{"id":20285397,"url":"https://github.com/bocan/my-aws-eks","last_synced_at":"2025-04-11T08:38:54.975Z","repository":{"id":49561746,"uuid":"369772515","full_name":"bocan/my-aws-eks","owner":"bocan","description":"A Terraform project to produce a secure, autoscaling EKS cluster for testing, demos, and labs - using mostly Spot instances.","archived":false,"fork":false,"pushed_at":"2023-04-03T07:34:54.000Z","size":155,"stargazers_count":12,"open_issues_count":2,"forks_count":6,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-07T05:43:02.402Z","etag":null,"topics":["autoscaling","aws","devops","eks","framework","kubernetes","spot","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bocan.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-05-22T09:55:12.000Z","updated_at":"2025-01-14T07:38:44.000Z","dependencies_parsed_at":"2022-08-20T07:01:33.882Z","dependency_job_id":null,"html_url":"https://github.com/bocan/my-aws-eks","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bocan%2Fmy-aws-eks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bocan%2Fmy-aws-eks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bocan%2Fmy-aws-eks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bocan%2Fmy-aws-eks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bocan","download_url":"https://codeload.github.com/bocan/my-aws-eks/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248362176,"owners_count":21091063,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["autoscaling","aws","devops","eks","framework","kubernetes","spot","terraform"],"created_at":"2024-11-14T14:26:24.318Z","updated_at":"2025-04-11T08:38:54.947Z","avatar_url":"https://github.com/bocan.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# My AWS EKS\n\n## Description\n\nI couldn't find any example Terraform projects to make an EKS cluster that I was happy with, so I cobbled this one together.  This project spins up a decent EKS cluster for demos, development, or testing. In theory, you could scale it up to production too if your apps are stateful and can tolerate using spot instances - but it's really meant to be for short/medium term environments that you spin up or down at need.\n\nIt currently features:\n\n* Custom VPC Setup.\n* Kubernetes 1.21.\n* Secrets Encryption via a rotating customer-managed KMS key.\n* Cloudwatch Encryption via a rotating customer-managed KMS key.\n* Control Plane logging to Cloudwatch.\n* Common Tagging across all created resources for easy billing resolution.\n* [Calico networking](https://www.tigera.io/project-calico/) instead of \"aws-node\"\n* EC2 worker nodes with encrypted root volumes.\n* 2 Helm Charts at a minimum:\n    * [Cluster-Autoscaler](https://github.com/kubernetes/autoscaler) for autoscaling\n    * [AWS's Node Termination Handler](https://github.com/aws/aws-node-termination-handler) to watch for Spot instances being terminated and draining them, rebalancing requests, and scheduled event draining\n* Configurable autoscaling EC2 Pools. By default it runs:\n    * 1 t3.small instance for safety.  The autoscaler pod runs here.\n    * 1 to 5 t3.medium spot instances.  Ideally, most of the workload should run on these. The spot price is set to the on-demand price.\n* Configurable mapping of accounts, IAM roles, and IAM users to the aws-auth configmap.\n* (Occasionally) bleeding edge compatibility with Terraform 1.0.7\n* Generation of the Kubeconfig needed for kubectl, helm, etc.\n\n## Key Aims\n\n* Cost to remain as low as possible.\n* Ideally, I want this project to always run with the latest Terraform - though this requires compatibility with the public AWS terraform modules.\n* Helm is the tool of choice for installing into the cluster - Convince me otherwise.\n\n## Installation.\n\n* This was last run with Terraform 1.0.7\n* Just edit what you need to in provider.tf to allow you to connect, and put what you want into local.tf\n* Run a terraform apply.\n\nThis is what ends up running after your first install:\n```\n╰─❯ kubectl get all -A\nNAMESPACE     NAME                                                            READY   STATUS    RESTARTS   AGE\nkube-system   pod/aws-load-balancer-controller-54cf85b446-c8244               1/1     Running   1          43m\nkube-system   pod/aws-load-balancer-controller-54cf85b446-vbpfz               1/1     Running   1          43m\nkube-system   pod/aws-node-termination-handler-5jcfs                          1/1     Running   0          43m\nkube-system   pod/aws-node-termination-handler-nqv7q                          1/1     Running   0          43m\nkube-system   pod/calico-kube-controllers-784b4f4c9-qpfs8                     1/1     Running   0          43m\nkube-system   pod/calico-node-r7lkj                                           1/1     Running   0          43m\nkube-system   pod/calico-node-rmw6m                                           1/1     Running   0          43m\nkube-system   pod/cluster-autoscaler-aws-cluster-autoscaler-d49c449d5-vlzt5   1/1     Running   0          43m\nkube-system   pod/coredns-65ccb76b7c-g7cbz                                    1/1     Running   0          46m\nkube-system   pod/coredns-65ccb76b7c-nzcd4                                    1/1     Running   0          46m\nkube-system   pod/kube-proxy-qs2r5                                            1/1     Running   0          43m\nkube-system   pod/kube-proxy-svnh5                                            1/1     Running   0          43m\n\nNAMESPACE     NAME                                                TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE\ndefault       service/kubernetes                                  ClusterIP   10.100.0.1      \u003cnone\u003e        443/TCP         46m\nkube-system   service/aws-load-balancer-webhook-service           ClusterIP   10.100.25.81    \u003cnone\u003e        443/TCP         43m\nkube-system   service/cluster-autoscaler-aws-cluster-autoscaler   ClusterIP   10.100.115.16   \u003cnone\u003e        8085/TCP        43m\nkube-system   service/kube-dns                                    ClusterIP   10.100.0.10     \u003cnone\u003e        53/UDP,53/TCP   46m\n\nNAMESPACE     NAME                                          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE\nkube-system   daemonset.apps/aws-node-termination-handler   2         2         2       2            2           kubernetes.io/os=linux   43m\nkube-system   daemonset.apps/calico-node                    2         2         2       2            2           kubernetes.io/os=linux   43m\nkube-system   daemonset.apps/kube-proxy                     2         2         2       2            2           \u003cnone\u003e                   46m\n\nNAMESPACE     NAME                                                        READY   UP-TO-DATE   AVAILABLE   AGE\nkube-system   deployment.apps/aws-load-balancer-controller                2/2     2            2           43m\nkube-system   deployment.apps/calico-kube-controllers                     1/1     1            1           43m\nkube-system   deployment.apps/cluster-autoscaler-aws-cluster-autoscaler   1/1     1            1           43m\nkube-system   deployment.apps/coredns                                     2/2     2            2           46m\n\nNAMESPACE     NAME                                                                  DESIRED   CURRENT   READY   AGE\nkube-system   replicaset.apps/aws-load-balancer-controller-54cf85b446               2         2         2       43m\nkube-system   replicaset.apps/calico-kube-controllers-784b4f4c9                     1         1         1       43m\nkube-system   replicaset.apps/cluster-autoscaler-aws-cluster-autoscaler-d49c449d5   1         1         1       43m\nkube-system   replicaset.apps/coredns-65ccb76b7c\n```\n\n## Todo\n\n* Set up pre-commit tooling, including a Checkov security scan.\n* I wanted to use Launch Templates instead of Launch Configs - but there seems to be a bug in the EKS terraform modules where it's ignoring the Spot configuration.\n* Testing Framework?\n* Build a list of must-have Helm charts you'd tend to put into an EKS/K8S cluster.  I'm thinking it would start with:\n    * Vault\n    * Consul ?\n    * Prometheus (via its Operator)\n    * Cert Manager\n    * Keycloak\n* How can this integrate with Route53?  Should it?\n\n\u003c!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 0.13.1 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 3.42.0 |\n| \u003ca name=\"requirement_cloudinit\"\u003e\u003c/a\u003e [cloudinit](#requirement\\_cloudinit) | ~\u003e 2.2.0 |\n| \u003ca name=\"requirement_kubernetes\"\u003e\u003c/a\u003e [kubernetes](#requirement\\_kubernetes) | ~\u003e 2.2.0 |\n| \u003ca name=\"requirement_local\"\u003e\u003c/a\u003e [local](#requirement\\_local) | \u003e= 2.1.0 |\n| \u003ca name=\"requirement_null\"\u003e\u003c/a\u003e [null](#requirement\\_null) | ~\u003e 3.1.0 |\n| \u003ca name=\"requirement_random\"\u003e\u003c/a\u003e [random](#requirement\\_random) | \u003e= 3.1.0 |\n| \u003ca name=\"requirement_template\"\u003e\u003c/a\u003e [template](#requirement\\_template) | ~\u003e 2.2.0 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 3.42.0 |\n| \u003ca name=\"provider_helm\"\u003e\u003c/a\u003e [helm](#provider\\_helm) | n/a |\n| \u003ca name=\"provider_null\"\u003e\u003c/a\u003e [null](#provider\\_null) | ~\u003e 3.1.0 |\n\n## Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_alb_controller\"\u003e\u003c/a\u003e [alb\\_controller](#module\\_alb\\_controller) | git::github.com/GSA/terraform-kubernetes-aws-load-balancer-controller?ref=v4.1.0 |  |\n| \u003ca name=\"module_eks\"\u003e\u003c/a\u003e [eks](#module\\_eks) | terraform-aws-modules/eks/aws |  |\n| \u003ca name=\"module_iam_assumable_role_admin\"\u003e\u003c/a\u003e [iam\\_assumable\\_role\\_admin](#module\\_iam\\_assumable\\_role\\_admin) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc |  |\n| \u003ca name=\"module_vpc\"\u003e\u003c/a\u003e [vpc](#module\\_vpc) | terraform-aws-modules/vpc/aws |  |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [aws_kms_alias.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |\n| [aws_kms_alias.ekslogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |\n| [aws_kms_key.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [aws_kms_key.ekslogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |\n| [helm_release.autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [helm_release.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |\n| [null_resource.install_calico_plugin](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |\n| [null_resource.kube_config](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |\n| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |\n| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |\n| [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n| [aws_iam_policy_document.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |\n\n## Inputs\n\nNo inputs.\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_cloudwatch_log_group_name\"\u003e\u003c/a\u003e [cloudwatch\\_log\\_group\\_name](#output\\_cloudwatch\\_log\\_group\\_name) | Cloudwatch Log Group Name for this Cluster |\n| \u003ca name=\"output_cluster_endpoint\"\u003e\u003c/a\u003e [cluster\\_endpoint](#output\\_cluster\\_endpoint) | Endpoint for EKS control plane. |\n| \u003ca name=\"output_cluster_security_group_id\"\u003e\u003c/a\u003e [cluster\\_security\\_group\\_id](#output\\_cluster\\_security\\_group\\_id) | Security group ids attached to the cluster control plane. |\n| \u003ca name=\"output_config_map_aws_auth\"\u003e\u003c/a\u003e [config\\_map\\_aws\\_auth](#output\\_config\\_map\\_aws\\_auth) | A kubernetes configuration to authenticate to this EKS cluster. |\n| \u003ca name=\"output_kubectl_config\"\u003e\u003c/a\u003e [kubectl\\_config](#output\\_kubectl\\_config) | kubectl config as generated by the module. |\n| \u003ca name=\"output_region\"\u003e\u003c/a\u003e [region](#output\\_region) | AWS region. |\n\u003c!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --\u003e\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbocan%2Fmy-aws-eks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbocan%2Fmy-aws-eks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbocan%2Fmy-aws-eks/lists"}