Repository record (repos.ecosyste.ms, synced 2026-04-27)

- Repository: Citadel-Cloud-Management/terraform-aws-eks, https://github.com/Citadel-Cloud-Management/terraform-aws-eks (previously kogunlowo123/terraform-aws-eks; default branch `main`; created 2026-03-07, last push 2026-04-11; 1 tag, 0 stars, 0 forks, 1 open issue)
- Description: Production-grade AWS EKS Terraform module with managed node groups, Fargate profiles, IRSA, cluster add-ons, and EKS access API
- Homepage: https://citadel-cloud-management.github.io/terraform-aws-eks/
- Language: HCL. License: recorded as "other" by the index, while the README's badge and License section say MIT; check the LICENSE file before depending on the module.
- Topics: aws, devops, eks, infrastructure-as-code, kubernetes, production-ready, terraform, terraform-module
- Files indexed: README.md, CHANGELOG.md, LICENSE. No CONTRIBUTING, CODEOWNERS or threat model was found, and the index found no SECURITY.md: its `security` slot resolved to `security.tf`, a Terraform source file, not a vulnerability-disclosure policy.
- Supply-chain signals: no OpenSSF Scorecard result, dependencies not yet parsed, latest commit SHA not recorded. The repository was renamed from `kogunlowo123`; GitHub redirects the old name only while that namespace stays unclaimed, so pin `source` to a tag or commit rather than a branch.
- Index URLs: https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Citadel-Cloud-Management%2Fterraform-aws-eks (tags, releases, manifests and sbom under the same path); https://awesome.ecosyste.ms/projects/github.com%2Fcitadel-cloud-management%2Fterraform-aws-eks
- purl: pkg:github/Citadel-Cloud-Management/terraform-aws-eks

README.md:

![Terraform](https://img.shields.io/badge/Terraform-%3E%3D1.5-blueviolet?logo=terraform)
![AWS](https://img.shields.io/badge/AWS-FF9900?logo=amazonaws&logoColor=white)
![License](https://img.shields.io/badge/License-MIT-green)
![CI](https://img.shields.io/github/actions/workflow/status/Citadel-Cloud-Management/terraform-aws-eks/terraform-ci.yml?label=CI)
![GitHub release](https://img.shields.io/github/v/release/Citadel-Cloud-Management/terraform-aws-eks)

# terraform-aws-eks

Production-grade Terraform module for deploying Amazon EKS clusters with managed node groups, Fargate profiles, IRSA, cluster add-ons, and the EKS Access API.

## Architecture Diagram

```mermaid
flowchart TB
    subgraph ControlPlane["EKS Control Plane"]
        API["Kubernetes API Server\n(AWS Managed, Multi-AZ)"]
        OIDC["OIDC Provider\n(IRSA)"]
        KMS["KMS Key\n(Envelope Encryption)"]
    end

    subgraph Workers["Worker Nodes"]
        subgraph MNG["Managed Node Groups"]
            SYSTEM["System Nodes\n(On-Demand)"]
            APP["App Nodes\n(On-Demand)"]
            SPOT["Spot Nodes\n(Cost-Optimized)"]
            GPU["GPU Nodes\n(g5.2xlarge)"]
        end
        FARGATE["Fargate Profiles\n(Serverless Pods)"]
    end

    subgraph Addons["EKS Managed Add-ons"]
        VPCCNI["vpc-cni"]
        COREDNS["coredns"]
        PROXY["kube-proxy"]
        EBSCSI["ebs-csi-driver"]
        PODID["pod-identity-agent"]
    end

    subgraph Security["Security"]
        CLUSTERSG["Cluster SG\n(API Access)"]
        NODESG["Node SG\n(Workers)"]
        ACCESS["Access Entries\n(AuthN/AuthZ)"]
    end

    subgraph Logging["Observability"]
        CWLOGS["CloudWatch Logs\n(api/audit/authenticator\ncontroller/scheduler)"]
    end

    API --> OIDC
    API --> KMS
    API --> SYSTEM
    API --> APP
    API --> SPOT
    API --> GPU
    API --> FARGATE
    Addons --> Workers
    CLUSTERSG --> API
    NODESG --> Workers
    ACCESS --> API
    Workers --> CWLOGS

    style ControlPlane fill:#0078D4,color:#fff
    style Workers fill:#FF9900,color:#fff
    style Addons fill:#3F8624,color:#fff
    style Security fill:#DD344C,color:#fff
    style Logging fill:#8C4FFF,color:#fff
```

## Architecture

```
                            +---------------------------+
                            |     EKS Control Plane     |
                            |  (AWS Managed, Multi-AZ)  |
                            +------+--------+-----------+
                                   |        |
                    +--------------+        +---------------+
                    |                                       |
          +---------v---------+               +-------------v-----------+
          | Control Plane ENIs|               |   OIDC Provider (IRSA)  |
          | (Intra Subnets)   |               |  sts.amazonaws.com      |
          +---+------+------+-+               +-------------------------+
              |      |      |
     +--------v--+ +-v------v-+  +-------------------+
     |  Node SG  | | Cluster  |  |  KMS Key          |
     |  (Workers)| | SG (API) |  |  (Envelope Enc.)  |
     +-----+-----+ +----------+  +-------------------+
           |
     +-----v--------------------------------------------+
     |              Private Subnets (Multi-AZ)          |
     |                                                  |
     | +----------------+ +----------------+ +--------+ |
     | | Managed Node   | | Managed Node   | |Fargate | |
     | | Group: system  | | Group: app     | |Pods    | |
     | | (On-Demand,    | | (On-Demand,    | |        | |
     | |  IMDSv2,       | |  Encrypted EBS)| |        | |
     | |  Encrypted EBS)| +----------------+ +--------+ |
     | +----------------+                               |
     | +----------------+ +----------------+            |
     | | Managed Node   | | Managed Node   |            |
     | | Group: spot    | | Group: gpu     |            |
     | | (Spot,         | | (g5.2xlarge,   |            |
     | |  Tainted)      | |  Tainted)      |            |
     | +----------------+ +----------------+            |
     +--------------------------------------------------+
                            |
              +-------------v--------------+
              |     EKS Managed Add-ons    |
              | vpc-cni | coredns | proxy  |
              | ebs-csi | pod-identity     |
              +----------------------------+

     +--------------------------------------------------+
     |            CloudWatch Logs (Encrypted)           |
     | api | audit | authenticator | controller | sched |
     +--------------------------------------------------+
```

## Features

- **EKS Cluster**: Kubernetes control plane with configurable version and access
- **Managed Node Groups**: Auto-scaling EC2 node groups with launch templates
- **Fargate Profiles**: Serverless Kubernetes pods with namespace selectors
- **IRSA**: IAM Roles for Service Accounts via OIDC federation
- **Cluster Add-ons**: Managed lifecycle for vpc-cni, coredns, kube-proxy, ebs-csi, pod-identity-agent
- **EKS Access API**: Fine-grained cluster authentication and authorization
- **Envelope Encryption**: KMS-based encryption for Kubernetes secrets
- **Security Hardened**: IMDSv2 enforced, private endpoint, encrypted EBS, least-privilege IAM

## Usage

### Minimal

```hcl
module "eks" {
  # Pin to a release tag or commit with ?ref=<tag-or-sha>; an unpinned source tracks the default branch
  source = "github.com/Citadel-Cloud-Management/terraform-aws-eks"

  cluster_name = "my-cluster"
  vpc_id       = "vpc-0123456789abcdef0"
  subnet_ids   = ["subnet-a", "subnet-b", "subnet-c"]

  managed_node_groups = {
    default = {
      name           = "default"
      instance_types = ["m5.large"]
      min_size       = 2
      max_size       = 5
      desired_size   = 3
    }
  }
}
```

### Production

```hcl
module "eks" {
  # Pin to a release tag or commit with ?ref=<tag-or-sha> before using in production
  source = "github.com/Citadel-Cloud-Management/terraform-aws-eks"

  cluster_name    = "production"
  cluster_version = "1.29"

  vpc_id                   = module.vpc.vpc_id
  subnet_ids               = module.vpc.private_subnet_ids
  control_plane_subnet_ids = module.vpc.intra_subnet_ids

  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = false

  enable_cluster_encryption  = true
  cluster_log_retention_days = 365

  managed_node_groups = {
    system = {
      name           = "system"
      instance_types = ["m6i.xlarge"]
      capacity_type  = "ON_DEMAND"
      min_size       = 3
      max_size       = 6
      desired_size   = 3
      disk_size      = 100
      ami_type       = "AL2023_x86_64_STANDARD"
      labels         = { "node.kubernetes.io/purpose" = "system" }
      taints = [{
        key    = "CriticalAddonsOnly"
        effect = "NO_SCHEDULE"
      }]
    }
    application = {
      name           = "application"
      instance_types = ["m6i.2xlarge", "m5.2xlarge"]
      capacity_type  = "ON_DEMAND"
      min_size       = 3
      max_size       = 50
      desired_size   = 6
      disk_size      = 200
      ami_type       = "AL2023_x86_64_STANDARD"
    }
  }

  cluster_addons = {
    vpc-cni            = { resolve_conflicts = "OVERWRITE" }
    coredns            = { resolve_conflicts = "OVERWRITE" }
    kube-proxy         = { resolve_conflicts = "OVERWRITE" }
    aws-ebs-csi-driver = { resolve_conflicts = "OVERWRITE" }
  }

  tags = {
    Environment = "production"
    ManagedBy   = "terraform"
  }
}
```

## Security Considerations

### IMDSv2 Enforcement
All managed node groups use launch templates that enforce IMDSv2 (`http_tokens = "required"`). A plain GET to `169.254.169.254/latest/meta-data/iam/security-credentials/` is refused without a session token, and that token can only be obtained with a PUT request, which the usual SSRF primitives cannot issue, so the classic SSRF path to the node role's credentials is closed. IMDSv2 alone does not stop a pod running on the node from completing the handshake itself; that depends on the launch template's `http_put_response_hop_limit` (a value of 1 keeps the token response from reaching pods on secondary ENIs, hostNetwork pods excepted) and on network policy for 169.254.169.254. Verify both on a running node before treating IRSA as the only credential path for pods.

### Envelope Encryption
Kubernetes secrets are encrypted at rest with a KMS key before they are written to etcd. The module can create a dedicated KMS key or use an existing one (`kms_key_arn`). Key rotation is enabled by default. Once envelope encryption is enabled on a cluster, EKS does not allow it to be disabled, and deleting the key or revoking the cluster role's access to it leaves the encrypted secrets, and with them the cluster, unrecoverable, so protect the key policy and deletion settings accordingly.

### Private Endpoint
By default, the cluster API server is reachable only through the private endpoint (`cluster_endpoint_public_access = false`). Reach it through a VPN, a bastion host, or AWS Systems Manager Session Manager. If you turn on public access, also set `cluster_endpoint_public_access_cidrs`: its default of `["0.0.0.0/0"]` lets any internet host reach the API server's TLS listener, leaving authentication as the only control.

### Least-Privilege IAM
- Each node group gets its own IAM role with only the required managed policies
- Fargate pods use a dedicated execution role with a scoped trust policy
- IRSA gives each pod its own IAM role without sharing node-level credentials. The role's trust policy should match both the token audience (`aud` = `sts.amazonaws.com`) and the exact subject (`sub` = `system:serviceaccount:<namespace>:<service-account>`); an `aud`-only condition or a wildcard `sub` lets any service account in the cluster assume the role

### EBS Encryption
All node group EBS volumes are encrypted using KMS. The launch template sets encryption on each block device mapping rather than relying on the account-level EBS default.

### Security Groups
- Cluster security group allows only HTTPS (443) ingress from worker nodes
- Node security group allows inter-node communication and the ports the control plane needs to reach the nodes
- All egress is allowed so nodes can pull container images and call AWS APIs; restrict it with explicit egress rules or VPC endpoints if your environment requires outbound filtering

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| cluster_name | Name of the EKS cluster | `string` | - | yes |
| cluster_version | Kubernetes version | `string` | `"1.29"` | no |
| vpc_id | VPC ID | `string` | - | yes |
| subnet_ids | Subnet IDs for worker nodes | `list(string)` | - | yes |
| control_plane_subnet_ids | Subnet IDs for control plane ENIs | `list(string)` | `[]` | no |
| cluster_endpoint_private_access | Enable private API endpoint | `bool` | `true` | no |
| cluster_endpoint_public_access | Enable public API endpoint | `bool` | `false` | no |
| cluster_endpoint_public_access_cidrs | CIDRs for public API access | `list(string)` | `["0.0.0.0/0"]` | no |
| enable_cluster_encryption | Enable KMS envelope encryption | `bool` | `true` | no |
| kms_key_arn | Existing KMS key ARN (creates new if null) | `string` | `null` | no |
| cluster_log_types | Control plane log types | `list(string)` | all 5 types | no |
| cluster_log_retention_days | CloudWatch log retention | `number` | `90` | no |
| managed_node_groups | Map of managed node group configs | `map(object)` | `{}` | no |
| fargate_profiles | Map of Fargate profile configs | `map(object)` | `{}` | no |
| cluster_addons | Map of EKS add-on configs | `map(object)` | `{}` | no |
| enable_irsa | Enable OIDC provider for IRSA | `bool` | `true` | no |
| access_entries | Map of EKS access entries | `map(object)` | `{}` | no |
| tags | Tags for all resources | `map(string)` | `{}` | no |

## Outputs

| Name | Description |
|------|-------------|
| cluster_id | The ID of the EKS cluster |
| cluster_arn | The ARN of the EKS cluster |
| cluster_endpoint | The API server endpoint URL |
| cluster_certificate_authority_data | Base64 encoded cluster CA certificate |
| cluster_security_group_id | Cluster security group ID |
| node_security_group_id | Node security group ID |
| oidc_provider_arn | OIDC provider ARN for IRSA |
| oidc_provider_url | OIDC provider URL |
| node_group_arns | Map of node group ARNs |
| fargate_profile_arns | Map of Fargate profile ARNs |
| cluster_iam_role_arn | Cluster IAM role ARN |
| kms_key_arn | KMS key ARN used for encryption |

## Cost Estimation

| Component | Approximate Monthly Cost |
|-----------|--------------------------|
| EKS Control Plane | $73 |
| m5.large (3 nodes) | $210 |
| m6i.xlarge (3 nodes) | $420 |
| m6i.2xlarge (6 nodes) | $1,680 |
| CloudWatch Logs | Variable |
| KMS Key | $1 |
| NAT Gateway (data transfer) | Variable |

Costs vary by region, instance type, and utilization. Use the [AWS Pricing Calculator](https://calculator.aws/) for precise estimates.

## IAM Permissions Required

The IAM principal running Terraform needs the following permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:*",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:CreateLaunchTemplate",
        "ec2:DeleteLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:RunInstances",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:PassRole",
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:CreateOpenIDConnectProvider",
        "iam:DeleteOpenIDConnectProvider",
        "iam:GetOpenIDConnectProvider",
        "kms:CreateKey",
        "kms:CreateAlias",
        "kms:DeleteAlias",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListResourceTags",
        "kms:PutKeyPolicy",
        "kms:ScheduleKeyDeletion",
        "kms:TagResource",
        "kms:EnableKeyRotation",
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy",
        "logs:DescribeLogGroups",
        "logs:ListTagsLogGroup",
        "logs:TagLogGroup"
      ],
      "Resource": "*"
    }
  ]
}
```

This policy is a working baseline for the deploying principal, not a least-privilege grant: every action is allowed on `"Resource": "*"`, and unscoped `iam:CreateRole`, `iam:PutRolePolicy`, `iam:AttachRolePolicy` and `iam:PassRole` let that principal create, empower and pass arbitrary roles, which is equivalent to administrator access. Scope the IAM statements to the role and policy ARNs this module creates, and run the deployment under a permissions boundary.

## Submodules

| Module | Description |
|--------|-------------|
| [modules/node-group](./modules/node-group/) | Reusable managed node group with launch template |
| [modules/fargate-profile](./modules/fargate-profile/) | Reusable Fargate profile |
| [modules/irsa](./modules/irsa/) | IAM Roles for Service Accounts helper |

## Examples

| Example | Description |
|---------|-------------|
| [examples/basic](./examples/basic/) | Simple cluster with one node group |
| [examples/advanced](./examples/advanced/) | Multi-node-group with Fargate and Spot |
| [examples/complete](./examples/complete/) | Full enterprise cluster with all features |

## References

- [Amazon EKS User Guide](https://docs.aws.amazon.com/eks/latest/userguide/)
- [EKS Best Practices Guide](https://aws.github.io/aws-eks-best-practices/)
- [EKS Managed Node Groups](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html)
- [EKS Fargate](https://docs.aws.amazon.com/eks/latest/userguide/fargate.html)
- [IRSA Documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)
- [EKS Access Entries](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html)
- [EKS Add-ons](https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html)
- [Envelope Encryption](https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html)

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.0 |
| aws | >= 5.20.0 |
| tls | >= 4.0 |
| kubernetes | >= 2.20 |

## License

MIT License. See [LICENSE](LICENSE) for details.
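## Verifying the control-plane defaults

The Security Considerations section claims a private-only endpoint, KMS envelope encryption of secrets and all five control-plane log types. The following check, an added example written for this page and not code from the module, reads the JSON that `aws eks describe-cluster --name <cluster>` returns (the field names are the EKS API's) and reports every deviation from those defaults. The sample response is constructed and deliberately drifted: public endpoint open to `0.0.0.0/0`, no encryption config, three log types disabled.

```python
"""Audit an EKS describe-cluster response against the hardening this README claims.

Added example for this page, not code from terraform-aws-eks. The constructed
sample below stands in for `aws eks describe-cluster --name production` output.
"""
import json

ALL_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}

# Constructed sample: a cluster that has drifted from the README's secure defaults.
SAMPLE_DESCRIBE_CLUSTER = json.loads("""
{
  "cluster": {
    "name": "production",
    "version": "1.29",
    "resourcesVpcConfig": {
      "endpointPublicAccess": true,
      "endpointPrivateAccess": true,
      "publicAccessCidrs": ["0.0.0.0/0"]
    },
    "logging": {
      "clusterLogging": [
        {"types": ["api", "audit"], "enabled": true},
        {"types": ["authenticator", "controllerManager", "scheduler"], "enabled": false}
      ]
    },
    "identity": {
      "oidc": {"issuer": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1234567890ABCDEF"}
    },
    "encryptionConfig": []
  }
}
""")


def enabled_log_types(cluster):
    """Flatten clusterLogging into the set of log types that are switched on."""
    enabled = set()
    for entry in cluster.get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def audit_cluster(describe_cluster_response):
    """Return (severity, message) findings; an empty list means the cluster matches the README defaults."""
    cluster = describe_cluster_response["cluster"]
    findings = []

    vpc = cluster.get("resourcesVpcConfig", {})
    if vpc.get("endpointPublicAccess"):
        cidrs = vpc.get("publicAccessCidrs", [])
        if "0.0.0.0/0" in cidrs:
            findings.append(("HIGH", "public API endpoint reachable from 0.0.0.0/0; "
                             "set cluster_endpoint_public_access_cidrs or disable public access"))
        else:
            findings.append(("MEDIUM", "public API endpoint enabled for " + ", ".join(cidrs)))
    if not vpc.get("endpointPrivateAccess"):
        findings.append(("MEDIUM", "private API endpoint disabled; in-VPC clients traverse the public endpoint"))

    # Envelope encryption counts only when a KMS key is actually attached to the "secrets" resource.
    encrypted_resources = {
        resource
        for config in cluster.get("encryptionConfig") or []
        if config.get("provider", {}).get("keyArn")
        for resource in config.get("resources", [])
    }
    if "secrets" not in encrypted_resources:
        findings.append(("HIGH", "no KMS envelope encryption for Kubernetes secrets "
                         "(encryptionConfig missing or without a keyArn)"))

    missing = ALL_LOG_TYPES - enabled_log_types(cluster)
    if missing:
        findings.append(("MEDIUM", "control-plane log types disabled: " + ", ".join(sorted(missing))))

    if not cluster.get("identity", {}).get("oidc", {}).get("issuer"):
        findings.append(("LOW", "no OIDC issuer; IRSA is not available on this cluster"))

    return findings


if __name__ == "__main__":
    for severity, message in audit_cluster(SAMPLE_DESCRIBE_CLUSTER):
        print(f"[{severity}] {message}")
```

Run it against real output with `aws eks describe-cluster --name <cluster> --output json > cluster.json` and `audit_cluster(json.load(open("cluster.json")))`; the same function slots into a CI step that fails the pipeline on any HIGH finding.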
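## Verifying the node launch templates

The IMDSv2 Enforcement and EBS Encryption sections describe settings that live in the node groups' launch templates. This check, an added example written for this page and not module code, reads the JSON returned by `aws ec2 describe-launch-template-versions` (EC2 API field names) and flags `HttpTokens` other than `required`, a `HttpPutResponseHopLimit` above 1, and block device mappings without encryption. The two template versions in the sample are constructed: one compliant apart from its hop limit, one with IMDSv1 and an unencrypted root volume.

```python
"""Check EKS node launch templates for the IMDSv2 and EBS settings this README claims.

Added example for this page, not code from terraform-aws-eks. The sample
stands in for `aws ec2 describe-launch-template-versions --launch-template-id <id>`
output and is constructed.
"""
import json

SAMPLE_LAUNCH_TEMPLATE_VERSIONS = json.loads("""
{
  "LaunchTemplateVersions": [
    {
      "LaunchTemplateId": "lt-0123456789abcdef0",
      "LaunchTemplateName": "production-application",
      "VersionNumber": 3,
      "LaunchTemplateData": {
        "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2},
        "BlockDeviceMappings": [
          {"DeviceName": "/dev/xvda",
           "Ebs": {"VolumeSize": 200, "VolumeType": "gp3", "Encrypted": true,
                   "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"}}
        ]
      }
    },
    {
      "LaunchTemplateId": "lt-0fedcba9876543210",
      "LaunchTemplateName": "legacy-batch",
      "VersionNumber": 1,
      "LaunchTemplateData": {
        "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2},
        "BlockDeviceMappings": [
          {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 100, "VolumeType": "gp3", "Encrypted": false}}
        ]
      }
    }
  ]
}
""")


def audit_launch_template_version(version):
    """Findings for one launch template version as (severity, template, message) tuples."""
    name = f"{version.get('LaunchTemplateName')} v{version.get('VersionNumber')}"
    data = version.get("LaunchTemplateData", {})
    findings = []

    metadata = data.get("MetadataOptions", {})
    if metadata.get("HttpEndpoint", "enabled") == "enabled":  # EC2 treats an absent HttpEndpoint as enabled
        if metadata.get("HttpTokens") != "required":
            findings.append(("HIGH", name, "IMDSv1 allowed (HttpTokens != required): an SSRF into any "
                             "process on the node can read the node role's credentials"))
        hop_limit = metadata.get("HttpPutResponseHopLimit")
        if hop_limit is None:
            findings.append(("LOW", name, "HttpPutResponseHopLimit not set in the template; "
                             "verify the effective value on a running instance"))
        elif hop_limit > 1:
            findings.append(("MEDIUM", name, f"HttpPutResponseHopLimit={hop_limit}: pods on the node can "
                             "complete the IMDSv2 handshake and use the node role"))

    for mapping in data.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if not ebs:
            continue  # instance-store or NoDevice mappings carry no EBS settings
        device = mapping.get("DeviceName", "?")
        if not ebs.get("Encrypted"):
            findings.append(("HIGH", name, f"{device}: EBS volume not encrypted in the template"))
        elif not ebs.get("KmsKeyId"):
            findings.append(("LOW", name, f"{device}: encrypted with the account default EBS key "
                             "rather than an explicit KMS key"))
    return findings


def audit_launch_templates(describe_response):
    """Run the audit over every version in a describe-launch-template-versions response."""
    findings = []
    for version in describe_response.get("LaunchTemplateVersions", []):
        findings.extend(audit_launch_template_version(version))
    return findings


if __name__ == "__main__":
    for severity, template, message in audit_launch_templates(SAMPLE_LAUNCH_TEMPLATE_VERSIONS):
        print(f"[{severity}] {template}: {message}")
```

The hop-limit check is the one most often skipped: `http_tokens = "required"` closes the SSRF route from outside the node, but with a hop limit of 2 any pod that is not blocked by network policy can still obtain a token and read the node role's credentials.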
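## Building and checking an IRSA trust policy

The Least-Privilege IAM section says IRSA roles must be bound to a specific service account through the `aud` and `sub` claims. The following example, added for this page and not the module's `modules/irsa` code, builds the trust policy AWS documents for IAM Roles for Service Accounts from an OIDC provider ARN and lints an existing policy for the mistakes that widen who may assume the role: no `aud` condition, no `sub` condition, a `sub` wildcard spanning namespaces, or a literal `*` under `StringEquals` that never matches. The account ID, provider ARN and issuer path are constructed placeholders.

```python
"""Build and lint an IRSA trust policy.

Added example for this page, not code from terraform-aws-eks. The account ID,
OIDC provider ARN and issuer path below are constructed placeholders.
"""

SAMPLE_OIDC_PROVIDER_ARN = (
    "arn:aws:iam::123456789012:oidc-provider/"
    "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1234567890ABCDEF"
)


def issuer_from_provider_arn(oidc_provider_arn):
    """Condition keys are prefixed with the issuer host and path, i.e. the ARN part after 'oidc-provider/'."""
    marker = ":oidc-provider/"
    if marker not in oidc_provider_arn:
        raise ValueError("not an IAM OIDC provider ARN: " + oidc_provider_arn)
    return oidc_provider_arn.split(marker, 1)[1]


def build_trust_policy(oidc_provider_arn, namespace, service_account):
    """Trust policy that lets exactly one Kubernetes service account assume the role."""
    issuer = issuer_from_provider_arn(oidc_provider_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer}:aud": "sts.amazonaws.com",
                f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def lint_trust_policy(policy):
    """Return findings for every Allow statement that grants sts:AssumeRoleWithWebIdentity."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not (
            "sts:AssumeRoleWithWebIdentity" in actions or "sts:*" in actions
        ):
            continue
        where = f"statement {index}"
        # Flatten Condition into (operator, key, values) so both the key suffix and the operator are visible.
        conditions = [
            (operator, key, _as_list(values))
            for operator, block in stmt.get("Condition", {}).items()
            for key, values in block.items()
        ]
        if not any(key.endswith(":aud") for _, key, _ in conditions):
            findings.append(f"{where}: no ':aud' condition; tokens minted for any audience are accepted")
        subs = [(operator, values) for operator, key, values in conditions if key.endswith(":sub")]
        if not subs:
            findings.append(f"{where}: no ':sub' condition; every service account in the cluster can assume this role")
        for operator, values in subs:
            for value in values:
                parts = value.split(":")
                if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
                    findings.append(f"{where}: ':sub' value {value!r} is not system:serviceaccount:<ns>:<sa>")
                    continue
                namespace, account = parts[2], parts[3]
                if operator.startswith("StringLike") and "*" in namespace:
                    findings.append(f"{where}: ':sub' wildcard {value!r} spans namespaces")
                elif operator.startswith("StringLike") and "*" in account:
                    findings.append(f"{where}: ':sub' {value!r} admits every service account in namespace {namespace!r}")
                elif operator.startswith("StringEquals") and "*" in value:
                    findings.append(f"{where}: '*' under StringEquals is literal and never matches; "
                                    "use StringLike if a wildcard was intended")
    return findings


# Constructed weak policy: the aud check is missing and sub is wildcarded across namespaces.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAMPLE_OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {
            "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE1234567890ABCDEF:sub": "system:serviceaccount:*:*"
        }},
    }],
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_trust_policy(SAMPLE_OIDC_PROVIDER_ARN, "payments", "ledger-writer"), indent=2))
    for finding in lint_trust_policy(WEAK_TRUST_POLICY):
        print("FINDING:", finding)
```

Feed the module's `oidc_provider_arn` output into `build_trust_policy`, or run `lint_trust_policy` over the `AssumeRolePolicyDocument` that `aws iam get-role` returns for each IRSA role, to catch roles that any pod in the cluster could assume.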