Posted By: Karan
As we all know, AWS plays a very important role in building, deploying and managing websites, applications and processes.
So in this article we will learn how to set up one of the important AWS services, an EKS cluster, using Terraform.
What is Terraform?
Terraform is an open source, cloud-agnostic Infrastructure as Code (IaC) tool.
Notable features of Terraform
Terraform uses declarative configuration files.
Terraform executes *.tf files, and the configuration in this blog is split across the files introduced in the steps below:-
Step 1: Create an AWS user
The first thing is to create a user in AWS for Terraform.
In AWS, go to the IAM section, create a user and attach the AdministratorAccess policy to that user.
Note:- Copy down the access key and secret key, as they will be used by Terraform for setting up the infrastructure.
Step 2: Create provider.tf
Now we will start writing the code for the EKS infrastructure.
For that, create a separate folder and inside it a provider.tf file with the following configuration.
As we are using AWS for our infrastructure, we use the AWS provider block, giving it the region plus the access key and secret key of the user created in step 1, so that Terraform can access our AWS account.
    provider "aws" {
      region     = "us-east-1"
      access_key = "**********************"
      secret_key = "*****************************************"
    }
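The provider block above writes the long-lived keys of an AdministratorAccess user into a file that normally ends up in version control, where anyone with read access to the repository can reuse them. The following provider.tf is an added example, not from the original post: it assumes a named AWS CLI profile called terraform-eks (an assumed name) exists in ~/.aws/credentials, or that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set in the environment, so no secret is stored in the configuration. It also pins the provider version and tags everything it creates.

```hcl
terraform {
  required_version = ">= 1.3"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # pin the major version so a provider upgrade cannot silently change behaviour
    }
  }
}

# Credentials are resolved by the provider from the named profile below or from the
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables; nothing secret lives in this file.
provider "aws" {
  region  = "us-east-1"
  profile = "terraform-eks" # assumed profile name in ~/.aws/credentials

  # Applied to every resource the provider creates, so ownership is visible in the console and in billing.
  default_tags {
    tags = {
      ManagedBy = "terraform"
      Project   = "eks-demo" # constructed value
    }
  }
}
```

The state file that terraform apply produces still records resource details, so terraform.tfstate and any *.tfvars holding values you would not publish belong in .gitignore as well.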
Step 2: Create vpc.tf
For creating the VPC we will be using the terraform-aws-modules/vpc module.
Using a module gives you a shorthand Domain Specific Language (DSL) that reduces the amount of work.
The module block below refers to an availability-zone data source and a cluster-name variable, so both are declared alongside it.
    data "aws_availability_zones" "available" {
      state = "available"
    }

    variable "cluster-name" {
      type    = string
      default = "eks-cluster"
    }

    module "vpc" {
      source = "terraform-aws-modules/vpc/aws"

      name = "my-vpc"
      cidr = "10.0.0.0/16"

      # azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
      azs             = slice(data.aws_availability_zones.available.names, 0, 2)
      private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
      public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

      enable_nat_gateway = false
      enable_vpn_gateway = false

      tags = {
        Name = "${var.cluster-name}-vpc"
      }
    }
Step 3: Create IAM roles for the cluster and the node group and attach the required policies to them in iam.tf.
    # Role assumed by the EKS control plane.
    resource "aws_iam_role" "eks-cluster" {
      name = "eks-cluster-role"

      assume_role_policy = <<-EOF
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Sid": "",
            "Principal": {
              "Service": "eks.amazonaws.com"
            }
          }
        ]
      }
      EOF
    }

    # This policy provides K8S the permissions it requires to manage resources on your behalf.
    resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
      role       = aws_iam_role.eks-cluster.name
      policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
    }

    # This policy allows Amazon Elastic Container Service for K8S to create and manage the necessary resources to operate EKS clusters.
    resource "aws_iam_role_policy_attachment" "AmazonEKSServicePolicy" {
      role       = aws_iam_role.eks-cluster.name
      policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
    }

    # Role assumed by the EC2 instances that form the node group.
    resource "aws_iam_role" "eks-nodes" {
      name = "eks-node-group"

      assume_role_policy = <<-EOF
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Sid": "",
            "Principal": {
              "Service": "ec2.amazonaws.com"
            }
          }
        ]
      }
      EOF
    }

    resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
      role       = aws_iam_role.eks-nodes.name
      policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
    }

    resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
      role       = aws_iam_role.eks-nodes.name
      policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
    }

    # This policy provides the Amazon VPC CNI plugin the permissions it requires to modify the IP address configuration on your EKS worker nodes.
    resource "aws_iam_role_policy_attachment" "AmazonEKSCNIPolicy" {
      role       = aws_iam_role.eks-nodes.name
      policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
    }
Step 4: Create cluster and nodes in ekscluster.tf
Here we reference the cluster role and the node role created in the previous step.
    resource "aws_eks_cluster" "aws_eks" {
      name     = var.cluster-name
      role_arn = aws_iam_role.eks-cluster.arn

      vpc_config {
        subnet_ids = module.vpc.public_subnets
      }

      # The policies must be attached before the control plane is created.
      depends_on = [
        aws_iam_role_policy_attachment.AmazonEKSClusterPolicy,
        aws_iam_role_policy_attachment.AmazonEKSServicePolicy,
      ]

      tags = {
        Name = var.cluster-name
      }
    }

    resource "aws_eks_node_group" "node" {
      cluster_name    = aws_eks_cluster.aws_eks.name
      node_group_name = "eks-cluster-ng"
      node_role_arn   = aws_iam_role.eks-nodes.arn
      subnet_ids      = module.vpc.public_subnets

      scaling_config {
        desired_size = 1
        max_size     = 2
        min_size     = 1
      }

      # Ensure that IAM Role permissions are created before and deleted after EKS Node group handling.
      # Otherwise, EKS will not be able to properly delete EC2 instances and Elastic Network Interfaces.
      depends_on = [
        aws_iam_role_policy_attachment.AmazonEKSWorkerNodePolicy,
        aws_iam_role_policy_attachment.AmazonEKSCNIPolicy,
        aws_iam_role_policy_attachment.AmazonEC2ContainerRegistryReadOnly,
      ]
    }
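The vpc.tf and ekscluster.tf above place the control plane and the worker nodes in public subnets with no NAT gateway, leave the Kubernetes API reachable from any address, and enable no control-plane logging. The following is an added, hardened variant of both files (not code from the original post): nodes move to private subnets behind a NAT gateway, the public API endpoint is limited to one operator CIDR, API and audit logs go to CloudWatch, and Kubernetes Secrets are envelope-encrypted with a customer-managed KMS key. It assumes the data "aws_availability_zones" "available" source and variable "cluster-name" that vpc.tf references are declared, and that the IAM roles are the ones from iam.tf; the 203.0.113.0/24 range is a constructed placeholder.

```hcl
# vpc.tf (hardened): worker nodes live in private subnets and reach the internet
# only through a NAT gateway, so they never receive a public IP.
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = slice(data.aws_availability_zones.available.names, 0, 2)
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = true # one shared NAT keeps the demo cheap; use one per AZ in production
  enable_vpn_gateway = false

  tags = {
    Name = "${var.cluster-name}-vpc"
  }
}

# Customer-managed key used for envelope encryption of Kubernetes Secrets.
# The cluster role needs kms:DescribeKey and kms:CreateGrant on it, which AmazonEKSClusterPolicy grants.
resource "aws_kms_key" "eks_secrets" {
  description         = "${var.cluster-name} secrets encryption"
  enable_key_rotation = true
}

# ekscluster.tf (hardened)
resource "aws_eks_cluster" "aws_eks" {
  name     = var.cluster-name
  role_arn = aws_iam_role.eks-cluster.arn

  vpc_config {
    subnet_ids              = module.vpc.private_subnets
    endpoint_private_access = true # nodes talk to the API over the VPC, not the internet
    endpoint_public_access  = true
    # Constructed placeholder: replace with the CIDR your operators connect from.
    public_access_cidrs = ["203.0.113.0/24"]
  }

  # Ship control-plane logs to CloudWatch so API calls and authentication events can be reviewed.
  enabled_cluster_log_types = ["api", "audit", "authenticator"]

  encryption_config {
    provider {
      key_arn = aws_kms_key.eks_secrets.arn
    }
    resources = ["secrets"]
  }

  depends_on = [
    aws_iam_role_policy_attachment.AmazonEKSClusterPolicy,
    aws_iam_role_policy_attachment.AmazonEKSServicePolicy,
  ]

  tags = {
    Name = var.cluster-name
  }
}

resource "aws_eks_node_group" "node" {
  cluster_name    = aws_eks_cluster.aws_eks.name
  node_group_name = "eks-cluster-ng"
  node_role_arn   = aws_iam_role.eks-nodes.arn
  subnet_ids      = module.vpc.private_subnets # no public IP on any worker

  scaling_config {
    desired_size = 1
    max_size     = 2
    min_size     = 1
  }

  # Policies must exist before the node group is created and outlive it during destroy.
  depends_on = [
    aws_iam_role_policy_attachment.AmazonEKSWorkerNodePolicy,
    aws_iam_role_policy_attachment.AmazonEKSCNIPolicy,
    aws_iam_role_policy_attachment.AmazonEC2ContainerRegistryReadOnly,
  ]
}
```

The NAT gateway is the price of private nodes: without it the instances cannot pull images from ECR or join the cluster. If the operator CIDR changes, only public_access_cidrs needs an update; the node-to-API path stays on the private endpoint.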
Step 5: Deploy the resources
Once the files have been written, we can deploy them with a couple of simple commands: terraform init, which downloads the provider and the VPC module, followed by terraform apply.
This will describe all the resources that will be created and will ask for confirmation, to which we have to type yes.
After the resources have been created, you can go to your AWS console to see the services.
Step 6: Destroy the resources
We can destroy these resources with a single command, terraform destroy:-
It also asks for confirmation, to which we have to type yes.
This will destroy all the resources in AWS that we created earlier.
November 21, 2024 at 11:05 am