This assumes you have set up Terraform as described in Amazon Web Services (AWS) - Getting Started with Terraform.
Let's say you have the following files on your Terraform server.
├── required_providers.tf
└── elastic_kubernetes_service (directory)
    ├── add_ons.tf
    ├── eks.tf
    ├── iam.tf
    ├── provider.tf
    ├── security_groups.tf
    └── virtual_private_clouds.tf
required_providers.tf will almost always have this. Note that Terraform only loads the .tf files in the directory it is run from, so this file needs to sit next to the other files (or the elastic_kubernetes_service directory needs to be called as a module) for it to take effect. Pinning the provider to a major version is also recommended so that terraform init does not silently pull in a newer major release with breaking changes.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"   # pin to a major version so init is reproducible
    }
  }
}
Let's say provider.tf has the following. In this example, the "default" profile in /home/username/.aws/config and /home/username/.aws/credentials is being used. region must be a real AWS region name (us-east-1 below is only an example), and the provider should not be given an alias: an aliased provider is not the default provider, and since none of the resources below set provider = aws.default they would otherwise fall back to an unconfigured default provider.
provider "aws" {
  profile = "default"     # named profile from ~/.aws/config and ~/.aws/credentials
  region  = "us-east-1"   # example region, replace with the region that holds your VPC
}
And virtual_private_clouds.tf could have something like this.
data "aws_vpc" "my_vpc" {
  # look up the existing VPC by its Name tag
  filter {
    name   = "tag:Name"
    values = ["my-vpc"]
  }
}
And security_groups.tf could have something like this. This is the additional security group attached to the control plane network interfaces: only HTTPS (the Kubernetes API) from the private 10.0.0.0/8 range is allowed in, and all outbound traffic is allowed so the control plane can reach the nodes and AWS APIs.
resource "aws_security_group" "eks_security_group" {
  name_prefix = "my-eks-cluster"
  description = "EKS cluster security group"
  vpc_id      = data.aws_vpc.my_vpc.id

  # Kubernetes API from inside the private address space only
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }

  # allow all outbound; protocol "-1" means all protocols
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name        = "EKS cluster security group"
    Environment = "staging"
  }
}
And iam.tf could have the following. This is the IAM role that the aws-node service account in kube-system assumes through the cluster's OIDC provider (IAM Roles for Service Accounts). The trust policy is scoped to that single service account with the sub condition, and the aud condition rejects tokens that were not issued for STS, so a token minted for some other audience cannot be exchanged for this role.
resource "aws_iam_role" "eks_vpc_cni" {
  name               = "my-vpc-cni"
  path               = "/eks/"
  assume_role_policy = data.aws_iam_policy_document.eks_vpc_cni_assume_role_policy.json
  tags = {
    Name = "eks-vpc-cni"
  }
}

data "aws_iam_policy_document" "eks_vpc_cni_assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    # trust only the cluster's own OIDC provider
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks_cluster_oidc_provider.arn]
    }

    # only the aws-node service account in kube-system may assume this role
    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.eks_cluster_oidc_provider.url, "https://", "")}:sub"
      values   = ["system:serviceaccount:kube-system:aws-node"]
    }

    # and only with a token issued for STS
    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.eks_cluster_oidc_provider.url, "https://", "")}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}
And eks.tf could have the following. The API endpoint is private only (reachable from inside the VPC, not from the internet), and the api, audit and authenticator log types are shipped to CloudWatch; audit is the one you will want when investigating who did what in the cluster.
resource "aws_eks_cluster" "eks_cluster" {
  name     = "my-eks-cluster"
  role_arn = aws_iam_role.eks_cluster.arn
  version  = "1.28"

  # control plane logs sent to the CloudWatch log group below
  enabled_cluster_log_types = [
    "api",
    "audit",
    "authenticator"
  ]

  vpc_config {
    subnet_ids              = var.subnet_ids
    endpoint_private_access = true    # API reachable from inside the VPC
    endpoint_public_access  = false   # no internet-facing API endpoint
    security_group_ids      = [aws_security_group.eks_security_group.id]
  }

  # the cluster role must have its policies attached, and the log group must
  # exist, before the control plane is created
  depends_on = [
    aws_iam_role_policy_attachment.AmazonEKSClusterPolicy,
    aws_iam_role_policy_attachment.AmazonEKSVPCResourceController,
    aws_cloudwatch_log_group.eks_cluster_log_group
  ]

  tags = {
    Environment = "staging"
  }
}
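The iam.tf and eks.tf fragments above reference several things the page does not show: the OIDC provider that the eks_vpc_cni trust policy points at, the aws_iam_role.eks_cluster role and the two policy attachments in depends_on, the CloudWatch log group, and var.subnet_ids. The following is an added example of what those could look like; it is not code from the original page. The resource names match the references above; the log group name follows the /aws/eks/<cluster>/cluster path that EKS writes to; the 90-day retention and the AmazonEKS_CNI_Policy attachment for the aws-node role are assumptions; and the tls_certificate data source requires hashicorp/tls to be added to required_providers.

```hcl
# --- supporting resources assumed by iam.tf and eks.tf (added example) ---

# Subnets for the control plane ENIs; supplied at plan/apply time.
variable "subnet_ids" {
  type        = list(string)
  description = "Private subnet IDs for the EKS control plane"
}

# Trust policy for the control plane itself: only the EKS service may assume it.
data "aws_iam_policy_document" "eks_cluster_assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "eks_cluster" {
  name               = "my-eks-cluster"
  path               = "/eks/"
  assume_role_policy = data.aws_iam_policy_document.eks_cluster_assume_role_policy.json
}

# The two AWS managed policies the cluster role needs (referenced in depends_on).
resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
  role       = aws_iam_role.eks_cluster.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
}

resource "aws_iam_role_policy_attachment" "AmazonEKSVPCResourceController" {
  role       = aws_iam_role.eks_cluster.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
}

# Permissions for the aws-node service account role defined in iam.tf
# (assumption: the AWS managed CNI policy is sufficient here).
resource "aws_iam_role_policy_attachment" "eks_vpc_cni" {
  role       = aws_iam_role.eks_vpc_cni.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
}

# Log group the control plane logs land in; must exist before the cluster.
resource "aws_cloudwatch_log_group" "eks_cluster_log_group" {
  name              = "/aws/eks/my-eks-cluster/cluster"
  retention_in_days = 90   # assumption: keep audit logs for 90 days
}

# The cluster's OIDC issuer, registered as an IAM identity provider so that
# IAM Roles for Service Accounts can trust tokens it signs.
data "tls_certificate" "eks_cluster_oidc" {
  url = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
}

resource "aws_iam_openid_connect_provider" "eks_cluster_oidc_provider" {
  url             = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.eks_cluster_oidc.certificates[0].sha1_fingerprint]
}
```

The dependency order works out without a cycle: the cluster depends on its own role and the log group, the OIDC provider depends on the cluster, the aws-node role depends on the OIDC provider, and the add-on depends on the aws-node role. client_id_list must contain sts.amazonaws.com, which is the same value the aud condition in the trust policy checks for.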
And add_ons.tf could have the following. Note that addon_version is the version of the vpc-cni add-on, not the Kubernetes version, so "1.28" would be rejected; the aws_eks_addon_version data source returns the most recent add-on version that is compatible with the cluster's Kubernetes version, which avoids hard-coding it.
data "aws_eks_addon_version" "vpc_cni" {
  addon_name         = "vpc-cni"
  kubernetes_version = aws_eks_cluster.eks_cluster.version
  most_recent        = true
}

resource "aws_eks_addon" "vpc_cni" {
  cluster_name                = aws_eks_cluster.eks_cluster.name
  addon_name                  = "vpc-cni"
  addon_version               = data.aws_eks_addon_version.vpc_cni.version
  resolve_conflicts_on_create = "OVERWRITE"   # replace the self-managed aws-node daemonset on first install
  resolve_conflicts_on_update = "PRESERVE"    # keep any custom settings on later upgrades
  service_account_role_arn    = aws_iam_role.eks_vpc_cni.arn   # IRSA role from iam.tf
  tags = {
    Environment = "staging"
  }
}
The terraform plan command can be used to see what Terraform will try to do.
terraform plan
The terraform apply command can be used to create or update the EKS cluster and the add-on. -auto-approve skips the interactive confirmation, so review the terraform plan output first, particularly anything that would replace the cluster or change the IAM trust policies.
terraform apply -auto-approve