This repository contains a production-ready AWS infrastructure deployment using Terraform, implementing a highly available, secure, and scalable multi-tier architecture on Amazon EKS.
- Amazon EKS: Kubernetes orchestration platform with mixed On-Demand/Spot instances
- Amazon S3: Static content storage with lifecycle policies
- Application Load Balancer: Internet-facing load balancer with TLS termination
- VPC: Multi-AZ networking with public/private subnets
- Network Isolation: Private subnets for compute and data layers
- Encryption: All data encrypted at rest and in transit
- AWS Secrets Manager: Automated credential rotation
- AWS WAF: Application-layer firewall protection
- Security Groups: Granular network access control
- IAM Roles: Fine-grained permission management
- Multi-AZ Deployment: Resources distributed across 3 availability zones
- Auto-scaling: Horizontal scaling for EKS nodes and pods
- Redundant NAT Gateways: One per availability zone for outbound connectivity
- S3 Cross-Region Replication: Optional for disaster recovery
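As an added illustration of the Encryption and AWS Secrets Manager bullets above (example code, not the repository's rds/ or elasticache/ modules): the Terraform settings that actually produce "encrypted at rest and in transit" and "automated credential rotation", with the weaker default each one overrides noted beside it. The resource names, the KMS key, the engine versions and the subnet-group and security-group variables are assumptions.

```hcl
# Added example, not the repository's module code. The variables are assumed
# inputs that the real vpc/ and security/ modules would provide.
variable "db_subnet_group_name" { type = string }    # private data subnets
variable "cache_subnet_group_name" { type = string } # private data subnets
variable "data_security_group_id" { type = string }  # admits 5432/6379 from the EKS node SG only
variable "redis_auth_token" {
  type      = string
  sensitive = true
}

resource "aws_kms_key" "data" {
  description         = "CMK for Aurora PostgreSQL and ElastiCache at-rest encryption"
  enable_key_rotation = true
}

# Aurora PostgreSQL: encrypted storage and snapshots; the master password is
# created and rotated by Secrets Manager instead of being passed in as a
# variable and written to Terraform state.
resource "aws_rds_cluster" "app" {
  cluster_identifier = "aws-eks-app-production"
  engine             = "aurora-postgresql"
  engine_version     = "15.4"
  master_username    = "app_admin"

  storage_encrypted = true                       # default false: plaintext volumes and snapshots
  kms_key_id        = aws_kms_key.data.arn

  manage_master_user_password   = true           # no master_password literal in config or state
  master_user_secret_kms_key_id = aws_kms_key.data.key_id

  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.tls_only.name
  db_subnet_group_name            = var.db_subnet_group_name
  vpc_security_group_ids          = [var.data_security_group_id]

  backup_retention_period   = 7
  deletion_protection       = true               # default false; must be disabled before terraform destroy
  skip_final_snapshot       = false
  final_snapshot_identifier = "aws-eks-app-production-final"
}

resource "aws_rds_cluster_instance" "app" {
  count               = 2                        # one writer, one reader in another AZ
  identifier          = "aws-eks-app-production-${count.index}"
  cluster_identifier  = aws_rds_cluster.app.id
  instance_class      = "db.r6g.large"
  engine              = aws_rds_cluster.app.engine
  engine_version      = aws_rds_cluster.app.engine_version
  publicly_accessible = false
}

# Enforce TLS at the engine so "in transit" does not depend on every client
# setting sslmode correctly: a connection that does not negotiate SSL is rejected.
resource "aws_rds_cluster_parameter_group" "tls_only" {
  name   = "aws-eks-app-production-tls-only"
  family = "aurora-postgresql15"
  parameter {
    name  = "rds.force_ssl"
    value = "1"
  }
}

# Redis: encryption at rest with the same CMK, TLS on the wire, AUTH token.
resource "aws_elasticache_replication_group" "cache" {
  replication_group_id       = "aws-eks-app-production"
  description                = "Redis for aws-eks-app"
  engine                     = "redis"
  engine_version             = "7.1"
  node_type                  = "cache.r7g.large"
  num_cache_clusters         = 3                 # one per availability zone
  automatic_failover_enabled = true
  multi_az_enabled           = true

  at_rest_encryption_enabled = true              # default false
  kms_key_id                 = aws_kms_key.data.arn
  transit_encryption_enabled = true              # default false; clients (and redis-cli) must use TLS
  auth_token                 = var.redis_auth_token # only honoured when transit encryption is on

  snapshot_retention_limit = 5
  subnet_group_name        = var.cache_subnet_group_name
  security_group_ids       = [var.data_security_group_id]
}
```

Two of these settings matter for the rest of this README: `deletion_protection` blocks `terraform destroy` until it is turned off, and `transit_encryption_enabled` means the Redis troubleshooting command must be run with `--tls`.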
- AWS CLI configured with appropriate credentials
- Terraform >= 1.5.0
- kubectl >= 1.29
- Helm >= 3.0
```text
aws-eks/
├── terraform/
│   ├── modules/
│   │   ├── vpc/          # VPC and networking configuration
│   │   ├── security/     # Security groups and NACLs
│   │   ├── iam/          # IAM roles and policies
│   │   ├── eks/          # EKS cluster and node groups
│   │   ├── rds/          # Aurora PostgreSQL database
│   │   ├── elasticache/  # Redis cluster configuration
│   │   └── s3/           # S3 buckets and policies
│   ├── environments/
│   │   └── production/   # Production environment configuration
│   ├── main.tf           # Main Terraform configuration
│   └── variables.tf      # Variable definitions
└── README.md
```
```bash
# Clone the repository
git clone <repository-url>
cd aws-eks

# Navigate to production environment
cd terraform/environments/production
```

Edit terraform.tfvars with your specific values:

```hcl
region       = "us-east-1"
project_name = "your-project-name"
domain_name  = "your-domain.com"
alert_email  = "your-email@example.com"
```

Before deploying, create the S3 bucket and DynamoDB table for Terraform state. S3 bucket names are global, so pick a name that is free and use the same name in the backend configuration; in any region other than us-east-1, `create-bucket` also needs `--create-bucket-configuration LocationConstraint=<region>`. The state file will contain database credentials and other secrets in plain text, so keep the bucket private (block public access on it with `aws s3api put-public-access-block`) and restrict who can read it:

```bash
aws s3api create-bucket \
  --bucket terraform-state-aws-eks-app \
  --region us-east-1

aws s3api put-bucket-versioning \
  --bucket terraform-state-aws-eks-app \
  --versioning-configuration Status=Enabled

aws s3api put-bucket-encryption \
  --bucket terraform-state-aws-eks-app \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }]
  }'

aws dynamodb create-table \
  --table-name terraform-state-lock \
  --attribute-definitions AttributeName=LockID,AttributeType=S \
  --key-schema AttributeName=LockID,KeyType=HASH \
  --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
  --region us-east-1
```
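The commands above create the bucket and lock table but the README does not show the backend that consumes them. This is an added example, not the repository's own main.tf: the `backend "s3"` block the production environment's configuration is assumed to declare so that `terraform init` uses that bucket and table, followed by the least-privilege IAM policy a deployment principal needs for this state. Bucket, table and region match the bootstrap commands; the state key path and the policy name are assumptions.

```hcl
# Added example, not the repository's own files. Bucket, table and region match
# the bootstrap commands in this README; the key path is assumed.
terraform {
  required_version = ">= 1.5.0"

  backend "s3" {
    bucket         = "terraform-state-aws-eks-app"
    key            = "environments/production/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                   # SSE on each state write, independent of the bucket default
    dynamodb_table = "terraform-state-lock" # state locking and consistency checks
  }
}

data "aws_caller_identity" "current" {}

# State holds database credentials and other secrets in plain text: scope access
# to this environment's key and the lock table rather than the whole bucket.
data "aws_iam_policy_document" "state_access" {
  statement {
    sid       = "ListStateBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::terraform-state-aws-eks-app"]
  }
  statement {
    sid       = "ReadWriteProductionState"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::terraform-state-aws-eks-app/environments/production/*"]
  }
  statement {
    sid       = "StateLock"
    actions   = ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = ["arn:aws:dynamodb:us-east-1:${data.aws_caller_identity.current.account_id}:table/terraform-state-lock"]
  }
}

resource "aws_iam_policy" "state_access" {
  name   = "terraform-state-production"
  policy = data.aws_iam_policy_document.state_access.json
}
```

Attach the policy to the role that runs `terraform apply` (a CI role or an operator role assumed via SSO) and leave the bucket otherwise unreadable; a second environment gets its own key prefix and its own statement, so a compromise of one deployment role does not expose the other environment's secrets.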
```bash
# Initialize Terraform
terraform init

# Review the execution plan and save it
terraform plan -out=tfplan

# Apply the plan that was reviewed. -auto-approve would apply a fresh plan,
# which can differ from the one you read if the environment changed in between.
terraform apply tfplan
```

After deployment, configure kubectl to connect to the EKS cluster:
```bash
aws eks update-kubeconfig \
  --region us-east-1 \
  --name aws-eks-app-production

# Verify connection
kubectl get nodes
```
```bash
# Add the EKS Helm repository
helm repo add eks https://aws.github.io/eks-charts
helm repo update

# Install the AWS Load Balancer Controller
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName=aws-eks-app-production \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller
```

`serviceAccount.create=false` means the `aws-load-balancer-controller` ServiceAccount must already exist in `kube-system`, annotated with `eks.amazonaws.com/role-arn` pointing at an IAM role the controller can assume through the cluster's OIDC provider (IRSA). Without that annotation the controller pods start but have no AWS permissions and cannot create load balancers. The `clusterName` value must match the name passed to `update-kubeconfig` above.

Update your Route 53 or DNS provider to point to the CloudFront distribution:

```bash
# Get CloudFront distribution domain
terraform output cloudfront_domain_name
```

Ensure the ACM certificate is validated by adding the required DNS records.
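The Helm install above expects an IRSA role behind its ServiceAccount, and the Cluster Autoscaler deployed in a later step needs one too. The following is an added example, not the repository's iam/ or eks/ modules: one trust policy pattern applied to both controllers, where the `sub` condition is what stops every other pod in the cluster from assuming the role. It assumes the cluster name used in this README, that both ServiceAccounts live in `kube-system`, that the cluster's OIDC issuer is already registered as an IAM identity provider, and that `iam_policy.json` was downloaded from the aws-load-balancer-controller release matching the installed chart version (the file ships under `docs/install/` in that repository).

```hcl
# Added example, not the repository's module code. See the lead-in for the
# assumptions (cluster name, kube-system namespaces, downloaded iam_policy.json).
data "aws_eks_cluster" "this" {
  name = "aws-eks-app-production"
}

# The cluster's OIDC issuer must already be registered as an IAM identity provider.
data "aws_iam_openid_connect_provider" "this" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}

locals {
  oidc_host = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")

  # ServiceAccount name => its namespace and the permissions its role carries
  controllers = {
    aws-load-balancer-controller = {
      namespace = "kube-system"
      policy    = file("${path.module}/iam_policy.json")
    }
    cluster-autoscaler = {
      namespace = "kube-system"
      policy    = data.aws_iam_policy_document.cluster_autoscaler.json
    }
  }
}

# Trust policy: only the named ServiceAccount, presenting a token issued for the
# STS audience, may assume the role. Without the sub condition any pod in the
# cluster could assume it.
data "aws_iam_policy_document" "irsa_trust" {
  for_each = local.controllers

  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.this.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:${each.value.namespace}:${each.key}"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

# Cluster Autoscaler: read-only discovery everywhere, but scaling actions only on
# Auto Scaling groups tagged as owned by this cluster. EKS managed node groups add
# that tag automatically, and the autodiscover manifest keys on the same tag.
data "aws_iam_policy_document" "cluster_autoscaler" {
  statement {
    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeScalingActivities",
      "autoscaling:DescribeTags",
      "ec2:DescribeImages",
      "ec2:DescribeInstanceTypes",
      "ec2:DescribeLaunchTemplateVersions",
      "eks:DescribeNodegroup",
    ]
    resources = ["*"]
  }
  statement {
    actions   = ["autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/${data.aws_eks_cluster.this.name}"
      values   = ["owned"]
    }
  }
}

resource "aws_iam_policy" "controller" {
  for_each = local.controllers
  name     = "${data.aws_eks_cluster.this.name}-${each.key}"
  policy   = each.value.policy
}

resource "aws_iam_role" "irsa" {
  for_each           = local.controllers
  name               = "${data.aws_eks_cluster.this.name}-${each.key}"
  assume_role_policy = data.aws_iam_policy_document.irsa_trust[each.key].json
}

resource "aws_iam_role_policy_attachment" "irsa" {
  for_each   = local.controllers
  role       = aws_iam_role.irsa[each.key].name
  policy_arn = aws_iam_policy.controller[each.key].arn
}

# Annotate each ServiceAccount with eks.amazonaws.com/role-arn = <this ARN>
output "irsa_role_arns" {
  value = { for k, r in aws_iam_role.irsa : k => r.arn }
}
```

The output gives the ARN to put in each ServiceAccount's `eks.amazonaws.com/role-arn` annotation. For the load balancer controller you can either create the annotated ServiceAccount with a manifest before the `helm install` above, or let the chart create it by switching to `--set serviceAccount.create=true --set "serviceAccount.annotations.eks\.amazonaws\.com/role-arn=<arn>"` (the dots in the annotation key must be escaped for Helm). The `cluster-autoscaler` ServiceAccount in the upstream autodiscover manifest needs the same annotation.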
Deploy your application using Kubernetes manifests or Helm charts:

```bash
kubectl apply -f your-application-manifests/
```

Deploy the Cluster Autoscaler. The upstream example manifest below is fetched from the `master` branch, so what it deploys changes over time: download it, pin the URL to the autoscaler release tag that matches the cluster's Kubernetes minor version, replace the `<YOUR CLUSTER NAME>` placeholder in its `--node-group-auto-discovery` argument with `aws-eks-app-production`, and apply the edited copy. Like the load balancer controller, the autoscaler needs an IAM role it can assume through IRSA, annotated on its `cluster-autoscaler` ServiceAccount.

```bash
kubectl apply -f https://raw.githubusercontent.com/kubernetes/autoscaler/master/cluster-autoscaler/cloudprovider/aws/examples/cluster-autoscaler-autodiscover.yaml
```

The infrastructure automatically creates CloudWatch alarms for:
- High CPU utilization
- Database connections
- Cache evictions
- Storage capacity
- RDS: Automated backups with 7-day retention
- ElastiCache: Daily snapshots with 5-day retention
- S3: Versioning enabled with lifecycle policies
- Spot Instances: 70% of compute capacity on Spot
- S3 Lifecycle: Automatic transition to cheaper storage tiers
- Reserved Capacity: Consider purchasing Reserved Instances for stable workloads
- Rotate Secrets Regularly: Secrets Manager handles automatic rotation
- Update Security Groups: Review and update security group rules periodically
- Patch Management: Enable automatic minor version upgrades
- Audit Logging: All API calls logged to CloudWatch
- Network Segmentation: Use private subnets for sensitive resources
- EKS Node Connection Issues:
  ```bash
  kubectl get nodes
  kubectl describe node <node-name>
  ```
- Database Connectivity (use the credentials stored in Secrets Manager; psql prompts for the password, and `PGSSLMODE=require` keeps the test connection on TLS):
  ```bash
  kubectl run -it --rm debug --image=postgres:15 --restart=Never --env=PGSSLMODE=require -- \
    psql -h <aurora-endpoint> -U <db-user> -d <db-name>
  ```
- Redis Connection (with in-transit encryption enabled, redis-cli must connect with `--tls`; add `--askpass` if an AUTH token is configured):
  ```bash
  kubectl run -it --rm redis-cli --image=redis:7 --restart=Never -- \
    redis-cli -h <redis-endpoint> --tls
  ```
To destroy all resources:

```bash
terraform destroy
```

Review the list of resources in the confirmation prompt before answering; do not pass `-auto-approve` against the production environment. If the Aurora cluster was created with deletion protection or a required final snapshot, the destroy will stop until those settings are changed.

For issues or questions, please open an issue in the repository or contact the infrastructure team.
[Your License Here]