Infrastructure as Code (IaC): Provisioning Kubernetes Clusters on AWS EKS using Terraform

Infrastructure as Code (IaC): Provisioning Kubernetes Clusters on AWS EKS using Terraform

Infrastructure as Code (IaC) has revolutionized the way we manage and provision computing infrastructure. Instead of manually configuring servers and networks, IaC allows us to define and automate the entire process using code. This approach ensures consistency, repeatability, and efficiency in infrastructure management. In this article, we will explore how to provision Kubernetes clusters on Amazon Elastic Kubernetes Service (EKS) using Terraform, a powerful IaC tool. We will dive into the configuration details and explain how to structure the Terraform files for best practices.


Amazon EKS is a managed Kubernetes service that simplifies running Kubernetes on AWS without the need to manage the control plane. Terraform, on the other hand, is an open-source tool that enables us to define and provision infrastructure using a high-level configuration language. By combining EKS and Terraform, we can achieve a robust and scalable Kubernetes deployment on AWS.

In this article, we will:

  • Set up a Virtual Private Cloud (VPC) with subnets, route tables, and gateways.
  • Create security groups for the EKS cluster.
  • Provision an EKS cluster with managed node groups.

We will organize the Terraform configuration into four primary files for better maintainability:

  1. - Core resources and modules.
  2. - Input variables.
  3. - Provider configurations.
  4. - Outputs from the Terraform configuration.

Lets create a structured Terraform project:


Terraform Configuration

Let's start by breaking down the configuration into the respective files and explaining each component.

Provider Configuration (

The file sets up the AWS provider and the backend configuration for storing the Terraform state file in an S3 bucket. This ensures that the state is stored securely and can be shared among team members.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"

  backend "s3" {
    bucket = "terraform-state-bucket-tf"  # Use your actual bucket name
    key    = "solar-system-cluster-state.tfstate"
    region = "us-east-1"

provider "aws" {
  region = "us-east-1"

  • Terraform Block: This block specifies the required provider (aws) and its version. It also configures the backend to store the Terraform state in an S3 bucket.
  • Provider Block: The provider block defines the AWS region where the resources will be provisioned.

Input Variables (

The file defines the input variables that will be used throughout the configuration. This helps in making the Terraform code modular and reusable.

variable "region" {
  description = "The AWS region to deploy resources in"
  default     = "us-east-1"

variable "vpc_cidr" {
  description = "CIDR block for the VPC"
  default     = ""

variable "public_subnet_cidr_blocks" {
  description = "CIDR blocks for the public subnets"
  type        = list(string)
  default     = ["", ""]

variable "private_subnet_cidr_blocks" {
  description = "CIDR blocks for the private subnets"
  type        = list(string)
  default     = ["", ""]

variable "eks_cluster_name" {
  description = "Name of the EKS cluster"
  default     = "Solar-System-Cluster"

  • Region: Specifies the AWS region for deploying resources.
  • VPC CIDR: Defines the CIDR block for the VPC.
  • Public and Private Subnet CIDR Blocks: Lists the CIDR blocks for the public and private subnets, respectively.
  • EKS Cluster Name: Sets the name for the EKS cluster.

Main Configuration (

The file contains the main resources for setting up the VPC, subnets, route tables, security groups, and the EKS cluster. Let's break it down:

# Data Sources
data "aws_availability_zones" "available" {
  state = "available"

  • Data Source: Retrieves a list of available availability zones in the specified region.

# VPC 
resource "aws_vpc" "solar_system_vpc" {
  cidr_block = var.vpc_cidr
  tags = {
    Name = "Solar-System-Cluster-VPC"

  • VPC Resource: Creates a VPC with the specified CIDR block and tags.

# Subnets
resource "aws_subnet" "public" {
  count             = length(data.aws_availability_zones.available.names)
  vpc_id            =
  cidr_block        = var.public_subnet_cidr_blocks[count.index]
  availability_zone = data.aws_availability_zones.available.names[count.index]
  tags = {
    Name = "Solar-System-Cluster-Public-${count.index}"

resource "aws_subnet" "private" {
  count             = length(var.private_subnet_cidr_blocks)
  vpc_id            =
  cidr_block        = var.private_subnet_cidr_blocks[count.index]
  availability_zone = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = false
  tags = {
    Name = "Solar-System-Cluster-Private-${count.index}"

  • Public Subnets: Creates public subnets in each availability zone with specified CIDR blocks.
  • Private Subnets: Creates private subnets in each availability zone with specified CIDR blocks and disables public IP assignment.

# Internet Gateway
resource "aws_internet_gateway" "gw" {
  vpc_id =

  • Internet Gateway: Creates an internet gateway for the VPC to enable internet access for resources in public subnets.

# NAT Gateway
resource "aws_eip" "nat_eip" {
  vpc = true

resource "aws_nat_gateway" "nat" {
  allocation_id =
  subnet_id     = element(aws_subnet.public.*.id, 0)
  tags = {
    Name = "Solar-System-Cluster-NAT"
  depends_on = []

  • NAT Gateway: Creates a NAT gateway to enable instances in private subnets to access the internet. An Elastic IP (EIP) is allocated to the NAT gateway.

# Route Tables
resource "aws_route_table" "public_route_table" {
  vpc_id =
  route {
    cidr_block = ""
    gateway_id =

resource "aws_route_table" "private_route_table" {
  vpc_id =
  route {
    cidr_block     = ""
    nat_gateway_id =

  • Public Route Table: Creates a route table for public subnets with a route to the internet gateway.
  • Private Route Table: Creates a route table for private subnets with a route to the NAT gateway.

# Route Table Associations
resource "aws_route_table_association" "public_subnet_association" {
  count          = length(aws_subnet.public)
  subnet_id      = element(aws_subnet.public.*.id, count.index)
  route_table_id =

resource "aws_route_table_association" "private_subnet_association" {
  count          = length(aws_subnet.private)
  subnet_id      = element(aws_subnet.private.*.id, count.index)
  route_table_id =

  • Public Route Table Associations: Associates the public route table with each public subnet.
  • Private Route Table Associations: Associates the private route table with each private subnet.

# Security Groups
resource "aws_security_group" "eks_cluster_security_group" {
  name        = "Solar-System-Cluster-SG"
  description = "Security group for EKS cluster"
  vpc_id      =
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [""]  # Consider restricting for production
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [""]

  • EKS Cluster Security Group: Creates a security group for the EKS cluster, allowing inbound traffic on port 443 (HTTPS) and all outbound traffic. Note that in a production environment, you should restrict the inbound rules to trusted sources.

# EKS Cluster
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 18.0"
  cluster_name           = var.eks_cluster_name
  cluster_version        = "1.30"
  vpc_id                 =
  subnet_ids             = aws_subnet.private.*.id
  eks_managed_node_group_defaults = {
    ami_type = "AL2_x86_64"
  eks_managed_node_groups = {
    solar_system_nodes = {
      instance_types = ["t3.medium"]
      min_size       = 2
      max_size       = 3
      desired_size   = 2

  • EKS Cluster Module: Uses the official Terraform AWS EKS module to create an EKS cluster with managed node groups. The node groups are configured with t3.medium instances and desired size settings. Adjust the cluster_version and other parameters as needed.

Output Variables (

The file defines the outputs for the Terraform configuration. These outputs are useful for referencing resource attributes after the infrastructure has been provisioned.

output "vpc_id" {
  value =

output "public_subnet_ids" {
  value = aws_subnet.public.*.id

output "private_subnet_ids" {
  value = aws_subnet.private.*.id

output "eks_cluster_id" {
  value = module.eks.cluster_id

output "eks_cluster_endpoint" {
  value = module.eks.cluster_endpoint

output "eks_cluster_security_group_id" {
  value =

  • VPC ID: Outputs the ID of the VPC.
  • Public and Private Subnet IDs: Outputs the IDs of the public and private subnets, respectively.
  • EKS Cluster ID and Endpoint: Outputs the ID and endpoint URL of the EKS cluster.
  • EKS Cluster Security Group ID: Outputs the ID of the security group for the EKS cluster.

Detailed Explanation of Key Components

Let's delve deeper into some key components of the configuration to understand their significance and how they interact with each other.

Virtual Private Cloud (VPC)

A VPC is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud. You can launch AWS resources, such as Amazon EC2 instances, in your VPC. By defining a VPC, you can control the network configuration, including IP address ranges, subnets, route tables, and gateways.


Subnets are subdivisions within a VPC. They allow you to group instances based on security and operational needs. In this configuration, we create both public and private subnets:

  • Public Subnets: These subnets are accessible from the internet. They are typically used for resources that need to communicate with the internet, such as web servers.
  • Private Subnets: These subnets are not directly accessible from the internet. They are used for resources that do not need direct internet access, such as database servers.

Route Tables and Gateways

Route tables contain rules (routes) that determine how network traffic is directed. In this configuration, we set up route tables for both public and private subnets:

  • Public Route Table: This route table directs traffic destined for the internet ( to the internet gateway.
  • Private Route Table: This route table directs traffic destined for the internet ( to the NAT gateway, which then routes it to the internet via the public subnets.

Security Groups

Security groups act as virtual firewalls for your instances to control inbound and outbound traffic. In this configuration, we create a security group specifically for the EKS cluster:

  • Inbound Rules: Allow HTTPS traffic (port 443) from any source. For production environments, it's recommended to restrict this to trusted sources.
  • Outbound Rules: Allow all outbound traffic. This can be further restricted based on security requirements.

EKS Cluster

Amazon EKS simplifies running Kubernetes on AWS by managing the Kubernetes control plane for you. In this configuration, we use the official Terraform AWS EKS module to create an EKS cluster. Key configurations include:

  • Cluster Name and Version: Specify the name and version of the EKS cluster.
  • VPC and Subnet IDs: Define the VPC and subnets where the EKS cluster will be deployed.
  • Managed Node Groups: Define the instance types, sizes, and scaling settings for the node groups. Managed node groups simplify the provisioning and management of worker nodes for the EKS cluster.

Configuring Kubectl Access with the AWS CLI

Now that our EKS cluster is provisioned, let's configure our local environment to manage it using kubectl.

  1. Update Kubeconfig: Run the following AWS CLI command:

aws eks --region <your-cluster-region> update-kubeconfig --name <your-cluster-name>        

Replace <your-cluster-region> with the region where your cluster is located (e.g., us-east-1) and <your-cluster-name> with the name you gave your cluster in Terraform (e.g., solar-system-cluster).

This command does two crucial things:

  • Downloads Cluster Credentials: It retrieves authentication information (certificates and tokens) from AWS EKS.
  • Updates kubeconfig: It adds or updates the configuration in your kubeconfig file (usually located at ~/.kube/config). This file tells kubectl how to connect to your cluster.

2. Verify Configuration:

Confirm that the update was successful by checking the output. You should see a message similar to this:

Updated context arn:aws:eks:<your-cluster-region>:<your-aws-account-id>:cluster/<your-cluster-name> in /Users/neamulkabiremon/.kube/config        


If your cluster is named "solar-system-cluster" and is in the "us-east-1" region, the command and output would look like this:

aws eks --region us-east-1 update-kubeconfig --name solar-system-cluster
Updated context arn:aws:eks:us-east-1:123456789012:cluster/solar-system-cluster in /Users/neamulkabiremon/.kube/config        

Key Points:

  • The kubeconfig file stores connection details for multiple clusters. Make sure the correct context is set using kubectl config use-context <your-context-name>.
  • You may need to re-run this command periodically as authentication tokens can expire.


Provisioning an EKS cluster on AWS using Terraform allows for a robust, scalable, and repeatable infrastructure setup. By splitting the configuration into separate files (,,, and, we follow Terraform best practices, making the code more modular and maintainable. This approach enhances readability and allows for easier updates and management of the infrastructure as your needs evolve.

Using Infrastructure as Code with tools like Terraform and AWS EKS streamlines the deployment process, reduces the risk of human error, and enables efficient scaling of your Kubernetes clusters to meet the demands of your applications. By understanding each component of the configuration, you can customize and extend this setup to fit your specific requirements, ensuring a robust and flexible Kubernetes environment on AWS.


Neamul Kabir Emon的更多文章
