DEV Community: Ravindu Fernando The latest articles on DEV Community by Ravindu Fernando (@ravindukrs). https://dev.to/ravindukrs https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1976720%2Ff8e52199-afc6-4c63-90c5-900e7de055af.jpg DEV Community: Ravindu Fernando https://dev.to/ravindukrs en A Production Ready EKS Deployment with IaC & GitOps - Part 5 - Deploying EKS Cluster Ravindu Fernando Sun, 02 Feb 2025 14:41:32 +0000 https://dev.to/ravindukrs/a-production-ready-eks-deployment-with-iac-gitops-part-5-deploying-eks-cluster-29bn https://dev.to/ravindukrs/a-production-ready-eks-deployment-with-iac-gitops-part-5-deploying-eks-cluster-29bn <blockquote> <p><strong>Refer here for corresponding Git commit: <a href="https://github.com/ravindukrs/eks-infrastructure/commit/d98ba0303062caf7ed4f1107d35464585ade7d2b" rel="noopener noreferrer">Provision EKS Cluster</a></strong></p> </blockquote> <p>In this article, we'll explore how to deploy the Amazon EKS cluster using Terraform. We'll examine each component and explain how to customize them for your specific requirements.</p> <p>For this EKS deployment, we'll add / make changes for these files:</p> <ul> <li> <code>eks.tf</code>: Contains the EKS cluster configuration</li> <li> <code>variables.tf</code>: Contains variable definitions</li> </ul> <h2> Adding the required the Variables </h2> <p>Let's start with the new variables in <code>variables.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"opsninja"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"worker_group_name"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"opsninja"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"cluster_creator_admin_permission"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Enable admin permissions to access Kubernetes API - "</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"cluster_endpoint_public_access"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Enable or disable public access to the EKS cluster endpoint"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"public_access_cidrs"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of CIDRs allowed for public access to the EKS cluster"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"coredns_addon_version"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Version of the CoreDNS addon"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"v1.11.3-eksbuild.2"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"kube_proxy_addon_version"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Version of the kube-proxy addon"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"v1.31.2-eksbuild.2"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_cni_addon_version"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Version of the VPC CNI addon"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"v1.19.0-eksbuild.1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"pod_identity_agent_addon_version"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Version of the POD IDENTITY addon"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"v1.3.2-eksbuild.2"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"app_namespace"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"opsninja"</span> <span class="p">}</span> </code></pre> </div> <h2> EKS Configuration Breakdown </h2> <p>Here's the complete configuration for the EKS cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"20.29.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.31"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">control_plane_subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">intra_subnets</span> <span class="nx">cluster_endpoint_private_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_endpoint_public_access</span> <span class="nx">cluster_endpoint_public_access_cidrs</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_access_cidrs</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_creator_admin_permission</span> <span class="nx">eks_managed_node_group_defaults</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ami_type</span> <span class="p">=</span> <span class="s2">"AL2_x86_64"</span> <span class="nx">disk_size</span> <span class="p">=</span> <span class="mi">100</span> <span class="p">}</span> <span class="nx">cluster_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">coredns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">coredns_addon_version</span> <span class="nx">resolve_conflicts</span> <span class="p">=</span> <span class="s2">"OVERWRITE"</span> <span class="p">}</span> <span class="nx">kube-proxy</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kube_proxy_addon_version</span> <span class="nx">resolve_conflicts</span> <span class="p">=</span> <span class="s2">"OVERWRITE"</span> <span class="p">}</span> <span class="nx">eks-pod-identity-agent</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">pod_identity_agent_addon_version</span> <span class="nx">resolve_conflicts</span> <span class="p">=</span> <span class="s2">"OVERWRITE"</span> <span class="p">}</span> <span class="nx">vpc-cni</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cni_addon_version</span> <span class="nx">resolve_conflicts</span> <span class="p">=</span> <span class="s2">"OVERWRITE"</span> <span class="nx">before_compute</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">configuration_values</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html</span> <span class="nx">ENABLE_PREFIX_DELEGATION</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">WARM_PREFIX_TARGET</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">enable_irsa</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">cluster_security_group_additional_rules</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">egress_nodes_ephemeral_ports_tcp</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"To node 1025-65535"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">1025</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">65535</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">source_node_security_group</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">node_security_group_additional_rules</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ingress_self_all</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Node to node all ports/protocols"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">self</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">egress_all</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Node all egress"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">ipv6_cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"::/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">opsninja-wg</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.worker_group_name}-${var.env}-wg"</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"m6a.xlarge"</span><span class="p">]</span> <span class="nx">create_security_group</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">attach_cluster_primary_security_group</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">6</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">iam_role_additional_policies</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">policy1</span> <span class="p">=</span> <span class="s2">"arn:${local.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"</span><span class="p">,</span> <span class="nx">policy_cw</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"</span> <span class="p">}</span> <span class="nx">pre_bootstrap_user_data</span> <span class="p">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> #!/bin/bash LINE_NUMBER=$(grep -n "KUBELET_EXTRA_ARGS=\$2" /etc/eks/bootstrap.sh | cut -f1 -d:) REPLACEMENT="\ \ \ \ \ \ KUBELET_EXTRA_ARGS=\$(echo \$2 | sed -s -E 's/--max-pods=[0-9]+/--max-pods=90/g')" sed -i '/KUBELET_EXTRA_ARGS=\$2/d' /etc/eks/bootstrap.sh sed -i "$${LINE_NUMBER}i $${REPLACEMENT}" /etc/eks/bootstrap.sh </span><span class="no"> EOT </span> <span class="p">}</span> <span class="p">}</span> <span class="nx">node_security_group_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"app_namespace"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app_namespace</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><em>Let's examine each part in detail:</em></p> <h3> Network Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">vpc_id</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">vpc</span><span class="err">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">vpc</span><span class="err">.</span><span class="nx">private_subnets</span> <span class="nx">control_plane_subnet_ids</span> <span class="err">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">vpc</span><span class="err">.</span><span class="nx">intra_subnets</span> <span class="nx">cluster_endpoint_private_access</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">cluster_endpoint_public_access</span> <span class="err">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">cluster_endpoint_public_access</span> <span class="nx">cluster_endpoint_public_access_cidrs</span> <span class="err">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">public_access_cidrs</span> </code></pre> </div> <p><strong>Customization Points</strong>:<br> We are referring to the VPC module we provisioned earlier to obtain most of the information.</p> <ul> <li> <code>cluster_endpoint_public_access</code>: Set to <code>false</code> for private-only clusters. However, in our case, we can set this to 'true' while we provision infrastructure.</li> <li> <code>public_access_cidrs</code>: Restrict access to specific IP ranges. In thr <code>variables.tf</code> we have set this to <code>0.0.0.0/0</code> which allows all IPs to access the Kubernetes API Server. This is insecure. If you have a bastion host or a server which you would like to access the EKS cluster with, you can enter that IP here. </li> <li>Control plane placed in intra subnets for enhanced security</li> <li>Worker nodes placed in private subnets</li> </ul> <h3> Node Group Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">eks_managed_node_group_defaults</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">ami_type</span> <span class="p">=</span> <span class="s2">"AL2_x86_64"</span> <span class="nx">disk_size</span> <span class="p">=</span> <span class="mi">100</span> <span class="p">}</span> <span class="nx">eks_managed_node_groups</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">opsninja-wg</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.worker_group_name}-${var.env}-wg"</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"m6a.xlarge"</span><span class="p">]</span> <span class="nx">create_security_group</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">attach_cluster_primary_security_group</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">6</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">iam_role_additional_policies</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">policy1</span> <span class="p">=</span> <span class="s2">"arn:${local.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"</span><span class="p">,</span> <span class="nx">policy_cw</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>In this configuration we are using the following specs. But you can customize them</strong>:</p> <ul> <li>Using Amazon Linux 2 AMI</li> <li>100GB root volume for container images and system files</li> <li>m6a.xlarge instances for good price/performance ratio</li> <li>Autoscaling configuration: min=1, max=6</li> <li>SSM and CloudWatch policies attached for monitoring and management</li> </ul> <h3> Add-ons Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">cluster_addons</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">coredns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">coredns_addon_version</span> <span class="nx">resolve_conflicts</span> <span class="p">=</span> <span class="s2">"OVERWRITE"</span> <span class="p">}</span> <span class="nx">kube-proxy</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">kube_proxy_addon_version</span> <span class="nx">resolve_conflicts</span> <span class="p">=</span> <span class="s2">"OVERWRITE"</span> <span class="p">}</span> <span class="nx">eks-pod-identity-agent</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">pod_identity_agent_addon_version</span> <span class="nx">resolve_conflicts</span> <span class="p">=</span> <span class="s2">"OVERWRITE"</span> <span class="p">}</span> <span class="nx">vpc-cni</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cni_addon_version</span> <span class="nx">resolve_conflicts</span> <span class="p">=</span> <span class="s2">"OVERWRITE"</span> <span class="nx">before_compute</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">configuration_values</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">env</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ENABLE_PREFIX_DELEGATION</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">WARM_PREFIX_TARGET</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Important notes</strong>:</p> <ul> <li>Update addon versions as new releases become available. In our case we have pinned the addon versions since terraform would otherwise show a drift everytime we apply.</li> <li>VPC CNI configured with prefix delegation for better IP address management. You can read more about it: <a href="https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html" rel="noopener noreferrer">here</a>. Without this configuration, there is a limit on number of IPs that are made available for a Node. To bypass this limitation, we have done a hack on <code>pre_bootstrap_user_data</code> aswell under eks_managed_node_group. More on that later in this article..</li> </ul> <h3> Security Group Rules </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">cluster_security_group_additional_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">egress_nodes_ephemeral_ports_tcp</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"To node 1025-65535"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">1025</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">65535</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">source_node_security_group</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">node_security_group_additional_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">ingress_self_all</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Node to node all ports/protocols"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">self</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">egress_all</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Node all egress"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="nx">ipv6_cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"::/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>What this configuration does:</strong>:</p> <ul> <li>Allows necessary communication between control plane and nodes</li> <li>Enables node-to-node communication for pod networking</li> <li>Permits outbound internet access for nodes</li> </ul> <h3> Bootstrap Customization </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">pre_bootstrap_user_data</span> <span class="err">=</span> <span class="o">&lt;&lt;-</span><span class="no">EOT</span><span class="sh"> #!/bin/bash LINE_NUMBER=$(grep -n "KUBELET_EXTRA_ARGS=\$2" /etc/eks/bootstrap.sh | cut -f1 -d:) REPLACEMENT="\ \ \ \ \ \ KUBELET_EXTRA_ARGS=\$(echo \$2 | sed -s -E 's/--max-pods=[0-9]+/--max-pods=90/g')" sed -i '/KUBELET_EXTRA_ARGS=\$2/d' /etc/eks/bootstrap.sh sed -i "$${LINE_NUMBER}i $${REPLACEMENT}" /etc/eks/bootstrap.sh </span><span class="no">EOT </span></code></pre> </div> <p><strong>Configuration Notes</strong>:</p> <ul> <li>Modifies max pods per node to 90</li> <li>However note that if you want to use a different AMI, the <code>pre_bootstrap_user_data</code> here might not work (Although it should work for atleast most of the Linux AMIs).</li> </ul> <h3> Namespace Creation </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"app_namespace"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app_namespace</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We are creating the namespace where our application will ultimately run aswell.</p> <h2> Accessing the cluster </h2> <p>Once you have applied the changes above through terraform, you will finally have your cluster created.</p> <p>To access your cluster, now you can configure kubectl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws eks update-kubeconfig <span class="nt">--name</span> &lt;cluster-name&gt; <span class="nt">--region</span> &lt;region&gt; </code></pre> </div> aws kubernetes gitops eks A Production Ready EKS Deployment with IaC & GitOps - Part 4 - Deploying VPC Ravindu Fernando Sun, 02 Feb 2025 12:03:43 +0000 https://dev.to/ravindukrs/a-production-ready-eks-deployment-with-iac-gitops-part-3-deploying-vpc-42nd https://dev.to/ravindukrs/a-production-ready-eks-deployment-with-iac-gitops-part-3-deploying-vpc-42nd <blockquote> <p><strong>Refer here for corresponding Git commit: <a href="https://github.com/ravindukrs/eks-infrastructure/commit/dae7324c953878b6e8a99dda0366631cbeb190bc" rel="noopener noreferrer">Deploying VPC</a></strong></p> </blockquote> <p>In this article, we'll explore how to set up a production-ready VPC for our Amazon EKS cluster using Terraform. We'll walk through each component and explain how you can customize them for your specific needs.</p> <h2> File Structure </h2> <p>For this VPC deployment, we'll work with two main files:</p> <ul> <li> <code>data.tf</code>: Contains data sources for AWS resources</li> <li> <code>vpc.tf</code>: Contains the VPC module configuration</li> </ul> <h2> Understanding the Data Sources </h2> <p>Let's start with <code>data.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_availability_zones"</span> <span class="s2">"available"</span> <span class="p">{</span> <span class="nx">filter</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"opt-in-status"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"opt-in-not-required"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-${var.env}"</span> <span class="p">}</span> </code></pre> </div> <p>This data source fetches available AWS Availability Zones (AZs) in our region that don't require opt-in. This ensures our VPC spans across reliable and readily available AZs.</p> <p>We have a local defined to append the environment to the cluster name we define in <code>variables.tf</code>.</p> <p><code>variables.tf</code> file would be updated with the following code block;<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"vpc_name"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"opsninja"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"opsninja"</span> <span class="p">}</span> </code></pre> </div> <h2> VPC Configuration Breakdown </h2> <p>Here's the complete configuration for the VPC.<br> <code>vpc.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"5.15.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.vpc_name}-${var.env}-vpc"</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="s2">"10.1.0.0/16"</span> <span class="nx">azs</span> <span class="p">=</span> <span class="nx">slice</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.1.1.0/24"</span><span class="p">,</span> <span class="s2">"10.1.2.0/24"</span><span class="p">,</span> <span class="s2">"10.1.3.0/24"</span><span class="p">]</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.1.4.0/24"</span><span class="p">,</span> <span class="s2">"10.1.5.0/24"</span><span class="p">,</span> <span class="s2">"10.1.6.0/24"</span><span class="p">]</span> <span class="nx">intra_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.1.7.0/24"</span><span class="p">,</span> <span class="s2">"10.1.8.0/24"</span><span class="p">,</span> <span class="s2">"10.1.9.0/24"</span><span class="p">]</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">public_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/cluster/${local.cluster_name}"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">private_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/cluster/${local.cluster_name}"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="mi">1</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now, let's examine each part of the VPC configuration in <code>vpc.tf</code>:</p> <h3> Module Source and Version </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"5.15.0"</span> </code></pre> </div> <p>We're using the official AWS VPC Terraform module. You can update the version number as newer releases become available.</p> <h3> VPC Naming </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">name</span> <span class="err">=</span> <span class="s2">"${var.vpc_name}-${var.env}-vpc"</span> </code></pre> </div> <p>The VPC name follows the format: <code>[vpc_name]-[environment]-vpc</code>. For example: <code>opsninja-prod-vpc</code></p> <p><strong>Customization Point</strong>: </p> <ul> <li>Modify <code>var.vpc_name</code> in <code>variables.tf</code> to match your project name</li> <li>The <code>env</code> variable determines the environment (prod, dev, etc.)</li> </ul> <h3> Network Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">cidr</span> <span class="err">=</span> <span class="s2">"10.1.0.0/16"</span> <span class="nx">azs</span> <span class="err">=</span> <span class="nx">slice</span><span class="err">(</span><span class="nx">data</span><span class="err">.</span><span class="nx">aws_availability_zones</span><span class="err">.</span><span class="nx">available</span><span class="err">.</span><span class="nx">names</span><span class="err">,</span> <span class="mi">0</span><span class="err">,</span> <span class="mi">3</span><span class="err">)</span> <span class="nx">private_subnets</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"10.1.1.0/24"</span><span class="p">,</span> <span class="s2">"10.1.2.0/24"</span><span class="p">,</span> <span class="s2">"10.1.3.0/24"</span><span class="p">]</span> <span class="nx">public_subnets</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"10.1.4.0/24"</span><span class="p">,</span> <span class="s2">"10.1.5.0/24"</span><span class="p">,</span> <span class="s2">"10.1.6.0/24"</span><span class="p">]</span> <span class="nx">intra_subnets</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"10.1.7.0/24"</span><span class="p">,</span> <span class="s2">"10.1.8.0/24"</span><span class="p">,</span> <span class="s2">"10.1.9.0/24"</span><span class="p">]</span> </code></pre> </div> <p><strong>Customization Points</strong>:</p> <ul> <li>CIDR Range: Modify <code>10.1.0.0/16</code> based on your network requirements. Note that Each pod requires its own IP address. Consider future growth in pod count. For 1000 pods: A /24 subnet (256 IPs) might be too small. For 5000+ pods: Consider larger subnets like /22 (1024 IPs) or bigger. Current configuration (/24) provides ~250 usable IPs per subnet.</li> <li> <p>Subnet CIDRs: Adjust subnet ranges ensuring they fall within your VPC CIDR. Private subnets host your worker nodes and pods. Size private subnets larger than public/intra subnets.<br> Example sizing for high pod density:<br> </p> <pre class="highlight hcl"><code> <span class="nx">private_subnets</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"10.1.0.0/22"</span><span class="p">,</span> <span class="s2">"10.1.4.0/22"</span><span class="p">,</span> <span class="s2">"10.1.8.0/22"</span><span class="p">]</span> <span class="c1"># ~1000 IPs each</span> <span class="nx">public_subnets</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"10.1.12.0/24"</span><span class="p">,</span> <span class="s2">"10.1.13.0/24"</span><span class="p">,</span> <span class="s2">"10.1.14.0/24"</span><span class="p">]</span> <span class="c1"># ~250 IPs each</span> <span class="nx">intra_subnets</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"10.1.15.0/24"</span><span class="p">,</span> <span class="s2">"10.1.16.0/24"</span><span class="p">,</span> <span class="s2">"10.1.17.0/24"</span><span class="p">]</span> <span class="c1"># ~250 IPs each</span> </code></pre> </li> <li><p>Number of AZs: The <code>slice</code> function selects the first 3 AZs, modify if needed</p></li> </ul> <h3> Network Features </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">enable_nat_gateway</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="err">=</span> <span class="kc">true</span> </code></pre> </div> <p><strong>Configuration Notes</strong>:</p> <ul> <li> <code>single_nat_gateway</code>: Set to <code>true</code> for cost optimization, set to <code>false</code> for high availability</li> <li> <code>enable_dns_hostnames</code>: Required for EKS functionality</li> <li>NAT Gateway: Required for private subnet internet access</li> </ul> <h3> Subnet Tagging </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">public_subnet_tags</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/cluster/${local.cluster_name}"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">private_subnet_tags</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/cluster/${local.cluster_name}"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="mi">1</span> <span class="s2">"karpenter.sh/discovery"</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="p">}</span> </code></pre> </div> <p>These tags are crucial for:</p> <ul> <li>EKS cluster networking</li> <li>Load balancer provisioning</li> <li>Karpenter node auto-discovery. We haven't deployed Karpenter yet, but since we are configuring the VPC, might as well add those tags.</li> </ul> aws terraform gitops kubernetes A Production Ready EKS Deployment with IaC & GitOps - Part 3 - Backend & Provider Configuration Ravindu Fernando Sun, 02 Feb 2025 10:20:30 +0000 https://dev.to/ravindukrs/a-production-ready-eks-deployment-with-iac-gitops-part-3-provisioning-eks-cluster-42mk https://dev.to/ravindukrs/a-production-ready-eks-deployment-with-iac-gitops-part-3-provisioning-eks-cluster-42mk <blockquote> <p><strong>Refer here for corresponding Git commit: <a href="https://github.com/ravindukrs/eks-infrastructure/commit/4cfc1d0a25fb32339c3765b3385cd31fc6428b16" rel="noopener noreferrer">Backend &amp; Provider Configuration</a></strong></p> </blockquote> <p>In this part of the series, we will provision an <strong>AWS EKS Cluster</strong> using <strong>Terraform</strong>. To maintain <strong>infrastructure as code (IaC)</strong>, we are using Terraform to define and manage the EKS cluster and related resources in an automated and repeatable manner. </p> <p>Before diving into the actual cluster provisioning, let’s go through the <strong>file structure</strong> and the <strong>Terraform backend &amp; provider configurations</strong> that will be used throughout this guide. </p> <h2> <strong>Terraform File Structure</strong> </h2> <p>Our initial Terraform setup is structured as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>├── terraform.tf ├── main.tf ├── variables.tf </code></pre> </div> <p>We will add more terraform files here for other components such as vpc, eks etc..</p> <h3> terraform.tf: The Foundation </h3> <p>The <code>terraform.tf</code> file serves as the foundational configuration file for our Terraform project. It contains two critical sections:</p> <ol> <li> <strong>Backend Configuration</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"opsninja-tf-state-prod"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"opsninja/v1/terraform-prod.tfstate"</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"opsninja-tf-state-prod"</span> <span class="p">}</span> </code></pre> </div> <p>In Part 2 of this article series we provisioned the S3 bucket and the DynamoDB table. You should use the same table name and bucket name here.</p> <p>This configuration specifies where Terraform should store its state file. Using an S3 bucket with DynamoDB for state locking is a common practice in production environments, ensuring safe concurrent access to the infrastructure state.</p> <p>Here's what each property does:</p> <ol> <li><p><code>bucket</code> - The name of the S3 bucket where Terraform will store the state file</p></li> <li><p><code>region</code> - The AWS region where the S3 bucket is located</p></li> <li> <p><code>key</code> - The path within the S3 bucket where the state file will be stored. In your case:</p> <ul> <li> <code>opsninja/v1/terraform-prod.tfstate</code> represents the full path to the state file</li> </ul> </li> <li><p><code>dynamodb_table</code> - The name of the DynamoDB table used for state locking. This prevents multiple users from modifying the infrastructure at the same time</p></li> </ol> <p>This configuration ensures your Terraform state is stored remotely and can be accessed securely by team members while preventing concurrent modifications.</p> <ol> <li> <strong>Provider Requirements</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"5.76.0"</span> <span class="p">}</span> <span class="c1"># Additional providers...</span> <span class="p">}</span> </code></pre> </div> <p>This section defines all the providers needed for our infrastructure and their specific versions, ensuring consistency across team members and environments.</p> <h3> main.tf: Provider Configuration </h3> <p>The <code>main.tf</code> file focuses on configuring the providers declared in <code>terraform.tf</code>. It contains the specific settings and authentication methods for each provider. Key aspects include:</p> <ol> <li> <strong>AWS Provider Configuration</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">profile</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">profile</span> <span class="nx">default_tags</span> <span class="p">{</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">application_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app</span> <span class="nx">application_env</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">env</span> <span class="nx">terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">managed_by</span> <span class="p">=</span> <span class="s2">"Terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This configuration sets up AWS-specific settings, including default tags that will be applied to all resources.</p> <ol> <li> <strong>Kubernetes-Related Providers</strong> The file also includes configurations for kubectl, kubernetes, and helm providers, all necessary for managing Kubernetes resources.</li> </ol> <h3> variables.tf: Variable Definitions </h3> <p>The <code>variables.tf</code> file defines all the variables used across our Terraform configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Application name"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"opsninja"</span> <span class="p">}</span> </code></pre> </div> <p>This file makes our configuration more flexible and reusable across different environments.</p> <p>Now that we have a clear idea about what our project structure is, you can add the following files to your terraform project.</p> <p><code>terraform.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span><span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"opsninja-tf-state-prod"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"opsninja/v1/terraform-prod.tfstate"</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"opsninja-tf-state-prod"</span> <span class="p">}</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"5.76.0"</span> <span class="p">}</span> <span class="nx">random</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/random"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.5.1"</span> <span class="p">}</span> <span class="nx">tls</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/tls"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 4.0.4"</span> <span class="p">}</span> <span class="nx">cloudinit</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/cloudinit"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.3.2"</span> <span class="p">}</span> <span class="nx">helm</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/helm"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 2.11.0"</span> <span class="p">}</span> <span class="nx">kubectl</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"alekc/kubectl"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"&gt;= 2.0.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"~&gt; 1.3"</span> <span class="p">}</span> </code></pre> </div> <p><code>main.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">profile</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">profile</span> <span class="nx">default_tags</span> <span class="p">{</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">application_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app</span> <span class="nx">application_env</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">env</span> <span class="nx">terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">managed_by</span> <span class="p">=</span> <span class="s2">"Terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"kubectl"</span> <span class="p">{</span> <span class="nx">apply_retry_count</span> <span class="p">=</span> <span class="mi">15</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span><span class="p">)</span> <span class="nx">load_config_file</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">exec</span> <span class="p">{</span> <span class="nx">api_version</span> <span class="p">=</span> <span class="s2">"client.authentication.k8s.io/v1beta1"</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eks"</span><span class="p">,</span> <span class="s2">"get-token"</span><span class="p">,</span> <span class="s2">"--cluster-name"</span><span class="p">,</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span><span class="p">)</span> <span class="nx">exec</span> <span class="p">{</span> <span class="nx">api_version</span> <span class="p">=</span> <span class="s2">"client.authentication.k8s.io/v1beta1"</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eks"</span><span class="p">,</span> <span class="s2">"get-token"</span><span class="p">,</span> <span class="s2">"--cluster-name"</span><span class="p">,</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"helm"</span> <span class="p">{</span> <span class="nx">kubernetes</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span><span class="p">)</span> <span class="nx">exec</span> <span class="p">{</span> <span class="nx">api_version</span> <span class="p">=</span> <span class="s2">"client.authentication.k8s.io/v1beta1"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eks"</span><span class="p">,</span> <span class="s2">"get-token"</span><span class="p">,</span> <span class="s2">"--cluster-name"</span><span class="p">,</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span><span class="p">]</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>variables.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1">##### Globals #####</span> <span class="nx">variable</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Application name. Used as a prefix to most resources created (Ex: Policies)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"opsninja"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"env"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment. Used to prefix most resources to identify resources environment-wise"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"prod"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS region"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"profile"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS Profile. Used to provision resources"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> </code></pre> </div> aws eks terraform gitops A Production Ready EKS Deployment with IaC & GitOps - Part 2 - Configuring Terraform Backend & Validate Prerequisites Ravindu Fernando Sun, 02 Feb 2025 07:58:45 +0000 https://dev.to/ravindukrs/a-production-ready-eks-deployment-with-gitops-part-2-configuring-terraform-backend-validate-29i8 https://dev.to/ravindukrs/a-production-ready-eks-deployment-with-gitops-part-2-configuring-terraform-backend-validate-29i8 <blockquote> <p><strong>Refer here for corresponding Git commit: <a href="https://github.com/ravindukrs/eks-infrastructure/commit/ee3b6d69e6baa9194f0af4580339a9b9b18c3975" rel="noopener noreferrer">Provision Terraform Backend<br> </a></strong></p> </blockquote> <h2> <strong>Pre-requisites</strong> </h2> <p>Throughout this guide, all infrastructure and applications will either be named or prefixed with "opsninja" for easy identification. Our deployments will take place in the us-east-1 region.</p> <p>Before we start deploying our <strong>AWS EKS cluster</strong> using <strong>Terraform</strong>, we need to ensure that the required tools are installed and properly configured.</p> <h3> <strong>1. Install AWS CLI v2</strong> </h3> <p>The <strong>AWS CLI (Command Line Interface) v2</strong> is required to interact with AWS services. To install it, follow these steps:</p> <h4> <strong>For macOS</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>awscli </code></pre> </div> <h4> <strong>For Linux</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="s2">"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"</span> <span class="nt">-o</span> <span class="s2">"awscliv2.zip"</span> unzip awscliv2.zip <span class="nb">sudo</span> ./aws/install </code></pre> </div> <h4> <strong>For Windows</strong> </h4> <ol> <li>Download the installer from the official AWS website: <a href="https://aws.amazon.com/cli/" rel="noopener noreferrer">AWS CLI v2</a> </li> <li>Run the installer and follow the setup instructions.</li> <li>Verify the installation: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> aws <span class="nt">--version</span> </code></pre> </div> <p>You should see an output similar to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> aws-cli/2.x.x Python/x.x.x Linux/x86_64 </code></pre> </div> <h3> <strong>2. Install Helm (Kubernetes Package Manager)</strong> </h3> <p>Helm is a package manager for Kubernetes that simplifies the deployment of applications and services.</p> <h4> <strong>For macOS</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>helm </code></pre> </div> <h4> <strong>For Linux</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash </code></pre> </div> <h4> <strong>For Windows (using Chocolatey)</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>choco <span class="nb">install </span>kubernetes-helm </code></pre> </div> <p>Verify the installation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm version </code></pre> </div> <p>You should see an output similar to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>version.BuildInfo{Version:"v3.x.x", GitCommit:"xxxx", GoVersion:"go1.x.x"} </code></pre> </div> <h3> <strong>3. Install AWS IAM Authenticator</strong> </h3> <p>The <strong>AWS IAM Authenticator</strong> is required for authentication with the Amazon EKS cluster.</p> <h4> <strong>For macOS</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>aws-iam-authenticator </code></pre> </div> <h4> <strong>For Linux</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-o</span> aws-iam-authenticator https://amazon-eks.s3.us-west-2.amazonaws.com/1.24.3/2022-06-24/bin/linux/amd64/aws-iam-authenticator <span class="nb">chmod</span> +x ./aws-iam-authenticator <span class="nb">mv</span> ./aws-iam-authenticator /usr/local/bin/ </code></pre> </div> <h4> <strong>For Windows</strong> </h4> <p>Download the binary from the <a href="https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html" rel="noopener noreferrer">official AWS EKS release</a> and add it to your system's PATH.</p> <p>Verify the installation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws-iam-authenticator version </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{"Version":"0.x.x","Commit":"xxxx"} </code></pre> </div> <h3> <strong>4. Configure AWS CLI with a Profile Named <code>terraform</code></strong> </h3> <p>We will be using a dedicated AWS CLI profile called <strong><code>terraform</code></strong> to provision our infrastructure with Terraform.</p> <h4> <strong>Run the following command to configure AWS CLI with the <code>terraform</code> profile:</strong> </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure <span class="nt">--profile</span> terraform </code></pre> </div> <p>You'll be prompted to enter your AWS credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Access Key ID [None]: &lt;YOUR_ACCESS_KEY&gt; AWS Secret Access Key [None]: &lt;YOUR_SECRET_KEY&gt; Default region name [None]: us-east-1 Default output format [None]: json </code></pre> </div> <h4> <strong>Verify the Profile</strong> </h4> <p>To check if the profile is configured correctly, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure list <span class="nt">--profile</span> terraform </code></pre> </div> <p>or list all available profiles:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure list-profiles </code></pre> </div> <p>This profile will be used throughout this guide to authenticate and interact with AWS when deploying infrastructure using Terraform.</p> <h3> <strong>5. Validate AWS Configuration</strong> </h3> <p>To confirm that the AWS CLI and profile are correctly set up, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts get-caller-identity <span class="nt">--profile</span> terraform </code></pre> </div> <p>This should return details of the authenticated IAM user or role.</p> <p>With <strong>AWS CLI, Helm, and AWS IAM Authenticator installed</strong> and the <strong><code>terraform</code></strong> profile configured, we are now ready to proceed with <strong>configuring the Terraform backend</strong></p> <h2> <strong>Configuring the Terraform Backend</strong> </h2> <blockquote> <p>Throughout this guide, all infrastructure and applications will either be named or prefixed with "opsninja" for easy identification. Our deployments will take place in the us-east-1 region.</p> </blockquote> <p>For <strong>better state management</strong>, we will configure a <strong>Terraform backend</strong> using <strong>AWS S3</strong> and <strong>DynamoDB</strong>. This will allow us to store our Terraform state remotely and enable state locking to prevent conflicts in collaborative environments. </p> <h3> <strong>Terraform Backend Configuration (<code>main.tf</code>)</strong> </h3> <p>Below is the <strong>Terraform backend configuration</strong>, which uses an S3 bucket for state storage and a DynamoDB table for state locking.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">profile</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"terraform_state_bucket"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">s3_bucket_name</span> <span class="nx">versioning</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">server_side_encryption_configuration</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">apply_server_side_encryption_by_default</span> <span class="p">{</span> <span class="nx">sse_algorithm</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">prevent_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">s3_bucket_name</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">App</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"Terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_dynamodb_table"</span> <span class="s2">"terraform_lock_table"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">dynamodb_table_name</span> <span class="nx">billing_mode</span> <span class="p">=</span> <span class="s2">"PAY_PER_REQUEST"</span> <span class="nx">hash_key</span> <span class="p">=</span> <span class="s2">"LockID"</span> <span class="nx">attribute</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"LockID"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"S"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">dynamodb_table_name</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">App</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"Terraform"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> <strong>Terraform Variables (<code>variables.tf</code>)</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"App Name"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"opsninja"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS region"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"s3_bucket_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the S3 bucket for storing Terraform state"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"opsninja-tf-state-prod"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"dynamodb_table_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the DynamoDB table for state locking"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"opsninja-tf-state-prod"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment for tagging purposes (e.g., dev, prod)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"prod"</span> <span class="p">}</span> </code></pre> </div> <h3> <strong>Terraform Output (<code>output.tf</code>)</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"s3_bucket_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">terraform_state_bucket</span><span class="p">.</span><span class="nx">bucket</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"dynamodb_table_name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_dynamodb_table</span><span class="p">.</span><span class="nx">terraform_lock_table</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <h2> <strong>Deploying the Terraform Backend</strong> </h2> <p>Once the backend is defined, <strong>apply Terraform</strong> using the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init terraform apply </code></pre> </div> <h2> <strong>Deployment Output and State Management</strong> </h2> <p>Once the deployment is complete, the output will display the <strong>S3 bucket</strong> and <strong>DynamoDB table</strong> that were created. <strong>Make sure to note these values</strong>, as they will be required for future steps in this guide.</p> <p>Additionally, the <strong>state file for backend provisioning is saved locally</strong>. This file must be preserved, as it is necessary to manage the lifecycle of the S3 bucket and DynamoDB table in the future.</p> eks terraform kubernetes aws A Production Ready EKS Deployment with IaC & GitOps - Part 1 - Introduction Ravindu Fernando Sun, 25 Aug 2024 15:11:12 +0000 https://dev.to/ravindukrs/a-production-ready-eks-deployment-with-gitops-part-1-introduction-89i https://dev.to/ravindukrs/a-production-ready-eks-deployment-with-gitops-part-1-introduction-89i <h2> Introduction to AWS EKS Deployment </h2> <p>This series is designed to take you through the process of deploying a production-ready application on AWS EKS (Elastic Kubernetes Service) from scratch. Whether you're a beginner developer or someone looking to refine your skills, this series will help you confidently set up and deploy your application in the least amount of time, without the need to dig through extensive documentation.</p> <h2> <strong>What We Will Cover</strong> </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm97a2cb2i4r5hnpx68rc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm97a2cb2i4r5hnpx68rc.png" alt="Series Overview" width="800" height="450"></a> </p> <p>This article series will guide you through deploying and managing an <strong>AWS EKS</strong> cluster, integrating essential services, and automating your workflows. Below is an overview of the steps we will take.</p> <h3> <strong>1. Configuring Terraform Backend and Validating Pre-requisites</strong> </h3> <p>Before deploying our infrastructure, we'll configure the <strong>Terraform backend</strong> to store our state securely and validate pre-requisites to ensure we have the required permissions and dependencies in place.</p> <h3> <strong>2. Provisioning an AWS EKS Cluster with Terraform</strong> </h3> <p>Using <strong>Terraform</strong>, we'll provision an <strong>AWS EKS cluster</strong> along with essential resources such as <strong>Elastic File System (EFS)</strong>, <strong>Storage Classes (SC)</strong>, and other networking components.</p> <h3> <strong>3. Setting Up Cluster Autoscaler</strong> </h3> <p>We'll configure <strong>Cluster Autoscaler</strong>, which dynamically adjusts the number of nodes in your cluster based on workload demands, optimizing resource usage and cost.</p> <h3> <strong>4. Deploying &amp; Configuring Karpenter for Node Provisioning</strong> </h3> <p>We will deploy <strong>Karpenter</strong>, an advanced node provisioning tool for Kubernetes, and set up <strong>IAM roles, instance profiles, and policies</strong> to enable automated scaling.</p> <h3> <strong>5. Enabling CloudWatch Container Insights for Monitoring</strong> </h3> <p>Once Karpenter is deployed, we'll enable <strong>AWS CloudWatch Container Insights</strong> to gain visibility into cluster metrics, logs, and resource utilization.</p> <h3> <strong>6. Setting Up an Ingress Controller on EKS</strong> </h3> <p>We'll configure an <strong>Ingress Controller</strong>, a crucial component for managing external access to services within the cluster, ensuring your applications are securely exposed.</p> <h3> <strong>7. Installing ArgoCD for GitOps-based Deployment</strong> </h3> <p>We'll install and configure <strong>ArgoCD</strong>, a declarative <strong>GitOps</strong> tool that automates deployments and ensures version-controlled application rollouts.</p> <h3> <strong>8. Using EFS Mounts in Containers</strong> </h3> <p>You'll learn how to create <strong>Persistent Volumes (PVs)</strong> and <strong>Persistent Volume Claims (PVCs)</strong> to mount <strong>AWS EFS</strong> inside your containers, enabling stateful applications.</p> <h3> <strong>9. Deploying a Sample Application with ArgoCD</strong> </h3> <p>With our infrastructure ready, we'll deploy a <strong>sample application</strong> using ArgoCD to demonstrate <strong>continuous deployment and GitOps practices</strong>.</p> <h3> <strong>10. Configuring Application Load Balancer as an Ingress Controller</strong> </h3> <p>We'll set up an <strong>AWS Application Load Balancer (ALB)</strong> as an ingress solution, allowing efficient routing of external traffic to your services.</p> <h3> <strong>11. DNS Propagation to Application Load Balancer from a Custom Domain</strong> </h3> <p>You'll learn how to configure <strong>DNS propagation</strong> to map your custom domain to the <strong>ALB</strong>, making your application accessible via a user-friendly URL.</p> <h3> <strong>12. Adding SSL Certificates for Secure Communication</strong> </h3> <p>To secure traffic to your application, we'll integrate <strong>SSL/TLS certificates</strong>, ensuring encrypted connections and HTTPS accessibility.</p> <p>This structured approach ensures you gain a <strong>comprehensive understanding of AWS EKS</strong>, from cluster setup to automated deployment and monitoring. Stay tuned as we explore each topic in depth and build a <strong>fully functional EKS environment</strong> from the ground up! 🚀</p> eks terraform gitops argocd