terraform-aws-eks
Production-grade EKS cluster with managed node groups, Fargate, IRSA, add-ons, and EKS Access API
Terraform ≥ 1.5.0
AWS Provider ≥ 5.20.0
Kubernetes 1.25+
Encryption Enabled
Executive Summary
This module provisions a fully managed Amazon EKS cluster with support for multiple managed node groups (ON_DEMAND and SPOT), Fargate profiles for serverless pods, IAM Roles for Service Accounts (IRSA) via OIDC federation, managed add-ons (vpc-cni, coredns, kube-proxy, ebs-csi-driver, pod-identity-agent), and the EKS Access API for fine-grained authentication and authorization. Security hardening includes KMS envelope encryption for secrets, IMDSv2 enforcement, private endpoint access, encrypted EBS volumes, and least-privilege IAM roles per node group. CloudWatch Logs captures all five control plane log types with configurable retention.
Overview
Resources Created: 12+ (cluster, node groups, Fargate, SGs, IAM, OIDC, KMS, CW Logs, add-ons, access entries)
Input Variables: 16 (cluster_name, cluster_version, vpc_id, subnet_ids, managed_node_groups, etc.)
Outputs: 17 (cluster_id, cluster_endpoint, oidc_provider_arn, node_group_arns, kms_key_arn, etc.)
Submodules: 3 (node-group, fargate-profile, irsa)
Architecture Diagram
EKS Control Plane: API Server (Multi-AZ)
↓
OIDC Provider (IRSA) | KMS Key (envelope encryption) | Access Entries (AuthN / AuthZ)
↓
System Nodes (ON_DEMAND) | App Nodes (ON_DEMAND) | Spot Nodes (cost-optimized) | GPU Nodes (g5.2xlarge) | Fargate (serverless pods)
↓
Add-ons: vpc-cni | coredns | kube-proxy | ebs-csi-driver | pod-identity-agent
↓
Cluster SG (API access) | Node SG (workers) | CloudWatch Logs (5 log types)
Component Breakdown
EKS Cluster
aws_eks_cluster with configurable K8s version (1.25+)
Private + public endpoint access control
API_AND_CONFIG_MAP authentication mode (EKS Access API alongside the legacy aws-auth ConfigMap, so existing ConfigMap mappings keep working during migration)
Envelope encryption for secrets via KMS
All 5 control plane log types (api, audit, authenticator, controllerManager, scheduler) enabled by default
Managed Node Groups
for_each driven -- deploy any number of groups
Launch templates with IMDSv2, encrypted EBS (gp3)
ON_DEMAND or SPOT capacity types
AL2, AL2023, Bottlerocket, GPU AMI types
Labels, taints, per-group IAM roles
Fargate Profiles
Namespace-based pod selectors with label matching
Dedicated pod execution IAM role
Custom subnet placement support
Add-ons & Access
Managed add-ons: vpc-cni, coredns, kube-proxy, ebs-csi, pod-identity
OVERWRITE / NONE / PRESERVE conflict resolution
EKS Access Entries with policy associations
Namespace-scoped or cluster-scoped access
Data Flow
Clients authenticate via EKS Access API or kubeconfig (OIDC/IAM)
API requests hit the EKS Control Plane through private or public endpoint
Control plane communicates with worker nodes via ENIs in control plane subnets
Node groups launch EC2 instances via launch templates in private subnets
Pods use IRSA for per-service-account AWS credentials via STS AssumeRoleWithWebIdentity
Kubernetes secrets are encrypted at rest using KMS envelope encryption
Control plane logs stream to CloudWatch Log Group with configurable retention
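The IRSA step in the data flow above, as an added example that is not part of this module's code: it shows the trust policy that binds one IAM role to one Kubernetes service account via the cluster's OIDC provider. It assumes the module is instantiated as `module.eks` and exposes the `oidc_provider_arn` output listed on this page; the `payments` namespace, the `payments-api` service account, the S3 bucket and the configured `kubernetes` provider are illustrative placeholders.

```hcl
# Added example (not the module's own code): IRSA trust + permissions for one
# service account. Assumes `module.eks.oidc_provider_arn` exists; namespace,
# service account name and bucket are placeholders.

locals {
  # "arn:aws:iam::123456789012:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/ABCD"
  # -> "oidc.eks.eu-west-1.amazonaws.com/id/ABCD", the issuer host used as the
  # prefix of the condition keys below.
  oidc_issuer  = element(split(":oidc-provider/", module.eks.oidc_provider_arn), 1)
  sa_namespace = "payments"
  sa_name      = "payments-api"
}

data "aws_iam_policy_document" "payments_api_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.eks.oidc_provider_arn]
    }

    # Pin the role to exactly one service account. Without this `sub` condition,
    # any pod whose projected token is signed by this issuer could assume the role.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      values   = ["system:serviceaccount:${local.sa_namespace}:${local.sa_name}"]
    }

    # Reject tokens minted for a different audience (confused-deputy check).
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "payments_api" {
  name                 = "eks-payments-api"
  assume_role_policy   = data.aws_iam_policy_document.payments_api_trust.json
  max_session_duration = 3600
}

# Least-privilege permissions: only the objects this workload actually touches.
data "aws_iam_policy_document" "payments_api_permissions" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::example-payments-ledger/*"] # placeholder bucket
  }
}

resource "aws_iam_role_policy" "payments_api" {
  name   = "payments-ledger-access"
  role   = aws_iam_role.payments_api.id
  policy = data.aws_iam_policy_document.payments_api_permissions.json
}

# The annotation is what the EKS pod identity webhook keys on: pods using this
# service account get AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE injected and
# the SDK calls AssumeRoleWithWebIdentity with the projected token.
# Assumes a `kubernetes` provider configured against this cluster.
resource "kubernetes_service_account" "payments_api" {
  metadata {
    name      = local.sa_name
    namespace = local.sa_namespace
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.payments_api.arn
    }
  }
}
```

Both conditions matter: the `sub` match is the per-service-account scoping, and the `aud` match stops a token issued for some other relying party on the same issuer from being replayed against STS. A wildcard such as `system:serviceaccount:payments:*` (with `StringLike`) widens the trust to every service account in the namespace and should be a deliberate choice, not the default.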
Security Controls
Control | Implementation | Default
Endpoint Access | Private-only API endpoint | private=true, public=false
Secrets Encryption | KMS envelope encryption | enable_cluster_encryption=true
IMDSv2 | Launch template enforces http_tokens=required | Always enforced
EBS Encryption | KMS-encrypted gp3 volumes | encrypted=true
IAM Isolation | Per-node-group IAM roles, Fargate execution role | Least-privilege
IRSA | OIDC provider for pod-level IAM | enable_irsa=true
Network | Cluster SG (API) + Node SG (workers) | Restricted ingress
Audit Logging | All 5 control plane log types | 90-day retention
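The IMDSv2 and EBS rows above correspond to settings on the node launch template. The following is an added illustration of those settings as the underlying AWS resources, so they can be reviewed or reproduced outside the module; it is not the module's own code. `module.eks.kms_key_arn` is the module output listed on this page, while `var.cluster_name`, `var.subnet_ids` and the `aws_iam_role.app_nodes` node role are assumed to be defined elsewhere in the root module.

```hcl
# Added example (not the module's code): launch-template hardening behind the
# IMDSv2 and EBS encryption controls, attached to one managed node group.
# Assumes var.cluster_name, var.subnet_ids and aws_iam_role.app_nodes exist.

resource "aws_launch_template" "app_nodes" {
  name_prefix            = "eks-app-"
  update_default_version = true

  metadata_options {
    http_endpoint = "enabled"
    # IMDSv2 only: every metadata read must present a session token obtained
    # with a PUT, which a plain SSRF GET from a compromised container cannot do.
    http_tokens = "required"
    # Hop limit 1: the PUT response cannot cross the extra hop that pods on the
    # secondary-ENI / bridge path introduce, so non-hostNetwork pods cannot reach
    # the node role's credentials even though IMDSv2 is enabled.
    http_put_response_hop_limit = 1
    instance_metadata_tags      = "disabled"
  }

  block_device_mappings {
    device_name = "/dev/xvda" # root device of the AL2 / AL2023 EKS AMIs
    ebs {
      volume_size           = 50
      volume_type           = "gp3"
      encrypted             = true
      kms_key_id            = module.eks.kms_key_arn # customer-managed key
      delete_on_termination = true
    }
  }

  # No key_name: node access goes through SSM Session Manager, not port 22.
}

resource "aws_eks_node_group" "app" {
  cluster_name    = var.cluster_name
  node_group_name = "app"
  node_role_arn   = aws_iam_role.app_nodes.arn # per-group role, defined elsewhere
  subnet_ids      = var.subnet_ids              # private subnets
  capacity_type   = "ON_DEMAND"
  instance_types  = ["m6i.large"]
  ami_type        = "AL2023_x86_64_STANDARD"

  # With a custom launch template, disk_size and remote_access must not be set
  # on the node group; they come from the template instead.
  launch_template {
    id      = aws_launch_template.app_nodes.id
    version = aws_launch_template.app_nodes.latest_version
  }

  scaling_config {
    desired_size = 2
    min_size     = 2
    max_size     = 6
  }

  update_config {
    max_unavailable = 1
  }
}
```

One caveat when the root volume is encrypted with a customer-managed key: the key policy must allow the Auto Scaling service-linked role (`AWSServiceRoleForAutoScaling`) to use the key and create grants, otherwise instances fail to launch with no obvious error in the node group itself. The hop limit of 1 also means any workload that legitimately needs IMDS (for example a pod without IRSA) must run with `hostNetwork: true`, which is a strong signal that it should be given an IRSA role instead.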
Industry Adaptation
Financial Services
Enable KMS encryption + 365-day log retention
Private endpoint only, no public access
Dedicated system node group with taints
Access Entries for RBAC compliance
Healthcare / HIPAA
Customer-managed KMS keys for audit trail
EBS encryption on all volumes
VPC-isolated control plane subnets
IMDSv2 enforcement (session token required) mitigates SSRF-style theft of node credentials from the instance metadata service
SaaS / Multi-Tenant
Spot node groups for cost optimization
Fargate profiles for tenant isolation
Namespace-scoped access policies
Multiple add-ons for platform services
Production Readiness Checklist
Set cluster_endpoint_public_access = false
Enable KMS encryption for secrets and EBS
Configure at least 2 subnets across AZs
Use separate control_plane_subnet_ids (intra subnets)
Deploy system node group with CriticalAddonsOnly taint
Set cluster_log_retention_days = 365 for compliance
Configure IRSA for workload IAM
Install managed add-ons (vpc-cni, coredns, kube-proxy, ebs-csi)
Define access_entries for cluster RBAC
Tag all resources with Environment, Team, ManagedBy
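A root-module invocation that works through the checklist above, as an added example rather than code shipped with this module. The top-level variable names (`cluster_name`, `cluster_version`, `vpc_id`, `subnet_ids`, `control_plane_subnet_ids`, `cluster_endpoint_public_access`, `enable_cluster_encryption`, `enable_irsa`, `cluster_log_retention_days`, `managed_node_groups`, `fargate_profiles`, `cluster_addons`, `access_entries`) are the ones documented on this page; the attribute names inside the `map(object)` inputs, the `tags` input, the `source` path and the account/role ARNs are assumptions and must be checked against the module's `variables.tf`.

```hcl
# Added example (not part of the module): hardened production invocation.
# Object attribute names, `tags`, `source` and all ARNs are assumptions.

module "eks" {
  source = "./modules/terraform-aws-eks" # assumed path

  cluster_name    = "prod-eu-west-1"
  cluster_version = "1.29"
  vpc_id          = var.vpc_id
  subnet_ids      = var.private_subnet_ids # worker subnets, >= 2 AZs
  # Intra subnets (no NAT route) for the control plane ENIs.
  control_plane_subnet_ids = var.intra_subnet_ids

  cluster_endpoint_public_access = false # private endpoint only
  enable_cluster_encryption      = true  # KMS envelope encryption for Secrets
  enable_irsa                    = true
  cluster_log_retention_days     = 365

  managed_node_groups = {
    system = {
      instance_types = ["m6i.large"]
      capacity_type  = "ON_DEMAND"
      ami_type       = "AL2023_x86_64_STANDARD"
      min_size       = 2
      max_size       = 4
      desired_size   = 2
      labels         = { "node-role" = "system" }
      # Keeps application pods off this group; managed add-ons tolerate it.
      taints = [{ key = "CriticalAddonsOnly", value = "true", effect = "NO_SCHEDULE" }]
    }
    app_spot = {
      # Several equivalent types so Spot can pick whichever pool has capacity.
      instance_types = ["m6i.large", "m6a.large", "m5.large"]
      capacity_type  = "SPOT"
      ami_type       = "AL2023_x86_64_STANDARD"
      min_size       = 0
      max_size       = 20
      desired_size   = 3
      labels         = { "node-role" = "app", "lifecycle" = "spot" }
      taints         = []
    }
  }

  fargate_profiles = {
    batch = {
      selectors = [{ namespace = "batch", labels = { compute = "fargate" } }]
    }
  }

  # Keys are the official EKS add-on names (the page's short forms "ebs-csi-driver"
  # and "pod-identity-agent" map to aws-ebs-csi-driver / eks-pod-identity-agent).
  cluster_addons = {
    vpc-cni                = { resolve_conflicts = "OVERWRITE" }
    coredns                = { resolve_conflicts = "OVERWRITE" }
    kube-proxy             = { resolve_conflicts = "OVERWRITE" }
    aws-ebs-csi-driver     = { resolve_conflicts = "OVERWRITE" }
    eks-pod-identity-agent = { resolve_conflicts = "OVERWRITE" }
  }

  access_entries = {
    platform_admins = {
      principal_arn = "arn:aws:iam::123456789012:role/platform-admin" # placeholder
      policy_associations = [{
        policy_arn   = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
        access_scope = { type = "cluster", namespaces = [] }
      }]
    }
    ci_deployer = {
      principal_arn = "arn:aws:iam::123456789012:role/ci-deployer" # placeholder
      # Edit rights in one namespace only; nothing cluster-wide.
      policy_associations = [{
        policy_arn   = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSEditPolicy"
        access_scope = { type = "namespace", namespaces = ["payments"] }
      }]
    }
  }

  tags = {
    Environment = "production"
    Team        = "platform"
    ManagedBy   = "terraform"
  }
}
```

Two consequences of this configuration are easy to miss: with the public endpoint disabled, `kubectl` and any Terraform `kubernetes` provider must run from inside the VPC (or over VPN/peering) even though the AWS API calls in `terraform apply` still succeed; and by default EKS grants the IAM identity that created the cluster a cluster-admin access entry, so that identity should be reviewed alongside the `access_entries` you define.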
Configuration Reference
Key Inputs
Variable | Type | Default | Description
cluster_name | string | -- | Name of the EKS cluster (required)
cluster_version | string | 1.29 | Kubernetes version
vpc_id | string | -- | VPC for deployment
subnet_ids | list(string) | -- | Worker node subnets (min 2)
managed_node_groups | map(object) | {} | Node group configs with instance types, scaling, taints
fargate_profiles | map(object) | {} | Fargate profile selectors
cluster_addons | map(object) | {} | EKS managed add-ons
enable_cluster_encryption | bool | true | KMS envelope encryption
enable_irsa | bool | true | OIDC provider for IRSA
access_entries | map(object) | {} | EKS Access API entries
Key Outputs
Output | Description
cluster_endpoint | API server endpoint URL
cluster_certificate_authority_data | Base64-encoded cluster CA certificate
oidc_provider_arn | OIDC provider ARN for IRSA
node_group_arns | Map of node group ARNs
cluster_security_group_id | Cluster SG ID
kms_key_arn | Encryption key ARN
Deployment
# Initialize
terraform init
# Plan
terraform plan -var-file="production.tfvars"
# Apply
terraform apply -var-file="production.tfvars"
# Configure kubectl
aws eks update-kubeconfig --name <cluster_name> --region <region>
# Verify
kubectl get nodes
kubectl get pods -A
Links & References
terraform-aws-eks | Architecture Documentation | Generated 2026-03-15 | MIT License