks_admin_role_policy_attach"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_admins_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">eks_admin_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1"># Update the aws-auth ConfigMap to include the IAM group</span> <span class="k">resource</span> <span class="s2">"kubernetes_config_map"</span> <span class="s2">"aws_auth"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aws-auth"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"kube-system"</span> <span class="p">}</span> <span class="k">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">mapRoles</span> <span class="p">=</span> <span class="nx">yamlencode</span><span class="p">([</span> <span class="p">{</span> <span class="nx">rolearn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_admins_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">username</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks_admins_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"system:masters"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">rolearn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">"system:node:{{EC2PrivateDNSName}}"</span> <span class="nx">groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"system:bootstrappers"</span><span class="p">,</span> <span class="s2">"system:nodes"</span><span class="p">]</span> <span class="p">}</span> <span class="p">])</span> <span class="nx">mapUsers</span> <span class="p">=</span> <span class="nx">yamlencode</span><span class="p">([</span> <span class="p">{</span> <span class="nx">userarn</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">username</span> <span class="p">=</span> <span class="nx">split</span><span class="p">(</span><span class="s2">"/"</span><span class="p">,</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">arn</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="nx">groups</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"system:masters"</span><span class="p">]</span> <span class="p">}</span> <span class="p">])</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn66l0hphy7imuw0qtm4z.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn66l0hphy7imuw0qtm4z.png" alt="AWS Auth Config Map"></a></p> <h2> Conclusion: Mastering EKS Management </h2> <p>By delving into advanced configuration options, securing your clusters with IAM, and employing effective logging, monitoring, and scaling strategies, you can create Kubernetes clusters that are not only robust and scalable but also optimized for cost, performance, and security. The journey to mastering AWS EKS with Terraform is ongoing, and each step forward enhances your ability to manage complex cloud-native ecosystems effectively.</p> <p>The complete project can be found here:<br> <a href="https://github.com/Femi-lawal/demo-eks-cluster" rel="noopener noreferrer">Sample Implementation GitHub Repo</a></p> aws kubernetes terraform cloud Oluwafemi Lawal Mon, 04 Mar 2024 22:11:09 +0000 https://dev.to/aws-builders/navigating-aws-eks-with-terraform-understanding-vpc-essentials-for-eks-cluster-management-51e3 https://dev.to/aws-builders/navigating-aws-eks-with-terraform-understanding-vpc-essentials-for-eks-cluster-management-51e3 <p>AWS EKS (Elastic Kubernetes Service) offers a lighthouse for those navigating the complex waters of cloud computing, providing a managed Kubernetes service that simplifies running containerized applications. While EKS alleviates much of the heavy lifting associated with setting up a Kubernetes cluster, a deeper understanding of its components and requirements can significantly enhance your cloud infrastructure's efficiency and security.</p> <h2> Prerequisites </h2> <p>Embarking on this journey requires:</p> <ul> <li>A grasp of AWS services and Kubernetes fundamentals</li> <li>The AWS CLI, configured with your credentials</li> <li>Terraform, to define infrastructure as code</li> </ul> <p>Project directory structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">.</span> ├── modules │ └── aws │ └── vpc │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── variables.tf ├── versions.tf └── vpc.tf </code></pre> </div> <p>versions.tf file content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"1.5.1"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"5.20.0"</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">default_tags</span> <span class="p">{</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">global_tags</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>You can remove the S3 backend configuration if you want to store state locally, otherwise you should ensure you have created an S3 bucket and DynamoDB table to use as values for the backend.</p> <p>variables.tf file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Target AWS region"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"demo-cluster"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the EKS cluster"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"aws_account_number"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS account number used for deployment."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"global_tags"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"ManagedBy"</span> <span class="p">=</span> <span class="s2">"Terraform"</span> <span class="s2">"Environment"</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Mastering VPC Networking for AWS EKS Clusters </h2> <p>When deploying a Kubernetes cluster in AWS using the Elastic Kubernetes Service (EKS), understanding the underlying Virtual Private Cloud (VPC) networking is crucial. It not only ensures secure communication within your cluster but also affects your cluster's interaction with the outside world, including how services are exposed and how resources are accessed.</p> <h2> The Importance of VPC Networking in EKS </h2> <p>VPC networking forms the backbone of your EKS cluster, dictating everything from pod communication to external access via load balancers. Here’s why getting your VPC setup right is critical:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8b4cwnq4nujiusxt1tse.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8b4cwnq4nujiusxt1tse.png" alt="EKS Cluster architecture" width="800" height="450"></a></p> <ul> <li> <strong>Security:</strong> Properly configured VPCs contain and protect your cluster, allowing only authorized access.</li> <li> <strong>Connectivity:</strong> Your VPC setup determines how your cluster communicates with other AWS services, the internet, and on-premises networks.</li> <li> <strong>Service Discovery &amp; Load Balancing:</strong> Integrating with AWS services like Elastic Load Balancers (ELB) requires specific VPC configurations for seamless operation.</li> </ul> <h2> Architecting Your VPC: Public and Private Subnets </h2> <p>A well-architected VPC for EKS typically involves both public and private subnets:</p> <ul> <li><p><strong>Private Subnets</strong> are used for your worker nodes. This ensures that your workloads run securely, isolated from direct access to and from the internet. Private subnets connect to the internet through a NAT Gateway, allowing outbound traffic (e.g., for pulling container images) without exposing the nodes to inbound traffic.</p></li> <li><p><strong>Public Subnets</strong> are utilized for resources that need to be accessible from the internet, like ELBs that route external traffic to your services.</p></li> </ul> <h2> Understanding NAT Gateways and Route Tables in Your VPC </h2> <h3> NAT Gateway </h3> <p>A NAT Gateway in your VPC enables instances in a private subnet to initiate outbound traffic to the internet (for updates, downloading software, etc.) without allowing inbound traffic from the internet. This is crucial for the security and integrity of your Kubernetes nodes, ensuring they have access to necessary resources while maintaining a strong security posture.</p> <h3> Route Tables </h3> <p>Route tables in AWS VPC define rules, known as routes, which determine where network traffic from your subnets or gateways is directed. In the context of EKS:</p> <ul> <li> <strong>Public Route Table</strong>: Directs traffic from the public subnet to the internet gateway, allowing resources in the public subnet (like ELBs) to be accessible from the internet.</li> <li> <strong>Private Route Table</strong>: Uses the NAT Gateway for routing outbound traffic from private subnets, ensuring that worker nodes can access the internet for essential tasks while remaining unreachable directly from the internet.</li> </ul> <h3> Importance of Tags </h3> <p>Tags in AWS serve as identifiers for your resources, enabling you to organize, track, and manage your infrastructure components efficiently. For EKS, tagging subnets correctly is crucial:</p> <ul> <li><p><strong><code>Kubernetes.io/cluster/&lt;cluster-name&gt;</code></strong>: This tag, with the value of either <code>shared</code> or <code>owned</code>, is essential for the Kubernetes cluster to identify which VPC resources it can manage and utilize for deploying services like Load Balancers.</p></li> <li><p><strong><code>kubernetes.io/role/elb</code></strong>: This tag, set to <code>1</code>, identifies subnets that should be considered for hosting internet-facing ELBs. By tagging a subnet with <code>kubernetes.io/role/elb</code>, you're explicitly allowing Kubernetes to provision external load balancers in these subnets, facilitating access from the internet to services running in your cluster.</p></li> <li><p><strong><code>kubernetes.io/role/internal-elb</code></strong>: Similarly, this tag, set to <code>1</code>, designates subnets for hosting internal ELBs. Internal load balancers are used to route traffic within your VPC, offering a method to expose services within your cluster to other components or services in your VPC without exposing them to the internet.</p></li> </ul> <h3> Why Tagging Matters </h3> <p>Tagging subnets with these roles guides the EKS control plane and the AWS Cloud Provider implementation in Kubernetes when automatically creating ELBs for services of type LoadBalancer. Without these tags:</p> <ul> <li>Kubernetes may not be able to correctly provision an ELB for your service, leading to deployment issues or accessibility problems.</li> <li>You could manually manage load balancer provisioning and association, which increases operational overhead and complexity.</li> </ul> <p>Our completed VPC module will look something like this:</p> <p>versions.tf:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.5.1"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"&gt;= 5.20.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>variables.tf:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"nat_gateway"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"A boolean flag to deploy NAT Gateway."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"vpc_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">nullable</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the VPC."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"cidr_block"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The IPv4 CIDR block for the VPC."</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">cidrnetmask</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Must be a valid IPv4 CIDR block address."</span> <span class="p">}</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"enable_dns_support"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"A boolean flag to enable/disable DNS support in the VPC."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"enable_dns_hostnames"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"A boolean flag to enable/disable DNS hostnames in the VPC."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"default_tags"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"A map of tags to add to all resources."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"public_subnet_count"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Number of Public subnets."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"public_subnet_additional_bits"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Number of additional bits with which to extend the prefix."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"public_subnet_tags"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"A map of tags to add to all public subnets."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"private_subnet_count"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Number of Private subnets."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"private_subnet_additional_bits"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Number of additional bits with which to extend the prefix."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"private_subnet_tags"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{}</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"A map of tags to add to all private subnets."</span> <span class="p">}</span> </code></pre> </div> <p>main.tf:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_availability_zones"</span> <span class="s2">"available"</span> <span class="p">{}</span> <span class="c1">############################################################################################################</span> <span class="c1">### VPC </span> <span class="c1">############################################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cidr_block</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">enable_dns_support</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">enable_dns_hostnames</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="kd">var</span><span class="p">.</span><span class="nx">default_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_name</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_default_security_group"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1">############################################################################################################</span> <span class="c1">### SUBNETS </span> <span class="c1">############################################################################################################</span> <span class="c1">## Public subnets</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_count</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_additional_bits</span><span class="p">,</span> <span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">)</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="kd">var</span><span class="p">.</span><span class="nx">default_tags</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">vpc_name</span><span class="k">}</span><span class="s2">-public-subnet-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="k">}</span><span class="s2">"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">## Private Subnets</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_count</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">cidrsubnet</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_additional_bits</span><span class="p">,</span> <span class="nx">count</span><span class="p">.</span><span class="nx">index</span> <span class="err">+</span> <span class="kd">var</span><span class="p">.</span><span class="nx">public_subnet_count</span><span class="p">)</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="kd">var</span><span class="p">.</span><span class="nx">default_tags</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">vpc_name</span><span class="k">}</span><span class="s2">-private-subnet-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span> <span class="o">+</span> <span class="mi">1</span><span class="k">}</span><span class="s2">"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">############################################################################################################</span> <span class="c1">### INTERNET GATEWAY</span> <span class="c1">############################################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="kd">var</span><span class="p">.</span><span class="nx">default_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">vpc_name</span><span class="k">}</span><span class="s2">-internetgateway"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">############################################################################################################</span> <span class="c1">### NAT GATEWAY </span> <span class="c1">############################################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"nat_gateway"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">nat_gateway</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">domain</span> <span class="p">=</span> <span class="s2">"vpc"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_nat_gateway"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">nat_gateway</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">allocation_id</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">nat_gateway</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="kd">var</span><span class="p">.</span><span class="nx">default_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">vpc_name</span><span class="k">}</span><span class="s2">-natgateway-default"</span> <span class="p">})</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">main</span> <span class="p">]</span> <span class="p">}</span> <span class="c1">############################################################################################################</span> <span class="c1">### ROUTE TABLES </span> <span class="c1">############################################################################################################</span> <span class="c1"># Public Route table</span> <span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="kd">var</span><span class="p">.</span><span class="nx">default_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">vpc_name</span><span class="k">}</span><span class="s2">-routetable-public"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">## Public Route Table rules</span> <span class="k">resource</span> <span class="s2">"aws_route"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">destination_cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">}</span> <span class="c1">## Public Route table associations</span> <span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">)</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1"># Private Route table</span> <span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="kd">var</span><span class="p">.</span><span class="nx">default_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">vpc_name</span><span class="k">}</span><span class="s2">-routetable-private"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">## Private Route Table rules</span> <span class="k">resource</span> <span class="s2">"aws_route"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private</span><span class="p">.</span><span class="nx">id</span> <span class="nx">nat_gateway_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">nat_gateway</span> <span class="err">?</span> <span class="nx">aws_nat_gateway</span><span class="p">.</span><span class="nx">main</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="err">:</span> <span class="kc">null</span> <span class="nx">destination_cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">}</span> <span class="c1">## Private Route table associations</span> <span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span><span class="p">)</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>outputs.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"vpc_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"public_subnets"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span> <span class="err">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"private_subnets"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span> <span class="err">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"aws_internet_gateway"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">main</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"aws_route_table_public"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the public route table"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"aws_route_table_private"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the private route table"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"nat_gateway_ipv4_address"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">nat_gateway</span> <span class="err">?</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">nat_gateway</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">public_ip</span> <span class="err">:</span> <span class="kc">null</span> <span class="p">}</span> </code></pre> </div> <p>The usage of the module will look like this:</p> <p>vpc.tf:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"./modules/aws/vpc/v1"</span> <span class="nx">vpc_name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-vpc"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">public_subnet_count</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">private_subnet_count</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">public_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="nx">private_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Securing AWS EKS Networking with Security Groups </h2> <p>In the realm of AWS EKS, securing the network traffic to and from your Kubernetes cluster is paramount. Security groups serve as the first line of defence, defining the rules that allow or deny network traffic to your EKS cluster and worker nodes. This article explores the role of security groups in EKS and outlines the necessary rules for secure communication within your cluster.</p> <h2> Security Groups: The Gatekeepers </h2> <h3> EKS Cluster Security Group </h3> <p>The EKS Cluster Security Group acts as a shield for the control plane, governing the traffic to the Kubernetes API server, which is hosted by AWS. It's critical for enabling secure communication between the worker nodes and the control plane.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"eks_cluster_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-cluster-sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for EKS cluster control plane communication with worker nodes"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-cluster-sg"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key Rules:</strong></p> <ul> <li> <strong>Ingress from Worker Nodes:</strong> Allows inbound traffic on port 443 from worker nodes to the control plane, facilitating Kubernetes API calls. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"eks_cluster_ingress_nodes"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_cluster_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_nodes_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow inbound traffic from the worker nodes on the Kubernetes API endpoint port"</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong>Egress to Kublet:</strong> Permits the control plane to initiate traffic to the kubelet running on each worker node, crucial for log collection and commands execution. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"eks_cluster_egress_kublet"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">10250</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">10250</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_cluster_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_nodes_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow control plane to node egress for kubelet"</span> <span class="p">}</span> </code></pre> </div> <h3> Worker Nodes Security Group </h3> <p>Worker Nodes Security Group safeguards your worker nodes, which run your applications. It controls both inbound and outbound traffic to ensure only legitimate and secure communication occurs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"eks_nodes_sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-nodes-sg"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Security group for all nodes in the cluster"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-eks-nodes-sg"</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"owned"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key Rules:</strong></p> <ul> <li> <strong>Control to Worker Node</strong>: Even though we gave the Cluster security group an egress rule to the Worker Nodes on the kubelet port <code>10250</code>, the Worker Nodes security group still has actually to allow that traffic. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"worker_node_ingress_kublet"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">10250</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">10250</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_nodes_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_cluster_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow control plane to node ingress for kubelet"</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong>Node-to-Node Communication:</strong> Allows nodes to communicate among themselves, which is essential for distributed systems like Kubernetes. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"worker_node_to_worker_node_ingress_ephemeral"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">1025</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">65535</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">self</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_nodes_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow workers nodes to communicate with each other on ephemeral ports"</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong>Egress to the Internet:</strong> Enables nodes to initiate outbound connections to the internet via the NAT Gateway, vital for pulling container images or reaching external services. This also covers any other extra egress rules that would be needed, such as being able to communicate to the control plane on port 443. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"worker_node_egress_internet"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_nodes_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow outbound internet access"</span> <span class="p">}</span> </code></pre> </div> <p><strong>CoreDNS Rules:</strong><br> When deploying a Kubernetes cluster on AWS EKS, managing DNS resolution and traffic flow between pods is crucial for the stability and performance of your applications. CoreDNS plays a vital role in this ecosystem, serving as the cluster DNS service that enables DNS-based service discovery in Kubernetes. Its integration into an EKS cluster facilitates seamless communication between service endpoints within and outside your cluster. It also has dynamic DNS updates with pod state changes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"worker_node_to_worker_node_ingress_coredns_tcp"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">53</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">53</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_nodes_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">self</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow workers nodes to communicate with each other for coredns TCP"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"worker_node_to_worker_node_ingress_coredns_udp"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">53</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">53</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"udp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_nodes_sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">self</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow workers nodes to communicate with each other for coredns UDP"</span> <span class="p">}</span> </code></pre> </div> <p>You can then deploy your project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform init <span class="nv">$ </span>terraform plan <span class="nv">$ </span>terraform apply </code></pre> </div> <p>The output will look something like this:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmlnulh2figtnl8leag8c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmlnulh2figtnl8leag8c.png" alt="Sample Terraform apply output" width="745" height="1049"></a></p> <p>Our deployed VPC:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn3vhh3afuvad147m3qlo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn3vhh3afuvad147m3qlo.png" alt="Deployed VPC" width="800" height="450"></a></p> <h2> Conclusion </h2> <p>As we conclude our exploration of VPC essentials for EKS cluster management with Terraform, it's clear that a well-architected network foundation is pivotal for the successful deployment and operation of Kubernetes clusters on AWS. Through the thoughtful configuration of NAT Gateways, Route Tables, and appropriate tagging, we ensure our EKS clusters are both secure and efficient, positioned to leverage the best of AWS infrastructure.</p> <p>Security groups are essential for crafting a secure environment for your AWS EKS cluster. By meticulously defining ingress and egress rules, you ensure that your cluster communicates securely within its components and the outside world. Implementing these security measures lays the foundation for a robust and secure Kubernetes ecosystem on AWS.</p> aws networking cloud kubernetes Oluwafemi Lawal Sat, 10 Feb 2024 09:02:38 +0000 https://dev.to/femilawal/karpenter-vs-cluster-autoscaler-in-eks-a-comparative-guide-4o71 https://dev.to/femilawal/karpenter-vs-cluster-autoscaler-in-eks-a-comparative-guide-4o71 <p>When it comes to managing applications in Kubernetes, it is crucial to balance resource availability without over-provisioning. Autoscaling is the solution to this dilemma, which allows resources to be dynamically adjusted based on the workload requirements. In this regard, let's delve into the intricacies of autoscaling in Kubernetes, with a particular focus on two significant players, namely Cluster Autoscaler and Karpenter, in the context of Amazon EKS.<br> <a href="https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExajFuNGpnODIxb21oN3AwbjhncGNjaHNkaGp0NnhtbTNna2k4Y3JjaCZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/5QRl3L2KPicz0bGBXW/giphy.gif" class="article-body-image-wrapper"><img src="https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExajFuNGpnODIxb21oN3AwbjhncGNjaHNkaGp0NnhtbTNna2k4Y3JjaCZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/5QRl3L2KPicz0bGBXW/giphy.gif"></a></p> <h2> What is Autoscaling? </h2> <p>Autoscaling refers to the automatic adjustment of computing resources in a server farm, which is usually a cloud environment, to match the current demand. It's similar to having a smart thermostat for your cloud infrastructure that increases the computing power during peak times and reduces it when the demand lessens.<br> <a href="https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExa29weTY2bmIzb2UweTdxcjV5a2podnZ4NWJ1dXE0NzRmZW9lajF3dCZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/xT8qBit7YomT80d0M8/giphy.gif" class="article-body-image-wrapper"><img src="https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExa29weTY2bmIzb2UweTdxcjV5a2podnZ4NWJ1dXE0NzRmZW9lajF3dCZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/xT8qBit7YomT80d0M8/giphy.gif"></a></p> <h2> How it Works in Non-EKS Kubernetes Clusters </h2> <p>In vanilla Kubernetes clusters, autoscaling can happen at different levels:</p> <ul> <li> <strong>Horizontal Pod Autoscaler (HPA)</strong>: adjusts the number of pods in a deployment or replica set.</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpflbvtebkkzssgaud071.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpflbvtebkkzssgaud071.png" alt="HPA"></a></p> <ul> <li> <strong>Vertical Pod Autoscaler (VPA)</strong>: adjusts the CPU and memory reservations for pods. <a href="https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler" rel="noopener noreferrer">https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler</a> </li> <li> <strong>Cluster Autoscaler (CA)</strong>: adjusts the number of nodes in a cluster.</li> </ul> <h2> Cluster Autoscaler: The Kubernetes Classic </h2> <p>Cluster Autoscaler (CA) is like your reliable old hatchback. It's been around since the early days of Kubernetes, ensuring that clusters scale out when needed and scale in when the demand wanes.</p> <h3> History of Cluster Autoscaler </h3> <p>Developed as part of the Kubernetes project, CA has been the go-to for Kubernetes users needing to implement node-level autoscaling. It monitors for pods that couldn't be scheduled due to resource constraints and adjusts the cluster size accordingly.</p> <h3> How Cluster Autoscaler Works </h3> <p>Cluster Autoscaler dynamically optimizes the number of nodes in your EKS cluster. It scales up when it detects unscheduled pods due to resource constraints and scales down when nodes have been underutilized for an extended period.</p> <h4> Scaling Up with Cluster Autoscaler </h4> <p>Cluster Autoscaler checks for unscheduled pods approximately every 10 seconds. If it finds any, it triggers the provisioning of new EC2 instances with specifications mirroring existing nodes, ensuring pods are scheduled promptly.</p> <h4> Scaling Down </h4> <p>It also identifies nodes with low resource utilization and marks them as unnecessary. If these nodes remain unneeded for about 10 minutes, Cluster Autoscaler will terminate them, optimizing resource usage and cost.</p> <h4> Issues Faced with Cluster Autoscaler </h4> <p>Despite its functionality, we encountered challenges with Cluster Autoscaler, especially with volume node affinity conflicts. Stateful pods requiring EBS Volume Storage faced scheduling issues due to node termination and subsequent provisioning in different AWS zones.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frflki10wtmy6cryzfw5d.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frflki10wtmy6cryzfw5d.png" alt="Cluster Autoscaler functionality"></a></p> <h2> Karpenter: The New Kid on the Block </h2> <p>Karpenter is AWS's response to next-generation cluster autoscaling, focusing on optimizing resource utilization and reducing costs through intelligent provisioning.<br> <a href="https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExcnpldWJ0dXgzMWoyOXFhZTg1ZHE3eHEwZHNjazh3dWl2cWFzaWlnMSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/zioSZDwyCEbv9jZhUu/giphy.gifhttps://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExajFuNGpnODIxb21oN3AwbjhncGNjaHNkaGp0NnhtbTNna2k4Y3JjaCZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/5QRl3L2KPicz0bGBXW/giphy.gif" class="article-body-image-wrapper"><img src="https://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExcnpldWJ0dXgzMWoyOXFhZTg1ZHE3eHEwZHNjazh3dWl2cWFzaWlnMSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/zioSZDwyCEbv9jZhUu/giphy.gifhttps://i.giphy.com/media/v1.Y2lkPTc5MGI3NjExajFuNGpnODIxb21oN3AwbjhncGNjaHNkaGp0NnhtbTNna2k4Y3JjaCZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/5QRl3L2KPicz0bGBXW/giphy.gif"></a></p> <h3> History of Karpenter </h3> <p>Introduced in late 2021, Karpenter was created to improve the efficiency of resource allocation within Kubernetes. Karpenter emerged as a solution to the limitations of Cluster Autoscaler, offering intelligent node provisioning based on actual workload requirements, significantly optimizing resource utilization and cost.</p> <h3> How Karpenter Works </h3> <p>Karpenter takes a proactive approach to autoscaling, using custom Kubernetes resources called “provisioners” to define and manage resource provisioning based on application requirements. This method ensures optimal resource utilization, as Karpenter can tailor provision nodes to the workload's specific needs.</p> <h3> Key Features of Karpenter </h3> <ul> <li> <strong>Elimination of Multiple Autoscaling Groups</strong>: Karpenter is zone-aware, capable of provisioning nodes in required zones without managing numerous autoscaling groups.</li> <li> <strong>Intelligent Node Allocation</strong>: It provisions nodes based on precise workload requirements, optimizing costs and system availability.</li> <li> <strong>Versatile Node Configuration</strong>: Supports diverse configurations, allowing for an optimal match between instance types and pod requirements.</li> <li> <strong>Enhanced Scaling and Scheduling</strong>: Offers fast, efficient scaling based on workload and resource utilization, maintaining optimal performance.</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fllbswdrtmdyk3f8sy5aj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fllbswdrtmdyk3f8sy5aj.png" alt="Karpenter functionality"></a></p> <h2> Comparing Karpenter to Cluster Autoscaler </h2> <p><strong>User Friendliness:</strong> Karpenter simplifies setup and integration with Kubernetes, contrasting with the Cluster Autoscaler's potentially complex configuration.</p> <p><strong>Optimal Resource Utilization:</strong> Karpenter's ability to provision nodes based on application requirements leads to more efficient use of resources.</p> <p><strong>Customization:</strong> Karpenter allows for detailed scaling configurations, such as scaling based on custom metrics.</p> <p><strong>Optimized Compute Costs</strong>: Unlike Cluster Autoscaler, Karpenter's efficient bin packing and workload consolidation can reduce computation costs.</p> <p><strong>Volume Node Affinity Conflict</strong>: Karpenter's intelligent scheduling resolves the challenge of stateful pods by ensuring node and volume affinity, mitigating unscheduled pod issues.</p> <h2> Conclusion </h2> <p>While the Cluster Autoscaler provides a reliable, time-tested solution for autoscaling, Karpenter introduces a more dynamic and cost-effective approach when paired with AWS EKS. By understanding the unique features and capabilities of each, you can choose the right tool for your Kubernetes environment, ensuring efficient resource management and cost savings.</p> eks kubernetes containers sre Oluwafemi Lawal Fri, 09 Feb 2024 14:37:03 +0000 https://dev.to/femilawal/unraveling-kubernetes-from-ec2-to-eks-1ce4 https://dev.to/femilawal/unraveling-kubernetes-from-ec2-to-eks-1ce4 <h3> What is Kubernetes? </h3> <p>The concept of isolating application code is something that has been around since the 1970s. By the year 2012, containers running on Linux platforms were transformed into an operating system-level virtualization technology, the need to manage multiple interconnected containers at scale became increasingly evident, and multiple technologies were created to solve just that.</p> <p>Kubernetes was released in September of 2014 (almost two most after Terraform 👀). At its core, it is an open-source platform designed to automate the deployment, scaling, and operation of application containers across clusters of hosts. It provides the framework to run distributed systems resiliently, taking care of scaling and failover for your application, providing deployment patterns, and more. Essentially, Kubernetes is about abstracting away the complexity of managing a fleet of containers, which are lightweight, portable, self-sufficient packages that can run cloud-native applications.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgy12tjdqdefx4hb9uehe.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgy12tjdqdefx4hb9uehe.png" alt="Kubernetes at work" width="800" height="280"></a></p> <h3> The Benefits of Kubernetes </h3> <p>Kubernetes offers a plethora of benefits that have made it the de facto standard for container orchestration:</p> <ul> <li> <strong>Scalability</strong>: Effortlessly scale your applications up or down based on demand, with Kubernetes handling the complexity of managing container distribution across the cluster.</li> <li> <strong>High Availability</strong>: Kubernetes ensures your application is always available, regardless of individual server failures, by distributing containers across multiple nodes.</li> <li> <strong>Portability</strong>: Run your applications on any public cloud, private cloud, or on-premises server.</li> <li> <strong>Self-healing</strong>: Automatically restarts containers that fail, replaces and reschedules containers when nodes die, kills containers that don't respond to user-defined health checks, and doesn't advertise them to clients until they are ready to serve.</li> </ul> <h3> Historical Need to Run Kubernetes on EC2 VMs </h3> <p>Before the advent of Kubernetes as a managed service in AWS, deploying it on virtual machines, such as AWS EC2, was the norm. This setup involved manually installing Kubernetes on each VM, configuring the network, setting up storage, and ensuring security and isolation between the containers. The process was intricate, involving:</p> <ol> <li>Setting up an EC2 instance for the Kubernetes master.</li> <li>Configuring additional EC2 instances to serve as worker nodes.</li> <li>Installing Kubernetes on all instances and configuring them to communicate with each other.</li> <li>Setting up networking to allow containers to communicate within the cluster and with the outside world.</li> </ol> <p>This manual setup was time-consuming and required a deep understanding of Kubernetes internals.</p> <h3> What is EKS? </h3> <p>Amazon Elastic Kubernetes Service (EKS) is AWS's managed service, making it easy to run Kubernetes on AWS and on-premises with Amazon EKS Anywhere. EKS abstracts away the complexity of installing and managing Kubernetes, providing a highly available and secure Kubernetes control plane. With EKS, AWS manages the Kubernetes master nodes, relieving developers and sysadmins from the operational overhead of managing the Kubernetes infrastructure.</p> <h3> Differences between EKS vs Running your own Kubernetes Cluster on EC2 VMs </h3> <p>The choice between EKS and self-managed Kubernetes on EC2 boils down to the trade-off between control and convenience:</p> <ul> <li> <strong>Managed Service vs Manual Configuration</strong>: EKS provides a managed Kubernetes service where the control plane is managed by AWS, reducing the operational complexity. In contrast, running Kubernetes on EC2 requires manual setup and management.</li> <li> <strong>Scalability and Availability</strong>: EKS automatically scales the Kubernetes control plane, ensuring high availability without manual intervention. Running Kubernetes on EC2 requires manual scaling and failover management.</li> <li> <strong>Security and Compliance</strong>: EKS is integrated with AWS security services, such as IAM, for authentication, simplifying compliance and security management. A self-managed Kubernetes setup requires manual configuration of security policies and networking rules.</li> <li> <strong>Cost</strong>: While EKS simplifies Kubernetes management, it comes with additional costs for the managed control plane. Running Kubernetes on EC2 gives you more control over costs, especially if you can optimize your cluster's utilization and manage its complexity.The EKS control plane requires nodes in multiple availability zones to ensure high availability, this translates to a minimal cost of $75 a month for each Amazon EKS cluster with a standard 3-node configuration.</li> </ul> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fawq73jfjpnzkyq4g6qv3.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fawq73jfjpnzkyq4g6qv3.jpeg" alt="EKS Control Plane" width="800" height="450"></a></p> <h3> Conclusion </h3> <p>Kubernetes has significantly simplified containerised applications' deployment, scaling, and management. While running Kubernetes on EC2 VMs offers full control over the Kubernetes cluster, it comes with the added complexity of manual management. EKS, on the other hand, provides a managed Kubernetes service that abstracts much of this complexity, allowing developers to focus on building their applications rather than managing the underlying infrastructure. Ultimately, choosing between EKS and a self-managed Kubernetes cluster on EC2 depends on your specific needs, skills, and budget constraints. Regardless of the path chosen, Kubernetes remains a powerful tool in the cloud-native ecosystem, enabling businesses to deploy and manage applications at scale efficiently.</p> aws containers kubernetes eks Oluwafemi Lawal Sat, 18 Feb 2023 14:27:02 +0000 https://dev.to/aws-builders/how-to-deploy-to-aws-from-fargate-backed-gitlab-runners-184n https://dev.to/aws-builders/how-to-deploy-to-aws-from-fargate-backed-gitlab-runners-184n <h2> Introduction </h2> <p>I love <a href="https://aws.amazon.com/codepipeline/" rel="noopener noreferrer">AWS CodePipeline</a>. It integrates with GitHub and Bitbucket, you can add as many stages for your pipeline as you want, be it for Approval, Build, Invoking, Testing, and efficiently deploying to multiple AWS Services. One thing it does not to integrate with, unfortunately (at the time of my writing this article), is Gitlab.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdp9eispq9kuvv3ogrte5.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdp9eispq9kuvv3ogrte5.gif" alt="Sipping tea"></a></p> <p>This article will cover the steps required to deploy to AWS from a GitLab runner backed by the Amazon Fargate service. I will not talk about how to set everything up, Gitlab covers it in detail on their documentation <a href="https://docs.gitlab.com/runner/configuration/runner_autoscale_aws_fargate/" rel="noopener noreferrer">https://docs.gitlab.com/runner/configuration/runner_autoscale_aws_fargate/</a></p> <h2> Prerequisites </h2> <p>Before we get started, there are a few things you need to have set up:</p> <ol> <li><a href="https://gitlab.com/" rel="noopener noreferrer">A GitLab account with a repository that will run CI jobs with Fargate.</a></li> <li><a href="https://aws.amazon.com/" rel="noopener noreferrer">An AWS account.</a></li> <li><a href="https://docs.gitlab.com/runner/configuration/runner_autoscale_aws_fargate/" rel="noopener noreferrer">GitLab runner set up and running in your AWS account.</a></li> <li>Fargate task definition that Gitlab runner will use to run your CI jobs.</li> </ol> <p><a href="https://gitlab.com/femilawal76/fargate-driver-debian" rel="noopener noreferrer">A modified version of the example debian image</a> in the instructions from Gitlab will be used for the Fargate task Gitlab runner invokes, the only addition is the AWS CLI</p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code> <span class="k">FROM</span><span class="s"> debian:buster</span> <span class="c"># ---------------------------------------------------------------------</span> <span class="c"># Install https://github.com/krallin/tini - a very small 'init' process</span> <span class="c"># that helps processing signalls sent to the container properly.</span> <span class="c"># ---------------------------------------------------------------------</span> <span class="k">ARG</span><span class="s"> TINI_VERSION=v0.19.0</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> <span class="se">\ </span> apt-get <span class="nb">install</span> <span class="nt">-y</span> curl <span class="o">&amp;&amp;</span> <span class="se">\ </span> curl <span class="nt">-Lo</span> /usr/local/bin/tini https://github.com/krallin/tini/releases/download/<span class="k">${</span><span class="nv">TINI_VERSION</span><span class="k">}</span>/tini-amd64 <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">chmod</span> +x /usr/local/bin/tini <span class="c"># --------------------------------------------------------------------------</span> <span class="c"># Install and configure sshd.</span> <span class="c"># https://docs.docker.com/engine/examples/running_ssh_service for reference.</span> <span class="c"># --------------------------------------------------------------------------</span> <span class="k">RUN </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> openssh-server <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="c"># Creating /run/sshd instead of /var/run/sshd, because in the Debian</span> <span class="c"># image /var/run is a symlink to /run. Creating /var/run/sshd directory</span> <span class="c"># as proposed in the Docker documentation linked above just doesn't</span> <span class="c"># work.</span> mkdir -p /run/sshd <span class="k">EXPOSE</span><span class="s"> 22</span> <span class="c"># ----------------------------------------</span> <span class="c"># Install GitLab CI required dependencies.</span> <span class="c"># ----------------------------------------</span> <span class="k">ARG</span><span class="s"> GITLAB_RUNNER_VERSION=v12.9.0</span> <span class="k">RUN </span>curl <span class="nt">-Lo</span> /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/<span class="k">${</span><span class="nv">GITLAB_RUNNER_VERSION</span><span class="k">}</span>/binaries/gitlab-runner-linux-amd64 <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">chmod</span> +x /usr/local/bin/gitlab-runner <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="c"># Test if the downloaded file was indeed a binary and not, for example,</span> <span class="c"># an HTML page representing S3's internal server error message or something</span> <span class="c"># like that.</span> gitlab-runner --version <span class="k">RUN </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> bash ca-certificates git git-lfs <span class="o">&amp;&amp;</span> <span class="se">\ </span> git lfs <span class="nb">install</span> <span class="nt">--skip-repo</span> <span class="c"># ----------------------------------------</span> <span class="c"># Install AWS CLI.</span> <span class="c"># ----------------------------------------</span> <span class="k">RUN </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> awscli <span class="c"># -------------------------------------------------------------------------------------</span> <span class="c"># Execute a startup script.</span> <span class="c"># https://success.docker.com/article/use-a-script-to-initialize-stateful-container-data</span> <span class="c"># for reference.</span> <span class="c"># -------------------------------------------------------------------------------------</span> <span class="k">COPY</span><span class="s"> docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh</span> <span class="k">RUN </span><span class="nb">chmod</span> +x /usr/local/bin/docker-entrypoint.sh <span class="k">ENTRYPOINT</span><span class="s"> ["tini", "--", "/usr/local/bin/docker-entrypoint.sh"]</span> </code></pre> </div> <p>You will have to <a href="https://aws.amazon.com/ecr/" rel="noopener noreferrer">create an ECR repository for the image, build your image and push it ECR</a>, then create the task definition that uses the image.</p> <h2> Setting Up The Deployment </h2> <p>The scenario is you have a Gitlab repository that holds a CloudFormation template for creating ECR Repositories, merges to the main branch should update the template in your AWS account. Our pipeline requires two key components</p> <ol> <li>Creating a <code>ecr.yaml</code> CloudFormation template.</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">This template creates ECR resources</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">IAMUserName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">IAM User Name</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">YOUR_USER_NAME"</span> <span class="na">AllowedPattern</span><span class="pi">:</span> <span class="s2">"</span><span class="s">[a-zA-Z0-9-_]+"</span> <span class="na">ConstraintDescription</span><span class="pi">:</span> <span class="s">must be a valid IAM user name</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">ECRRepository</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECR::Repository</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RepositoryName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AWS::StackName</span> <span class="na">RepositoryPolicyText</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AllowPushPull"</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">"</span><span class="pi">,</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">arn:aws:iam::"</span><span class="pi">,</span> <span class="kt">!Ref</span> <span class="nv">AWS</span><span class="pi">::</span><span class="nv">AccountId</span><span class="pi">,</span> <span class="s2">"</span><span class="s">:user/"</span><span class="pi">,</span> <span class="kt">!Ref</span> <span class="nv">IAMUserName</span> <span class="pi">],</span> <span class="pi">]</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:GetDownloadUrlForLayer"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:BatchGetImage"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:BatchCheckLayerAvailability"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:PutImage"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:InitiateLayerUpload"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:UploadLayerPart"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:CompleteLayerUpload"</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">ECRRepository</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">ECR repository</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ECRRepository</span> </code></pre> </div> <ol> <li>Modifying the <code>.gitlab-ci.yml</code> file to include a deployment stage that will deploy your changes to AWS. ```yaml </li> </ol> <p>variables:<br> STACK_NAME: ecr-stack<br> TEMPLATE_PATH: /templates/ecr.yaml</p> <p>stages:</p> <ul> <li>deploy</li> </ul> <p>cloudformation_deploy:<br> stage: deploy<br> script:<br> - aws cloudformation deploy --template-file $TEMPLATE_PATH --stack-name $STACK_NAME --capabilities CAPABILITY_NAMED_IAM</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## The Problem The pipeline is not actually going to work, the AWS CLI will be unable to locate the credentials and will ask you to run `aws configure`. You might be thinking the simple solution is to just create credentials for Gitlab then set the AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID environment variables, but that's completely unnecessary (and not very secure). The pipeline is running in a Fargate container within your AWS account and has proper permissions, so why doesn't it work?  Ordinarily, the container makes a request to the task metadata endpoint to get temporary AWS credentials, but unfortunately, the environment variable it uses for that is only available to the init container process (PID 1). So to fix this issue, we have to set that environment variable. How do we get an environment variable from an entirely different process? PID 1 environment variables are stored in the environ file of the process, so we can retrieve it from there by running: ```bash export $(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) </code></pre> </div> <p>This will make the variable avaialable to the CI process and enable to container to retrieve temporary AWS credentials, the final <code>.gitlab.ci.yaml</code> file will look like this:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <p><span class="na">variables</span><span class="pi">:</span><br> <span class="na">STACK_NAME</span><span class="pi">:</span> <span class="s">ecr-stack</span><br> <span class="na">TEMPLATE_PATH</span><span class="pi">:</span> <span class="s">/templates/ecr.yaml</span></p> <p><span class="na">stages</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">deploy</span></p> <p><span class="na">deploy</span><span class="pi">:</span><br> <span class="na">stage</span><span class="pi">:</span> <span class="s">deploy</span><br> <span class="na">script</span><span class="pi">:</span><br> <span class="pi">-</span> <span class="s">export $(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)</span><br> <span class="pi">-</span> <span class="s">aws cloudformation deploy --template-file $TEMPLATE_PATH --stack-name $STACK_NAME --capabilities CAPABILITY_NAMED_IAM</span></p> </code></pre> </div> <h2> <br> <br> <br> Conclusion<br> </h2> <p>In this article, we covered the steps required to use the AWS CLI for deployments from a GitLab runner backed by the Amazon Fargate service. With these steps in place, you can automate the deployment of your resources to AWS.</p> aws community devops containers Oluwafemi Lawal Thu, 07 Jul 2022 08:03:21 +0000 https://dev.to/femilawal/how-to-ssh-into-an-ecs-fargate-container-1l3k https://dev.to/femilawal/how-to-ssh-into-an-ecs-fargate-container-1l3k <h2> The Problem </h2> <p>Best practices dictate that you should not SSH into containers; instead, you should implement proper observability mechanisms for monitoring, debugging, and log analysis. So it was impossible with ECS, at least not until the 16th of March 2021. After that, it was a highly requested feature on the AWS Container roadmap. AWS eventually gave in because they understood that engineers must be able to debug and test quickly in the early stages of development. It can also be helpful to debug high severity issues in production.</p> <h2> The Solution </h2> <p>Before getting into your ECS container, you would have to open the SSH ports, get keys/passwords to the host instance, SSH into that instance, and then <code>docker exec</code> into the container. If you were running the serverless Fargate model, you couldn't even do this because you do not have access to the host machine, so you'd have to redeploy it to an EC2 instance.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzz3v4x1lm2rmjyjplv3s.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzz3v4x1lm2rmjyjplv3s.png" alt="Superman on the floor"></a></p> <p>Then ECS exec came to the rescue, and it allows you to <code>docker exec</code> right into the container you want without the overhead of worrying about security issues with distributing SSH keys or passwords<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0i4keb2f9xyy5ygtl5pm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0i4keb2f9xyy5ygtl5pm.png" alt="Superman being a hero"></a></p> <h2> Implementation </h2> <p>I will use the Fargate container from <a href="https://dev.to/femilawal/creating-an-ecs-cluster-with-cloudformation-54cg">this post</a> and make modifications to specific parts of the CloudFormation template.</p> <ul> <li>IAM Policy for the Task Role</li> <li>KMS key to encrypt the ECS Exec data channel</li> <li>Enable Execute command</li> <li>Place cluster in public subnets The template already has the cluster in public subnets, so first, we'll add the IAM Policy. ``` yaml TaskRole: Type: AWS::IAM::Role Properties: RoleName: !Join ["-", [!Ref ServiceName, TaskRole]] AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: ecs-tasks.amazonaws.com Action: "sts:AssumeRole" Policies: - PolicyName: "systems-manager" PolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Action: - "ssmmessages:CreateControlChannel" - "ssmmessages:CreateDataChannel" - "ssmmessages:OpenControlChannel" - "ssmmessages:OpenDataChannel" Resource: "*" - Effect: "Allow" Action: - "kms:Decrypt" Resource: !Ref KMSKey</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Then the KMS key: ```yaml ############################################################ # KMS KEY ############################################################ KMSKey: Type: AWS::KMS::Key Properties: Description: Key needed to encrypt docker exec data channel KeyPolicy: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" Action: - "kms:*" Resource: "*" </code></pre> </div> <p>Now we enable the exec command on the service, that can be done by adding <code>EnableExecuteCommand: true</code></p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="c1">############################################################</span> <span class="c1"># ECS SERVICE</span> <span class="c1">############################################################</span> <span class="na">Service</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECS::Service</span> <span class="c1"># This dependency is needed so that the load balancer is setup correctly in time</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ApplicationLoadBalancer</span> <span class="pi">-</span> <span class="s">ALBHTTPListener</span> <span class="pi">-</span> <span class="s">ListenerRule</span> <span class="pi">-</span> <span class="s">TargetGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ServiceName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ServiceName</span> <span class="na">Cluster</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">Cluster</span> <span class="na">TaskDefinition</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TaskDefinition</span> <span class="na">EnableExecuteCommand</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">DeploymentConfiguration</span><span class="pi">:</span> <span class="na">MinimumHealthyPercent</span><span class="pi">:</span> <span class="m">100</span> <span class="na">MaximumPercent</span><span class="pi">:</span> <span class="m">200</span> <span class="na">DesiredCount</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MinContainers</span> <span class="na">HealthCheckGracePeriodSeconds</span><span class="pi">:</span> <span class="m">300</span> <span class="na">LaunchType</span><span class="pi">:</span> <span class="s">FARGATE</span> <span class="na">NetworkConfiguration</span><span class="pi">:</span> <span class="na">AwsvpcConfiguration</span><span class="pi">:</span> <span class="na">AssignPublicIp</span><span class="pi">:</span> <span class="s">ENABLED</span> <span class="na">Subnets</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetOne</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetTwo</span> <span class="na">SecurityGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">ContainerSecurityGroup</span> <span class="na">LoadBalancers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ContainerName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ServiceName</span> <span class="na">ContainerPort</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContainerPort</span> <span class="na">TargetGroupArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TargetGroup</span> </code></pre> </div> <p>You can deploy the <a href="https://gist.github.com/Femi-lawal/1a542fc3f3f782db615d2bb028e49cc6" rel="noopener noreferrer">template</a>:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws cloudformation deploy <span class="nt">--template-file</span> ecs.yml <span class="nt">--stack-name</span> ecs-infrastructure <span class="nt">--capabilities</span> CAPABILITY_NAMED_IAM <span class="nt">--profile</span> default </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3wume9ww9yonnh6ciu6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3wume9ww9yonnh6ciu6.png" alt="Deploy output"></a><br> Then you can get the Task Id by running:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws ecs list-tasks <span class="nt">--cluster</span> rest-api-cluster </code></pre> </div> <p>The task id is the part highlighted in red below:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fib00er1t3fodf7ia1gh7.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fib00er1t3fodf7ia1gh7.png" alt="Task Id"></a></p> <p>This is an alpine linux docker image, so instead of <code>"/bin/bash"</code>, to docker exec into it, <code>"/bin/sh"</code> will have to be used instead.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws ecs execute-command <span class="nt">--region</span> us-east-1 <span class="nt">--cluster</span> rest-api-cluster <span class="nt">--task</span> INSERT_YOUR_TASK_ID_HERE <span class="nt">--container</span> rest-api <span class="nt">--command</span> <span class="s2">"/bin/sh"</span> <span class="nt">--interactive</span> </code></pre> </div> <p>Sample output: <br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdtt6p9rgnflg81urgadr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdtt6p9rgnflg81urgadr.png" alt="Output"></a><br> You can use <a href="https://github.com/aws-containers/amazon-ecs-exec-checker" rel="noopener noreferrer">this tool</a> to troubleshoot issues.</p> <h2> Cleanup </h2> <p>Always remember to delete resources you do not need, run:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws cloudformation delete-stack <span class="nt">--stack-name</span> ecs-infrastructure </code></pre> </div> <p>You can check the status of the stack to confirm if it was deleted successfully:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws cloudformation describe-stacks <span class="nt">--stack-name</span> ecs-infrastructure </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuv6ppmns2r6jvbf33wiw.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuv6ppmns2r6jvbf33wiw.png" alt="Sample output"></a><br> Confirm the stack was deleted successfully; remember to clean up the ECR repository if you implemented that.</p> aws docker cloud serverless Oluwafemi Lawal Wed, 06 Jul 2022 22:36:09 +0000 https://dev.to/femilawal/creating-an-ecs-cluster-with-cloudformation-54cg https://dev.to/femilawal/creating-an-ecs-cluster-with-cloudformation-54cg <h2> What is ECS? </h2> <p>Amazon Elastic Container Service (Amazon ECS) is the AWS container orchestration service that runs and manages Docker containers. With ECS, you can run clusters of virtual machines with either the EC2-backed option or the serverless option with Fargate.<br> You can read more about ECS in the <a href="https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html" rel="noopener noreferrer">AWS documentation</a></p> <h2> Infrastructure </h2> <p><strong>Disclaimer:</strong> This is not created for a production use case. It is just for illustration purposes.<br> Things that will be created included in this post:</p> <ul> <li>VPC</li> <li>Internet Gateway</li> <li>Public Subnets</li> <li>Route tables</li> <li>ECS cluster</li> <li>ECS Service </li> <li>Task definition</li> <li>IAM roles</li> <li>Application Load balancer</li> <li>Target group</li> <li>Security groups</li> <li>CloudWatch Log groups</li> </ul> <p>That's a long list, but we will accomplish this with CloudFormation. To use HTTPS with the load balancer, you would need to create an SSL certificate in AWS Certificate Manager, but this post will make a load balancer with HTTP, and the cluster will be in public subnets instead of private.<br> The application used is a simple <a href="https://hub.docker.com/r/femilawal/python-api" rel="noopener noreferrer">rest api</a>.<br> You can create an ECR repository by following <a href="https://dev.to/femilawal/creating-an-elastic-container-registry-repo-with-cloudformation-f5d">this post</a> and push the docker image to the repo following <a href="https://dev.to/femilawal/creating-your-private-versions-of-public-docker-images-in-ecr-11f6">this post</a>.</p> <p>I could divide the CloudFormation template into multiple templates, then export and import values when needed, and give detailed explanations for what each template does, but that would make this post very long... <br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd5crtyhaobdcnti6hm6w.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd5crtyhaobdcnti6hm6w.png" alt="Apology"></a></p> <p>I'm going to post everything in a single template, you can consult the <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html" rel="noopener noreferrer">CloudFormation documentation</a> for explanations </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">This template creates ECS Fargate Services.</span> <span class="c1">############################################################</span> <span class="c1"># PARAMETERS RECORDS BLOCK</span> <span class="c1">############################################################</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">ImageTag</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">latest</span> <span class="na">ServiceName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">rest-api</span> <span class="na">ContainerPort</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">Default</span><span class="pi">:</span> <span class="m">80</span> <span class="na">ContainerCpu</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="m">256</span> <span class="na">ContainerMemory</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">1GB</span> <span class="na">HealthCheckPath</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">/</span> <span class="na">MinContainers</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Number</span> <span class="na">Default</span><span class="pi">:</span> <span class="m">1</span> <span class="na">VpcCIDR</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IP</span><span class="nv"> </span><span class="s">range</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">this</span><span class="nv"> </span><span class="s">VPC"</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">String"</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10.0.0.0/16"</span> <span class="na">PublicSubnetOneCIDR</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IP</span><span class="nv"> </span><span class="s">range</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">subnet</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">first</span><span class="nv"> </span><span class="s">Availability</span><span class="nv"> </span><span class="s">Zone"</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">String"</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10.0.1.0/24"</span> <span class="na">PublicSubnetTwoCIDR</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">IP</span><span class="nv"> </span><span class="s">range</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">subnet</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">second</span><span class="nv"> </span><span class="s">Availability</span><span class="nv"> </span><span class="s">Zone"</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">String"</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10.0.2.0/24"</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1">############################################################</span> <span class="c1"># VPC &amp; PUBLIC SUBNETS</span> <span class="c1">############################################################</span> <span class="na">RestVPC</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::VPC"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">VpcCIDR"</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Name"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Rest-API-VPC"</span> <span class="c1">####### Create Public Subnet #######</span> <span class="na">PublicSubnetOne</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::Subnet"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RestVPC</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicSubnetOneCIDR"</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="kt">!Select</span> <span class="pi">[</span><span class="s2">"</span><span class="s">0"</span><span class="pi">,</span> <span class="kt">!GetAZs</span> <span class="pi">]</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="s2">"</span><span class="s">True"</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Name"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${PublicSubnetOneCIDR}-PublicSubnetOne"</span> <span class="na">PublicSubnetTwo</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::Subnet"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RestVPC</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicSubnetTwoCIDR"</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="kt">!Select</span> <span class="pi">[</span><span class="s2">"</span><span class="s">1"</span><span class="pi">,</span> <span class="kt">!GetAZs</span> <span class="pi">]</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="s2">"</span><span class="s">True"</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Name"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">${PublicSubnetTwoCIDR}-PublicSubnetTwo"</span> <span class="c1">######## Create Public Route Table #######</span> <span class="na">PublicRouteTable1</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::RouteTable"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RestVPC</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Name"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">PublicRoute1"</span> <span class="na">PublicRouteTable2</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::RouteTable"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RestVPC</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Name"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">PublicRoute2"</span> <span class="c1">######## Create Internet Gateway #######</span> <span class="na">InternetGateway</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::InternetGateway"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Name"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">InternetGateway"</span> <span class="c1">######## Attach Internet Gateway to VPC #######</span> <span class="na">GatewayToInternet</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::VPCGatewayAttachment"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RestVPC</span> <span class="na">InternetGatewayId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">InternetGateway"</span> <span class="c1">######## Route-out Public Route Table to Internet Gateway (Internet connection) #######</span> <span class="na">PublicRouteIGW1</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::Route"</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">GatewayToInternet"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicRouteTable1"</span> <span class="na">DestinationCidrBlock</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0/0"</span> <span class="na">GatewayId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">InternetGateway"</span> <span class="na">PublicRouteIGW2</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::Route"</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">GatewayToInternet"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicRouteTable2"</span> <span class="na">DestinationCidrBlock</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0/0"</span> <span class="na">GatewayId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">InternetGateway"</span> <span class="c1">######## Associate Public Route Table with Public Subnet1 &amp; Subnet2 #######</span> <span class="na">PublicSubnetOneRouteTableAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::SubnetRouteTableAssociation"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicSubnetOne"</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicRouteTable1"</span> <span class="na">PublicSubnetTwoRouteTableAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::SubnetRouteTableAssociation"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicSubnetTwo"</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicRouteTable2"</span> <span class="c1">######## Create Custom Network ACL #######</span> <span class="na">PublicNetworkACL</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::NetworkAcl"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RestVPC</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Name"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">PublicNetworkACL"</span> <span class="na">PublicInboundPublicACL</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::NetworkAclEntry"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">NetworkAclId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicNetworkACL</span> <span class="na">RuleNumber</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100"</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-1"</span> <span class="na">RuleAction</span><span class="pi">:</span> <span class="s2">"</span><span class="s">allow"</span> <span class="na">Egress</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0/0"</span> <span class="na">PublicOutboundPublicACL</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::NetworkAclEntry"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">NetworkAclId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicNetworkACL</span> <span class="na">RuleNumber</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100"</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-1"</span> <span class="na">RuleAction</span><span class="pi">:</span> <span class="s2">"</span><span class="s">allow"</span> <span class="na">Egress</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0/0"</span> <span class="c1">######## Associate Public Subnet to Network ACL #######</span> <span class="na">PublicSubnetOneNetworkAclAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::SubnetNetworkAclAssociation"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicSubnetOne"</span> <span class="na">NetworkAclId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicNetworkACL"</span> <span class="na">PublicSubnetTwoNetworkAclAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::EC2::SubnetNetworkAclAssociation"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicSubnetTwo"</span> <span class="na">NetworkAclId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">PublicNetworkACL"</span> <span class="c1">############################################################</span> <span class="c1"># ECS CLUSTER BLOCK</span> <span class="c1">############################################################</span> <span class="na">Cluster</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECS::Cluster</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ClusterName</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-"</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">ServiceName</span><span class="pi">,</span> <span class="nv">cluster</span><span class="pi">]]</span> <span class="c1">############################################################</span> <span class="c1"># ECS TASK DEFINITION</span> <span class="c1">############################################################</span> <span class="na">TaskDefinition</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECS::TaskDefinition</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">LogGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="c1"># Name of the task definition. Subsequent versions of the task definition are grouped together under this name.</span> <span class="na">Family</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-"</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">ServiceName</span><span class="pi">,</span> <span class="nv">TaskDefinition</span><span class="pi">]]</span> <span class="c1"># awsvpc is required for Fargate</span> <span class="na">NetworkMode</span><span class="pi">:</span> <span class="s">awsvpc</span> <span class="na">RequiresCompatibilities</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">FARGATE</span> <span class="na">Cpu</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContainerCpu</span> <span class="na">Memory</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContainerMemory</span> <span class="na">ExecutionRoleArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ExecutionRole</span> <span class="na">TaskRoleArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TaskRole</span> <span class="na">ContainerDefinitions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ServiceName</span> <span class="na">Image</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">."</span><span class="pi">,</span> <span class="pi">[</span> <span class="kt">!Ref</span> <span class="nv">AWS</span><span class="pi">::</span><span class="nv">AccountId</span><span class="pi">,</span> <span class="s2">"</span><span class="s">dkr.ecr"</span><span class="pi">,</span> <span class="kt">!Ref</span> <span class="nv">AWS</span><span class="pi">::</span><span class="nv">Region</span><span class="pi">,</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">amazonaws.com/ecr-repository:${ImageTag}"</span><span class="pi">,</span> <span class="pi">],</span> <span class="pi">]</span> <span class="na">PortMappings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ContainerPort</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContainerPort</span> <span class="c1"># Send logs to CloudWatch Logs</span> <span class="na">LogConfiguration</span><span class="pi">:</span> <span class="na">LogDriver</span><span class="pi">:</span> <span class="s">awslogs</span> <span class="na">Options</span><span class="pi">:</span> <span class="na">awslogs-region</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AWS::Region</span> <span class="na">awslogs-group</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">LogGroup</span> <span class="na">awslogs-stream-prefix</span><span class="pi">:</span> <span class="s">ecs</span> <span class="c1">############################################################</span> <span class="c1"># IAM ROLE</span> <span class="c1">############################################################</span> <span class="na">ExecutionRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-"</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">ServiceName</span><span class="pi">,</span> <span class="nv">ExecutionRole</span><span class="pi">]]</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">ecs-tasks.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sts:AssumeRole"</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"</span> <span class="na">TaskRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-"</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">ServiceName</span><span class="pi">,</span> <span class="nv">TaskRole</span><span class="pi">]]</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">ecs-tasks.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sts:AssumeRole"</span> <span class="c1">############################################################</span> <span class="c1"># SECURITY GROUP</span> <span class="c1">############################################################</span> <span class="na">ContainerSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-"</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">ServiceName</span><span class="pi">,</span> <span class="nv">ContainerSecurityGroup</span><span class="pi">]]</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RestVPC</span> <span class="na">SecurityGroupIngress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContainerPort</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContainerPort</span> <span class="na">SourceSecurityGroupId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">LoadBalancerSecurityGroup</span> <span class="na">LoadBalancerSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-"</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">ServiceName</span><span class="pi">,</span> <span class="nv">LoadBalancerSecurityGroup</span><span class="pi">]]</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RestVPC</span> <span class="na">SecurityGroupIngress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="c1">############################################################</span> <span class="c1"># ECS SERVICE</span> <span class="c1">############################################################</span> <span class="na">Service</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECS::Service</span> <span class="c1"># This dependency is needed so that the load balancer is setup correctly in time</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ApplicationLoadBalancer</span> <span class="pi">-</span> <span class="s">ALBHTTPListener</span> <span class="pi">-</span> <span class="s">ListenerRule</span> <span class="pi">-</span> <span class="s">TargetGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ServiceName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ServiceName</span> <span class="na">Cluster</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">Cluster</span> <span class="na">TaskDefinition</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TaskDefinition</span> <span class="na">DeploymentConfiguration</span><span class="pi">:</span> <span class="na">MinimumHealthyPercent</span><span class="pi">:</span> <span class="m">100</span> <span class="na">MaximumPercent</span><span class="pi">:</span> <span class="m">200</span> <span class="na">DesiredCount</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MinContainers</span> <span class="na">HealthCheckGracePeriodSeconds</span><span class="pi">:</span> <span class="m">300</span> <span class="na">LaunchType</span><span class="pi">:</span> <span class="s">FARGATE</span> <span class="na">NetworkConfiguration</span><span class="pi">:</span> <span class="na">AwsvpcConfiguration</span><span class="pi">:</span> <span class="na">AssignPublicIp</span><span class="pi">:</span> <span class="s">ENABLED</span> <span class="na">Subnets</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetOne</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetTwo</span> <span class="na">SecurityGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">ContainerSecurityGroup</span> <span class="na">LoadBalancers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ContainerName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ServiceName</span> <span class="na">ContainerPort</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContainerPort</span> <span class="na">TargetGroupArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TargetGroup</span> <span class="c1">############################################################</span> <span class="c1"># ECS TARGET GROUP</span> <span class="c1">############################################################</span> <span class="na">TargetGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ElasticLoadBalancingV2::TargetGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">HealthCheckIntervalSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">HealthCheckPath</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">HealthCheckPath</span> <span class="na">HealthCheckTimeoutSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">UnhealthyThresholdCount</span><span class="pi">:</span> <span class="m">2</span> <span class="na">HealthyThresholdCount</span><span class="pi">:</span> <span class="m">2</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-"</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">ServiceName</span><span class="pi">,</span> <span class="nv">TargetGroup</span><span class="pi">]]</span> <span class="na">Port</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContainerPort</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">TargetGroupAttributes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">deregistration_delay.timeout_seconds</span> <span class="na">Value</span><span class="pi">:</span> <span class="m">60</span> <span class="na">TargetType</span><span class="pi">:</span> <span class="s">ip</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">RestVPC</span> <span class="na">Matcher</span><span class="pi">:</span> <span class="na">HttpCode</span><span class="pi">:</span> <span class="m">200</span> <span class="c1">############################################################</span> <span class="c1"># APPLICATION LOAD BALANCER</span> <span class="c1">############################################################</span> <span class="na">ApplicationLoadBalancer</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ElasticLoadBalancingV2::LoadBalancer</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">LoadBalancerAttributes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">idle_timeout.timeout_seconds</span> <span class="na">Value</span><span class="pi">:</span> <span class="m">60</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-"</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">ServiceName</span><span class="pi">,</span> <span class="nv">ApplicationLoadBalancer</span><span class="pi">]]</span> <span class="na">Scheme</span><span class="pi">:</span> <span class="s">internet-facing</span> <span class="na">SecurityGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">LoadBalancerSecurityGroup</span> <span class="na">Subnets</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetOne</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnetTwo</span> <span class="na">ALBHTTPListener</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::ElasticLoadBalancingV2::Listener"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">LoadBalancerArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ApplicationLoadBalancer</span> <span class="na">DefaultActions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">FixedResponseConfig</span><span class="pi">:</span> <span class="na">StatusCode</span><span class="pi">:</span> <span class="m">200</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">fixed-response</span> <span class="na">Port</span><span class="pi">:</span> <span class="s2">"</span><span class="s">80"</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="c1"># ---- Applcation Load Balancer Listener Rule ---- #</span> <span class="na">ListenerRule</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::ElasticLoadBalancingV2::ListenerRule"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Actions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">TargetGroupArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TargetGroup</span> <span class="na">Conditions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Field</span><span class="pi">:</span> <span class="s">path-pattern</span> <span class="na">Values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">ListenerArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ALBHTTPListener</span> <span class="na">Priority</span><span class="pi">:</span> <span class="m">1</span> <span class="c1">############################################################</span> <span class="c1"># CLOUDWATCH LOG GROUPS</span> <span class="c1">############################################################</span> <span class="na">LogGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Logs::LogGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">LogGroupName</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">,</span> <span class="pi">[</span><span class="nv">/ecs/</span><span class="pi">,</span> <span class="kt">!Ref</span> <span class="nv">ServiceName</span><span class="pi">,</span> <span class="nv">TaskDefinition</span><span class="pi">]]</span> </code></pre> </div> <p>I named the template <code>ecs.yaml</code>. You can deploy it by running:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws cloudformation deploy <span class="nt">--template-file</span> ecs.yml <span class="nt">--stack-name</span> ecs-infrastructure <span class="nt">--capabilities</span> CAPABILITY_NAMED_IAM <span class="nt">--profile</span> default </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3wume9ww9yonnh6ciu6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl3wume9ww9yonnh6ciu6.png" alt="Deploy output"></a></p> <p>You can navigate to the <a href="https://us-east-1.console.aws.amazon.com/ecs/v2/clusters" rel="noopener noreferrer">ECS console</a> and confirm your cluster was created successfully.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fboi3gautjyn1efjrhimz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fboi3gautjyn1efjrhimz.png" alt="ECS Console"></a><br> You can also open the load balancer address to see if the container works as expected.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxadumj4mqge43c5j53v4.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxadumj4mqge43c5j53v4.png" alt="LB Address"></a></p> <h2> Cleanup </h2> <p>Always remember to delete resources you do not need, run:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws cloudformation delete-stack <span class="nt">--stack-name</span> ecs-infrastructure </code></pre> </div> <p>You can check the status of the stack to confirm if it was deleted successfully:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws cloudformation delete-stack <span class="nt">--stack-name</span> ecs-infrastructure </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuv6ppmns2r6jvbf33wiw.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuv6ppmns2r6jvbf33wiw.png" alt="Sample output"></a><br> Confirm the stack was deleted successfully; remember to clean up the ECR repository if you implemented that.</p> cloud aws serverless Oluwafemi Lawal Wed, 06 Jul 2022 11:20:18 +0000 https://dev.to/femilawal/creating-your-private-versions-of-public-docker-images-in-ecr-11f6 https://dev.to/femilawal/creating-your-private-versions-of-public-docker-images-in-ecr-11f6 <h2> Why do this? </h2> <p>One reason could be avoiding Docker Hub's free tier rate limits. If your team uses free Docker Hub, you might run into rate limits while pulling images into something like AWS CodeBuild. The rate limit is set to 100 pulls per 6 hours per IP address if you are anonymous and 200 pulls per 6 hours for authenticated users with a Docker ID.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Fctv-egY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ojo7m18j2ykkj3dcb0pd.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Fctv-egY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ojo7m18j2ykkj3dcb0pd.png" alt="Example of Docker Hub CodeBuild rate limit error" width="880" height="156"></a></p> <h2> Creation process </h2> <p>You can create an ECR Repository following <a href="https://dev.to/femilawal/creating-an-elastic-container-registry-repo-with-cloudformation-f5d">this guide</a>.<br> We will save an image of <a href="https://hub.docker.com/_/ubuntu">ubuntu</a><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MmL7fx_O--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1cnl0w2g2pt4j5yo2d0x.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MmL7fx_O--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1cnl0w2g2pt4j5yo2d0x.png" alt="Ubuntu docker hub page" width="880" height="424"></a><br> First, pull the docker image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker pull ubuntu:20.04 </code></pre> </div> <p>You should get an output similar to this:<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--qbRxTAfd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/24n5f0pzv2qd1ssk5nyo.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--qbRxTAfd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/24n5f0pzv2qd1ssk5nyo.png" alt="Docker Pull" width="880" height="138"></a><br> Then create a target image tag that refers to the source image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker tag ubuntu:20.04 YOUR_AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/ecr-repository </code></pre> </div> <p>Before you can push to ECR, you have to authenticate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ecr get-login-password <span class="nt">--region</span> us-east-1 | docker login <span class="nt">--username</span> AWS <span class="nt">--password-stdin</span> YOUR_AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com </code></pre> </div> <p>The output should be:<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--yna9KPWn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/vw1i8c08mmntvjfqtr04.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--yna9KPWn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/vw1i8c08mmntvjfqtr04.png" alt="Authentication success" width="880" height="89"></a><br> Then push the image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker push YOUR_AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/ecr-repository </code></pre> </div> <p>The output should be:<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Cu8PM9WX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8ei189pln0q3b32bnqen.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Cu8PM9WX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8ei189pln0q3b32bnqen.png" alt="ECR Push output" width="880" height="183"></a><br> You can confirm it's creation in the AWS console:<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--sstcerpK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bl993rtx0gjqyepnuvh2.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--sstcerpK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bl993rtx0gjqyepnuvh2.png" alt="ECR Repo in console" width="880" height="306"></a></p> <h2> Cleanup </h2> <p>Always remember to clean up resources you do not need.<br> First delete the image:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ecr batch-delete-image <span class="nt">--repository-name</span> ecr-repository <span class="nt">--image-ids</span> <span class="nv">imageTag</span><span class="o">=</span>latest </code></pre> </div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--yNz5Qist--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t3eoa4zyyckfitryz01b.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--yNz5Qist--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t3eoa4zyyckfitryz01b.png" alt="Delete image output" width="880" height="197"></a><br> Assuming you used the CloudFormation template from <a href="https://dev.to/femilawal/creating-an-elastic-container-registry-repo-with-cloudformation-f5d">this lesson</a>, delete the repository by running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation delete-stack <span class="nt">--stack-name</span> ecr-repository </code></pre> </div> aws docker devops Oluwafemi Lawal Tue, 05 Jul 2022 15:54:16 +0000 https://dev.to/femilawal/creating-an-elastic-container-registry-repo-with-cloudformation-f5d https://dev.to/femilawal/creating-an-elastic-container-registry-repo-with-cloudformation-f5d <h2> What is Amazon ECR? </h2> <p>A Container Registry is a centralized way to distribute and manage <a href="https://www.docker.com/resources/what-container/">container images</a>. Amazon ECR is simply a container registry that AWS provides, and you can create public and private images, just like on Docker Hub.</p> <h2> Why Amazon ECR? </h2> <h3> Ecosystem </h3> <p>Some teams prefer to keep all their services in the same ecosystem. In this case, AWS can make things much easier to manage and control user access. For example, you can use ECR instead of Docker Hub or Amazon Elastic Container Service (a fully managed container orchestration service) instead of Kubernetes (the de-facto standard for container orchestration). Instead, you can use Kubernetes on AWS with Amazon Elastic Kubernetes Service.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--M-IwqBeP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fmgzac9nangjygk0lwei.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--M-IwqBeP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fmgzac9nangjygk0lwei.jpg" alt="Picture of a cloud" width="880" height="573"></a></p> <h3> Rate limits </h3> <p>There is at least one other reason to use ECR, if your team uses free Docker Hub, you might run into rate limits while pulling images into something like AWS CodeBuild. The rate limit is set to 100 pulls per 6 hours per IP address if you are anonymous and 200 pulls per 6 hours for authenticated users with a Docker ID.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--aumVPoSs--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rcech10z6a4sg3aw88kp.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--aumVPoSs--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rcech10z6a4sg3aw88kp.png" alt="Example of Docker Hub CodeBuild rate limit error" width="880" height="124"></a></p> <p>The cheapest way to overcome this might be to add the image to your AWS accounts ECR and use that instead.</p> <h2> Creating the ECR Repository </h2> <p>You can create an ECR Repository manually in the <a href="https://us-east-1.console.aws.amazon.com/ecr/home">ECR console</a>, but we will focus on the CloudFormation method.<br> You can create a file called <code>ecr.yml</code> and paste the template below inside it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Description</span><span class="pi">:</span> <span class="pi">&gt;</span> <span class="s">This template creates ECR resources</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">IAMUserName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">IAM User Name</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">YOUR_USER_NAME"</span> <span class="na">AllowedPattern</span><span class="pi">:</span> <span class="s2">"</span><span class="s">[a-zA-Z0-9-_]+"</span> <span class="na">ConstraintDescription</span><span class="pi">:</span> <span class="s">must be a valid IAM user name</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">ECRRepository</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECR::Repository</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RepositoryName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AWS::StackName</span> <span class="na">RepositoryPolicyText</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AllowPushPull"</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">"</span><span class="pi">,</span> <span class="pi">[</span> <span class="s2">"</span><span class="s">arn:aws:iam::"</span><span class="pi">,</span> <span class="kt">!Ref</span> <span class="nv">AWS</span><span class="pi">::</span><span class="nv">AccountId</span><span class="pi">,</span> <span class="s2">"</span><span class="s">:user/"</span><span class="pi">,</span> <span class="kt">!Ref</span> <span class="nv">IAMUserName</span> <span class="pi">],</span> <span class="pi">]</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:GetDownloadUrlForLayer"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:BatchGetImage"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:BatchCheckLayerAvailability"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:PutImage"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:InitiateLayerUpload"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:UploadLayerPart"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ecr:CompleteLayerUpload"</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">ECRRepository</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">ECR repository</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ECRRepository</span> </code></pre> </div> <p>The above template is responsible for creating the repo and proving an IAM user, specified in the <code>YOUR_USER_NAME</code> parameter, the necessary permissions to use the repository. Please replace <code>YOUR_USER_NAME</code> with your actual IAM username, or the creation will fail.<br> To deploy the template, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation deploy <span class="nt">--template-file</span> ecr.yml <span class="nt">--stack-name</span> ecr-repository <span class="nt">--capabilities</span> CAPABILITY_NAMED_IAM <span class="nt">--profile</span> default <span class="nt">--parameter-overrides</span> <span class="nv">IAMUserName</span><span class="o">=</span>YOUR_USER_NAME </code></pre> </div> <p>and you will get an output similar to this:<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--WilB_WBK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2ecqevkm6fwlti7npqsn.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--WilB_WBK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2ecqevkm6fwlti7npqsn.png" alt="Command output" width="880" height="138"></a></p> <p>You can check the status of the stack creation by running<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>AWS cloudformation describe-stacks <span class="nt">--stack-name</span> ecr-repository </code></pre> </div> <p>If it created successfully, you should get an output similar to this with a <code>StackStatus</code> of <code>CREATE_COMPLETE</code>:<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--s_sr1U8H--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ynsuzvug90zcgwsyx206.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--s_sr1U8H--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ynsuzvug90zcgwsyx206.png" alt="Describe stacks output" width="880" height="447"></a><br> You can also check on the <a href="https://us-east-1.console.aws.amazon.com/cloudformation/home">CloudFormation console</a> in the region your default profile is set to.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--2QmaGlVp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/869dbl692lh0rpol1ds2.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--2QmaGlVp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/869dbl692lh0rpol1ds2.png" alt="CloudFormation Console" width="880" height="572"></a><br> Then in the ECR console, your repository should be there.<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--a4YN0DRb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/lspb6h4o3wdr9nmm3l7i.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--a4YN0DRb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/lspb6h4o3wdr9nmm3l7i.png" alt="ECR console" width="880" height="290"></a></p> <h2> Cleanup </h2> <p>Always clean up resources you don't need to avoid unexpected bills.<br> To delete to the repository, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation delete-stack <span class="nt">--stack-name</span> ecr-repository </code></pre> </div> <p>Confirm the delete was successful by checking the status of the stack,<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>AWS cloudformation describe-stacks <span class="nt">--stack-name</span> ecr-repository </code></pre> </div> <p>and you should get a response similar to this<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--X_9t0OTi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s5ip7yjr585ixihs0sky.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--X_9t0OTi--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s5ip7yjr585ixihs0sky.png" alt="Describe stack error" width="880" height="127"></a></p> <p>You can double-check in the AWS console to be sure.</p> aws cloud docker