Forem: Chinmay Tonape The latest articles on Forem by Chinmay Tonape (@chinmay13). https://forem.com/chinmay13 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1200218%2F124ef576-240d-4fed-8c83-f3312ad968e0.jpg Forem: Chinmay Tonape https://forem.com/chinmay13 en AWS CDK Constructs Explained: L1, L2, and L3 with Python Chinmay Tonape Mon, 16 Mar 2026 17:42:14 +0000 https://forem.com/aws-builders/aws-cdk-constructs-explained-l1-l2-and-l3-with-python-4ie8 https://forem.com/aws-builders/aws-cdk-constructs-explained-l1-l2-and-l3-with-python-4ie8 <p>If you've ever looked at two CDK stacks doing the same thing and wondered why one is 200 lines and the other is 20, the answer is almost always <em>which level of construct</em> the author chose. This post breaks down all three levels — L1, L2, and L3 — using a consistent real-world example so you can see exactly what each abstraction buys you.</p> <h2> Background: What Is AWS CDK? </h2> <p>The AWS Cloud Development Kit (CDK) is an open-source framework that lets you define cloud infrastructure using familiar programming languages — Python, TypeScript, Java, and more. Under the hood, CDK synthesizes your code into AWS CloudFormation templates, which are then used to provision resources.</p> <p>The key advantage over raw CloudFormation YAML is that you get the full power of a programming language: loops, conditionals, type checking, reusable classes, and IDE support. Instead of copying and pasting 300 lines of YAML every time you need a Lambda function, you write a Python class once and reuse it everywhere.</p> <p>CDK apps are organized around three concepts:</p> <ul> <li> <strong>App</strong> — the root of your CDK application</li> <li> <strong>Stack</strong> — maps to a CloudFormation stack; a unit of deployment</li> <li> <strong>Construct</strong> — the building block. Everything in CDK is a construct.</li> </ul> <h2> What Are CDK Constructs? </h2> <p>Constructs are the core abstraction in CDK. Every resource you define — a Lambda function, an S3 bucket, an API Gateway — is a construct. They form a tree: your App contains Stacks, Stacks contain constructs, and constructs can contain other constructs.</p> <p>CDK ships with three levels of constructs, each offering a different trade-off between control and convenience:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Level</th> <th>Class prefix</th> <th>What it represents</th> <th>Boilerplate</th> </tr> </thead> <tbody> <tr> <td>L1</td> <td><code>Cfn*</code></td> <td>Raw CloudFormation resource, 1:1 mapping</td> <td>Maximum</td> </tr> <tr> <td>L2</td> <td>e.g. <code>Function</code>, <code>RestApi</code> </td> <td>Curated resource with defaults and helpers</td> <td>Medium</td> </tr> <tr> <td>L3</td> <td>Custom class or <code>aws-solutions-constructs</code> </td> <td>Opinionated, reusable multi-resource pattern</td> <td>Minimum</td> </tr> </tbody> </table></div> <p>Understanding when to use each level is one of the most practical skills you can develop as a CDK user.</p> <h2> The Example: A Hello World API </h2> <p>To make the comparison concrete, we'll build the same thing three times — once per construct level:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frs3i8wed4aqc3kycxldj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frs3i8wed4aqc3kycxldj.png" alt=" " width="700" height="407"></a></p> <p>A REST API with a single <code>GET /hello</code> endpoint, backed by a Lambda function, with CloudWatch Logs capturing both API Gateway access logs and Lambda execution logs.</p> <h2> Prerequisites </h2> <p>Install the required packages<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt </code></pre> </div> <h2> L1 — Raw CloudFormation Wrappers </h2> <p>L1 constructs are the lowest level. Every class is prefixed with <code>Cfn</code> (short for CloudFormation) and maps directly to a CloudFormation resource type. If a property exists in CloudFormation, it exists on the L1 construct — nothing more, nothing less.</p> <p>Working with L1 feels a lot like writing CloudFormation YAML, just in Python. You are responsible for everything: IAM roles, resource dependencies, Lambda invoke permissions, deployment ordering.</p> <p><strong>When to reach for L1:</strong></p> <ul> <li>A property you need isn't exposed by the L2 construct yet</li> <li>You're migrating an existing CloudFormation template to CDK</li> <li>You need precise control over every resource attribute </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Every piece is explicit — IAM role, log group, function, permissions... </span><span class="n">lambda_role</span> <span class="o">=</span> <span class="n">iam</span><span class="p">.</span><span class="nc">CfnRole</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">LambdaRole</span><span class="sh">"</span><span class="p">,</span> <span class="n">assume_role_policy_document</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">Version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2012-10-17</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Statement</span><span class="sh">"</span><span class="p">:</span> <span class="p">[{</span> <span class="sh">"</span><span class="s">Effect</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Allow</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Principal</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">Service</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">lambda.amazonaws.com</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">Action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">sts:AssumeRole</span><span class="sh">"</span><span class="p">,</span> <span class="p">}],</span> <span class="p">},</span> <span class="n">managed_policy_arns</span><span class="o">=</span><span class="p">[</span> <span class="sh">"</span><span class="s">arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole</span><span class="sh">"</span> <span class="p">],</span> <span class="p">)</span> <span class="n">lambda_log_group</span> <span class="o">=</span> <span class="nc">CfnLogGroup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">LambdaLogGroup</span><span class="sh">"</span><span class="p">,</span> <span class="n">log_group_name</span><span class="o">=</span><span class="sh">"</span><span class="s">/aws/lambda/l1-hello-world</span><span class="sh">"</span><span class="p">,</span> <span class="n">retention_in_days</span><span class="o">=</span><span class="mi">7</span><span class="p">,</span> <span class="p">)</span> <span class="n">lambda_fn</span> <span class="o">=</span> <span class="nc">CfnFunction</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">HelloFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="sh">"</span><span class="s">python3.12</span><span class="sh">"</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">index.handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="n">lambda_role</span><span class="p">.</span><span class="n">attr_arn</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">CfnFunction</span><span class="p">.</span><span class="nc">CodeProperty</span><span class="p">(</span><span class="n">zip_file</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">),</span> <span class="n">logging_config</span><span class="o">=</span><span class="n">CfnFunction</span><span class="p">.</span><span class="nc">LoggingConfigProperty</span><span class="p">(</span> <span class="n">log_group</span><span class="o">=</span><span class="n">lambda_log_group</span><span class="p">.</span><span class="n">log_group_name</span><span class="p">,</span> <span class="n">log_format</span><span class="o">=</span><span class="sh">"</span><span class="s">JSON</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="n">lambda_fn</span><span class="p">.</span><span class="nf">add_dependency</span><span class="p">(</span><span class="n">lambda_log_group</span><span class="p">)</span> <span class="c1"># you manage ordering manually </span> <span class="c1"># API Gateway — every piece by hand </span><span class="n">rest_api</span> <span class="o">=</span> <span class="nc">CfnRestApi</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">HelloApi</span><span class="sh">"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">l1-hello-world-api</span><span class="sh">"</span><span class="p">)</span> <span class="n">hello_resource</span> <span class="o">=</span> <span class="nc">CfnResource</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">HelloResource</span><span class="sh">"</span><span class="p">,</span> <span class="n">rest_api_id</span><span class="o">=</span><span class="n">rest_api</span><span class="p">.</span><span class="n">ref</span><span class="p">,</span> <span class="n">parent_id</span><span class="o">=</span><span class="n">rest_api</span><span class="p">.</span><span class="n">attr_root_resource_id</span><span class="p">,</span> <span class="n">path_part</span><span class="o">=</span><span class="sh">"</span><span class="s">hello</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># + CfnMethod, CfnDeployment, CfnStage, CfnPermission, CfnAccount... </span></code></pre> </div> <p><strong>Pros:</strong> Total control. No hidden behavior. Great for auditing exactly what gets deployed.<br><br> <strong>Cons:</strong> Extremely verbose. You own every IAM permission, every <code>add_dependency()</code>, every <code>Fn.sub()</code> for ARN construction. Easy to miss something.</p> <h2> L2 — Curated Constructs with Defaults </h2> <p>L2 constructs are the sweet spot for most CDK users. They wrap L1 constructs with sensible defaults, helper methods, and automatic wiring. CDK generates IAM roles, adds Lambda invoke permissions, links log groups, and creates deployments — all without you asking.</p> <p>The mental model shifts from "how do I configure this resource" to "what do I want this resource to do."</p> <p><strong>When to reach for L2:</strong></p> <ul> <li>Day-to-day infrastructure work (this should be your default)</li> <li>You want secure defaults without writing boilerplate</li> <li>You want IDE autocomplete and type safety on resource props </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># CDK creates the execution role automatically </span><span class="n">hello_fn</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">HelloFunction</span><span class="sh">"</span><span class="p">,</span> <span class="n">runtime</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Runtime</span><span class="p">.</span><span class="n">PYTHON_3_12</span><span class="p">,</span> <span class="n">handler</span><span class="o">=</span><span class="sh">"</span><span class="s">index.handler</span><span class="sh">"</span><span class="p">,</span> <span class="n">code</span><span class="o">=</span><span class="n">_lambda</span><span class="p">.</span><span class="n">Code</span><span class="p">.</span><span class="nf">from_inline</span><span class="p">(</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">),</span> <span class="n">timeout</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="n">log_group</span><span class="o">=</span><span class="n">lambda_log_group</span><span class="p">,</span> <span class="c1"># just pass the log group, CDK links it </span><span class="p">)</span> <span class="c1"># LambdaIntegration automatically adds the resource-based policy </span><span class="n">api</span> <span class="o">=</span> <span class="n">apigw</span><span class="p">.</span><span class="nc">RestApi</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">HelloApi</span><span class="sh">"</span><span class="p">,</span> <span class="n">deploy_options</span><span class="o">=</span><span class="n">apigw</span><span class="p">.</span><span class="nc">StageOptions</span><span class="p">(</span> <span class="n">access_log_destination</span><span class="o">=</span><span class="n">apigw</span><span class="p">.</span><span class="nc">LogGroupLogDestination</span><span class="p">(</span><span class="n">apigw_log_group</span><span class="p">),</span> <span class="n">access_log_format</span><span class="o">=</span><span class="n">apigw</span><span class="p">.</span><span class="n">AccessLogFormat</span><span class="p">.</span><span class="nf">json_with_standard_fields</span><span class="p">(...),</span> <span class="n">logging_level</span><span class="o">=</span><span class="n">apigw</span><span class="p">.</span><span class="n">MethodLoggingLevel</span><span class="p">.</span><span class="n">INFO</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="n">hello_resource</span> <span class="o">=</span> <span class="n">api</span><span class="p">.</span><span class="n">root</span><span class="p">.</span><span class="nf">add_resource</span><span class="p">(</span><span class="sh">"</span><span class="s">hello</span><span class="sh">"</span><span class="p">)</span> <span class="n">hello_resource</span><span class="p">.</span><span class="nf">add_method</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="n">apigw</span><span class="p">.</span><span class="nc">LambdaIntegration</span><span class="p">(</span><span class="n">hello_fn</span><span class="p">))</span> </code></pre> </div> <p><strong>Pros:</strong> Dramatically less code. Secure defaults. Typed props with IDE support. Handles the boring stuff.<br><br> <strong>Cons:</strong> Occasionally a property isn't exposed yet. When that happens, you escape to L1 via <code>.node.default_child</code> — a bit awkward but workable.</p> <h2> L3 — Reusable Patterns </h2> <p>L3 constructs are where CDK really shines for teams. They're custom constructs you build by composing L2 constructs into a higher-level, opinionated pattern. The goal is to encode your team's standards — logging, security, tagging, naming conventions — once, and reuse them everywhere.</p> <p>Think of L3 as your internal infrastructure library. Instead of every developer wiring up Lambda + API Gateway + CloudWatch from scratch, they instantiate your <code>LambdaApiService</code> and get all of that for free.</p> <p>AWS also ships a set of official L3 patterns via the <a href="https://docs.aws.amazon.com/solutions/latest/constructs/welcome.html" rel="noopener noreferrer">AWS Solutions Constructs</a> library — pre-built, well-architected combinations like <code>aws-apigateway-lambda</code> or <code>aws-lambda-dynamodb</code>.</p> <p><strong>When to reach for L3:</strong></p> <ul> <li>You find yourself copy-pasting the same L2 pattern across multiple stacks</li> <li>You want to enforce team standards (logging, retention, tagging) in one place</li> <li>You're building a platform that other teams consume </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">LambdaApiService</span><span class="p">(</span><span class="n">Construct</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> One construct = Lambda + API Gateway + CloudWatch Logs. All wiring is internal. Consumers just pass props. </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">*</span><span class="p">,</span> <span class="n">props</span><span class="p">:</span> <span class="n">LambdaApiServiceProps</span><span class="p">):</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="nb">id</span><span class="p">)</span> <span class="c1"># All the L2 wiring happens here, once, for everyone </span> <span class="n">lambda_log_group</span> <span class="o">=</span> <span class="n">logs</span><span class="p">.</span><span class="nc">LogGroup</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">LambdaLogs</span><span class="sh">"</span><span class="p">,</span> <span class="p">...)</span> <span class="n">self</span><span class="p">.</span><span class="n">_function</span> <span class="o">=</span> <span class="n">_lambda</span><span class="p">.</span><span class="nc">Function</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">Function</span><span class="sh">"</span><span class="p">,</span> <span class="n">log_group</span><span class="o">=</span><span class="n">lambda_log_group</span><span class="p">,</span> <span class="p">...)</span> <span class="n">apigw_log_group</span> <span class="o">=</span> <span class="n">logs</span><span class="p">.</span><span class="nc">LogGroup</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">ApiGwLogs</span><span class="sh">"</span><span class="p">,</span> <span class="p">...)</span> <span class="n">self</span><span class="p">.</span><span class="n">_api</span> <span class="o">=</span> <span class="n">apigw</span><span class="p">.</span><span class="nc">RestApi</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">Api</span><span class="sh">"</span><span class="p">,</span> <span class="n">deploy_options</span><span class="o">=</span><span class="n">apigw</span><span class="p">.</span><span class="nc">StageOptions</span><span class="p">(</span> <span class="n">access_log_destination</span><span class="o">=</span><span class="n">apigw</span><span class="p">.</span><span class="nc">LogGroupLogDestination</span><span class="p">(</span><span class="n">apigw_log_group</span><span class="p">),</span> <span class="bp">...</span> <span class="p">))</span> <span class="n">resource</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_api</span><span class="p">.</span><span class="n">root</span><span class="p">.</span><span class="nf">add_resource</span><span class="p">(</span><span class="n">props</span><span class="p">.</span><span class="n">path</span><span class="p">)</span> <span class="n">resource</span><span class="p">.</span><span class="nf">add_method</span><span class="p">(</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">,</span> <span class="n">apigw</span><span class="p">.</span><span class="nc">LambdaIntegration</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_function</span><span class="p">))</span> <span class="n">self</span><span class="p">.</span><span class="n">endpoint_url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">_api</span><span class="p">.</span><span class="n">url</span><span class="si">}{</span><span class="n">props</span><span class="p">.</span><span class="n">path</span><span class="si">}</span><span class="sh">"</span> </code></pre> </div> <p>Using it in a stack becomes trivial:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">L3HelloWorldStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="nb">id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># One line gets you Lambda + API GW + CloudWatch, fully wired </span> <span class="n">service</span> <span class="o">=</span> <span class="nc">LambdaApiService</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">HelloService</span><span class="sh">"</span><span class="p">,</span> <span class="n">props</span><span class="o">=</span><span class="nc">LambdaApiServiceProps</span><span class="p">(</span> <span class="n">function_name</span><span class="o">=</span><span class="sh">"</span><span class="s">l3-hello-world</span><span class="sh">"</span><span class="p">,</span> <span class="n">handler_code</span><span class="o">=</span><span class="n">HANDLER_CODE</span><span class="p">,</span> <span class="n">api_name</span><span class="o">=</span><span class="sh">"</span><span class="s">l3-hello-world-api</span><span class="sh">"</span><span class="p">,</span> <span class="n">path</span><span class="o">=</span><span class="sh">"</span><span class="s">hello</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="nc">CfnOutput</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">ApiUrl</span><span class="sh">"</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="n">service</span><span class="p">.</span><span class="n">endpoint_url</span><span class="p">)</span> </code></pre> </div> <p><strong>Pros:</strong> Maximum reuse. New services inherit logging, IAM, and API Gateway automatically. Standards enforced at the construct level, not by convention.<br><br> <strong>Cons:</strong> Upfront design investment. Over-abstraction can hide details that matter. Needs versioning if shared across teams.</p> <h2> Side-by-Side Comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>L1</th> <th>L2</th> <th>L3</th> </tr> </thead> <tbody> <tr> <td>Lines of code (this example)</td> <td>~130</td> <td>~60</td> <td>~40 stack + ~60 construct</td> </tr> <tr> <td>IAM roles</td> <td>Manual</td> <td>Auto-generated</td> <td>Auto-generated</td> </tr> <tr> <td>Lambda permissions</td> <td>Manual <code>CfnPermission</code> </td> <td> <code>LambdaIntegration</code> handles it</td> <td>Encapsulated</td> </tr> <tr> <td>Log group linking</td> <td>Manual <code>add_dependency</code> </td> <td> <code>log_group=</code> prop</td> <td>Encapsulated</td> </tr> <tr> <td>Reusability</td> <td>None</td> <td>Low</td> <td>High</td> </tr> <tr> <td>Escape hatch needed</td> <td>Never</td> <td>Rarely</td> <td>Rarely</td> </tr> <tr> <td>Best for</td> <td>Migration / edge cases</td> <td>Day-to-day work</td> <td>Platform / shared libraries</td> </tr> </tbody> </table></div> <h2> Deploying </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Bootstrap your AWS account (once per account/region)</span> <span class="c"># Run from inside any of the construct folders</span> <span class="nb">cd </span>l2_construct <span class="nv">$&amp;</span>&amp; cdk bootstrap <span class="c"># Deploy the constructs</span> <span class="nb">cd </span>l1_construct <span class="o">&amp;&amp;</span> cdk deploy <span class="nb">cd </span>l2_construct <span class="o">&amp;&amp;</span> cdk deploy <span class="nb">cd </span>l3_construct <span class="o">&amp;&amp;</span> cdk deploy </code></pre> </div> <p>Test the endpoint:</p> <p>L1 Construct:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F46oyoh8lkic6jfuictwg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F46oyoh8lkic6jfuictwg.png" alt=" " width="762" height="253"></a></p> <p>L2 Construct:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz4gb5jd82h8ctnzcy5gy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz4gb5jd82h8ctnzcy5gy.png" alt=" " width="800" height="274"></a></p> <p>L3 Construct:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz201gc8wtvnx9gwz3mkl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz201gc8wtvnx9gwz3mkl.png" alt=" " width="800" height="256"></a></p> <p>Check logs in CloudWatch:</p> <ul> <li>Lambda logs: <code>/aws/lambda/l2-hello-world</code> </li> <li>API Gateway logs: <code>/aws/apigateway/l2-hello-world</code> </li> </ul> <h2> Cleanup </h2> <p>To avoid ongoing charges, destroy the stacks when you're done:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>l1_construct <span class="o">&amp;&amp;</span> cdk destroy <span class="nb">cd </span>l2_construct <span class="o">&amp;&amp;</span> cdk destroy <span class="nb">cd </span>l3_construct <span class="o">&amp;&amp;</span> cdk destroy </code></pre> </div> <p>CDK will prompt for confirmation before deleting. </p> <blockquote> <p>Note: The CDK bootstrap stack (<code>CDKToolkit</code>) is not removed by <code>cdk destroy</code>. You can delete it manually from the CloudFormation console if you no longer need CDK in that account/region.</p> </blockquote> <h2> Conclusion </h2> <p>CDK constructs aren't a hierarchy where L3 is always better — they're tools for different situations. L1 gives you the full CloudFormation surface area with no magic. L2 handles the 80% case cleanly with sensible defaults. L3 is where you invest once and multiply the value across your entire team.</p> <p>A practical rule of thumb: start with L2, drop to L1 when you hit a wall, and promote repeated L2 patterns into L3 constructs when you find yourself copy-pasting. That progression naturally leads to a clean, maintainable infrastructure codebase.</p> <p>The real power of CDK isn't any single construct level — it's that all three levels compose together seamlessly in the same stack.</p> <h2> References </h2> <ul> <li>GitHub repo with all code from this post: <a href="https://github.com/chinmayto/aws-cdk-constructs-python" rel="noopener noreferrer">https://github.com/chinmayto/aws-cdk-constructs-python</a> </li> <li><a href="https://docs.aws.amazon.com/cdk/api/v2/python/index.html" rel="noopener noreferrer">AWS CDK Python API Reference</a></li> <li><a href="https://constructs.dev" rel="noopener noreferrer">AWS CDK Construct Library</a></li> <li> <a href="https://docs.aws.amazon.com/solutions/latest/constructs/welcome.html" rel="noopener noreferrer">AWS Solutions Constructs</a> — official L3 patterns</li> <li> <a href="https://cdkpatterns.com" rel="noopener noreferrer">CDK Patterns</a> — community-contributed patterns</li> </ul> aws cdk python cloudformation Building Scalable Web Application on AWS with CDK in TypeScript Chinmay Tonape Tue, 24 Feb 2026 18:45:26 +0000 https://forem.com/aws-builders/building-scalable-web-infrastructure-on-aws-with-cdk-in-typescript-21p5 https://forem.com/aws-builders/building-scalable-web-infrastructure-on-aws-with-cdk-in-typescript-21p5 <h2> Introduction </h2> <p>Infrastructure as Code (IaC) has revolutionized how we provision and manage cloud resources. In our previous blog post, we built a highly available web infrastructure using AWS CDK with Python. We explored the fundamentals of CDK, CloudFormation integration, and deployed a production-ready architecture with EC2 instances behind an Application Load Balancer.</p> <p>In this tutorial, we'll deploy the exact same architecture, but this time using TypeScript as our CDK language. This gives you the opportunity to:</p> <ul> <li>Compare Python and TypeScript approaches to infrastructure as code</li> <li>Understand how CDK provides a consistent experience across different programming languages</li> <li>Choose the language that best fits your team's expertise and preferences</li> <li>See how type safety and IDE support differ between languages</li> </ul> <p>Whether you're a JavaScript/TypeScript developer looking to manage infrastructure in a familiar language, or you're exploring different CDK language options, this guide will show you how TypeScript brings strong typing, excellent IDE support, and a robust ecosystem to your infrastructure code.</p> <h2> Architecture Overview </h2> <p>We'll build a highly available web infrastructure with the following components:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ Internet │ └────────────────────────────────┬────────────────────────────────────┘ │ ▼ ┌────────────────────────┐ │ Internet Gateway │ └────────────────────────┘ │ ┌────────────────────────────────┼────────────────────────────────────┐ │ │ VPC │ │ ▼ │ │ ┌─────────────────────────────────────────────────────────────┐ │ │ │ Application Load Balancer (ALB) │ │ │ │ (Public Subnets) │ │ │ └──────────────────────┬──────────────────┬───────────────────┘ │ │ │ │ │ │ ┌──────────────────────┼──────────────────┼─────────────────────┐ │ │ │ Availability Zone 1 │ │ Availability Zone 2 │ │ │ │ │ │ │ │ │ │ ┌───────────────────▼────────────┐ ┌──▼──────────────────┐ │ │ │ │ │ Public Subnet (AZ-1) │ │ Public Subnet (AZ-2)│ │ │ │ │ │ │ │ │ │ │ │ │ │ ┌──────────────────┐ │ │ │ │ │ │ │ │ │ NAT Gateway │ │ │ │ │ │ │ │ │ └────────┬─────────┘ │ │ │ │ │ │ │ └───────────┼────────────────────┘ └─────────────────────┘ │ │ │ │ │ │ │ │ │ ┌───────────▼────────────────┐ ┌────────────────────────┐ │ │ │ │ │ Private Subnet (AZ-1) │ │ Private Subnet (AZ-2) │ │ │ │ │ │ │ │ │ │ │ │ │ │ ┌──────────────────┐ │ │ ┌──────────────────┐ │ │ │ │ │ │ │ EC2 Instance 1 │ │ │ │ EC2 Instance 2 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ └──────────────────┘ │ │ └──────────────────┘ │ │ │ │ │ │ │ │ │ │ │ │ │ └────────────────────────────┘ └────────────────────────┘ │ │ │ │ │ │ │ └───────────────────────────────────────────────────────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Building the Infrastructure </h2> <h3> Step 1: Project Setup </h3> <p>First, ensure you have the prerequisites installed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install Node.js and npm (if not already installed)</span> <span class="c"># Install AWS CDK CLI globally</span> npm <span class="nb">install</span> <span class="nt">-g</span> aws-cdk <span class="c"># Verify installation</span> cdk <span class="nt">--version</span> </code></pre> </div> <h3> Step 2: Initialize the Project </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Initialize CDK project (TypeScript example)</span> cdk init app <span class="nt">--language</span><span class="o">=</span>typescript <span class="c"># Install dependencies</span> npm <span class="nb">install</span> </code></pre> </div> <h3> Step 3: Bootstrap Your AWS Environment </h3> <p>Before deploying CDK applications, you need to bootstrap your AWS environment. This creates necessary resources like an S3 bucket for storing templates and IAM roles for deployments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Bootstrap CDK (one-time per account/region)</span> cdk bootstrap </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span>cdk bootstrap Deploying to account: 197317184204, region: us-east-1 ⏳ Bootstrapping environment aws://197317184204/us-east-1... Trusted accounts <span class="k">for </span>deployment: <span class="o">(</span>none<span class="o">)</span> Trusted accounts <span class="k">for </span>lookup: <span class="o">(</span>none<span class="o">)</span> Using default execution policy of <span class="s1">'arn:aws:iam::aws:policy/AdministratorAccess'</span><span class="nb">.</span> Pass <span class="s1">'--cloudformation-execution-policies'</span> to customize. CDKToolkit: creating CloudFormation changeset... CDKToolkit | 0/12 | 11:46:00 pm | REVIEW_IN_PROGRESS | AWS::CloudFormation::Stack | CDKToolkit User Initiated <span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> CDKToolkit | 12/12 | 11:46:51 pm | CREATE_COMPLETE | AWS::CloudFormation::Stack | CDKToolkit ✅ Environment aws://197317184204/us-east-1 bootstrapped. </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2g5p0uqrfh30a4u6n83r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2g5p0uqrfh30a4u6n83r.png" alt=" " width="800" height="318"></a></p> <h3> Step 4: Review the Infrastructure Code </h3> <h3> Creating the VPC </h3> <p>The VPC is configured with 2 Availability Zones, public subnets for the load balancer, and private subnets for EC2 instances:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Create VPC with public and private subnets</span> <span class="kd">const</span> <span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WebsiteVPC</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">natGateways</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">PublicSubnet</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">PrivateSubnet</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">24</span> <span class="p">}</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h3> Security Groups </h3> <p>We create two security groups: one for the ALB (allowing internet traffic) and one for EC2 instances (allowing traffic only from the ALB):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Security group for ALB (public-facing)</span> <span class="kd">const</span> <span class="nx">albSecurityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ALBSecurityGroup</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Security group for Application Load Balancer</span><span class="dl">'</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">albSecurityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">80</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow HTTP traffic from internet</span><span class="dl">'</span> <span class="p">);</span> <span class="c1">// Security group for EC2 instances (private)</span> <span class="kd">const</span> <span class="nx">ec2SecurityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EC2SecurityGroup</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Security group for EC2 instances</span><span class="dl">'</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">ec2SecurityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="nx">albSecurityGroup</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">80</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allow HTTP traffic from ALB</span><span class="dl">'</span> <span class="p">);</span> </code></pre> </div> <h3> IAM Role for EC2 </h3> <p>The IAM role allows EC2 instances to be managed via AWS Systems Manager:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// IAM role for EC2 instances</span> <span class="kd">const</span> <span class="nx">ec2Role</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EC2Role</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">ec2.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="na">managedPolicies</span><span class="p">:</span> <span class="p">[</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">'</span><span class="s1">AmazonSSMManagedInstanceCore</span><span class="dl">'</span><span class="p">)</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h3> User Data Script </h3> <p>The user data script installs Apache and creates a dynamic webpage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// User data script to install and configure web server</span> <span class="kd">const</span> <span class="nx">userData</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">UserData</span><span class="p">.</span><span class="nf">forLinux</span><span class="p">();</span> <span class="nx">userData</span><span class="p">.</span><span class="nf">addCommands</span><span class="p">(</span> <span class="dl">'</span><span class="s1">yum update -y</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">yum install -y httpd</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">systemctl start httpd</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">systemctl enable httpd</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TOKEN=$(curl --request PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 3600")</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">instanceId=$(curl -s http://169.254.169.254/latest/meta-data/instance-id --header "X-aws-ec2-metadata-token: $TOKEN")</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">echo "&lt;h1&gt;AWS Linux VM Deployed with CDK&lt;/h1&gt;" &gt; /var/www/html/index.html</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">echo "&lt;p&gt;Instance ID: $instanceId&lt;/p&gt;" &gt;&gt; /var/www/html/index.html</span><span class="dl">'</span> <span class="p">);</span> </code></pre> </div> <h3> Creating EC2 Instances </h3> <p>We create 2 EC2 instances distributed across different Availability Zones:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Create EC2 instances in different AZs</span> <span class="kd">const</span> <span class="nx">instance1</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WebInstance1</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">instanceType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nb">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">T3</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">MICRO</span><span class="p">),</span> <span class="na">machineImage</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">MachineImage</span><span class="p">.</span><span class="nf">latestAmazonLinux2023</span><span class="p">(),</span> <span class="na">securityGroup</span><span class="p">:</span> <span class="nx">ec2SecurityGroup</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">ec2Role</span><span class="p">,</span> <span class="na">userData</span><span class="p">:</span> <span class="nx">userData</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnets</span><span class="p">:</span> <span class="p">[</span><span class="nx">privateSubnets</span><span class="p">.</span><span class="nx">subnets</span><span class="p">[</span><span class="mi">0</span><span class="p">]]</span> <span class="p">},</span> <span class="na">requireImdsv2</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">instance2</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WebInstance2</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">instanceType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nb">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">T3</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">MICRO</span><span class="p">),</span> <span class="na">machineImage</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">MachineImage</span><span class="p">.</span><span class="nf">latestAmazonLinux2023</span><span class="p">(),</span> <span class="na">securityGroup</span><span class="p">:</span> <span class="nx">ec2SecurityGroup</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">ec2Role</span><span class="p">,</span> <span class="na">userData</span><span class="p">:</span> <span class="nx">userData</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnets</span><span class="p">:</span> <span class="p">[</span><span class="nx">privateSubnets</span><span class="p">.</span><span class="nx">subnets</span><span class="p">[</span><span class="mi">1</span><span class="p">]]</span> <span class="p">},</span> <span class="na">requireImdsv2</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> </code></pre> </div> <h3> Application Load Balancer </h3> <p>Finally, we create the ALB with a target group and listener:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Application Load Balancer</span> <span class="kd">const</span> <span class="nx">alb</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nc">ApplicationLoadBalancer</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WebsiteALB</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">internetFacing</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">securityGroup</span><span class="p">:</span> <span class="nx">albSecurityGroup</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Target group with health checks</span> <span class="kd">const</span> <span class="nx">targetGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nc">ApplicationTargetGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WebsiteTargetGroup</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nx">ApplicationProtocol</span><span class="p">.</span><span class="nx">HTTP</span><span class="p">,</span> <span class="na">targets</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">elbv2_targets</span><span class="p">.</span><span class="nc">InstanceTarget</span><span class="p">(</span><span class="nx">instance1</span><span class="p">,</span> <span class="mi">80</span><span class="p">),</span> <span class="k">new</span> <span class="nx">elbv2_targets</span><span class="p">.</span><span class="nc">InstanceTarget</span><span class="p">(</span><span class="nx">instance2</span><span class="p">,</span> <span class="mi">80</span><span class="p">)</span> <span class="p">],</span> <span class="na">healthCheck</span><span class="p">:</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="na">interval</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Listener</span> <span class="nx">alb</span><span class="p">.</span><span class="nf">addListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">WebsiteListener</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nx">ApplicationProtocol</span><span class="p">.</span><span class="nx">HTTP</span><span class="p">,</span> <span class="na">defaultTargetGroups</span><span class="p">:</span> <span class="p">[</span><span class="nx">targetGroup</span><span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h3> CloudFormation Outputs </h3> <p>We define outputs to easily access important resource information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Outputs</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">LoadBalancerDNS</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">alb</span><span class="p">.</span><span class="nx">loadBalancerDnsName</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DNS name of the load balancer</span><span class="dl">'</span> <span class="p">});</span> </code></pre> </div> <h3> Step 5: Deploy the Infrastructure </h3> <p>Preview the CloudFormation template that CDK will generate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk synth </code></pre> </div> <p>Deploy the stack to AWS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk deploy </code></pre> </div> <p>CDK will show you the changes and ask for confirmation. Type y to proceed.</p> <p>The deployment takes approximately 5–10 minutes. Once complete, you’ll see outputs including:</p> <p>The deployment process:</p> <ol> <li>CDK synthesizes your code into CloudFormation templates</li> <li>Templates are uploaded to the bootstrap S3 bucket</li> <li>CloudFormation creates a change set</li> <li>Resources are provisioned in dependency order</li> <li>Outputs are displayed (including the load balancer URL) </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span>cdk deploy Deploying to account: 197317184204, region: us-east-1 ✨ Synthesis <span class="nb">time</span>: 10.91s WebsiteStack: start: Building WebsiteStack/Custom::VpcRestrictDefaultSGCustomResourceProvider Code WebsiteStack: success: Built WebsiteStack/Custom::VpcRestrictDefaultSGCustomResourceProvider Code WebsiteStack: start: Building WebsiteStack Template WebsiteStack: success: Built WebsiteStack Template WebsiteStack: start: Publishing WebsiteStack/Custom::VpcRestrictDefaultSGCustomResourceProvider Code <span class="o">(</span>197317184204-us-east-1-78ffe0b8<span class="o">)</span> WebsiteStack: start: Publishing WebsiteStack Template <span class="o">(</span>197317184204-us-east-1-0ae3e5c9<span class="o">)</span> WebsiteStack: success: Published WebsiteStack/Custom::VpcRestrictDefaultSGCustomResourceProvider Code <span class="o">(</span>197317184204-us-east-1-78ffe0b8<span class="o">)</span> WebsiteStack: success: Published WebsiteStack Template <span class="o">(</span>197317184204-us-east-1-0ae3e5c9<span class="o">)</span> Stack WebsiteStack IAM Statement Changes ┌───┬──────────────────────────────────────────────────────────────┬────────┬──────────────────────────────────────────────────────────────┬────────────────────────────────────────────────────────────────┬───────────┐ │ │ Resource │ Effect │ Action │ Principal │ Condition │ ├───┼──────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤ │ + │ <span class="k">${</span><span class="nv">Custom</span>::VpcRestrictDefaultSGCustomResourceProvider/Role.Ar<span class="p"> │ Allow │ sts</span>:AssumeRole<span class="p"> │ Service</span>:lambda.amazonaws.com<span class="p"> │ │ │ │ n</span><span class="k">}</span> │ │ │ │ │ ├───┼──────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤ │ + │ <span class="k">${</span><span class="nv">EC2Role</span><span class="p">.Arn</span><span class="k">}</span> │ Allow │ sts:AssumeRole │ Service:ec2.amazonaws.com │ │ ├───┼──────────────────────────────────────────────────────────────┼────────┼──────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤ │ + │ arn:aws:ec2:us-east-1:197317184204:security-group/<span class="k">${</span><span class="nv">WebsiteV</span><span class="p"> │ Allow │ ec2</span>:AuthorizeSecurityGroupEgress<span class="p"> │ AWS</span>:<span class="k">${</span><span class="nv">Custom</span>::VpcRestrictDefaultSGCustomResourceProvider/Role<span class="k">}</span><span class="p"> │ │ │ │ PC.DefaultSecurityGroup</span><span class="k">}</span> │ │ ec2:AuthorizeSecurityGroupIngress │ │ │ │ │ │ │ ec2:RevokeSecurityGroupEgress │ │ │ │ │ │ │ ec2:RevokeSecurityGroupIngress │ │ │ └───┴──────────────────────────────────────────────────────────────┴────────┴──────────────────────────────────────────────────────────────┴────────────────────────────────────────────────────────────────┴───────────┘ IAM Policy Changes ┌───┬────────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────┐ │ │ Resource │ Managed Policy ARN │ ├───┼────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤ │ + │ <span class="k">${</span><span class="nv">Custom</span>::VpcRestrictDefaultSGCustomResourceProvider/Role<span class="k">}</span> │ <span class="o">{</span><span class="s2">"Fn::Sub"</span>:<span class="s2">"arn:</span><span class="k">${</span><span class="nv">AWS</span>::Partition<span class="k">}</span><span class="s2">:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"</span><span class="o">}</span> │ ├───┼────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤ │ + │ <span class="k">${</span><span class="nv">EC2Role</span><span class="k">}</span> │ arn:<span class="k">${</span><span class="nv">AWS</span>::Partition<span class="k">}</span>:iam::aws:policy/AmazonSSMManagedInstanceCore │ └───┴────────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────┘ Security Group Changes ┌───┬─────────────────────────────┬─────┬────────────┬─────────────────────────────┐ │ │ Group │ Dir │ Protocol │ Peer │ ├───┼─────────────────────────────┼─────┼────────────┼─────────────────────────────┤ │ + │ <span class="k">${</span><span class="nv">ALBSecurityGroup</span><span class="p">.GroupId</span><span class="k">}</span> │ In │ TCP 80 │ Everyone <span class="o">(</span>IPv4<span class="o">)</span> │ │ + │ <span class="k">${</span><span class="nv">ALBSecurityGroup</span><span class="p">.GroupId</span><span class="k">}</span> │ In │ TCP 443 │ Everyone <span class="o">(</span>IPv4<span class="o">)</span> │ │ + │ <span class="k">${</span><span class="nv">ALBSecurityGroup</span><span class="p">.GroupId</span><span class="k">}</span> │ Out │ Everything │ Everyone <span class="o">(</span>IPv4<span class="o">)</span> │ ├───┼─────────────────────────────┼─────┼────────────┼─────────────────────────────┤ │ + │ <span class="k">${</span><span class="nv">EC2SecurityGroup</span><span class="p">.GroupId</span><span class="k">}</span> │ In │ TCP 80 │ <span class="k">${</span><span class="nv">ALBSecurityGroup</span><span class="p">.GroupId</span><span class="k">}</span> │ │ + │ <span class="k">${</span><span class="nv">EC2SecurityGroup</span><span class="p">.GroupId</span><span class="k">}</span> │ Out │ Everything │ Everyone <span class="o">(</span>IPv4<span class="o">)</span> │ └───┴─────────────────────────────┴─────┴────────────┴─────────────────────────────┘ <span class="o">(</span>NOTE: There may be security-related changes not <span class="k">in </span>this list. See https://github.com/aws/aws-cdk/issues/1299<span class="o">)</span> <span class="s2">"--require-approval"</span> is enabled and stack includes security-sensitive updates: <span class="s1">'Do you wish to deploy these changes'</span> <span class="o">(</span>y/n<span class="o">)</span> y WebsiteStack: deploying... <span class="o">[</span>1/1] WebsiteStack: creating CloudFormation changeset... WebsiteStack | 0/39 | 11:50:52 pm | REVIEW_IN_PROGRESS | AWS::CloudFormation::Stack | WebsiteStack User Initiated <span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> WebsiteStack | 39/39 | 11:54:14 pm | CREATE_COMPLETE | AWS::CloudFormation::Stack | WebsiteStack ✅ WebsiteStack ✨ Deployment <span class="nb">time</span>: 213.29s Outputs: WebsiteStack.Instance1Id <span class="o">=</span> i-09fcc8032aee32aa0 WebsiteStack.Instance2Id <span class="o">=</span> i-0c0fa16e8fbfbbbc3 WebsiteStack.LoadBalancerDNS <span class="o">=</span> Websit-Websi-Ii3nPppS97V3-1650643368.us-east-1.elb.amazonaws.com WebsiteStack.VPCId <span class="o">=</span> vpc-0caf658a5e29d540d Stack ARN: arn:aws:cloudformation:us-east-1:197317184204:stack/WebsiteStack/8d7fe6a0-11ad-11f1-abb0-0affee6835c3 ✨ Total <span class="nb">time</span>: 224.2s </code></pre> </div> <h3> Step 6: Test Your Application </h3> <p>Open the LoadBalancerDNS URL in your browser to see your website. Refresh multiple times to see traffic distributed across different instances in different availability zones.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx5hvx9tvvvdlvpu1r965.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx5hvx9tvvvdlvpu1r965.png" alt=" " width="800" height="202"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6smrqwbf0nbn3hkgi42k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6smrqwbf0nbn3hkgi42k.png" alt=" " width="800" height="202"></a></p> <h3> Step 7: Explore Your Infrastructure </h3> <p>View the CloudFormation stack in the AWS Console:</p> <ol> <li>Navigate to CloudFormation service</li> <li>Find the <code>WebsiteStack</code> stack</li> <li>Explore Resources, Events, and Outputs tabs</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fap2p516o44vdy7v48x7v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fap2p516o44vdy7v48x7v.png" alt=" " width="800" height="319"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqibwhc3piap8apreorg7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqibwhc3piap8apreorg7.png" alt=" " width="800" height="337"></a></p> <h2> Cleanup </h2> <p>To avoid ongoing AWS charges, destroy the infrastructure when you're done:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Delete all resources</span> cdk destroy <span class="c"># Confirm deletion when prompted</span> </code></pre> </div> <p>This removes all resources created by the stack. CloudFormation ensures clean deletion in the correct order, handling dependencies automatically.</p> <p><strong>Note</strong>: The bootstrap resources (S3 bucket, IAM roles) are not deleted by <code>cdk destroy</code>. These are shared across all CDK applications in your account and should be kept for future use.</p> <h2> Project Structure </h2> <p>Understanding the CDK project structure helps you navigate and organize your infrastructure code effectively:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws-cdk-website/ ├── bin/ │ └── app.ts # CDK app entry point - defines stacks ├── lib/ │ └── website-stack.ts # Main stack with VPC, EC2, ALB resources ├── node_modules/ # npm dependencies (auto-generated) ├── cdk.out/ # Synthesized CloudFormation templates ├── cdk.json # CDK toolkit configuration ├── cdk.context.json # CDK context values (auto-generated) ├── package.json # Node.js project dependencies and scripts ├── package-lock.json # Locked dependency versions ├── tsconfig.json # TypeScript compiler configuration </code></pre> </div> <h3> Key Files Explained: </h3> <p><strong>bin/app.ts</strong> - Application entry point where you instantiate your CDK app and stacks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="cp">#!/usr/bin/env node </span><span class="k">import</span> <span class="dl">'</span><span class="s1">source-map-support/register</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-cdk-lib</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">WebsiteStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/website-stack</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="k">new</span> <span class="nc">WebsiteStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WebsiteStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">account</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_ACCOUNT</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CDK_DEFAULT_REGION</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p><strong>lib/website-stack.ts</strong> - Contains your infrastructure definitions (VPC, EC2, ALB, security groups, etc.)</p> <p><strong>cdk.json</strong> - Configures how the CDK toolkit executes your app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"app"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx ts-node --prefer-ts-exts bin/app.ts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@aws-cdk/core:enableStackNameDuplicates"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"aws-cdk:enableDiffNoFail"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>package.json</strong> - Defines project metadata, dependencies, and useful scripts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tsc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"watch"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tsc -w"</span><span class="p">,</span><span class="w"> </span><span class="nl">"deploy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npm run build &amp;&amp; cdk deploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"synth"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk synth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"diff"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk diff"</span><span class="p">,</span><span class="w"> </span><span class="nl">"destroy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cdk destroy"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>cdk.out/</strong> - Generated directory containing CloudFormation templates after running <code>cdk synth</code>. This is what actually gets deployed to AWS.</p> <h2> Conclusion </h2> <p>We've successfully deployed the same highly available web infrastructure from our previous Python CDK tutorial, but this time using TypeScript. As you've seen, AWS CDK provides a consistent and powerful experience regardless of your language choice.</p> <p>TypeScript brings several advantages to infrastructure as code:</p> <ul> <li> <strong>Strong type safety</strong>: Catch errors at compile time before deployment</li> <li> <strong>Superior IDE support</strong>: Autocomplete, inline documentation, and refactoring tools</li> <li> <strong>Familiar syntax</strong>: JavaScript/TypeScript developers can leverage existing knowledge</li> <li> <strong>Rich ecosystem</strong>: Access to npm packages and TypeScript tooling</li> <li> <strong>Better collaboration</strong>: Type definitions serve as living documentation</li> </ul> <p>Whether you choose Python, TypeScript, or another supported language, CDK transforms infrastructure provisioning from a tedious, error-prone process into an enjoyable development experience. The combination of CDK's developer-friendly interface and CloudFormation's robust deployment engine provides the best of both worlds.</p> <h2> References </h2> <ul> <li> <strong>GitHub Repository</strong>: <a href="https://github.com/chinmayto/aws-cdk-typescript" rel="noopener noreferrer">aws-cdk-typescript</a> </li> <li> <strong>AWS CDK Documentation</strong>: <a href="https://docs.aws.amazon.com/cdk/" rel="noopener noreferrer">https://docs.aws.amazon.com/cdk/</a> </li> </ul> aws cdk typescript cloudformation Building Scalable Web Application on AWS with CDK and Python Chinmay Tonape Tue, 24 Feb 2026 17:49:41 +0000 https://forem.com/aws-builders/building-a-highly-available-web-application-on-aws-with-cdk-and-python-4epd https://forem.com/aws-builders/building-a-highly-available-web-application-on-aws-with-cdk-and-python-4epd <h2> Introduction </h2> <p>Infrastructure as Code (IaC) has revolutionized how we provision and manage cloud resources. In this tutorial, we'll explore AWS Cloud Development Kit (CDK) and build a production-ready web application infrastructure with high availability built in.</p> <h2> What is AWS CDK? </h2> <p>AWS Cloud Development Kit (CDK) is an open-source software development framework that lets you define cloud infrastructure using familiar programming languages like Python, TypeScript, Java, and C#. Instead of writing verbose JSON or YAML templates, you can use the full power of programming languages to define your infrastructure.</p> <h3> Why Use AWS CDK? </h3> <ul> <li> <strong>Use familiar programming languages</strong>: Write infrastructure code in Python, TypeScript, or other supported languages</li> <li> <strong>Leverage IDE features</strong>: Get autocomplete, type checking, and inline documentation</li> <li> <strong>Reusable components</strong>: Create and share infrastructure patterns as libraries</li> <li> <strong>Higher-level abstractions</strong>: CDK constructs provide sensible defaults and best practices</li> <li> <strong>Faster development</strong>: Write less code compared to raw CloudFormation templates</li> </ul> <h3> CDK and CloudFormation: The Perfect Partnership </h3> <p>AWS CDK doesn't replace CloudFormation—it enhances it. Here's how they work together:</p> <ol> <li> <strong>You write CDK code</strong> in your preferred programming language (Python in our case)</li> <li> <strong>CDK synthesizes CloudFormation templates</strong> from your code using <code>cdk synth</code> </li> <li> <strong>CloudFormation deploys the infrastructure</strong> to AWS</li> <li> <strong>CloudFormation manages the stack lifecycle</strong> (updates, rollbacks, deletions)</li> </ol> <p>This means you get the power of programming languages for authoring and the reliability of CloudFormation for deployment. CDK handles the complexity of generating correct CloudFormation templates, while CloudFormation ensures safe, predictable infrastructure changes.</p> <h2> Architecture Overview </h2> <p>We'll build a highly available web application with the following architecture:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────────────┐ │ Internet │ └────────────────────────────────┬────────────────────────────────────┘ │ ▼ ┌────────────────────────┐ │ Internet Gateway │ └────────────────────────┘ │ ┌────────────────────────────────┼────────────────────────────────────┐ │ │ VPC │ │ ▼ │ │ ┌─────────────────────────────────────────────────────────────┐ │ │ │ Application Load Balancer (ALB) │ │ │ │ (Public Subnets) │ │ │ └──────────────────────┬──────────────────┬───────────────────┘ │ │ │ │ │ │ ┌──────────────────────┼──────────────────┼─────────────────────┐ │ │ │ Availability Zone 1 │ │ Availability Zone 2 │ │ │ │ │ │ │ │ │ │ ┌───────────────────▼────────────┐ ┌──▼──────────────────┐ │ │ │ │ │ Public Subnet (AZ-1) │ │ Public Subnet (AZ-2)│ │ │ │ │ │ │ │ │ │ │ │ │ │ ┌──────────────────┐ │ │ │ │ │ │ │ │ │ NAT Gateway │ │ │ │ │ │ │ │ │ └────────┬─────────┘ │ │ │ │ │ │ │ └───────────┼────────────────────┘ └─────────────────────┘ │ │ │ │ │ │ │ │ │ ┌───────────▼────────────────┐ ┌────────────────────────┐ │ │ │ │ │ Private Subnet (AZ-1) │ │ Private Subnet (AZ-2) │ │ │ │ │ │ │ │ │ │ │ │ │ │ ┌──────────────────┐ │ │ ┌──────────────────┐ │ │ │ │ │ │ │ EC2 Instance 1 │ │ │ │ EC2 Instance 2 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ └──────────────────┘ │ │ └──────────────────┘ │ │ │ │ │ │ │ │ │ │ │ │ │ └────────────────────────────┘ └────────────────────────┘ │ │ │ │ │ │ │ └───────────────────────────────────────────────────────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Prerequisites </h2> <p>Before we begin, ensure you have:</p> <ul> <li> <strong>Node.js</strong> (v14 or later) for CDK CLI</li> <li> <strong>Python 3.8+</strong> installed</li> </ul> <h2> Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws-cdk-python/ │ ├── app.py # CDK app entry point - initializes the stack ├── website_stack.py # Main infrastructure stack definition ├── deploy.py # Deployment helper script │ ├── cdk.json # CDK configuration file ├── cdk.context.json # CDK context values (auto-generated) │ ├── requirements.txt # Python dependencies ├── setup.py # Python package setup file │ └── cdk.out/ # CDK synthesized CloudFormation templates (auto-generated) ├── WebsiteStack.template.json ├── manifest.json └── tree.json </code></pre> </div> <h2> Step 1: Install AWS CDK CLI </h2> <p>Install the CDK CLI globally using npm:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> aws-cdk </code></pre> </div> <p>Verify the installation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk <span class="nt">--version</span> </code></pre> </div> <h2> Step 2: Set Up the Project </h2> <p>Clone the repository or create a new directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/chinmayto/aws-cdk-python.git <span class="nb">cd </span>aws-cdk-python </code></pre> </div> <p>Create a Python virtual environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Windows</span> python <span class="nt">-m</span> venv .venv .venv<span class="se">\S</span>cripts<span class="se">\a</span>ctivate <span class="c"># Linux/Mac</span> python3 <span class="nt">-m</span> venv .venv <span class="nb">source</span> .venv/bin/activate </code></pre> </div> <p>Install Python dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt </code></pre> </div> <h2> Step 3: Bootstrap Your AWS Environment </h2> <p>CDK requires a one-time bootstrap process to create resources it needs for deployment (S3 bucket for assets, IAM roles, etc.):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk bootstrap </code></pre> </div> <p>This command creates a CloudFormation stack called <code>CDKToolkit</code> in your AWS account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span>cdk bootstrap Deploying to account: 197317184204, region: us-east-1 ⏳ Bootstrapping environment aws://197317184204/us-east-1... Trusted accounts <span class="k">for </span>deployment: <span class="o">(</span>none<span class="o">)</span> Trusted accounts <span class="k">for </span>lookup: <span class="o">(</span>none<span class="o">)</span> Using default execution policy of <span class="s1">'arn:aws:iam::aws:policy/AdministratorAccess'</span><span class="nb">.</span> Pass <span class="s1">'--cloudformation-execution-policies'</span> to customize. CDKToolkit: creating CloudFormation changeset... CDKToolkit | 0/12 | 10:53:19 pm | REVIEW_IN_PROGRESS | AWS::CloudFormation::Stack | CDKToolkit User Initiated <span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> CDKToolkit | 12/12 | 10:54:11 pm | CREATE_COMPLETE | AWS::CloudFormation::Stack | CDKToolkit ✅ Environment aws://197317184204/us-east-1 bootstrapped. </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbnx4acr5brgf8nu8ejh7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbnx4acr5brgf8nu8ejh7.png" alt=" " width="800" height="318"></a></p> <h2> Step 4: Review the Infrastructure Code </h2> <p>Our infrastructure is defined in <code>website_stack.py</code>. Let's break down the key components:</p> <h3> Creating the VPC </h3> <p>The VPC is configured with 2 Availability Zones, public subnets for the load balancer, and private subnets for EC2 instances:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Create VPC with public and private subnets </span><span class="n">vpc</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">WebsiteVPC</span><span class="sh">"</span><span class="p">,</span> <span class="n">max_azs</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="n">nat_gateways</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">subnet_configuration</span><span class="o">=</span><span class="p">[</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetConfiguration</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">PublicSubnet</span><span class="sh">"</span><span class="p">,</span> <span class="n">subnet_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PUBLIC</span><span class="p">,</span> <span class="n">cidr_mask</span><span class="o">=</span><span class="mi">24</span> <span class="p">),</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetConfiguration</span><span class="p">(</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">PrivateSubnet</span><span class="sh">"</span><span class="p">,</span> <span class="n">subnet_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PRIVATE_WITH_EGRESS</span><span class="p">,</span> <span class="n">cidr_mask</span><span class="o">=</span><span class="mi">24</span> <span class="p">)</span> <span class="p">]</span> <span class="p">)</span> </code></pre> </div> <h3> Security Groups </h3> <p>We create two security groups: one for the ALB (allowing internet traffic) and one for EC2 instances (allowing traffic only from the ALB):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Security group for ALB (public-facing) </span><span class="n">alb_security_group</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">ALBSecurityGroup</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">vpc</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Security group for Application Load Balancer</span><span class="sh">"</span><span class="p">,</span> <span class="n">allow_all_outbound</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">alb_security_group</span><span class="p">.</span><span class="nf">add_ingress_rule</span><span class="p">(</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Peer</span><span class="p">.</span><span class="nf">any_ipv4</span><span class="p">(),</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">80</span><span class="p">),</span> <span class="sh">"</span><span class="s">Allow HTTP traffic from internet</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Security group for EC2 instances (private) </span><span class="n">ec2_security_group</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">EC2SecurityGroup</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">vpc</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Security group for EC2 instances</span><span class="sh">"</span><span class="p">,</span> <span class="n">allow_all_outbound</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">ec2_security_group</span><span class="p">.</span><span class="nf">add_ingress_rule</span><span class="p">(</span> <span class="n">alb_security_group</span><span class="p">,</span> <span class="n">ec2</span><span class="p">.</span><span class="n">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">80</span><span class="p">),</span> <span class="sh">"</span><span class="s">Allow HTTP traffic from ALB</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <h3> IAM Role for EC2 </h3> <p>The IAM role allows EC2 instances to be managed via AWS Systems Manager:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># IAM role for EC2 instances </span><span class="n">ec2_role</span> <span class="o">=</span> <span class="n">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">EC2Role</span><span class="sh">"</span><span class="p">,</span> <span class="n">assumed_by</span><span class="o">=</span><span class="n">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="sh">"</span><span class="s">ec2.amazonaws.com</span><span class="sh">"</span><span class="p">),</span> <span class="n">managed_policies</span><span class="o">=</span><span class="p">[</span> <span class="n">iam</span><span class="p">.</span><span class="n">ManagedPolicy</span><span class="p">.</span><span class="nf">from_aws_managed_policy_name</span><span class="p">(</span><span class="sh">"</span><span class="s">AmazonSSMManagedInstanceCore</span><span class="sh">"</span><span class="p">)</span> <span class="p">]</span> <span class="p">)</span> </code></pre> </div> <h3> User Data Script </h3> <p>The user data script installs Apache and creates a dynamic webpage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># User data script to install and configure web server </span><span class="n">user_data</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="n">UserData</span><span class="p">.</span><span class="nf">for_linux</span><span class="p">()</span> <span class="n">user_data</span><span class="p">.</span><span class="nf">add_commands</span><span class="p">(</span> <span class="sh">"</span><span class="s">yum update -y</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">yum install -y httpd</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">systemctl start httpd</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">systemctl enable httpd</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">,</span> <span class="sh">"</span><span class="s"># Get instance metadata using IMDSv2</span><span class="sh">"</span><span class="p">,</span> <span class="sh">'</span><span class="s">TOKEN=$(curl --request PUT </span><span class="sh">"</span><span class="s">http://169.254.169.254/latest/api/token</span><span class="sh">"</span><span class="s"> --header </span><span class="sh">"</span><span class="s">X-aws-ec2-metadata-token-ttl-seconds: 3600</span><span class="sh">"</span><span class="s">)</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">instanceId=$(curl -s http://169.254.169.254/latest/meta-data/instance-id --header </span><span class="sh">"</span><span class="s">X-aws-ec2-metadata-token: $TOKEN</span><span class="sh">"</span><span class="s">)</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">instanceAZ=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone --header </span><span class="sh">"</span><span class="s">X-aws-ec2-metadata-token: $TOKEN</span><span class="sh">"</span><span class="s">)</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">privHostName=$(curl -s http://169.254.169.254/latest/meta-data/local-hostname --header </span><span class="sh">"</span><span class="s">X-aws-ec2-metadata-token: $TOKEN</span><span class="sh">"</span><span class="s">)</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">privIPv4=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4 --header </span><span class="sh">"</span><span class="s">X-aws-ec2-metadata-token: $TOKEN</span><span class="sh">"</span><span class="s">)</span><span class="sh">'</span><span class="p">,</span> <span class="sh">""</span><span class="p">,</span> <span class="sh">"</span><span class="s"># Create HTML page</span><span class="sh">"</span><span class="p">,</span> <span class="sh">'</span><span class="s">echo </span><span class="sh">"</span><span class="s">&lt;font face = </span><span class="se">\\</span><span class="sh">"</span><span class="s">Verdana</span><span class="se">\\</span><span class="sh">"</span><span class="s"> size = </span><span class="se">\\</span><span class="sh">"</span><span class="s">5</span><span class="se">\\</span><span class="sh">"</span><span class="s">&gt;</span><span class="sh">"</span><span class="s"> &gt; /var/www/html/index.html</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">echo </span><span class="sh">"</span><span class="s">&lt;center&gt;&lt;h1&gt;AWS Linux VM Deployed with CDK using Python&lt;/h1&gt;&lt;/center&gt;</span><span class="sh">"</span><span class="s"> &gt;&gt; /var/www/html/index.html</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">echo </span><span class="sh">"</span><span class="s">&lt;center&gt; &lt;b&gt;EC2 Instance Metadata&lt;/b&gt; &lt;/center&gt;</span><span class="sh">"</span><span class="s"> &gt;&gt; /var/www/html/index.html</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">echo </span><span class="sh">"</span><span class="s">&lt;center&gt; &lt;b&gt;Instance ID:&lt;/b&gt; $instanceId &lt;/center&gt;</span><span class="sh">"</span><span class="s"> &gt;&gt; /var/www/html/index.html</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">echo </span><span class="sh">"</span><span class="s">&lt;center&gt; &lt;b&gt;AWS Availablity Zone:&lt;/b&gt; $instanceAZ &lt;/center&gt;</span><span class="sh">"</span><span class="s"> &gt;&gt; /var/www/html/index.html</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">echo </span><span class="sh">"</span><span class="s">&lt;center&gt; &lt;b&gt;Private Hostname:&lt;/b&gt; $privHostName &lt;/center&gt;</span><span class="sh">"</span><span class="s"> &gt;&gt; /var/www/html/index.html</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">echo </span><span class="sh">"</span><span class="s">&lt;center&gt; &lt;b&gt;Private IPv4:&lt;/b&gt; $privIPv4 &lt;/center&gt;</span><span class="sh">"</span><span class="s"> &gt;&gt; /var/www/html/index.html</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">echo </span><span class="sh">"</span><span class="s">&lt;/font&gt;</span><span class="sh">"</span><span class="s"> &gt;&gt; /var/www/html/index.html</span><span class="sh">'</span> <span class="p">)</span> </code></pre> </div> <h3> Creating EC2 Instances </h3> <p>We create 2 EC2 instances distributed across different Availability Zones:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Create 2 EC2 instances in private subnets across different AZs </span><span class="n">instances</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">private_subnets</span> <span class="o">=</span> <span class="n">vpc</span><span class="p">.</span><span class="nf">select_subnets</span><span class="p">(</span><span class="n">subnet_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PRIVATE_WITH_EGRESS</span><span class="p">).</span><span class="n">subnets</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">2</span><span class="p">):</span> <span class="n">instance</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">WebInstance</span><span class="si">{</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">vpc</span><span class="p">,</span> <span class="n">instance_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">InstanceType</span><span class="p">.</span><span class="nf">of</span><span class="p">(</span><span class="n">ec2</span><span class="p">.</span><span class="n">InstanceClass</span><span class="p">.</span><span class="n">T3</span><span class="p">,</span> <span class="n">ec2</span><span class="p">.</span><span class="n">InstanceSize</span><span class="p">.</span><span class="n">MICRO</span><span class="p">),</span> <span class="n">machine_image</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">MachineImage</span><span class="p">.</span><span class="nf">latest_amazon_linux2023</span><span class="p">(),</span> <span class="n">security_group</span><span class="o">=</span><span class="n">ec2_security_group</span><span class="p">,</span> <span class="n">role</span><span class="o">=</span><span class="n">ec2_role</span><span class="p">,</span> <span class="n">user_data</span><span class="o">=</span><span class="n">user_data</span><span class="p">,</span> <span class="n">vpc_subnets</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetSelection</span><span class="p">(</span> <span class="n">subnets</span><span class="o">=</span><span class="p">[</span><span class="n">private_subnets</span><span class="p">[</span><span class="n">i</span> <span class="o">%</span> <span class="nf">len</span><span class="p">(</span><span class="n">private_subnets</span><span class="p">)]]</span> <span class="p">),</span> <span class="n">require_imdsv2</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="n">instances</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">instance</span><span class="p">)</span> </code></pre> </div> <h3> Application Load Balancer </h3> <p>Finally, we create the ALB with a target group and listener:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Application Load Balancer </span><span class="n">alb</span> <span class="o">=</span> <span class="n">elbv2</span><span class="p">.</span><span class="nc">ApplicationLoadBalancer</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">WebsiteALB</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">vpc</span><span class="p">,</span> <span class="n">internet_facing</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">security_group</span><span class="o">=</span><span class="n">alb_security_group</span><span class="p">,</span> <span class="n">vpc_subnets</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="nc">SubnetSelection</span><span class="p">(</span><span class="n">subnet_type</span><span class="o">=</span><span class="n">ec2</span><span class="p">.</span><span class="n">SubnetType</span><span class="p">.</span><span class="n">PUBLIC</span><span class="p">)</span> <span class="p">)</span> <span class="c1"># Target group </span><span class="n">target_group</span> <span class="o">=</span> <span class="n">elbv2</span><span class="p">.</span><span class="nc">ApplicationTargetGroup</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">WebsiteTargetGroup</span><span class="sh">"</span><span class="p">,</span> <span class="n">vpc</span><span class="o">=</span><span class="n">vpc</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">80</span><span class="p">,</span> <span class="n">protocol</span><span class="o">=</span><span class="n">elbv2</span><span class="p">.</span><span class="n">ApplicationProtocol</span><span class="p">.</span><span class="n">HTTP</span><span class="p">,</span> <span class="n">targets</span><span class="o">=</span><span class="p">[</span><span class="n">targets</span><span class="p">.</span><span class="nc">InstanceIdTarget</span><span class="p">(</span><span class="n">instance</span><span class="p">.</span><span class="n">instance_id</span><span class="p">)</span> <span class="k">for</span> <span class="n">instance</span> <span class="ow">in</span> <span class="n">instances</span><span class="p">],</span> <span class="n">health_check</span><span class="o">=</span><span class="n">elbv2</span><span class="p">.</span><span class="nc">HealthCheck</span><span class="p">(</span> <span class="n">path</span><span class="o">=</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">interval</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span> <span class="p">)</span> <span class="p">)</span> <span class="c1"># Listener </span><span class="n">listener</span> <span class="o">=</span> <span class="n">alb</span><span class="p">.</span><span class="nf">add_listener</span><span class="p">(</span> <span class="sh">"</span><span class="s">WebsiteListener</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">80</span><span class="p">,</span> <span class="n">protocol</span><span class="o">=</span><span class="n">elbv2</span><span class="p">.</span><span class="n">ApplicationProtocol</span><span class="p">.</span><span class="n">HTTP</span><span class="p">,</span> <span class="n">default_target_groups</span><span class="o">=</span><span class="p">[</span><span class="n">target_group</span><span class="p">]</span> <span class="p">)</span> </code></pre> </div> <h3> CloudFormation Outputs </h3> <p>We define outputs to easily access important resource information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Outputs </span><span class="nc">CfnOutput</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">LoadBalancerDNS</span><span class="sh">"</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="n">alb</span><span class="p">.</span><span class="n">load_balancer_dns_name</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">DNS name of the load balancer</span><span class="sh">"</span> <span class="p">)</span> <span class="nc">CfnOutput</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">Instance1Id</span><span class="sh">"</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="n">instances</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">instance_id</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Instance ID of the first EC2 instance</span><span class="sh">"</span> <span class="p">)</span> <span class="nc">CfnOutput</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">Instance2Id</span><span class="sh">"</span><span class="p">,</span> <span class="n">value</span><span class="o">=</span><span class="n">instances</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="n">instance_id</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Instance ID of the second EC2 instance</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <h2> Step 5: Deploy the Infrastructure </h2> <p>Preview the CloudFormation template that CDK will generate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk synth </code></pre> </div> <p>Deploy the stack to AWS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk deploy </code></pre> </div> <p>CDK will show you the changes and ask for confirmation. Type <code>y</code> to proceed.</p> <p>The deployment takes approximately 5-10 minutes. Once complete, you'll see outputs including:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt;cdk deploy Deploying to account: 197317184204, region: us-east-1 ✨ Synthesis time: 16.13s WebsiteStack: start: Building WebsiteStack/Custom::VpcRestrictDefaultSGCustomResourceProvider Code WebsiteStack: success: Built WebsiteStack/Custom::VpcRestrictDefaultSGCustomResourceProvider Code WebsiteStack: start: Building WebsiteStack Template WebsiteStack: success: Built WebsiteStack Template WebsiteStack: start: Publishing WebsiteStack/Custom::VpcRestrictDefaultSGCustomResourceProvider Code (197317184204-us-east-1-78ffe0b8) WebsiteStack: start: Publishing WebsiteStack Template (197317184204-us-east-1-2ed930b7) WebsiteStack: success: Published WebsiteStack Template (197317184204-us-east-1-2ed930b7) WebsiteStack: success: Published WebsiteStack/Custom::VpcRestrictDefaultSGCustomResourceProvider Code (197317184204-us-east-1-78ffe0b8) Stack WebsiteStack IAM Statement Changes ┌───┬─────────────────────────────────────────────────┬────────┬─────────────────────────────────────────────────┬─────────────────────────────────────────────────┬───────────┐ │ │ Resource │ Effect │ Action │ Principal │ Condition │ ├───┼─────────────────────────────────────────────────┼────────┼─────────────────────────────────────────────────┼─────────────────────────────────────────────────┼───────────┤ │ + │ ${Custom::VpcRestrictDefaultSGCustomResourcePro │ Allow │ sts:AssumeRole │ Service:lambda.amazonaws.com │ │ │ │ vider/Role.Arn} │ │ │ │ │ ├───┼─────────────────────────────────────────────────┼────────┼─────────────────────────────────────────────────┼─────────────────────────────────────────────────┼───────────┤ │ + │ ${EC2Role.Arn} │ Allow │ sts:AssumeRole │ Service:ec2.amazonaws.com │ │ ├───┼─────────────────────────────────────────────────┼────────┼─────────────────────────────────────────────────┼─────────────────────────────────────────────────┼───────────┤ │ + │ arn:aws:ec2:us-east-1:197317184204:security-gro │ Allow │ ec2:AuthorizeSecurityGroupEgress │ AWS:${Custom::VpcRestrictDefaultSGCustomResourc │ │ │ │ up/${WebsiteVPC.DefaultSecurityGroup} │ │ ec2:AuthorizeSecurityGroupIngress │ eProvider/Role} │ │ │ │ │ │ ec2:RevokeSecurityGroupEgress │ │ │ │ │ │ │ ec2:RevokeSecurityGroupIngress │ │ │ └───┴─────────────────────────────────────────────────┴────────┴─────────────────────────────────────────────────┴─────────────────────────────────────────────────┴───────────┘ IAM Policy Changes ┌───┬────────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────┐ │ │ Resource │ Managed Policy ARN │ ├───┼────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤ │ + │ ${Custom::VpcRestrictDefaultSGCustomResourceProvider/Role} │ {"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"} │ ├───┼────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤ │ + │ ${EC2Role} │ arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore │ └───┴────────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────┘ Security Group Changes ┌───┬─────────────────────────────┬─────┬────────────┬─────────────────────────────┐ │ │ Group │ Dir │ Protocol │ Peer │ ├───┼─────────────────────────────┼─────┼────────────┼─────────────────────────────┤ │ + │ ${ALBSecurityGroup.GroupId} │ In │ TCP 80 │ Everyone (IPv4) │ │ + │ ${ALBSecurityGroup.GroupId} │ In │ TCP 443 │ Everyone (IPv4) │ │ + │ ${ALBSecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │ ├───┼─────────────────────────────┼─────┼────────────┼─────────────────────────────┤ │ + │ ${EC2SecurityGroup.GroupId} │ In │ TCP 22 │ ${WebsiteVPC.CidrBlock} │ │ + │ ${EC2SecurityGroup.GroupId} │ In │ TCP 80 │ ${ALBSecurityGroup.GroupId} │ │ + │ ${EC2SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │ └───┴─────────────────────────────┴─────┴────────────┴─────────────────────────────┘ (NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299) "--require-approval" is enabled and stack includes security-sensitive updates: 'Do you wish to deploy these changes' (y/n) y WebsiteStack: deploying... [1/1] WebsiteStack: creating CloudFormation changeset... WebsiteStack | 0/39 | 10:58:15 pm | REVIEW_IN_PROGRESS | AWS::CloudFormation::Stack | WebsiteStack User Initiated . . . WebsiteStack | 39/39 | 11:01:35 pm | CREATE_COMPLETE | AWS::CloudFormation::Stack | WebsiteStack ✅ WebsiteStack ✨ Deployment time: 213.18s Outputs: WebsiteStack.Instance1Id = i-089c31f66c61482a3 WebsiteStack.Instance2Id = i-0af48aefd5e4efcc2 WebsiteStack.LoadBalancerDNS = Websit-Websi-5kyWZuGmscD3-1445557942.us-east-1.elb.amazonaws.com WebsiteStack.VPCId = vpc-002b8b79c7f0e2f49 Stack ARN: arn:aws:cloudformation:us-east-1:197317184204:stack/WebsiteStack/33bc7c70-11a6-11f1-8888-0affc0f3836d ✨ Total time: 229.31s </code></pre> </div> <h2> Step 6: Test Your Application </h2> <p>Copy the LoadBalancerDNS value from the outputs and open it in your browser:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Websit-Websi-5kyWZuGmscD3-1445557942.us-east-1.elb.amazonaws.com </code></pre> </div> <p>You should see a webpage displaying EC2 instance metadata. Refresh the page multiple times to see the load balancer distributing traffic between the two instances (notice the Instance ID and Availability Zone changing).</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn5m27hn2yfx5jm9vkm88.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn5m27hn2yfx5jm9vkm88.png" alt=" " width="800" height="226"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkron1seymlh36qyo9ynr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkron1seymlh36qyo9ynr.png" alt=" " width="800" height="226"></a></p> <h2> Step 7: Explore Your Infrastructure </h2> <p>View the CloudFormation stack in the AWS Console:</p> <ol> <li>Navigate to CloudFormation service</li> <li>Find the <code>WebsiteStack</code> stack</li> <li>Explore Resources, Events, and Outputs tabs</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpa1yp4m75hizzr9svoy8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpa1yp4m75hizzr9svoy8.png" alt=" " width="800" height="318"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzv5eeyt57eae8gb8habw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzv5eeyt57eae8gb8habw.png" alt=" " width="800" height="337"></a></p> <h2> Cleanup </h2> <p>To avoid ongoing charges, destroy the infrastructure when you're done:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk destroy </code></pre> </div> <p>Type <code>y</code> to confirm. CDK will delete all resources created by the stack.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">&gt;</span>cdk destroy Deploying to account: 197317184204, region: us-east-1 Are you sure you want to delete: WebsiteStack <span class="o">(</span>y/n<span class="o">)</span> y WebsiteStack: destroying... <span class="o">[</span>1/1] WebsiteStack | 0 | 11:08:57 pm | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | WebsiteStack User Initiated <span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> WebsiteStack | 37 | 11:10:22 pm | DELETE_IN_PROGRESS | AWS::EC2::VPC | WebsiteVPC <span class="o">(</span>WebsiteVPCD8B49DC8<span class="o">)</span> ✅ WebsiteStack: destroyed </code></pre> </div> <h2> Conclusion </h2> <p>AWS CDK transforms infrastructure provisioning from a tedious, error-prone process into an enjoyable development experience. By leveraging Python and CloudFormation together, we've built a production-ready, highly available web application infrastructure with just a few hundred lines of code.</p> <p>The combination of CDK's developer-friendly abstractions and CloudFormation's robust deployment engine gives you the best of both worlds: rapid development and reliable operations.</p> <h2> References </h2> <ul> <li> <strong>GitHub Repository</strong>: <a href="https://github.com/chinmayto/aws-cdk-python" rel="noopener noreferrer">aws-cdk-python</a> </li> <li> <strong>AWS CDK Documentation</strong>: <a href="https://docs.aws.amazon.com/cdk/" rel="noopener noreferrer">https://docs.aws.amazon.com/cdk/</a> </li> </ul> aws cdk python cloudformation GitOps with ArgoCD on Amazon EKS using Terraform: A Complete Implementation Guide Chinmay Tonape Fri, 12 Dec 2025 04:35:31 +0000 https://forem.com/aws-builders/gitops-with-argocd-on-amazon-eks-using-terraform-a-complete-implementation-guide-1inc https://forem.com/aws-builders/gitops-with-argocd-on-amazon-eks-using-terraform-a-complete-implementation-guide-1inc <p>In the rapidly evolving world of DevOps and cloud-native applications, GitOps has emerged as a revolutionary approach to continuous deployment and infrastructure management. This blog post explores how to implement a complete GitOps workflow using ArgoCD on Amazon Elastic Kubernetes Service (EKS), providing you with a production-ready setup that follows industry best practices.</p> <p>GitOps represents a paradigm shift where Git repositories serve as the single source of truth for both application code and infrastructure configuration. By leveraging ArgoCD as our GitOps operator, we can achieve automated, reliable, and auditable deployments while maintaining the declarative nature of Kubernetes.</p> <h2> What is GitOps? </h2> <p>GitOps is a modern approach to continuous deployment that uses Git as the single source of truth for declarative infrastructure and applications. The core principles include:</p> <ul> <li> <strong>Declarative Configuration</strong>: Everything is described declaratively in Git</li> <li> <strong>Version Control</strong>: All changes are tracked and auditable</li> <li> <strong>Automated Deployment</strong>: Changes in Git trigger automatic deployments</li> <li> <strong>Continuous Monitoring</strong>: The system continuously ensures the desired state matches the actual state</li> </ul> <h2> Why ArgoCD? </h2> <p>ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes that offers:</p> <ul> <li> <strong>Application Management</strong>: Centralized management of multiple applications</li> <li> <strong>Multi-Cluster Support</strong>: Deploy to multiple Kubernetes clusters</li> <li> <strong>Rich UI</strong>: Intuitive web interface for monitoring deployments</li> <li> <strong>RBAC Integration</strong>: Fine-grained access control</li> <li> <strong>Rollback Capabilities</strong>: Easy rollback to previous versions</li> </ul> <h2> Architecture Overview </h2> <p>Our implementation creates a robust, scalable architecture that includes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────────────────────┐ │ AWS Cloud │ │ ┌──────────────────────────────────────────────────────────┐│ │ │ VPC ││ │ │ ┌─────────────────┐ ┌──────────────────────────────┐ ││ │ │ │ Public Subnets │ │ Private Subnets │ ││ │ │ │ │ │ ┌─────────────────────────┐ │ ││ │ │ │ ┌───────────┐ │ │ │ EKS Cluster │ │ ││ │ │ │ │ NAT │ │ │ │ ┌─────────────────────┐│ │ ││ │ │ │ │ Gateway │ │ │ │ │ NGINX Ingress ││ │ ││ │ │ │ └───────────┘ │ │ │ │ Controller ││ │ ││ │ │ │ │ │ │ └─────────────────────┘│ │ ││ │ │ └─────────────────┘ │ │ ┌─────────────────────┐│ │ ││ │ │ │ │ │ ArgoCD ││ │ ││ │ │ │ │ │ Server ││ │ ││ │ │ │ │ └─────────────────────┘│ │ ││ │ │ │ │ ┌─────────────────────┐│ │ ││ │ │ │ │ │ Application ││ │ ││ │ │ │ │ │ Workloads ││ │ ││ │ │ │ │ └─────────────────────┘│ │ ││ │ │ │ └─────────────────────────┘ │ ││ │ │ └──────────────────────────────┘ ││ │ └──────────────────────────────────────────────────────────┘│ │ │ │ ┌──────────────────────────────────────────────────────────┐│ │ │ Route53 ││ │ │ argocd.chinmayto.com → NGINX Ingress NLB ││ │ │ app.chinmayto.com → NGINX Ingress NLB ││ │ └──────────────────────────────────────────────────────────┘│ └──────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Prerequisites </h2> <p>Before starting, ensure you have:</p> <ul> <li>AWS CLI configured with appropriate permissions</li> <li>Terraform installed (version &gt;= 1.0)</li> <li>kubectl installed</li> <li>A registered domain name in Route53</li> <li>Helm installed (version &gt;= 3.0)</li> </ul> <h2> Implementation Steps </h2> <h3> Step 1: Create VPC and EKS Cluster </h3> <p>We start by creating the foundational infrastructure using AWS community Terraform modules. First, let's define our variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/variables.tf</span> <span class="nx">variable</span> <span class="s2">"aws_region"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS region"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the EKS cluster"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"CT-EKS-Cluster"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"cluster_version"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Kubernetes version for the EKS cluster"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"1.33"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"vpc_cidr"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR block for VPC"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"public_subnet_cidrs"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR blocks for public subnets"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.1.0/24"</span><span class="p">,</span> <span class="s2">"10.0.2.0/24"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"private_subnet_cidrs"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CIDR blocks for private subnets"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.10.0/24"</span><span class="p">,</span> <span class="s2">"10.0.20.0/24"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Now, let's create the VPC and EKS cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/main.tf</span> <span class="c1">####################################################################################</span> <span class="c1"># Data source for availability zones</span> <span class="c1">####################################################################################</span> <span class="nx">data</span> <span class="s2">"aws_availability_zones"</span> <span class="s2">"available"</span> <span class="p">{</span> <span class="nx">state</span> <span class="p">=</span> <span class="s2">"available"</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1">### VPC Module Configuration</span> <span class="c1">####################################################################################</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-VPC"</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">azs</span> <span class="p">=</span> <span class="nx">slice</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">aws_availability_zones</span><span class="p">.</span><span class="nx">available</span><span class="p">.</span><span class="nx">names</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_cidrs</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">public_subnet_cidrs</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_vpn_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">public_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="nx">private_subnet_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-VPC"</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1">### EKS Cluster Module Configuration</span> <span class="c1">####################################################################################</span> <span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 20.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_version</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">cluster_endpoint_public_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_cluster_creator_admin_permissions</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># EKS Managed Node Groups</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">EKS_Node_Group</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="nx">capacity_type</span> <span class="p">=</span> <span class="s2">"ON_DEMAND"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># EKS Add-ons</span> <span class="nx">cluster_addons</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">coredns</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">kube-proxy</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">vpc-cni</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">eks-pod-identity-agent</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1">### Null Resource to update the kubeconfig file</span> <span class="c1">####################################################################################</span> <span class="nx">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"update_kubeconfig"</span> <span class="p">{</span> <span class="nx">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws eks --region ${var.aws_region} update-kubeconfig --name ${var.cluster_name}"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2: Deploy NGINX Ingress Controller </h3> <p>The NGINX Ingress Controller provides external access to our services through an AWS Network Load Balancer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/nginx-ingress.tf</span> <span class="c1">################################################################################</span> <span class="c1"># Create ingress-nginx namespace</span> <span class="c1">################################################################################</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"ingress_nginx"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">]</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># Install NGINX Ingress Controller using Helm</span> <span class="c1">################################################################################</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"nginx_ingress"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"https://kubernetes.github.io/ingress-nginx"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ingress_nginx</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"4.8.3"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">yamlencode</span><span class="p">({</span> <span class="nx">controller</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">service</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"LoadBalancer"</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"service.beta.kubernetes.io/aws-load-balancer-type"</span> <span class="p">=</span> <span class="s2">"nlb"</span> <span class="s2">"service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled"</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">metrics</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">serviceMonitor</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">]</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ingress_nginx</span><span class="p">]</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># Get the NLB hostname from nginx ingress controller</span> <span class="c1">################################################################################</span> <span class="nx">data</span> <span class="s2">"kubernetes_service"</span> <span class="s2">"nginx_ingress_controller"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx-controller"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ingress_nginx</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">helm_release</span><span class="p">.</span><span class="nx">nginx_ingress</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Step 3: Deploy ArgoCD Server </h3> <p>First, let's define the ArgoCD-specific variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/variables.tf (ArgoCD Variables)</span> <span class="nx">variable</span> <span class="s2">"argocd_namespace"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Kubernetes namespace for ArgoCD"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"argocd"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"argocd_chart_version"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ArgoCD Helm chart version"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"5.51.6"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"argocd_hostname"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Hostname for ArgoCD ingress"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"argocd.chinmayto.com"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"argocd_admin_password"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Custom admin password for ArgoCD (leave empty for auto-generated)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"domain_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Domain name for the hosted zone"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"chinmayto.com"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"argocd_subdomain"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Subdomain for ArgoCD"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"argocd"</span> <span class="p">}</span> </code></pre> </div> <p>Now, deploy ArgoCD using Helm with custom configuration for ingress access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/argocd.tf</span> <span class="c1">####################################################################################</span> <span class="c1">### Route53 Hosted Zone</span> <span class="c1">####################################################################################</span> <span class="nx">data</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">domain_name</span> <span class="nx">private_zone</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1">### ArgoCD Namespace</span> <span class="c1">####################################################################################</span> <span class="nx">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"argocd"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">argocd_namespace</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">]</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1">### ArgoCD Helm Release</span> <span class="c1">####################################################################################</span> <span class="nx">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"argocd"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"argocd"</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"https://argoproj.github.io/argo-helm"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"argo-cd"</span> <span class="nx">version</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">argocd_chart_version</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">argocd</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">yamlencode</span><span class="p">({</span> <span class="nx">server</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">service</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ClusterIP"</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">ingressClassName</span> <span class="p">=</span> <span class="s2">"nginx"</span> <span class="nx">hosts</span> <span class="p">=</span> <span class="p">[</span><span class="nx">var</span><span class="p">.</span><span class="nx">argocd_hostname</span><span class="p">]</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"nginx.ingress.kubernetes.io/ssl-redirect"</span> <span class="p">=</span> <span class="s2">"false"</span> <span class="s2">"nginx.ingress.kubernetes.io/force-ssl-redirect"</span> <span class="p">=</span> <span class="s2">"false"</span> <span class="s2">"nginx.ingress.kubernetes.io/backend-protocol"</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">configs</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">params</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"server.insecure"</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">]</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">argocd</span><span class="p">]</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1">### ArgoCD Admin Password Secret (Optional - for custom password)</span> <span class="c1">####################################################################################</span> <span class="nx">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"argocd_admin_password"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">argocd_admin_password</span> <span class="err">!</span><span class="p">=</span> <span class="s2">""</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"argocd-initial-admin-secret"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">argocd</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">bcrypt</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">argocd_admin_password</span><span class="p">)</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">argocd</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: Configure Route53 DNS </h3> <p>Set up DNS records to access ArgoCD via a custom subdomain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/argocd.tf (continued)</span> <span class="c1">####################################################################################</span> <span class="c1">### Route53 DNS Record for ArgoCD (pointing to NGINX Ingress NLB)</span> <span class="c1">####################################################################################</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"argocd"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">argocd_subdomain</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">nginx_ingress_controller</span><span class="p">.</span><span class="nx">status</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">ingress</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">hostname</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="s2">"Z26RNL4JYFTOTI"</span> <span class="c1"># NLB zone ID for us-east-1</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">helm_release</span><span class="p">.</span><span class="nx">argocd</span><span class="p">,</span> <span class="nx">data</span><span class="p">.</span><span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">nginx_ingress_controller</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>For application DNS records, create a separate file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># infrastructure/app-dns.tf</span> <span class="c1">####################################################################################</span> <span class="c1">### Route53 DNS Record for Node.js App (pointing to NGINX Ingress NLB)</span> <span class="c1">####################################################################################</span> <span class="nx">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"nodejs_app"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">app_subdomain</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">nginx_ingress_controller</span><span class="p">.</span><span class="nx">status</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">ingress</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">hostname</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="s2">"Z26RNL4JYFTOTI"</span> <span class="c1"># NLB zone ID for us-east-1</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">helm_release</span><span class="p">.</span><span class="nx">nginx_ingress</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Step 5: Create ArgoCD Project </h3> <p>Define an ArgoCD project to manage application deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># argocd/project.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">AppProject</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">chinmayto-apps</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Project for chinmayto applications</span> <span class="na">sourceRepos</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">https://github.com/chinmayto/terraform-aws-eks-argocd.git'</span> <span class="na">destinations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">clusterResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">namespaceResourceWhitelist</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">group</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">kind</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> </code></pre> </div> <h3> Step 6: Implement App-of-Apps Pattern </h3> <p>Create a root application that manages other applications:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># argocd/app-of-apps.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-of-apps</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/chinmayto/terraform-aws-eks-argocd.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">path</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=true</span> </code></pre> </div> <p>Create individual application definitions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># argocd/nodejs-app-application.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nodejs-app</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">chinmayto-apps</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/chinmayto/terraform-aws-eks-argocd.git</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">HEAD</span> <span class="na">path</span><span class="pi">:</span> <span class="s">k8s-manifests</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://kubernetes.default.svc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">simple-nodejs-app</span> <span class="na">syncPolicy</span><span class="pi">:</span> <span class="na">automated</span><span class="pi">:</span> <span class="na">prune</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">selfHeal</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">syncOptions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">CreateNamespace=true</span> </code></pre> </div> <h2> Deployment Instructions </h2> <h3> 1. Deploy Infrastructure </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infrastructure terraform init terraform plan terraform apply <span class="nt">-auto-approve</span> </code></pre> </div> <h3> 2. Verify Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check EKS cluster</span> kubectl get nodes <span class="c"># Check ArgoCD pods</span> kubectl get pods <span class="nt">-n</span> argocd <span class="c"># Check NGINX Ingress</span> kubectl get svc <span class="nt">-n</span> ingress-nginx <span class="c"># Get ArgoCD admin password</span> kubectl <span class="nt">-n</span> argocd get secret argocd-initial-admin-secret <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.password}"</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </div> <h3> 3. Access ArgoCD UI </h3> <p>Navigate to <code>https://argocd.yourdomain.com</code> and login with:</p> <ul> <li>Username: <code>admin</code> </li> <li>Password: (from step 4 above)</li> </ul> <h3> 4. Deploy Applications </h3> <p>Apply the ArgoCD application manifests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> argocd/app-of-apps.yaml </code></pre> </div> <h2> Testing </h2> <p>Accessing argocd using the domain: <a href="http://argocd.chinmayto.com" rel="noopener noreferrer">http://argocd.chinmayto.com</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjbim75hlxteoth0ugxyf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjbim75hlxteoth0ugxyf.png" alt=" " width="800" height="435"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmc3q9goeblpw78855y43.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmc3q9goeblpw78855y43.png" alt=" " width="800" height="430"></a></p> <p>Deployed app-of-apps:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8xypvgh8n2h5txg168ca.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8xypvgh8n2h5txg168ca.png" alt=" " width="800" height="290"></a></p> <p>Deployed application with components:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphqdfeh79apr8jzr7ena.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphqdfeh79apr8jzr7ena.png" alt=" " width="800" height="388"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvbtq8gg4cnmy2uz3mpkb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvbtq8gg4cnmy2uz3mpkb.png" alt=" " width="800" height="303"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get all <span class="nt">-n</span> simple-nodejs-app NAME READY STATUS RESTARTS AGE pod/deployment-nodejs-app-bfb4c4d56-pdwtt 1/1 Running 0 10m pod/deployment-nodejs-app-bfb4c4d56-rfxfq 1/1 Running 0 10m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/service-nodejs-app ClusterIP 172.20.120.15 &lt;none&gt; 80/TCP 10m NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/deployment-nodejs-app 2/2 2 2 10m NAME DESIRED CURRENT READY AGE replicaset.apps/deployment-nodejs-app-bfb4c4d56 2 2 2 10m </code></pre> </div> <p>Update the k8s-manifests, commit the code and see argocd picking up the changes and deploying them.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3vu4eosad65iay3bzf93.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3vu4eosad65iay3bzf93.png" alt=" " width="800" height="416"></a></p> <p>Deployment complete:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk1445pt5qnadh0klhktg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk1445pt5qnadh0klhktg.png" alt=" " width="800" height="403"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fko3zat42qfzoqrjcoj7h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fko3zat42qfzoqrjcoj7h.png" alt=" " width="800" height="305"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get all <span class="nt">-n</span> simple-nodejs-app NAME READY STATUS RESTARTS AGE pod/deployment-nodejs-app-66684f5945-fdwqp 1/1 Running 0 2m42s pod/deployment-nodejs-app-66684f5945-h6pv9 1/1 Running 0 2m16s pod/deployment-nodejs-app-66684f5945-tfs45 1/1 Running 0 2m30s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/service-nodejs-app ClusterIP 172.20.120.15 &lt;none&gt; 80/TCP 13m NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/deployment-nodejs-app 3/3 3 3 13m NAME DESIRED CURRENT READY AGE replicaset.apps/deployment-nodejs-app-66684f5945 3 3 3 2m43s replicaset.apps/deployment-nodejs-app-bfb4c4d56 0 0 0 13m </code></pre> </div> <h2> Cleanup Steps </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify applications present</span> kubectl get applications <span class="nt">-n</span> argocd <span class="c"># Delete specific applications by name (NEVER use --all with projects)</span> kubectl delete application app-of-apps <span class="nt">-n</span> argocd kubectl delete application nodejs-app <span class="nt">-n</span> argocd <span class="c"># Verify applications are deleted</span> kubectl get applications <span class="nt">-n</span> argocd <span class="c"># Verify custom projects</span> kubectl get appprojects <span class="nt">-n</span> argocd <span class="c"># Only delete the custom project, NEVER delete default project</span> kubectl delete appproject chinmayto-apps <span class="nt">-n</span> argocd <span class="c"># Verify only custom project is deleted (default should remain)</span> kubectl get appprojects <span class="nt">-n</span> argocd <span class="c"># Delete the resources and namespace for application</span> kubectl delete all <span class="nt">--all-namespaces</span> <span class="nt">-l</span> argocd.argoproj.io/instance<span class="o">=</span>nodejs-app kubectl delete ns <span class="nt">-l</span> argocd.argoproj.io/instance<span class="o">=</span>nodejs-app <span class="c"># Destroy terraform infrastructure</span> <span class="nb">cd </span>infrastructure terraform destroy <span class="nt">-auto-approve</span> </code></pre> </div> <h2> Conclusion </h2> <p>This implementation demonstrates a production-ready GitOps workflow using ArgoCD on Amazon EKS. By following this guide, you've created:</p> <ul> <li>A secure, scalable Kubernetes cluster on AWS</li> <li>Automated application deployment pipeline</li> <li>Centralized application management through ArgoCD</li> <li>DNS-based access to your GitOps platform</li> </ul> <p>The GitOps approach with ArgoCD provides numerous benefits including improved deployment reliability, enhanced security through Git-based workflows, and simplified application lifecycle management. This foundation can be extended to support multiple environments, advanced deployment strategies, and comprehensive monitoring solutions.</p> <h2> References and Further Reading </h2> <ul> <li> <strong>GitHub Repository</strong>: <a href="https://github.com/chinmayto/terraform-aws-eks-argocd" rel="noopener noreferrer">terraform-aws-eks-argocd</a> </li> <li> <strong>ArgoCD Documentation</strong>: <a href="https://argo-cd.readthedocs.io/" rel="noopener noreferrer">https://argo-cd.readthedocs.io/</a> </li> </ul> aws kubernetes argocd gitops Deploying Applications to Amazon ECS Using GitHub Actions CI/CD Chinmay Tonape Sun, 28 Sep 2025 08:41:09 +0000 https://forem.com/aws-builders/deploying-applications-to-amazon-ecs-using-github-actions-cicd-5b9k https://forem.com/aws-builders/deploying-applications-to-amazon-ecs-using-github-actions-cicd-5b9k <p>In the earlier module, we saw how to create an Amazon ECS cluster with a task definition using AWS Community Terraform modules. Now, let’s take the next step—automating application deployment using GitHub Actions CI/CD.</p> <p>By the end of this blog, you’ll understand how to set up a complete CI/CD pipeline for deploying new versions of your application to ECS, all triggered by source code changes in your repository.</p> <h2> What We’ll Cover </h2> <p>I’ve created GitHub workflows that handle the following:</p> <ol> <li> <code>initial-ecr-setup.yml</code> – Create an Amazon ECR public repository, build the Docker image, and push it to ECR.</li> <li> <code>deploy-infrastructure.yml</code> – Build the ECS infrastructure (cluster, services, task definitions, ALB) using Terraform.</li> <li> <code>build-and-deploy.yml</code> – Deploy an updated version of the app whenever source code changes are pushed.</li> <li> <code>deploy-infrastructure.yml</code> – Destroy ECS infrastructure using Terraform.</li> </ol> <p>In this blog, we’ll mainly focus on the CI/CD workflow for application version upgrades.</p> <h2> CI/CD Pipeline for ECS Deployment </h2> <p>When a new version of your application is committed to the repository, the following GitHub Actions workflow ensures it is automatically built and deployed to ECS.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Falkv1sx424i6yoxl662q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Falkv1sx424i6yoxl662q.png" alt=" " width="800" height="203"></a></p> <h3> Secrets in GitHub Actions </h3> <p>For the above workflows, you’ll need to store sensitive information as GitHub Secrets. Navigate to your repository → Settings → Secrets and variables → Actions and add:</p> <ul> <li> <code>AWS_ACCESS_KEY_ID</code> – IAM user or role access key.</li> <li> <code>AWS_SECRET_ACCESS_KEY</code> – Corresponding secret key.</li> </ul> <p>This ensures that no credentials are exposed in your workflow files.</p> <p>The DevOps IAM user that will create the ECS infrastructure and run CICD pipelines will need following accesses. It will also need access to terraform state bucket and dynamodb table used for terraform state locking. Following Principle of least privilege is the need of the day!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ecr-public:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ecr:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ecs:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"elasticloadbalancing:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"logs:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"iam:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"application-autoscaling:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sts:GetServiceBearerToken"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sts:GetCallerIdentity"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Initial Setup </h2> <p>To create the public ECR repository and push initial verison of the application to it use <code>initial-ecr-setup.yml</code> workflow and then use <code>deploy-infrastructure.yml</code> workflow to create ECS infrastructure with baseic version of the application.</p> <h2> Step 1: Build and Push Docker Image </h2> <p>The workflow first builds a new Docker image from your application source code and tags it with the commit SHA or a version tag. The image is then pushed to the Amazon ECR public repository.<br> This ensures that ECS always uses the latest available image for deployment.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Build and Deploy Application</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">app/**'</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="pi">-</span> <span class="s">develop</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">app/**'</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-push</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and Push to ECR</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">image-tag</span><span class="pi">:</span> <span class="s">${{ steps.build-image.outputs.image-tag }}</span> <span class="na">image-uri</span><span class="pi">:</span> <span class="s">${{ steps.build-image.outputs.image-uri }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Amazon ECR Public</span> <span class="na">id</span><span class="pi">:</span> <span class="s">login-ecr-public</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">registry-type</span><span class="pi">:</span> <span class="s">public</span> <span class="na">mask-password</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push Docker image</span> <span class="na">id</span><span class="pi">:</span> <span class="s">build-image</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">./app</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s"># Generate image tag using git commit SHA and timestamp</span> <span class="s">IMAGE_TAG="${GITHUB_SHA:0:8}-$(date +%s)"</span> <span class="s">IMAGE_URI="$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"</span> <span class="s">echo "Building image: $IMAGE_URI"</span> <span class="s"># Build the Docker image</span> <span class="s">docker build -t $IMAGE_URI .</span> <span class="s"># Push the image to ECR</span> <span class="s">docker push $IMAGE_URI</span> <span class="s"># Also tag and push as latest</span> <span class="s">docker tag $IMAGE_URI $ECR_REGISTRY/$ECR_REPOSITORY:latest</span> <span class="s">docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest</span> </code></pre> </div> <h2> Step 2: Update ECS Task Definition </h2> <p>ECS services run based on task definitions. To deploy a new version, we first fetch the current task definition JSON using AWS CLI. The workflow updates the container image inside the task definition JSON with the newly built image from Step 1.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Download current task definition</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ecs describe-task-definition \</span> <span class="s">--task-definition $TASK_DEFINITION \</span> <span class="s">--query taskDefinition &gt; task-definition.json</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update task definition with new image</span> <span class="na">id</span><span class="pi">:</span> <span class="s">task-def</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecs-render-task-definition@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">task-definition</span><span class="pi">:</span> <span class="s">task-definition.json</span> <span class="na">container-name</span><span class="pi">:</span> <span class="s">${{ env.CONTAINER_NAME }}</span> <span class="na">image</span><span class="pi">:</span> <span class="s">${{ needs.build-and-push.outputs.image-uri }}</span> </code></pre> </div> <h2> Step 3: Deploy to ECS Service </h2> <p>The new task definition is deployed to ECS using aws-actions/amazon-ecs-deploy-task-definition.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Amazon ECS service</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecs-deploy-task-definition@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">task-definition</span><span class="pi">:</span> <span class="s">${{ steps.task-def.outputs.task-definition }}</span> <span class="na">service</span><span class="pi">:</span> <span class="s">${{ env.ECS_SERVICE }}</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">${{ env.ECS_CLUSTER }}</span> <span class="na">wait-for-service-stability</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h2> Accessing the Application </h2> <p>Once the workflow finishes, navigate to the Application Load Balancer (ALB) DNS name associated with your ECS service. You should see the new version of the application running seamlessly.</p> <p>Initial ECR setup and push image:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foq2ss44vnkr4izc85xh7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foq2ss44vnkr4izc85xh7.png" alt=" " width="800" height="326"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhaca9iduzakl0errrgxl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhaca9iduzakl0errrgxl.png" alt=" " width="800" height="110"></a></p> <p>Build ECS infrastructure:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ttzk1cwzm8kny0jxtao.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ttzk1cwzm8kny0jxtao.png" alt=" " width="800" height="326"></a></p> <p>Access initial version of application using ALB:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd6rd7p14s4zfjrkpdkpr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd6rd7p14s4zfjrkpdkpr.png" alt=" " width="800" height="322"></a></p> <p>Now update the code, do git push and watch the build and deploy workflow run automatically!:</p> <p>New image built and pushed to ECR:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fijpw3x294995em8g043b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fijpw3x294995em8g043b.png" alt=" " width="800" height="135"></a></p> <p>ECS Service Deployemnt in progress:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzr5g97ochokt94tnx4qn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzr5g97ochokt94tnx4qn.png" alt=" " width="800" height="360"></a></p> <p>Deployment complete!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx3zlayfymtulomjjubkv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx3zlayfymtulomjjubkv.png" alt=" " width="800" height="405"></a></p> <p>Yay!!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9zt7eth3l1owuswibug0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9zt7eth3l1owuswibug0.png" alt=" " width="800" height="322"></a></p> <h2> Cleanup </h2> <p>When you’re done testing, you can destroy the ECS infrastructure using the Terraform cleanup workflow in <code>destroy-infrastructure.yml</code></p> <h2> Conclusion </h2> <p>We successfully set up a CI/CD pipeline using GitHub Actions to deploy applications to Amazon ECS. With this automation in place:</p> <p>Developers just push code, and deployment happens automatically.<br> ECS services always stay up-to-date with the latest version of your app.<br> Infrastructure and deployments are consistent, repeatable, and easy to clean up.</p> <p>This approach enables faster iteration cycles and ensures your applications remain production-ready.</p> <h2> References </h2> <ul> <li><a href="https://github.com/chinmayto/terraform-aws-ecs-cicd" rel="noopener noreferrer">My GitHub Repo</a></li> <li><a href="https://docs.github.com/en/actions/how-tos/deploy/deploy-to-third-party-platforms/amazon-elastic-container-service" rel="noopener noreferrer">GitHub Actions for ECS</a></li> </ul> aws ecs github cicd Deploying a Simple App on ECS with Fargate & Terraform using AWS Community Modules Chinmay Tonape Fri, 26 Sep 2025 12:10:20 +0000 https://forem.com/aws-builders/deploying-a-simple-app-on-ecs-with-fargate-terraform-using-community-modules-e0b https://forem.com/aws-builders/deploying-a-simple-app-on-ecs-with-fargate-terraform-using-community-modules-e0b <p>Amazon Elastic Container Service (ECS) makes it easy to run containerized applications on AWS without managing servers. With AWS Fargate and Fargate Spot, you can run workloads in a serverless fashion while optimizing costs.</p> <p>In this guide, we’ll use Terraform AWS Community Modules to provision the infrastructure and deploy a simple Node.js app hosted in a public Amazon ECR repository.</p> <h2> Architecture </h2> <p>At the core, we provision a VPC with both public and private subnets across multiple Availability Zones for high availability. The ECS Cluster itself is a regional construct and does not directly reside in the VPC. Instead, the actual workloads — called ECS tasks — run inside the private subnets of our VPC. Each ECS task is deployed with security groups to control inbound and outbound traffic.</p> <p>To make the application accessible to users on the internet, we use an Application Load Balancer (ALB). The ALB is deployed in the public subnets, where it can receive internet traffic. It forwards requests to a target group that points to the ECS tasks running in the private subnets. This separation of public and private networking ensures security while still allowing external access through the load balancer.</p> <p>The ECS task definition specifies the Node.js container image (stored in a public Amazon ECR repository), along with CPU and memory settings. It also defines port mappings so the application can listen on port 8080. The ECS service ensures the desired number of tasks are always running, and it integrates with the ALB to register and deregister tasks dynamically.</p> <p>For scalability, we configure autoscaling policies based on CPU and memory utilization. This means if the load increases, ECS will automatically launch more Fargate or Fargate Spot tasks to handle the traffic, and scale down during low demand to save costs.</p> <h2> Step 1: Create VPC and ECS Cluster with Terraform </h2> <p>We’ll use the AWS community VPC and ECS modules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># VPC Module</span> <span class="c1">################################################################################</span> <span class="k">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-vpc"</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_cidr</span> <span class="nx">azs</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">availability_zones</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_vpn_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># ECS Cluster Module</span> <span class="c1">################################################################################</span> <span class="k">module</span> <span class="s2">"ecs_cluster"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/ecs/aws//modules/cluster"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-cluster"</span> <span class="c1"># Fargate capacity providers</span> <span class="nx">fargate_capacity_providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">FARGATE</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default_capacity_provider_strategy</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">weight</span> <span class="p">=</span> <span class="mi">50</span> <span class="nx">base</span> <span class="p">=</span> <span class="mi">20</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">FARGATE_SPOT</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default_capacity_provider_strategy</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">weight</span> <span class="p">=</span> <span class="mi">50</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span> <span class="p">}</span> </code></pre> </div> <h2> Step 2: Create ECS Execution &amp; Task Roles </h2> <p>We need IAM roles so ECS can pull images from ECR and write logs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># ECS Execution Role</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ecs_execution_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-ecs-execution-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"ecs-tasks.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"ecs_execution_role_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_execution_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># Additional policy for ECR public registry access</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"ecs_execution_ecr_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-ecs-execution-ecr-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_execution_role</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ecr-public:GetAuthorizationToken"</span><span class="p">,</span> <span class="s2">"ecr-public:BatchCheckLayerAvailability"</span><span class="p">,</span> <span class="s2">"ecr-public:GetDownloadUrlForLayer"</span><span class="p">,</span> <span class="s2">"ecr-public:BatchGetImage"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># ECS Task Role</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ecs_task_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-ecs-task-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"ecs-tasks.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># CloudWatch Logs Group</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_cloudwatch_log_group"</span> <span class="s2">"ecs_logs"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"/ecs/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">"</span> <span class="nx">retention_in_days</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">log_retention_days</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span> <span class="p">}</span> </code></pre> </div> <h2> Step 3: Create ALB with Target Group </h2> <p>The ALB will live in public subnets and route traffic to ECS tasks running in private subnets.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># Security Group for ALB</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"alb"</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-alb"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-alb-sg"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># Application Load Balancer</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-alb"</span> <span class="nx">internal</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">load_balancer_type</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="nx">enable_deletion_protection</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># Target Group</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_lb_target_group"</span> <span class="s2">"ecs_tg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-tg"</span> <span class="nx">port</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">target_type</span> <span class="p">=</span> <span class="s2">"ip"</span> <span class="nx">health_check</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">healthy_threshold</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">interval</span> <span class="p">=</span> <span class="mi">30</span> <span class="nx">matcher</span> <span class="p">=</span> <span class="s2">"200"</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"traffic-port"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">unhealthy_threshold</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># ALB Listener</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_lb_listener"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">load_balancer_arn</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"80"</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"HTTP"</span> <span class="nx">default_action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"forward"</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">ecs_tg</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span> <span class="p">}</span> </code></pre> </div> <h2> Step 4: ECS Task Definition with Node.js Image </h2> <p>We’ll use a public ECR image of our Node.js app.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># ECS Task Definition</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_ecs_task_definition"</span> <span class="s2">"nodejs_app"</span> <span class="p">{</span> <span class="nx">family</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-task"</span> <span class="nx">network_mode</span> <span class="p">=</span> <span class="s2">"awsvpc"</span> <span class="nx">requires_compatibilities</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">]</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="nx">tostring</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">task_cpu</span><span class="p">)</span> <span class="nx">memory</span> <span class="p">=</span> <span class="nx">tostring</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">task_memory</span><span class="p">)</span> <span class="nx">execution_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_execution_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">task_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ecs_task_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">container_definitions</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">([</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"nodejs-app"</span> <span class="nx">image</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ecr_repository_url</span> <span class="nx">portMappings</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">containerPort</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">logConfiguration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">logDriver</span> <span class="p">=</span> <span class="s2">"awslogs"</span> <span class="nx">options</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"awslogs-group"</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_log_group</span><span class="p">.</span><span class="nx">ecs_logs</span><span class="p">.</span><span class="nx">name</span> <span class="s2">"awslogs-region"</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">aws_region</span> <span class="s2">"awslogs-stream-prefix"</span> <span class="p">=</span> <span class="s2">"ecs"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">environment</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"NODE_ENV"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"PORT"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">tostring</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">app_port</span><span class="p">)</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">essential</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">])</span> <span class="nx">tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span> <span class="p">}</span> </code></pre> </div> <h2> Step 5: ECS Service with Autoscaling </h2> <p>Attach the ECS service to the ALB target group and configure autoscaling.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># Security Group for ECS Service</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"ecs_service"</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-ecs-service"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-ecs-service-sg"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># ECS Service</span> <span class="c1">################################################################################</span> <span class="k">module</span> <span class="s2">"ecs_service"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/ecs/aws//modules/service"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">project_name</span><span class="k">}</span><span class="s2">-service"</span> <span class="nx">cluster_arn</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">ecs_cluster</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># Use the separate task definition</span> <span class="nx">task_definition_arn</span> <span class="p">=</span> <span class="nx">aws_ecs_task_definition</span><span class="p">.</span><span class="nx">nodejs_app</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">desired_count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">min_capacity</span> <span class="nx">ignore_task_definition_changes</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">force_new_deployment</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">create_task_definition</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Built-in Auto Scaling</span> <span class="nx">autoscaling_min_capacity</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">min_capacity</span> <span class="nx">autoscaling_max_capacity</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">max_capacity</span> <span class="nx">autoscaling_policies</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">policy_type</span> <span class="p">=</span> <span class="s2">"TargetTrackingScaling"</span> <span class="nx">target_tracking_scaling_policy_configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">predefined_metric_specification</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">predefined_metric_type</span> <span class="p">=</span> <span class="s2">"ECSServiceAverageCPUUtilization"</span> <span class="p">}</span> <span class="nx">target_value</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cpu_target_value</span> <span class="nx">scale_in_cooldown</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">scale_in_cooldown</span> <span class="nx">scale_out_cooldown</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">scale_out_cooldown</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">memory</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">policy_type</span> <span class="p">=</span> <span class="s2">"TargetTrackingScaling"</span> <span class="nx">target_tracking_scaling_policy_configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">predefined_metric_specification</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">predefined_metric_type</span> <span class="p">=</span> <span class="s2">"ECSServiceAverageMemoryUtilization"</span> <span class="p">}</span> <span class="nx">target_value</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">memory_target_value</span> <span class="nx">scale_in_cooldown</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">scale_in_cooldown</span> <span class="nx">scale_out_cooldown</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">scale_out_cooldown</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">load_balancer</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">service</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">ecs_tg</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">container_name</span> <span class="p">=</span> <span class="s2">"nodejs-app"</span> <span class="nx">container_port</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">security_group_rules</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">alb_ingress</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">app_port</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Service port"</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">egress_all</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"egress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">service_tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span> <span class="p">}</span> </code></pre> </div> <h2> Accessing the Application </h2> <p>Once deployed, Terraform will output the ALB DNS name. Open it in your browser:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fujwnmo651o6yt5nz8nb8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fujwnmo651o6yt5nz8nb8.png" alt=" " width="800" height="437"></a></p> <p>Service updated to have 10 tasks:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2rvg6t0tm24kmgi6fpwi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2rvg6t0tm24kmgi6fpwi.png" alt=" " width="800" height="277"></a></p> <p>ALB target group showing 10 IP addresse:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsv0x8irkr63vwik6ykb3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsv0x8irkr63vwik6ykb3.png" alt=" " width="800" height="316"></a></p> <h2> Cleanup </h2> <p>When finished, always clean up to avoid unnecessary costs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destory </code></pre> </div> <h2> Conclusion </h2> <p>We successfully deployed a Node.js application to ECS with Fargate and Fargate Spot using Terraform community modules.<br> This setup ensures:</p> <ul> <li>Scalability with autoscaling policies</li> <li>Cost efficiency with Fargate Spot</li> <li>Security by running tasks in private subnets behind an ALB</li> </ul> <p>Using Terraform makes the process repeatable, modular, and version-controlled.</p> <h2> References </h2> <p><a href="https://github.com/chinmayto/terraform-aws-ecs" rel="noopener noreferrer">My GitHub Repo</a></p> <p><a href="https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest" rel="noopener noreferrer">Terraform AWS VPC Module</a></p> <p><a href="https://registry.terraform.io/modules/terraform-aws-modules/ecs/aws/latest" rel="noopener noreferrer">Terraform AWS ECS Module</a></p> <p><a href="https://docs.aws.amazon.com/ecs/" rel="noopener noreferrer">Amazon ECS Documentation</a></p> aws ecs terraform Observability on Amazon EKS Cluster: A Complete Guide to Prometheus and Grafana with Helm Chinmay Tonape Sun, 21 Sep 2025 18:30:08 +0000 https://forem.com/aws-builders/observability-on-amazon-eks-cluster-a-complete-guide-to-prometheus-and-grafana-with-helm-5d4l https://forem.com/aws-builders/observability-on-amazon-eks-cluster-a-complete-guide-to-prometheus-and-grafana-with-helm-5d4l <p>When deploying applications on Amazon Elastic Kubernetes Service (EKS), ensuring that you can observe, monitor, and troubleshoot workloads effectively is crucial. This is where observability comes into play. In this blog, we’ll set up an EKS cluster using AWS Community Terraform modules, install Prometheus and Grafana for monitoring and visualization, configure Route53 DNS records, and deploy a sample microservices application (Voting App).## Why Prometheus and Grafana?</p> <h2> What is Observability in EKS? </h2> <p>Observability in Kubernetes (and EKS) refers to the ability to understand the internal state of your cluster and applications by analyzing the outputs such as logs, metrics, and traces. It goes beyond traditional monitoring:</p> <ul> <li>Monitoring answers “Is my system working?”</li> <li>Observability answers “Why is my system not working?”</li> </ul> <p>In Kubernetes on AWS EKS, observability provides insights into:</p> <ul> <li>Cluster health (nodes, pods, deployments, daemonsets, etc.)</li> <li>Application performance (latency, error rates, resource utilization)</li> <li>Infrastructure metrics (EC2, VPC, networking, EBS/EFS storage, etc.)</li> <li>User experience tracking (via service-level objectives and traces)</li> </ul> <p>Key pillars of observability:</p> <ul> <li>Metrics – quantitative data collected over time (CPU, memory, request counts).</li> <li>Logs – textual event records (pod logs, system logs).</li> <li>Traces – request paths across microservices (distributed tracing).</li> </ul> <p>By combining these three, DevOps teams can detect, debug, and optimize Kubernetes workloads effectively.</p> <h2> What is Prometheus and Grafana </h2> <p>Prometheus is an open-source monitoring and alerting toolkit designed for reliability and scalability. It collects time-series metrics by periodically scraping targets such as Kubernetes nodes, pods, services, and applications. Using its query language PromQL, Prometheus enables detailed analysis of cluster performance, application behavior, and infrastructure health. It also supports alerting rules, making it useful for proactive issue detection.</p> <p>Grafana is an open-source visualization and analytics platform that integrates with data sources like Prometheus. It allows users to create interactive dashboards and visualizations for monitoring metrics in real time. Grafana turns raw data into meaningful insights by providing charts, graphs, and alerts that help teams detect anomalies and optimize performance.</p> <p>Together, Prometheus and Grafana form a powerful observability stack on EKS. Prometheus handles metrics collection and storage, while Grafana provides visualization and analysis. This combination allows Kubernetes operators and developers to not only monitor cluster health but also understand why issues occur, enabling faster debugging and better capacity planning.</p> <h2> Architecture Overview </h2> <p>Our monitoring architecture consists of several key components:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────────────┐ │ EKS Cluster │ │ │ │ ┌─────────────────┐ ┌─────────────────┐ │ │ │ Prometheus │◄───┤ Node Exporter │ │ │ │ Server │ │ │ │ │ │ │ └─────────────────┘ │ │ │ - Scrapes │ │ │ │ - Stores │ ┌─────────────────┐ │ │ │ - Alerts │◄───┤ kube-state- │ │ │ └─────────────────┘ │ metrics │ │ │ │ └─────────────────┘ │ │ │ │ │ ▼ ┌─────────────────┐ │ │ ┌─────────────────┐◄────┤ Application │ │ │ │ Grafana │ │ Metrics │ │ │ │ │ └─────────────────┘ │ │ │ - Dashboards │ │ │ │ - Visualization│ ┌─────────────────┐ │ │ │ - Alerting │◄────┤ AlertManager │ │ │ └─────────────────┘ │ │ │ │ └─────────────────┘ │ └─────────────────────────────────────────────────────────────┘ </code></pre> </div> <h2> Architecture of Prometheus and Grafana on EKS </h2> <p>When deploying Prometheus and Grafana on EKS, the architecture typically looks like this:</p> <ul> <li> <p>Prometheus runs inside the cluster and is responsible for:</p> <ul> <li>Scraping metrics from Kubernetes components, node exporters, pods, and application endpoints.</li> <li>Storing time-series data in its own storage backend.</li> <li>Exposing APIs that allow querying using PromQL.</li> </ul> </li> <li> <p>Grafana runs alongside Prometheus and is responsible for:</p> <ul> <li>Connecting to Prometheus as a data source.</li> <li>Querying metrics with PromQL queries.</li> <li>Creating dashboards that visualize cluster health, workload performance, and application-specific data.</li> </ul> </li> </ul> <p><strong>Data Flow:</strong></p> <p>Kubernetes Metrics Sources:</p> <ul> <li>Kubelet – node and pod metrics.</li> <li>Kube-state-metrics – state of Kubernetes objects (deployments, pods, nodes, services).</li> <li>cAdvisor – container-level CPU, memory, filesystem, and network usage.</li> <li>ETCD metrics – key-value store performance.</li> <li>Application endpoints – any service exposing /metrics in Prometheus format.</li> </ul> <p>Prometheus Scraping:</p> <ul> <li>Prometheus periodically queries these endpoints using service discovery (Kubernetes API, annotations, labels).</li> <li>Metrics are collected and stored as time-series data.</li> </ul> <p>Grafana Visualization:</p> <ul> <li>Grafana queries Prometheus using PromQL.</li> <li>Dashboards are built to visualize CPU usage, memory utilization, pod restarts, latency, and custom application metrics.</li> <li>Dashboards can be customized or imported from Grafana’s community templates.</li> </ul> <h2> Step 1: Create EKS Cluster using AWS Community Terraform Modules </h2> <p>The first step in integrating Amazon EFS with EKS is to provision a Kubernetes cluster that runs securely inside a dedicated VPC. We will use the widely adopted AWS Terraform community modules for both the VPC and EKS setup. Please refer to main module of GitHub repo.</p> <h2> Step 2: Add Helm Repositories </h2> <p>First, let's add the necessary Helm repositories:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Add Prometheus community Helm repository</span> helm repo add prometheus-community https://prometheus-community.github.io/helm-charts <span class="c"># Add Grafana Helm repository </span> helm repo add grafana https://grafana.github.io/helm-charts <span class="c"># Add Nginx Ingress Helm repository </span> helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx <span class="c"># Update repositories</span> helm repo update </code></pre> </div> <h2> Step 3: Install NGINX Ingress Controller with Helm </h2> <p>To expose Prometheus, Grafana, and other applications securely outside the cluster, we need an Ingress Controller. We’ll use the NGINX Ingress Controller, installed via Helm in its own namespace.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># Create ingress-nginx namespace</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"ingress_nginx"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">]</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># Install NGINX Ingress Controller using Helm</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"nginx_ingress"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"https://kubernetes.github.io/ingress-nginx"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"ingress-nginx"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ingress_nginx</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"4.8.3"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">yamlencode</span><span class="p">({</span> <span class="nx">controller</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">service</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"LoadBalancer"</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"service.beta.kubernetes.io/aws-load-balancer-type"</span> <span class="p">=</span> <span class="s2">"nlb"</span> <span class="s2">"service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled"</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">metrics</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">serviceMonitor</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">]</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ingress_nginx</span><span class="p">]</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># Get the NLB hostname from nginx ingress controller</span> <span class="c1">################################################################################</span> <span class="k">data</span> <span class="s2">"kubernetes_service"</span> <span class="s2">"nginx_ingress_controller"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ingress-nginx-controller"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">ingress_nginx</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">helm_release</span><span class="p">.</span><span class="nx">nginx_ingress</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Step 4: Create Route53 Records for Prometheus and Grafana </h2> <p>To make these tools accessible via a domain, configure Route53 DNS records. This allows you to access Prometheus at <a href="https://prometheus.chinmayto.com" rel="noopener noreferrer">https://prometheus.chinmayto.com</a> and Grafana at <a href="https://grafana.chinmayto.com" rel="noopener noreferrer">https://grafana.chinmayto.com</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># Get Route53 hosted zone for chinmayto.com</span> <span class="c1">################################################################################</span> <span class="k">data</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"chinmayto.com"</span> <span class="nx">private_zone</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># Create Route53 A records for Prometheus and Grafana</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"prometheus"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prometheus.chinmayto.com"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">nginx_ingress_controller</span><span class="p">.</span><span class="nx">status</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">ingress</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">hostname</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="s2">"Z26RNL4JYFTOTI"</span> <span class="c1"># NLB zone ID for us-east-1</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">helm_release</span><span class="p">.</span><span class="nx">nginx_ingress</span><span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"grafana"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"grafana.chinmayto.com"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="nx">alias</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">nginx_ingress_controller</span><span class="p">.</span><span class="nx">status</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">ingress</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">hostname</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="s2">"Z26RNL4JYFTOTI"</span> <span class="c1"># NLB zone ID for us-east-1</span> <span class="nx">evaluate_target_health</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">helm_release</span><span class="p">.</span><span class="nx">nginx_ingress</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Step 5: Install Prometheus Stack </h3> <p>We’ll use the Terraform Helm provider to install both Prometheus (for metrics collection) and Grafana (for visualization) in its own namespace.</p> <p>The kube-prometheus-stack Helm chart is an umbrella chart maintained by the Prometheus community. It includes Prometheus, Grafana, and kube-state-metrics all bundled together. That’s why deploying just this chart is usually sufficient for Kubernetes observability.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># Create monitoring namespace</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"monitoring"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"monitoring"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"monitoring"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">]</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># Install Prometheus using Helm (after nginx ingress)</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"prometheus"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prometheus"</span> <span class="nx">repository</span> <span class="p">=</span> <span class="s2">"https://prometheus-community.github.io/helm-charts"</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"kube-prometheus-stack"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">monitoring</span><span class="p">.</span><span class="nx">metadata</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"55.5.0"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">yamlencode</span><span class="p">({</span> <span class="nx">prometheus</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">prometheusSpec</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">retention</span> <span class="p">=</span> <span class="s2">"30d"</span> <span class="p">}</span> <span class="nx">service</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ClusterIP"</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">ingressClassName</span> <span class="p">=</span> <span class="s2">"nginx"</span> <span class="nx">hosts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"prometheus.chinmayto.com"</span><span class="p">]</span> <span class="nx">paths</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"/"</span><span class="p">]</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"nginx.ingress.kubernetes.io/rewrite-target"</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">grafana</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">adminPassword</span> <span class="p">=</span> <span class="s2">"admin123"</span> <span class="nx">service</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ClusterIP"</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">ingressClassName</span> <span class="p">=</span> <span class="s2">"nginx"</span> <span class="nx">hosts</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"grafana.chinmayto.com"</span><span class="p">]</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"nginx.ingress.kubernetes.io/rewrite-target"</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">persistence</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">alertmanager</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">})</span> <span class="p">]</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">monitoring</span><span class="p">,</span> <span class="nx">helm_release</span><span class="p">.</span><span class="nx">nginx_ingress</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Step 6: Deploy Sample Microservices Application (Voting App) </h3> <p>Now that observability is in place, let’s deploy a sample microservices app: the Voting App (a simple app with a frontend, backend, and database).</p> <p>Apply manifests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>example-voting-app/k8s-specifications kubectl apply <span class="nt">-f</span> <span class="nb">.</span> </code></pre> </div> <h2> Accessing Your Monitoring Stack </h2> <p>You can access Prometheus at <a href="https://prometheus.chinmayto.com" rel="noopener noreferrer">https://prometheus.chinmayto.com</a> and Grafana at <a href="https://grafana.chinmayto.com" rel="noopener noreferrer">https://grafana.chinmayto.com</a>.</p> <h3> Validation Steps </h3> <h3> 1. Verify Prometheus Targets </h3> <p>In Prometheus UI:</p> <ol> <li>Go to Status → Targets</li> <li>Ensure all targets are "UP"</li> <li>Check for any scraping errors</li> </ol> <h3> 2. Test Prometheus Queries </h3> <p>Try these sample queries in Prometheus:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># CPU usage by node 100 - (avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) # Memory usage (1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes)) * 100 # Pod count by namespace count by (namespace) (kube_pod_info) </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgnqwg6jwktltxg95ko3e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgnqwg6jwktltxg95ko3e.png" alt=" " width="800" height="418"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd05m8d9nd5lg7oiafkid.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd05m8d9nd5lg7oiafkid.png" alt=" " width="800" height="418"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fapu8z9fwyo465qglfcyc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fapu8z9fwyo465qglfcyc.png" alt=" " width="800" height="418"></a></p> <h3> 3. Verify Grafana Dashboards </h3> <p>Grafana comes with pre-built dashboards:</p> <ol> <li>Navigate to Dashboards</li> <li>Check "Kubernetes / Compute Resources / Cluster"</li> <li>Verify data is displaying correctly</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faz13tm8q65phkkfogkut.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faz13tm8q65phkkfogkut.png" alt=" " width="800" height="433"></a></p> <h2> Few Best Grafana Dashboards for EKS Monitoring </h2> <p>Grafana provides a wide range of prebuilt dashboards for Kubernetes and Prometheus. Some of the most popular ones for EKS monitoring include:</p> <ul> <li>Kubernetes / Compute Resources Cluster (ID: 315): Visualizes cluster-wide CPU and memory usage.</li> <li>Kubernetes / Compute Resources Namespace (Workloads) (ID: 3146): Breaks down metrics by namespace, useful for multi-team environments.</li> <li>Kubernetes / Compute Resources Pod (ID: 7633): Pod-level monitoring (CPU, memory, restarts).</li> <li>Kubernetes API Server Metrics (ID: 12006): Helps track API server performance, latency, and error rates.</li> <li>Node Exporter Full (ID: 1860): Deep-dive into node-level metrics such as disk I/O, CPU, memory, and network.</li> <li>ETCD Metrics (ID: 3070): Monitoring the control plane’s key-value store.</li> <li>Kube-State-Metrics Dashboards (ID: 13332): Tracks states of Kubernetes objects like deployments, daemonsets, jobs, and cronjobs. These dashboards can be directly imported into Grafana using their Dashboard IDs from Grafana Labs Dashboard Repository</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmrimzlg3wlxvh4bdsuyn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmrimzlg3wlxvh4bdsuyn.png" alt=" " width="800" height="433"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs6uojsjlzpehk2yis0w9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs6uojsjlzpehk2yis0w9.png" alt=" " width="800" height="433"></a></p> <h2> Cleanup </h2> <p>Delete the k8s resources created<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>example-voting-app/k8s-specifications kubectl delete <span class="nt">-f</span> <span class="nb">.</span> </code></pre> </div> <p>And then <code>terraform destroy</code> the EKS infrastructure if you are not using it to save costs.</p> <h2> Conclusion </h2> <p>Setting up Prometheus and Grafana on EKS provides powerful observability into your Kubernetes clusters. This monitoring stack enables you to:</p> <ul> <li>Track cluster and application performance</li> <li>Set up proactive alerting</li> <li>Visualize metrics through beautiful dashboards</li> <li>Make data-driven decisions about scaling and optimization</li> </ul> <p>The combination of Prometheus's robust metric collection and Grafana's visualization capabilities creates a comprehensive monitoring solution that scales with your infrastructure needs.</p> <p>Remember to regularly review and update your monitoring configuration as your applications and infrastructure evolve. Monitoring is not a "set it and forget it" solution – it requires ongoing attention and refinement.</p> <h2> References </h2> <ul> <li><a href="https://github.com/chinmayto/terraform-aws-eks-observability" rel="noopener noreferrer">My GitHub Repo</a></li> <li><a href="https://prometheus.io/docs/" rel="noopener noreferrer">Prometheus Documentation</a></li> <li><a href="https://grafana.com/docs/" rel="noopener noreferrer">Grafana Documentation</a></li> <li><a href="https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack" rel="noopener noreferrer">kube-prometheus-stack Helm Chart</a></li> <li><a href="https://docs.aws.amazon.com/eks/latest/userguide/" rel="noopener noreferrer">Amazon EKS User Guide</a></li> <li><a href="https://kubernetes.io/docs/concepts/cluster-administration/monitoring/" rel="noopener noreferrer">Kubernetes Monitoring Best Practices</a></li> <li><a href="https://prometheus-operator.dev/" rel="noopener noreferrer">Prometheus Operator Documentation</a></li> </ul> eks observability prometheus grafana Kubernetes Storage Playlist - Part 5: Choosing the Right Storage for EKS: EBS vs. EFS vs. S3 Chinmay Tonape Thu, 11 Sep 2025 02:30:01 +0000 https://forem.com/aws-builders/kubernetes-storage-playlist-part-5-choosing-the-right-storage-for-eks-ebs-vs-efs-vs-s3-3g2d https://forem.com/aws-builders/kubernetes-storage-playlist-part-5-choosing-the-right-storage-for-eks-ebs-vs-efs-vs-s3-3g2d <p>When running applications on Amazon EKS (Elastic Kubernetes Service), one of the first architectural questions you’ll face is: Which storage solution should I use?</p> <p>Picking the right storage isn’t just about saving data—it directly impacts scalability, reliability, and cost-efficiency of your workloads. AWS provides multiple storage services that integrate with Kubernetes through CSI drivers, and each serves a different purpose.</p> <p>In this post, we’ll compare the three primary options — Amazon EBS, Amazon EFS, and Amazon S3 (via the Mountpoint CSI driver) — to help you choose the right fit for your workloads.</p> <h2> Amazon EBS (Elastic Block Store) </h2> <p>Amazon EBS is block-level storage attached to a specific EC2 instance or pod through the EBS CSI driver. Think of it like attaching a hard drive to your VM — it’s fast, consistent, and designed for single-pod workloads.</p> <h3> Best suited for: </h3> <ul> <li>Relational &amp; NoSQL Databases (PostgreSQL, MySQL, Cassandra)</li> <li>Stateful applications needing low-latency, high IOPS</li> <li>Single-instance apps requiring persistence across pod restarts</li> </ul> <h3> Key Characteristics: </h3> <ul> <li> <strong>AZ-bound</strong>: An EBS volume lives in one Availability Zone, and pods must be scheduled in the same AZ.</li> <li> <strong>Single-pod access</strong>: Most volumes are ReadWriteOnce (RWO) — meaning one pod at a time.</li> <li> <strong>Dynamic provisioning</strong>: Kubernetes can auto-create EBS volumes using PersistentVolumeClaims.</li> </ul> <p>If your workload is a database or something that needs dedicated, fast disk storage, EBS is the go-to.</p> <h3> Amazon EFS (Elastic File System) </h3> <p>Amazon EFS is a fully managed, elastic NFS storage that multiple pods can mount simultaneously — even across different Availability Zones. With the EFS CSI driver, it becomes a shared, scalable storage layer for Kubernetes workloads.</p> <h3> Best suited for: </h3> <ul> <li>Web content management (WordPress, Drupal)</li> <li>CI/CD pipelines (shared build artifacts, code repos)</li> <li>Applications needing shared data across multiple pods</li> <li>Persistent storage with ReadWriteMany (RWX) access</li> </ul> <h3> Key Characteristics: </h3> <ul> <li> <strong>Shared access</strong>: Thousands of pods can read/write to the same file system.</li> <li> <strong>Elastic &amp; serverless</strong>: Automatically grows/shrinks with usage.</li> <li> <strong>Multi-AZ durability</strong>: Data is stored across multiple AZs for resilience.</li> </ul> <p>If you need shared storage accessible by many pods at once, EFS is the right choice.</p> <h2> Amazon S3 with Mountpoint CSI Driver </h2> <p>Amazon S3 is object storage, but with the Mountpoint for S3 CSI driver, you can mount an S3 bucket into your pod as if it were a file system. This is great for workloads that want S3’s scale and durability but expect a file system interface.</p> <h3> Best suited for: </h3> <ul> <li>Data analytics &amp; ML jobs reading/writing large datasets</li> <li>Centralized log aggregation from multiple pods</li> <li>Backups &amp; archival storage</li> <li>Media processing and high-throughput workloads</li> </ul> <h3> Key Characteristics: </h3> <ul> <li> <strong>Object store with file-like access</strong>: File operations are translated into S3 API calls.</li> <li> <strong>High throughput</strong>: Great for parallel data processing.</li> <li> <strong>Static provisioning only</strong>: You can’t dynamically create S3 buckets — only mount existing ones.</li> <li> <strong>Not POSIX-compliant</strong>: Doesn’t support all file operations like EBS/EFS.</li> </ul> <p>If your workload is data-intensive and benefits from S3’s scale and economics, the Mountpoint driver is an excellent fit.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Amazon EBS</th> <th>Amazon EFS</th> <th>Amazon S3</th> </tr> </thead> <tbody> <tr> <td><strong>Type</strong></td> <td>Block storage</td> <td>File system (NFS)</td> <td>Object storage (via CSI)</td> </tr> <tr> <td><strong>Access Mode</strong></td> <td>Single pod (RWO)</td> <td>Multi-pod (RWX)</td> <td>Multi-pod (limited)</td> </tr> <tr> <td><strong>Performance</strong></td> <td>Low latency, high IOPS</td> <td>Shared, elastic, multi-AZ</td> <td>High throughput, sequential</td> </tr> <tr> <td><strong>Use Case</strong></td> <td>Databases, stateful apps</td> <td>Shared web content, CI/CD, dev tools</td> <td>Data analytics, logs, backups</td> </tr> <tr> <td><strong>Provisioning</strong></td> <td>Static &amp; dynamic</td> <td>Static &amp; dynamic</td> <td>Static only</td> </tr> <tr> <td><strong>AZ Scope</strong></td> <td>Single AZ</td> <td>Multi-AZ</td> <td>Regional (bucket-level)</td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>Choosing the right storage solution in EKS depends on your workload needs:</p> <ul> <li>Use <strong>EBS</strong> for high-performance, single-pod workloads like databases.</li> <li>Use <strong>EFS</strong> for shared, scalable storage where multiple pods need simultaneous access.</li> <li>Use <strong>S3 (Mountpoint)</strong> when you need massive, cost-effective object storage for data-heavy applications.</li> </ul> <p>By aligning your storage choice with your workload requirements, you’ll build an EKS architecture that’s resilient, cost-efficient, and scalable.</p> <h2> References </h2> <p>Refer to my detailed blogs for implementing each of the storage type</p> <p><a href="https://dev.to/aws-builders/kubernetes-storage-playlist-part-2-implementing-amazon-efs-storage-with-eks-using-terraform-and-542j">AWS Storage with EFS</a></p> <p><a href="https://dev.to/aws-builders/kubernetes-storage-playlist-part-3-implementing-amazon-ebs-storage-with-amazon-eks-using-1afc">AWS Storage with EBS</a></p> <p><a href="https://dev.to/aws-builders/kubernetes-storage-playlist-part-4-implementing-amazon-s3-storage-with-eks-using-terraform-and-3n59">AWS Storage with S3 with Mountpoint</a></p> kubernetes aws eks storage Building an Amazon EKS Cluster with raw Terraform Resources Chinmay Tonape Wed, 10 Sep 2025 18:55:42 +0000 https://forem.com/aws-builders/building-an-amazon-eks-cluster-with-raw-terraform-resources-1gj0 https://forem.com/aws-builders/building-an-amazon-eks-cluster-with-raw-terraform-resources-1gj0 <p>Most guides for provisioning Amazon EKS use the AWS community Terraform module for convenience. While this is great for speed, it often abstracts away what’s actually happening behind the scenes.</p> <p>In this blog, we will build an EKS cluster from scratch using raw Terraform resources (without using the community module). By doing this, you’ll gain a clear understanding of the AWS networking, IAM, and compute resources that make up a Kubernetes cluster on AWS.</p> <p>Finally, we’ll deploy a sample microservices application (Voting App) on the cluster and access it using port-forwarding.</p> <h2> Architecture </h2> <p>Here’s how the setup works at a high level:</p> <ul> <li>VPC is created with 2 Availability Zones for high availability.</li> <li>Each AZ contains both a public and a private subnet.</li> <li>EKS worker nodes (EC2 instances) are launched in private subnets for better security.</li> <li>A NAT Gateway is provisioned in a public subnet to allow worker nodes in private subnets to pull images and updates from the internet (e.g., from ECR, Docker Hub).</li> <li>EKS control plane (managed by AWS) communicates with the worker nodes securely within the VPC. This setup ensures that your nodes are not directly exposed to the internet while still having outbound internet access via the NAT gateway.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftb9utplt8dfl7xx7gjsd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftb9utplt8dfl7xx7gjsd.png" alt=" " width="763" height="530"></a></p> <h2> Step 1: Create a VPC with Public and Private Subnets </h2> <p>EKS requires a properly configured VPC with both public and private subnets. Worker nodes generally live in private subnets, while the NAT gateway in public subnets provides outbound internet connectivity. </p> <p>We also add Internet Gateway (IGW), NAT Gateway, and route tables to handle connectivity between public/private subnets.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># VPC</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"custom_vpc"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">cidr_block</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-VPC"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># PUBLIC SUBNETS</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public_subnets"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="p">==</span> <span class="kc">null</span> <span class="err">||</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">public_subnets</span> <span class="p">==</span> <span class="s2">""</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">custom_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">azs</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-public-subnet-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="k">}</span><span class="s2">"</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># PRIVATE SUBNETS</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"private_subnets"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="p">==</span> <span class="kc">null</span> <span class="err">||</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="p">==</span> <span class="s2">""</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">custom_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">azs</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-private-subnet-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="k">}</span><span class="s2">"</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="s2">"kubernetes.io/cluster/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># INTERNET GATEWAY</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"i_gateway"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">custom_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-i-gateway"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># EIPs</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"elastic_ip"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="p">==</span> <span class="kc">null</span> <span class="err">||</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">nat_gateways</span> <span class="p">==</span> <span class="kc">false</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">)</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">i_gateway</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-eip-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="k">}</span><span class="s2">"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># NAT GATEWAYS</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_nat_gateway"</span> <span class="s2">"nats"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="p">==</span> <span class="kc">null</span> <span class="err">||</span> <span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">nat_gateways</span> <span class="p">==</span> <span class="kc">false</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">)</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">connectivity_type</span> <span class="p">=</span> <span class="s2">"public"</span> <span class="nx">allocation_id</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">elastic_ip</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">i_gateway</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-nat-gw-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="k">}</span><span class="s2">"</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># PUBLIC ROUTE TABLE</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"public_table"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">custom_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route"</span> <span class="s2">"public_routes"</span> <span class="p">{</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public_table</span><span class="p">.</span><span class="nx">id</span> <span class="nx">destination_cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">i_gateway</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"assoc_public_routes"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">)</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public_subnets</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public_table</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># PRIVATE ROUTE TABLES</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"private_tables"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">azs</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">custom_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route"</span> <span class="s2">"private_routes"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">)</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private_tables</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">destination_cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">nat_gateway_id</span> <span class="p">=</span> <span class="nx">aws_nat_gateway</span><span class="p">.</span><span class="nx">nats</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"assoc_private_routes"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">networking</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">)</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private_subnets</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private_tables</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># SECURITY GROUPS</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"sec_groups"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">sec</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">security_groups</span> <span class="err">:</span> <span class="nx">sec</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">sec</span> <span class="p">}</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">custom_vpc</span><span class="p">.</span><span class="nx">id</span> <span class="nx">dynamic</span> <span class="s2">"ingress"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">try</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ingress</span><span class="p">,</span> <span class="p">[])</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">ingress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="nx">ingress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">from_port</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="nx">ingress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">to_port</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">ingress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="nx">ingress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr_blocks</span> <span class="nx">ipv6_cidr_blocks</span> <span class="p">=</span> <span class="nx">ingress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ipv6_cidr_blocks</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">dynamic</span> <span class="s2">"egress"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">try</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">egress</span><span class="p">,</span> <span class="p">[])</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">egress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="nx">egress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">from_port</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="nx">egress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">to_port</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">egress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">protocol</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="nx">egress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr_blocks</span> <span class="nx">ipv6_cidr_blocks</span> <span class="p">=</span> <span class="nx">egress</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ipv6_cidr_blocks</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 2: Create IAM Roles and Policies </h2> <p>EKS needs roles for both the control plane and worker nodes.</p> <ul> <li>Cluster Role – Grants permissions for EKS to manage AWS resources.</li> <li>Node Role – Allows EC2 instances (worker nodes) to join the cluster. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># EKS CLUSTER ROLE</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"EKSClusterRole"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-EKSClusterRole"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"eks.amazonaws.com"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// This policy provides Kubernetes the permissions it requires to manage resources on your behalf. </span> <span class="c1">// Kubernetes requires Ec2:CreateTags permissions to place identifying information on EC2 resources</span> <span class="c1">// including but not limited to Instances, Security Groups, and Elastic Network Interfaces</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"AmazonEKSClusterPolicy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">EKSClusterRole</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># NODE GROUP ROLE</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"NodeGroupRole"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-EKSNodeGroupRole"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"ec2.amazonaws.com"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">//This policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters.</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"AmazonEKSWorkerNodePolicy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">NodeGroupRole</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1">// Provides read-only access to Amazon EC2 Container Registry repositories.</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"AmazonEC2ContainerRegistryReadOnly"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">NodeGroupRole</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1">// This policy provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions</span> <span class="c1">// it requires to modify the IP address configuration on your EKS worker nodes. </span> <span class="c1">// This permission set allows the CNI to list, describe, and modify ENIs on your behalf</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"AmazonEKS_CNI_Policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">NodeGroupRole</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <h2> Step 3: Provision the EKS Cluster </h2> <p>Following creates the EKS control plane.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># EKS Cluster</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_eks_cluster"</span> <span class="s2">"eks-cluster"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_config</span><span class="p">.</span><span class="nx">name</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">EKSClusterRole</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">version</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_config</span><span class="p">.</span><span class="nx">version</span> <span class="nx">vpc_config</span> <span class="p">{</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">flatten</span><span class="p">([</span><span class="kd">var</span><span class="p">.</span><span class="nx">public_subnets_id</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_subnets_id</span><span class="p">])</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="nx">flatten</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">security_groups_id</span><span class="p">)</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">AmazonEKSClusterPolicy</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>At this point, we create a managed set of EC2 worker nodes with basic required addons<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># NODE GROUP</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_eks_node_group"</span> <span class="s2">"node-ec2"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">node_group</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">node_groups</span> <span class="err">:</span> <span class="nx">node_group</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">node_group</span> <span class="p">}</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">eks-cluster</span><span class="p">.</span><span class="nx">name</span> <span class="nx">node_group_name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span> <span class="nx">node_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">NodeGroupRole</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">flatten</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">private_subnets_id</span><span class="p">)</span> <span class="nx">scaling_config</span> <span class="p">{</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="nx">try</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">scaling_config</span><span class="p">.</span><span class="nx">desired_size</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="nx">try</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">scaling_config</span><span class="p">.</span><span class="nx">max_size</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="nx">try</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">scaling_config</span><span class="p">.</span><span class="nx">min_size</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="p">}</span> <span class="nx">update_config</span> <span class="p">{</span> <span class="nx">max_unavailable</span> <span class="p">=</span> <span class="nx">try</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">update_config</span><span class="p">.</span><span class="nx">max_unavailable</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="p">}</span> <span class="nx">ami_type</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">ami_type</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">instance_types</span> <span class="nx">capacity_type</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">capacity_type</span> <span class="nx">disk_size</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">disk_size</span> <span class="nx">version</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_config</span><span class="p">.</span><span class="nx">version</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-nodes-</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span> <span class="p">})</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">AmazonEKSWorkerNodePolicy</span><span class="p">,</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">AmazonEC2ContainerRegistryReadOnly</span><span class="p">,</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">AmazonEKS_CNI_Policy</span> <span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"eks_oidc_provider"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">eks-cluster</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"</span><span class="p">]</span> <span class="p">}</span> <span class="c1">################################################################################</span> <span class="c1"># EKS Addons</span> <span class="c1">################################################################################</span> <span class="k">data</span> <span class="s2">"aws_eks_addon_version"</span> <span class="s2">"eks_addons"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">addons</span> <span class="nx">addon_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span> <span class="nx">kubernetes_version</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">eks-cluster</span><span class="p">.</span><span class="nx">version</span> <span class="nx">most_recent</span> <span class="p">=</span> <span class="nx">coalesce</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">most_recent</span><span class="p">,</span> <span class="kc">true</span><span class="p">)</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_eks_addon"</span> <span class="s2">"addons"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">addons</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">eks-cluster</span><span class="p">.</span><span class="nx">name</span> <span class="nx">addon_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span> <span class="nx">addon_version</span> <span class="p">=</span> <span class="nx">coalesce</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">version</span><span class="p">,</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_eks_addon_version</span><span class="p">.</span><span class="nx">eks_addons</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">key</span><span class="p">].</span><span class="nx">version</span><span class="p">)</span> <span class="nx">resolve_conflicts_on_create</span> <span class="p">=</span> <span class="s2">"OVERWRITE"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">naming_prefix</span><span class="k">}</span><span class="s2">-addon-</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span> <span class="p">})</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_eks_node_group</span><span class="p">.</span><span class="nx">node-ec2</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Step 4: Configure kubectl and Access Cluster </h2> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">################################################################################</span> <span class="c1"># Update kubeconfig with created cluster</span> <span class="c1">################################################################################</span> <span class="k">resource</span> <span class="s2">"null_resource"</span> <span class="s2">"update_kubeconfig"</span> <span class="p">{</span> <span class="k">provisioner</span> <span class="s2">"local-exec"</span> <span class="p">{</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws eks --region </span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">aws_region</span><span class="k">}</span><span class="s2"> update-kubeconfig --name </span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_config</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Step 5: Deploy a Sample Microservices Application </h2> <p>We will deploy famous exmaple voting app from the <a href="https://github.com/dockersamples/example-voting-app" rel="noopener noreferrer">https://github.com/dockersamples/example-voting-app</a>. We will just deploy the manifests and not look into building the docker images at this moment.</p> <ul> <li>A front-end web app in Python which lets you vote between two options</li> <li>A Redis which collects new votes</li> <li>A .NET worker which consumes votes and stores them in…</li> <li>A Postgres database backed by a Docker volume</li> <li>A Node.js web app which shows the results of the voting in real time</li> </ul> <p>Note: The voting application only accepts one vote per client browser. It does not register additional votes if a vote has already been submitted from a client.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hvmwee26zwwvi6md39q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hvmwee26zwwvi6md39q.png" alt=" " width="800" height="744"></a></p> <p>Apply the manifests and verify<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /example-voting-app/k8s-specifications kubectl apply <span class="nt">-f</span> <span class="nb">.</span> deployment.apps/db created service/db created deployment.apps/redis created service/redis created deployment.apps/result created service/result created deployment.apps/vote created service/vote created deployment.apps/worker created kubectl port-forward service/vote 8080:8080 kubectl port-forward service/result 8081:8081 </code></pre> </div> <p>Access app using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Vote: http://localhost:8080 Result: http://localhost:8081 </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frwkv5j8j2rojv3b3tmz0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frwkv5j8j2rojv3b3tmz0.png" alt=" " width="800" height="493"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpjzdqspvmsy10vepzu6l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpjzdqspvmsy10vepzu6l.png" alt=" " width="800" height="436"></a></p> <h2> Cleanup </h2> <p>Delete the k8s resources created<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /example-voting-app/k8s-specifications kubectl delete <span class="nt">-f</span> <span class="nb">.</span> </code></pre> </div> <p>And then <code>terraform destroy</code> the EKS infrastructure if you are not using it to save costs.</p> <h2> Conclusion </h2> <p>By building an EKS cluster from scratch with Terraform—without relying on the AWS community module—we gain a clear understanding of the essential AWS resources required to run Kubernetes in production.</p> <p>We saw how networking forms the foundation, how the cluster and node groups tie everything together, and finally how workloads are deployed and accessed. This exercise provides not only a strong foundation in AWS and Kubernetes but also the confidence to customize infrastructure for real-world production use cases.</p> <h2> References </h2> <ul> <li> <a href="https://github.com/chinmayto/terraform-aws-eks-deep-dive" rel="noopener noreferrer">GitHub Repository</a> </li> <li> <a href="https://docs.aws.amazon.com/eks/index.html" rel="noopener noreferrer">Amazon EKS Documentation</a> </li> <li> <a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs" rel="noopener noreferrer">Terraform AWS Provider Docs</a> </li> </ul> kubernetes aws eks terraform Kubernetes Storage Playlist - Part 4: Implementing Amazon S3 Storage with EKS using Terraform and and Kubernetes Manifests Chinmay Tonape Mon, 08 Sep 2025 19:07:09 +0000 https://forem.com/aws-builders/kubernetes-storage-playlist-part-4-implementing-amazon-s3-storage-with-eks-using-terraform-and-3n59 https://forem.com/aws-builders/kubernetes-storage-playlist-part-4-implementing-amazon-s3-storage-with-eks-using-terraform-and-3n59 <p>In this blog, we’ll explore how to integrate Amazon S3 as a storage solution with Amazon EKS using Terraform and Kubernetes YAML manifests. We will run a simple Nginx container that serves website files stored in an S3 bucket.</p> <p>This approach leverages the Mountpoint for S3 CSI driver, which provides Kubernetes workloads access to Amazon S3 objects using standard POSIX interfaces.</p> <h2> Understanding Amazon S3 for Kubernetes </h2> <h3> What is Amazon S3? </h3> <p>Amazon Simple Storage Service (Amazon S3) is an object storage service designed for scalability, durability, and availability. Unlike traditional block storage (like EBS) or file storage (like EFS), S3 stores data as objects inside buckets, which makes it ideal for static content, logs, and backups.</p> <h3> Architecture Diagram </h3> <p>The architecture of attaching Amazon S3 storage to an EKS cluster revolves around the S3 CSI (Container Storage Interface) driver and the Mountpoint for S3 integration. </p> <p>At the base layer, an S3 bucket acts as the backend object store where application data is kept. Inside Kubernetes, a StorageClass defines how storage is provisioned and consumed. With S3, however, only static provisioning is currently supported—meaning a PersistentVolume (PV) must be manually created and mapped to an existing S3 bucket, and then a PersistentVolumeClaim (PVC) binds to that PV so workloads can access it. </p> <p>Once a pod is deployed, Kubernetes mounts the PVC to the container’s filesystem through the S3 CSI driver, which internally uses Mountpoint for S3 to provide file system-like access to objects in the bucket. </p> <p>While dynamic provisioning—where PVCs automatically trigger creation of new storage volumes—is common for drivers like EBS and EFS, it is not yet available for S3. This makes static provisioning the only option, requiring administrators to pre-define the mapping between PVs and S3 buckets. Security is handled through IAM Roles for Service Accounts (IRSA), ensuring pods have only the minimum required permissions to access specific S3 buckets.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq1bd7rrf8w3v0z9ue38p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq1bd7rrf8w3v0z9ue38p.png" alt=" " width="695" height="603"></a></p> <p>Key Benefits of Using S3 with EKS</p> <ul> <li>Scalability: Virtually unlimited storage capacity.</li> <li>Durability: 11 9’s durability guarantees.</li> <li>Cost-Effective: Pay for what you use with no upfront provisioning.</li> <li>Integration: Easy integration with AWS services like Athena, Glue, and CloudFront.</li> </ul> <p>Important Considerations for EKS</p> <ul> <li>CSI Driver Requirements: The Mountpoint for S3 CSI driver must be installed.</li> <li>Pod Identity Support: Currently, IRSA (IAM Roles for Service Accounts) is required. Pod Identity is not supported yet.</li> <li>Limitations: Only static provisioning is supported as of now. Dynamic provisioning is on the roadmap.</li> <li>Resource Quotas: Watch for limits like open file descriptors and network throughput when scaling workloads.</li> </ul> <h2> Step 1: Provisioning EKS Cluster with Terraform in a VPC </h2> <p>The first step in integrating Amazon S3 with EKS is to provision a Kubernetes cluster that runs securely inside a dedicated VPC. We will use the widely adopted AWS Terraform community modules for both the VPC and EKS setup. Please refer to main module of GitHub repo.</p> <h2> Step 2: Creating the S3 bucket </h2> <ul> <li> <strong>S3 Bucket</strong>: Encrypted S3 bucket with versioning and permissions </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">####################################################################################</span> <span class="c1"># S3 Bucket for Kubernetes Storage</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">bucket_name</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">bucket_name</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># S3 Bucket Versioning</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket_versioning"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">versioning_configuration</span> <span class="p">{</span> <span class="nx">status</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">versioning_enabled</span> <span class="err">?</span> <span class="s2">"Enabled"</span> <span class="err">:</span> <span class="s2">"Disabled"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># S3 Bucket Encryption</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket_server_side_encryption_configuration"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">apply_server_side_encryption_by_default</span> <span class="p">{</span> <span class="nx">sse_algorithm</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="nx">bucket_key_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># S3 Bucket Public Access Block</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket_public_access_block"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">block_public_acls</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">block_public_policy</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">ignore_public_acls</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">restrict_public_buckets</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong>IAM Role</strong>: For Mountpoint for S3 CSI Driver </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">####################################################################################</span> <span class="c1"># IAM Role for S3 CSI Driver (IRSA)</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"s3_csi_driver_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-s3-csi-driver-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">:oidc-provider/</span><span class="k">${</span><span class="nx">replace</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"</span><span class="k">${</span><span class="nx">replace</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="k">}</span><span class="s2">:sub"</span> <span class="p">=</span> <span class="s2">"system:serviceaccount:kube-system:s3-csi-driver-sa"</span> <span class="s2">"</span><span class="k">${</span><span class="nx">replace</span><span class="p">(</span><span class="k">data</span><span class="p">.</span><span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">cluster</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="k">}</span><span class="s2">:aud"</span> <span class="p">=</span> <span class="s2">"sts.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-s3-csi-driver-role"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># S3 CSI Driver Policy (Based on AWS Documentation)</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"s3_csi_driver_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-s3-csi-driver-policy"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"IAM policy for S3 CSI Driver based on AWS documentation"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:ListBucket"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">arn</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:AbortMultipartUpload"</span><span class="p">,</span> <span class="s2">"s3:DeleteObject"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">/*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-s3-csi-driver-policy"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># Attach S3 CSI Driver Policy</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"s3_csi_driver_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">s3_csi_driver_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">s3_csi_driver_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong>Mountpoint for S3 Add-on</strong>: AWS Mountpoint for S3 CSI Driver for Kubernetes integration </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">####################################################################################</span> <span class="c1">### S3 Mountpoint CSI Driver Addon (deployed after S3 module)</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_eks_addon"</span> <span class="s2">"s3_mountpoint_csi_driver"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">addon_name</span> <span class="p">=</span> <span class="s2">"aws-mountpoint-s3-csi-driver"</span> <span class="nx">service_account_role_arn</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">s3</span><span class="p">.</span><span class="nx">s3_csi_driver_role_arn</span> <span class="c1"># Using IRSA for CSI driver, Pod Identity for application pods</span> <span class="c1"># Ensure this addon is created after the S3 module creates the IAM role and pod identity association</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">s3</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-s3-mountpoint-csi-driver"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 3: S3 Storage Implementation Patterns </h2> <p>Since only static provisioning is supported for S3 today, we’ll define PersistentVolumes (PV) that reference an S3 bucket.</p> <ul> <li> <code>storage-class.yaml</code> - StorageClass for S3 CSI driver (requires <code>${S3_BUCKET_NAME}</code> placeholder) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">s3-csi-sc</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">s3.csi.aws.com</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">bucketName</span><span class="pi">:</span> <span class="s">${S3_BUCKET_NAME}</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s2">"</span><span class="s">k8s-storage/"</span> <span class="na">volumeBindingMode</span><span class="pi">:</span> <span class="s">Immediate</span> <span class="na">allowVolumeExpansion</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <ul> <li> <code>persistent-volume.yaml</code> - PersistentVolume for S3 bucket (static provisioning only) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolume</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">s3-pv</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">capacity</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteMany</span> <span class="na">persistentVolumeReclaimPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">s3-csi-sc</span> <span class="na">csi</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">s3.csi.aws.com</span> <span class="na">volumeHandle</span><span class="pi">:</span> <span class="s">s3-csi-driver-volume</span> <span class="na">volumeAttributes</span><span class="pi">:</span> <span class="na">bucketName</span><span class="pi">:</span> <span class="s">${S3_BUCKET_NAME}</span> <span class="na">prefix</span><span class="pi">:</span> <span class="s2">"</span><span class="s">k8s-storage/"</span> </code></pre> </div> <ul> <li> <code>persistent-volume-claim.yaml</code> - PVC using S3 CSI driver </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">s3-pvc</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteMany</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">s3-csi-sc</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">1Gi</span> </code></pre> </div> <ul> <li> <code>nginx-pod.yaml</code> - Nginx pod with S3 storage mounted and content creation </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-s3-pod</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-s3</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">runAsUser</span><span class="pi">:</span> <span class="m">0</span> <span class="na">runAsGroup</span><span class="pi">:</span> <span class="m">0</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">]</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">echo '&lt;h1&gt;Hello from S3 Mountpoint!&lt;/h1&gt;&lt;p&gt;&lt;b&gt;Pod:&lt;/b&gt; '$POD_NAME'&lt;/p&gt;' &gt; /usr/share/nginx/html/index.html || true</span> <span class="s">sed -i 's/user nginx;/user root;/' /etc/nginx/nginx.conf</span> <span class="s">nginx -g 'daemon off;'</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">s3-storage</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/share/nginx/html</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">s3-storage</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">s3-pvc</span> </code></pre> </div> <ul> <li> <code>nginx-service.yaml</code> - ClusterIP service to expose nginx on port 80 </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-s3-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-s3</span> </code></pre> </div> <h3> Deployment Steps For Static Provisioning: </h3> <ol> <li>Get S3 bucket name from Terraform: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infrastructure <span class="nv">S3_BUCKET_NAME</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> s3_bucket_name 2&gt;/dev/null <span class="o">||</span> <span class="nb">echo</span> <span class="s2">""</span><span class="si">)</span> </code></pre> </div> <ol> <li>Update manifests with S3 values: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s2">"s/</span><span class="se">\$</span><span class="s2">{S3_BUCKET_NAME}/</span><span class="nv">$S3_BUCKET_NAME</span><span class="s2">/g"</span> storage-class.yaml <span class="o">&gt;</span> storage-class-final.yaml <span class="nb">sed</span> <span class="s2">"s/</span><span class="se">\$</span><span class="s2">{S3_BUCKET_NAME}/</span><span class="nv">$S3_BUCKET_NAME</span><span class="s2">/g"</span> persistent-volume.yaml <span class="o">&gt;</span> persistent-volume-final.yaml </code></pre> </div> <ol> <li>Apply manifests: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> storage-class-final.yaml kubectl apply <span class="nt">-f</span> persistent-volume-final.yaml kubectl apply <span class="nt">-f</span> persistent-volume-claim.yaml kubectl apply <span class="nt">-f</span> nginx-pod.yaml kubectl apply <span class="nt">-f</span> nginx-service.yaml </code></pre> </div> <p>Refer to <code>deploy.sh</code> for automated deployment script<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get sc,pv,pvc NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE storageclass.storage.k8s.io/s3-csi-sc s3.csi.aws.com Delete Immediate <span class="nb">false </span>10m NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE persistentvolume/s3-pv 1Gi RWX Retain Bound default/s3-pvc s3-csi-sc &lt;<span class="nb">unset</span><span class="o">&gt;</span> 10m NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE persistentvolumeclaim/s3-pvc Bound s3-pv 1Gi RWX s3-csi-sc &lt;<span class="nb">unset</span><span class="o">&gt;</span> 10m </code></pre> </div> <p>S3 Bucket:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2qkutklsaoagh7bf8gdg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2qkutklsaoagh7bf8gdg.png" alt=" " width="800" height="147"></a></p> <p>S3 Bucket Contents:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl9mesmmwvix68rv9a2y8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl9mesmmwvix68rv9a2y8.png" alt=" " width="800" height="156"></a></p> <p>Nginx pod accessing S3 for index.html</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frw5c7vael9kb2jszkq83.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frw5c7vael9kb2jszkq83.png" alt=" " width="750" height="276"></a></p> <h2> Verification </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check S3 CSI driver status:</span> kubectl get pods <span class="nt">-n</span> kube-system <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>aws-mountpoint-s3-csi-driver <span class="c"># Check deployment status:</span> kubectl get pod nginx-s3-pod kubectl get service nginx-s3-service kubectl get pvc s3-pvc kubectl get pv <span class="c"># Test nginx web server:</span> kubectl port-forward service/nginx-s3-service 8084:80 <span class="c"># Then visit http://localhost:8084</span> <span class="c"># Check S3 File Persistence</span> kubectl <span class="nb">exec </span>nginx-s3-pod <span class="nt">--</span> <span class="nb">ls</span> <span class="nt">-la</span> /usr/share/nginx/html/ kubectl <span class="nb">exec </span>nginx-s3-pod <span class="nt">--</span> <span class="nb">cat</span> /usr/share/nginx/html/index.html <span class="c"># Check S3 bucket content:</span> aws s3 <span class="nb">ls </span>s3://<span class="nv">$S3_BUCKET_NAME</span>/k8s-storage/ </code></pre> </div> <h2> Cleanup </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete <span class="nt">-f</span> nginx-service.yaml kubectl delete <span class="nt">-f</span> nginx-pod.yaml kubectl delete <span class="nt">-f</span> persistent-volume-claim.yaml kubectl delete <span class="nt">-f</span> persistent-volume.yaml kubectl delete <span class="nt">-f</span> storage-class.yaml </code></pre> </div> <p>And then terraform destroy the EKS infrastructure if you are not using it to save costs.</p> <h2> Conclusion </h2> <p>Amazon S3 provides a scalable and cost-effective storage solution for workloads running on EKS. With the Mountpoint for S3 CSI driver, Kubernetes pods can directly mount S3 buckets and serve static files seamlessly. While currently limited to static provisioning, this integration is a powerful way to manage object storage in containerized environments.</p> <p>In this blog, we provisioned an EKS cluster using Terraform, set up IAM roles with IRSA, deployed the S3 CSI driver, and ran an Nginx container backed by S3 storage.</p> <h2> References </h2> <ul> <li><a href="https://github.com/chinmayto/aws-eks-kubernetes-storage-volumes/tree/main" rel="noopener noreferrer">My GitHub Repo – Full Terraform &amp; YAML Implementation</a></li> <li><a href="https://docs.aws.amazon.com/eks/latest/userguide/s3-csi.html" rel="noopener noreferrer">AWS Documentation – Mountpoint for S3 CSI Driver</a></li> </ul> kubernetes aws eks s3 Kubernetes Storage Playlist - Part 3: Implementing Amazon EBS Storage with Amazon EKS Using Terraform and Kubernetes Manifests Chinmay Tonape Mon, 08 Sep 2025 18:33:23 +0000 https://forem.com/aws-builders/kubernetes-storage-playlist-part-3-implementing-amazon-ebs-storage-with-amazon-eks-using-1afc https://forem.com/aws-builders/kubernetes-storage-playlist-part-3-implementing-amazon-ebs-storage-with-amazon-eks-using-1afc <p>In this blog, we’ll explore how to integrate Amazon Elastic Block Store (EBS) with Amazon Elastic Kubernetes Service (EKS). We’ll provision an EKS cluster with Terraform, configure the EBS CSI driver, and run an Nginx container that uses EBS storage to persist website files.</p> <p>This is a practical guide for anyone building stateful workloads on EKS.</p> <h2> Understanding Amazon EBS for Kubernetes </h2> <h3> What is Amazon EBS? </h3> <p>Amazon Elastic Block Store (EBS) provides persistent block-level storage volumes that can be attached to Amazon EC2 instances. Within Kubernetes, EBS volumes can be exposed to Pods through the EBS CSI (Container Storage Interface) driver, allowing workloads to persist data beyond pod lifecycles.</p> <h3> Architecture Diagram </h3> <p>When you use Amazon EBS with Amazon EKS, your application asks for storage through a PersistentVolumeClaim (PVC). Kubernetes then either connects this request to an existing EBS volume (static provisioning) or automatically creates a new one (dynamic provisioning) with the help of a StorageClass and the EBS CSI driver. </p> <p>The CSI driver talks to AWS to create and attach the volume to the worker node where your Pod is running, and the volume gets mounted inside the container at the specified path (like /usr/share/nginx/html). One important thing to remember is that EBS volumes work only within a single Availability Zone (AZ). This means your Pod and the EBS volume must be in the same AZ. Dynamic provisioning usually takes care of this automatically, but with static provisioning, you need to make sure the volume is created in the right AZ.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2etsv6v4a0ea5xwpbddt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2etsv6v4a0ea5xwpbddt.png" alt=" " width="800" height="622"></a></p> <h3> Key Benefits for EKS </h3> <ul> <li> <strong>Durability</strong>: Data persists beyond pod restarts.</li> <li> <strong>Performance</strong>: Multiple volume types (gp3, io2, st1, etc.) for optimized throughput or IOPS.</li> <li> <strong>Elasticity</strong>: Volumes can be resized without downtime.</li> <li> <strong>Cost-effectiveness</strong>: Pay only for the storage provisioned.</li> </ul> <h3> Important Considerations with EKS </h3> <ul> <li>EBS volumes are AZ-scoped – a Pod using EBS must run in the same Availability Zone as the volume.</li> <li>Requires Kubernetes v1.17+ with CSI driver support.</li> <li>Pods requiring EBS must use StatefulSets or carefully scheduled Deployments.</li> <li>Resource quotas should be monitored to avoid exhausting storage or hitting API limits.</li> </ul> <h2> Step 1: Provisioning EKS Cluster with Terraform in a VPC </h2> <p>The first step in integrating Amazon EBS with EKS is to provision a Kubernetes cluster that runs securely inside a dedicated VPC. We will use the widely adopted AWS Terraform community modules for both the VPC and EKS setup. Please refer to main module of GitHub repo.</p> <h2> Step 2: Creating the EFS File System </h2> <p>EBS Storage: Encrypted EBS Storage with optional encryption<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">####################################################################################</span> <span class="c1"># Static EBS Volume for Testing</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_ebs_volume"</span> <span class="s2">"static_volume"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">create_static_volume</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">availability_zones</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">size</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">static_volume_size</span> <span class="nx">type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_volume_type</span> <span class="nx">encrypted</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_encrypted</span> <span class="nx">kms_key_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_kms_key_id</span> <span class="c1"># Configure IOPS for gp3, io1, io2 volumes</span> <span class="nx">iops</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_volume_type</span> <span class="p">==</span> <span class="s2">"gp3"</span> <span class="err">||</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_volume_type</span> <span class="p">==</span> <span class="s2">"io1"</span> <span class="err">||</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_volume_type</span> <span class="p">==</span> <span class="s2">"io2"</span> <span class="err">?</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_volume_iops</span> <span class="err">:</span> <span class="kc">null</span> <span class="c1"># Configure throughput for gp3 volumes</span> <span class="nx">throughput</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_volume_type</span> <span class="p">==</span> <span class="s2">"gp3"</span> <span class="err">?</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_volume_throughput</span> <span class="err">:</span> <span class="kc">null</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-static-ebs-volume"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="nx">Purpose</span> <span class="p">=</span> <span class="s2">"Static EBS volume for Kubernetes testing"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># KMS Key for EBS Encryption (Optional)</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_kms_key"</span> <span class="s2">"ebs_encryption"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_kms_key_id</span> <span class="p">==</span> <span class="kc">null</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"KMS key for EBS volume encryption in </span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">"</span> <span class="nx">deletion_window_in_days</span> <span class="p">=</span> <span class="mi">7</span> <span class="nx">enable_key_rotation</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-ebs-encryption-key"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_kms_alias"</span> <span class="s2">"ebs_encryption"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">ebs_kms_key_id</span> <span class="p">==</span> <span class="kc">null</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alias/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-ebs-encryption"</span> <span class="nx">target_key_id</span> <span class="p">=</span> <span class="nx">aws_kms_key</span><span class="p">.</span><span class="nx">ebs_encryption</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">key_id</span> <span class="p">}</span> </code></pre> </div> <p>IAM Role: For EFS CSI driver with pod identity<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">####################################################################################</span> <span class="c1"># IAM Role for EBS CSI Driver (Pod Identity)</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ebs_csi_driver_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-ebs-csi-driver-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"pods.eks.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sts:AssumeRole"</span><span class="p">,</span> <span class="s2">"sts:TagSession"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-ebs-csi-driver-role"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># Create Custom EBS CSI Driver Policy</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"ebs_csi_driver_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-ebs-csi-driver-policy"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Policy for EBS CSI driver"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:CreateSnapshot"</span><span class="p">,</span> <span class="s2">"ec2:AttachVolume"</span><span class="p">,</span> <span class="s2">"ec2:DetachVolume"</span><span class="p">,</span> <span class="s2">"ec2:ModifyVolume"</span><span class="p">,</span> <span class="s2">"ec2:DescribeAvailabilityZones"</span><span class="p">,</span> <span class="s2">"ec2:DescribeInstances"</span><span class="p">,</span> <span class="s2">"ec2:DescribeSnapshots"</span><span class="p">,</span> <span class="s2">"ec2:DescribeTags"</span><span class="p">,</span> <span class="s2">"ec2:DescribeVolumes"</span><span class="p">,</span> <span class="s2">"ec2:DescribeVolumesModifications"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:CreateTags"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:ec2:*:*:volume/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:*:*:snapshot/*"</span> <span class="p">]</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"ec2:CreateAction"</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"CreateVolume"</span><span class="p">,</span> <span class="s2">"CreateSnapshot"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:DeleteTags"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"arn:aws:ec2:*:*:volume/*"</span><span class="p">,</span> <span class="s2">"arn:aws:ec2:*:*:snapshot/*"</span> <span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:CreateVolume"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringLike</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"aws:RequestedRegion"</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_region</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:DeleteVolume"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringLike</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"ec2:ResourceTag/ebs.csi.aws.com/cluster"</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:DeleteSnapshot"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringLike</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"ec2:ResourceTag/CSIVolumeSnapshotName"</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-ebs-csi-driver-policy"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># Attach EBS CSI Driver Policy</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"ebs_csi_driver_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ebs_csi_driver_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">ebs_csi_driver_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># Pod Identity Association for EBS CSI Driver</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_eks_pod_identity_association"</span> <span class="s2">"ebs_csi_driver"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"kube-system"</span> <span class="nx">service_account</span> <span class="p">=</span> <span class="s2">"ebs-csi-controller-sa"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">ebs_csi_driver_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-ebs-csi-pod-identity"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>EKS Add-on: AWS EFS CSI driver for Kubernetes integration<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">####################################################################################</span> <span class="c1">### EBS CSI Driver Addon (deployed after EBS module)</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_eks_addon"</span> <span class="s2">"ebs_csi_driver"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">addon_name</span> <span class="p">=</span> <span class="s2">"aws-ebs-csi-driver"</span> <span class="c1"># Ensure this addon is created after the EBS module creates the IAM role and pod identity association</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">ebs</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-ebs-csi-driver"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 3: EBS Storage Implementation Patterns </h2> <h3> Static Provisioning </h3> <p>In static provisioning, the PersistentVolume (PV) is created manually by the administrator. The PV explicitly points to an existing EBS volume ID and directory.</p> <p>How it works:</p> <ol> <li>You first provision an EBS Volume using Terraform/CLI.</li> <li>You then define a Kubernetes PersistentVolume (PV) resource that references the EBS Volume ID.</li> <li>Then youcreate a PersistentVolumeClaim (PVC) that requests storage matching the PV’s specifications.</li> <li>Deploy your Pod (e.g., Nginx) and mount the PVC as a volume to store files.</li> </ol> <ul> <li> <code>static-storage-class.yaml</code> - StorageClass for static EBS volumes (no parameters needed) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-static-sc</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">ebs.csi.aws.com</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">gp3</span> <span class="na">fsType</span><span class="pi">:</span> <span class="s">ext4</span> <span class="na">volumeBindingMode</span><span class="pi">:</span> <span class="s">WaitForFirstConsumer</span> <span class="na">allowVolumeExpansion</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <ul> <li> <code>static-persistent-volume.yaml</code> - PersistentVolume pointing to existing EBS volume (requires <code>${EBS_VOLUME_ID}</code>) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolume</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-static-pv</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">capacity</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> <span class="na">volumeMode</span><span class="pi">:</span> <span class="s">Filesystem</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">persistentVolumeReclaimPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">ebs-static-sc</span> <span class="na">csi</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">ebs.csi.aws.com</span> <span class="na">volumeHandle</span><span class="pi">:</span> <span class="s">${EBS_VOLUME_ID}</span> <span class="na">fsType</span><span class="pi">:</span> <span class="s">ext4</span> </code></pre> </div> <ul> <li> <code>static-persistent-volume-claim.yaml</code> - PersistentVolumeClaim for static volume </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-static-pvc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">ebs-static-sc</span> <span class="na">volumeName</span><span class="pi">:</span> <span class="s">ebs-static-pv</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> </code></pre> </div> <ul> <li> <code>static-nginx-pod.yaml</code> - Test pod using static EBS volume </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-ebs-static-pod</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-ebs-static</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-storage</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/share/nginx/html</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">]</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'&lt;h1&gt;Hello</span><span class="nv"> </span><span class="s">from</span><span class="nv"> </span><span class="s">EBS</span><span class="nv"> </span><span class="s">Static</span><span class="nv"> </span><span class="s">Volume!&lt;/h1&gt;&lt;p&gt;&lt;b&gt;Pod:&lt;/b&gt;</span><span class="nv"> </span><span class="s">'$POD_NAME'&lt;/p&gt;'</span><span class="nv"> </span><span class="s">&gt;</span><span class="nv"> </span><span class="s">/usr/share/nginx/html/index.html</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">nginx</span><span class="nv"> </span><span class="s">-g</span><span class="nv"> </span><span class="s">'daemon</span><span class="nv"> </span><span class="s">off;'"</span><span class="pi">]</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-storage</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">ebs-static-pvc</span> </code></pre> </div> <ul> <li> <code>static-nginx-service.yaml</code> - Service to expose the static test pod </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-ebs-static-service</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-ebs-static</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-ebs-static</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> </code></pre> </div> <h3> Deployment Steps For Static Provisioning: </h3> <ol> <li>Get EBS values from Terraform: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infrastructure <span class="nv">EBS_VOLUME_ID</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> ebs_volume_id 2&gt;/dev/null <span class="o">||</span> <span class="nb">echo</span> <span class="s2">""</span><span class="si">)</span> </code></pre> </div> <ol> <li>Update manifests with EFS values: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="s2">"s/</span><span class="se">\$</span><span class="s2">{EBS_VOLUME_ID}/</span><span class="nv">$EBS_VOLUME_ID</span><span class="s2">/g"</span> static-persistent-volume.yaml <span class="o">&gt;</span> static-persistent-volume-final.yaml </code></pre> </div> <ol> <li>Apply static manifests: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> static-storage-class.yaml kubectl apply <span class="nt">-f</span> static-persistent-volume-final.yaml kubectl apply <span class="nt">-f</span> static-persistent-volume-claim.yaml kubectl apply <span class="nt">-f</span> static-nginx-pod.yaml kubectl apply <span class="nt">-f</span> static-nginx-service.yaml </code></pre> </div> <p>Refer to <code>static-deploy.sh</code> for deployment script for static provisioning<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get sc,pv,pvc NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE storageclass.storage.k8s.io/ebs-static-sc ebs.csi.aws.com Delete WaitForFirstConsumer <span class="nb">true </span>6m39s NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE persistentvolume/ebs-static-pv 10Gi RWO Retain Bound default/ebs-static-pvc ebs-static-sc &lt;<span class="nb">unset</span><span class="o">&gt;</span> 6m31s NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE persistentvolumeclaim/ebs-static-pvc Bound ebs-static-pv 10Gi RWO ebs-static-sc &lt;<span class="nb">unset</span><span class="o">&gt;</span> 6m28s </code></pre> </div> <p>EBS Volume:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyvu1o1hr6uy50w55mk96.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyvu1o1hr6uy50w55mk96.png" alt=" " width="800" height="97"></a></p> <p>Nginx pod accessing EBS for index.html</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5f1c112dnlnpf9zugna1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5f1c112dnlnpf9zugna1.png" alt=" " width="769" height="271"></a></p> <h3> Dynamic Provisioning (Recommended) </h3> <p>In dynamic provisioning, Kubernetes automatically creates EBS volumes on demand using the EBS CSI driver and a StorageClass.</p> <p>How it works:</p> <ol> <li>Define a StorageClass that specifies the EBS Volume (e.g., gp3 type, retention policy, binding mode)..</li> <li>When an application requests storage using a PVC, Kubernetes dynamically creates: <ul> <li>A new PV backed by a new EBS volume</li> <li>Pods mount the dynamically provisioned PV through the PVC.</li> </ul> </li> </ol> <ul> <li> <code>dynamic-storage-class.yaml</code> - StorageClass with gp3 volume configuration </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-dynamic-sc</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">ebs.csi.aws.com</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">gp3</span> <span class="na">fsType</span><span class="pi">:</span> <span class="s">ext4</span> <span class="na">encrypted</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">iops</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3000"</span> <span class="na">throughput</span><span class="pi">:</span> <span class="s2">"</span><span class="s">125"</span> <span class="na">volumeBindingMode</span><span class="pi">:</span> <span class="s">WaitForFirstConsumer</span> <span class="na">allowVolumeExpansion</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">reclaimPolicy</span><span class="pi">:</span> <span class="s">Delete</span> </code></pre> </div> <ul> <li> <code>dynamic-persistent-volume-claim.yaml</code> - PVC for dynamic volume creation </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-dynamic-pvc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">ebs-dynamic-sc</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> </code></pre> </div> <ul> <li> <code>dynamic-nginx-pod.yaml</code> - Test pod using dynamic EBS volume </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-ebs-dynamic-pod</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-ebs-dynamic</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-storage</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/share/nginx/html</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="na">lifecycle</span><span class="pi">:</span> <span class="na">postStart</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'&lt;h1&gt;Hello</span><span class="nv"> </span><span class="s">from</span><span class="nv"> </span><span class="s">EBS</span><span class="nv"> </span><span class="s">Dynamic</span><span class="nv"> </span><span class="s">Volume!&lt;/h1&gt;&lt;p&gt;&lt;b&gt;Pod:&lt;/b&gt;</span><span class="nv"> </span><span class="s">'$POD_NAME'&lt;/p&gt;'</span><span class="nv"> </span><span class="s">&gt;</span><span class="nv"> </span><span class="s">/usr/share/nginx/html/index.html"</span><span class="pi">]</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-storage</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">ebs-dynamic-pvc</span> </code></pre> </div> <ul> <li> <code>dynamic-nginx-service.yaml</code> - Service to expose the dynamic test pod </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-ebs-dynamic-service</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-ebs-dynamic</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-ebs-dynamic</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> </code></pre> </div> <h3> Deployment Steps For Dynamic Provisioning: </h3> <ol> <li>Apply static manifests: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> dynamic-storage-class.yaml kubectl apply <span class="nt">-f</span> dynamic-persistent-volume-claim.yaml kubectl apply <span class="nt">-f</span> dynamic-nginx-pod.yaml kubectl apply <span class="nt">-f</span> dynamic-nginx-service.yaml </code></pre> </div> <p>Refer to <code>dynamic-deploy.sh</code> for deployment script for dynamic provisioning<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get sc,pv,pvc NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE storageclass.storage.k8s.io/ebs-dynamic-sc ebs.csi.aws.com Delete WaitForFirstConsumer <span class="nb">true </span>3m31s NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE persistentvolume/pvc-7057dfad-6961-49cd-bf4f-db2f0bd9727f 10Gi RWO Delete Bound default/ebs-dynamic-pvc ebs-dynamic-sc &lt;<span class="nb">unset</span><span class="o">&gt;</span> 3m22s NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE persistentvolumeclaim/ebs-dynamic-pvc Bound pvc-7057dfad-6961-49cd-bf4f-db2f0bd9727f 10Gi RWO ebs-dynamic-sc &lt;<span class="nb">unset</span><span class="o">&gt;</span> 3m29s </code></pre> </div> <p>EBS Volume:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnnw1vsnswaf71wmvvfa5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnnw1vsnswaf71wmvvfa5.png" alt=" " width="800" height="95"></a></p> <p>Nginx pod accessing EBS for index.html</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzjg6skxod51mu9e7uuw4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzjg6skxod51mu9e7uuw4.png" alt=" " width="727" height="291"></a></p> <h3> Verification </h3> <p>Check that everything is working:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check EFS CSI driver pods</span> kubectl get pods <span class="nt">-n</span> kube-system <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>efs-csi-controller <span class="c"># Check storage classes</span> kubectl get storageclass ebs-sc <span class="c"># For Static Provisioning:</span> kubectl get pv ebs-static-pv kubectl get pvc ebs-static-pvc kubectl get pod nginx-ebs-static kubectl get service nginx-ebs-static-service <span class="c"># For Dynamic Provisioning:</span> kubectl get pvc ebs-dynamic-pvc kubectl get pod nginx-ebs-dynamic kubectl get service nginx-ebs-dynamic-service <span class="c"># Check volume mount</span> kubectl <span class="nb">exec </span>nginx-ebs-static-pod <span class="nt">--</span> <span class="nb">df</span> <span class="nt">-h</span> /usr/share/nginx/html kubectl <span class="nb">exec </span>nginx-ebs-dynamic-pod <span class="nt">--</span> <span class="nb">df</span> <span class="nt">-h</span> /usr/share/nginx/html <span class="c"># View content</span> kubectl <span class="nb">exec </span>nginx-ebs-static-pod <span class="nt">--</span> <span class="nb">cat</span> /usr/share/nginx/html/index.html kubectl <span class="nb">exec </span>nginx-ebs-dynamic-pod <span class="nt">--</span> <span class="nb">cat</span> /usr/share/nginx/html/index.html <span class="c"># Test nginx web servers</span> kubectl port-forward service/nginx-ebs-static-service 8082:80 <span class="c"># Static</span> <span class="c"># Then visit http://localhost:8082</span> kubectl port-forward service/nginx-ebs-dynamic-service 8083:80 <span class="c"># Dynamic</span> <span class="c"># Then visit http://localhost:8083</span> </code></pre> </div> <h2> Cleanup </h2> <ul> <li>Static Provisioning Cleanup </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete <span class="nt">-f</span> static-storage-class.yaml kubectl delete <span class="nt">-f</span> static-persistent-volume-final.yaml kubectl delete <span class="nt">-f</span> static-persistent-volume-claim.yaml kubectl delete <span class="nt">-f</span> static-nginx-pod.yaml kubectl delete <span class="nt">-f</span> static-nginx-service.yaml </code></pre> </div> <ul> <li>Dynamic Provisioning Cleanup </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete <span class="nt">-f</span> dynamic-nginx-service.yaml kubectl delete <span class="nt">-f</span> dynamic-nginx-pod.yaml kubectl delete <span class="nt">-f</span> dynamic-persistent-volume-claim.yaml kubectl delete <span class="nt">-f</span> dynamic-storage-class.yaml </code></pre> </div> <p>And then terraform destroy the EKS infrastructure if you are not using it to save costs.</p> <h3> Conclusion </h3> <p>Amazon EBS provides reliable block storage for stateful workloads on Amazon EKS. Using Terraform for infrastructure provisioning and Kubernetes manifests for storage configuration gives you both automation and flexibility. With proper setup of IAM roles, CSI drivers, and best practices, you can run workloads like Nginx with persistent storage on EKS confidently.</p> <h3> References </h3> <ul> <li><a href="https://github.com/chinmayto/aws-eks-kubernetes-storage-volumes/tree/main" rel="noopener noreferrer">My GitHub Repo – Full Terraform &amp; YAML Implementation</a></li> <li><a href="https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html" rel="noopener noreferrer">Amazon EBS CSI Driver Documentation</a></li> </ul> kubernetes aws eks ebs Kubernetes Storage Playlist - Part 2: Implementing Amazon EFS Storage with EKS using Terraform and Kubernetes Manifests Chinmay Tonape Mon, 08 Sep 2025 06:10:28 +0000 https://forem.com/aws-builders/kubernetes-storage-playlist-part-2-implementing-amazon-efs-storage-with-eks-using-terraform-and-542j https://forem.com/aws-builders/kubernetes-storage-playlist-part-2-implementing-amazon-efs-storage-with-eks-using-terraform-and-542j <p>In this blog, we will walk through how to integrate Amazon Elastic File System (EFS) with Amazon Elastic Kubernetes Service (EKS) using Terraform for infrastructure provisioning and Kubernetes manifests for workloads.</p> <p>As a demo, we will deploy an NGINX container that uses EFS-backed storage to persist and serve website files. This approach is common for workloads that require shared storage across multiple pods.</p> <h2> Understanding Amazon EFS for Kubernetes </h2> <h3> What is Amazon EFS? </h3> <p>Amazon Elastic File System (EFS) is a fully managed, scalable, and serverless network file system that can be mounted concurrently by multiple EC2 instances, Lambda functions, and Kubernetes pods.</p> <p>For Kubernetes workloads, EFS provides persistent volumes that can be shared across multiple pods, even across Availability Zones (AZs) in a VPC.</p> <h3> Architecture Diagram </h3> <p>The architecture of how Amazon EFS integrates with an EKS cluster revolves around Kubernetes storage resources and AWS networking components. First, an EFS file system is created with mount targets in each Availability Zone of the VPC, ensuring that EKS worker nodes across zones can connect to the storage. The EFS CSI driver, deployed as a DaemonSet in the EKS cluster, acts as the bridge between Kubernetes and EFS. To use this storage, a StorageClass is defined, which tells Kubernetes how to provision PersistentVolumes (PVs) either statically (by pointing to an existing file system/directory) or dynamically (by creating sub-directories through EFS Access Points). Applications then request storage using PersistentVolumeClaims (PVCs), which bind to the appropriate PV. When pods are deployed (e.g., an NGINX container), the CSI driver mounts the EFS file system onto the worker node through the mount targets, and the pod accesses it as a standard directory path. This setup ensures that any pod in the cluster, regardless of node or AZ, can reliably attach to the same EFS-backed storage for shared and persistent data.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn1el1bfavcbhq4d4jxl2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn1el1bfavcbhq4d4jxl2.png" alt=" " width="800" height="687"></a></p> <h3> Key Benefits for EKS </h3> <ul> <li> <strong>Shared storage</strong>: Multiple pods can read and write simultaneously.</li> <li> <strong>Elastic scaling</strong>: Automatically grows and shrinks with demand.</li> <li> <strong>Multi-AZ access</strong>: Ensures high availability across EKS worker nodes.</li> <li> <strong>Use cases</strong>: Content management, logs aggregation, web apps, home directories.</li> </ul> <h3> Important Considerations with EKS </h3> <ul> <li> <strong>Kubernetes version</strong>: Ensure you are using a supported version (v1.23+ recommended).</li> <li> <strong>EFS CSI driver</strong>: Must be installed in the cluster to enable storage integration.</li> <li> <strong>Pod Identity/IRSA</strong>: Required to grant fine-grained IAM permissions.</li> <li> <strong>Performance</strong>: Suitable for general-purpose and throughput-heavy workloads, but not ideal for low-latency databases.</li> <li> <strong>Quotas</strong>: File system size and performance modes must be considered when designing workloads.</li> </ul> <h2> Step 1: Provisioning EKS Cluster with Terraform in a VPC </h2> <p>The first step in integrating Amazon EFS with EKS is to provision a Kubernetes cluster that runs securely inside a dedicated VPC. We will use the widely adopted AWS Terraform community modules for both the VPC and EKS setup. Please refer to main module of GitHub repo.</p> <h2> Step 2: Creating the EFS File System </h2> <ul> <li> <strong>EFS File System</strong>: Encrypted EFS with configurable performance mode </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">####################################################################################</span> <span class="c1"># EFS File System</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_efs_file_system"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">creation_token</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-efs"</span> <span class="nx">encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">performance_mode</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">performance_mode</span> <span class="nx">throughput_mode</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">throughput_mode</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-efs"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong>EFS Mount Targets</strong>: One per private subnet for high availability and EFS access point </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">####################################################################################</span> <span class="c1"># EFS Mount Targets (one per private subnet)</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_efs_mount_target"</span> <span class="s2">"main"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span><span class="p">)</span> <span class="nx">file_system_id</span> <span class="p">=</span> <span class="nx">aws_efs_file_system</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">efs</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># EFS Access Point for Pod</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_efs_access_point"</span> <span class="s2">"pod_access_point"</span> <span class="p">{</span> <span class="nx">file_system_id</span> <span class="p">=</span> <span class="nx">aws_efs_file_system</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">posix_user</span> <span class="p">{</span> <span class="nx">gid</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">posix_user_gid</span> <span class="nx">uid</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">posix_user_uid</span> <span class="p">}</span> <span class="nx">root_directory</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/app-data"</span> <span class="nx">creation_info</span> <span class="p">{</span> <span class="nx">owner_gid</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">posix_user_gid</span> <span class="nx">owner_uid</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">posix_user_uid</span> <span class="nx">permissions</span> <span class="p">=</span> <span class="s2">"755"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-efs-access-point"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong>Security Group</strong>: Allows NFS traffic (port 2049) from EKS nodes </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">####################################################################################</span> <span class="c1"># Security Group for EFS</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"efs"</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-efs-"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"NFS from EKS nodes"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">2049</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">2049</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">vpc_cidr</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-efs-sg"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong>IAM Role</strong>: For EFS CSI driver with pod identity </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">####################################################################################</span> <span class="c1"># IAM Role for EFS CSI Driver (Pod Identity)</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"efs_csi_driver_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-efs-csi-driver-role"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"pods.eks.amazonaws.com"</span> <span class="p">}</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sts:AssumeRole"</span><span class="p">,</span> <span class="s2">"sts:TagSession"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-efs-csi-driver-role"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># Create Custom EFS CSI Driver Policy</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_policy"</span> <span class="s2">"efs_csi_driver_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-efs-csi-driver-policy"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Policy for EFS CSI driver"</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"elasticfilesystem:DescribeAccessPoints"</span><span class="p">,</span> <span class="s2">"elasticfilesystem:DescribeFileSystems"</span><span class="p">,</span> <span class="s2">"elasticfilesystem:DescribeMountTargets"</span><span class="p">,</span> <span class="s2">"ec2:DescribeAvailabilityZones"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"elasticfilesystem:CreateAccessPoint"</span><span class="p">,</span> <span class="s2">"elasticfilesystem:TagResource"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"elasticfilesystem:DeleteAccessPoint"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"elasticfilesystem:AccessedViaMountTarget"</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-efs-csi-driver-policy"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># Attach EFS CSI Driver Policy</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"efs_csi_driver_policy"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">efs_csi_driver_role</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="nx">aws_iam_policy</span><span class="p">.</span><span class="nx">efs_csi_driver_policy</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1">####################################################################################</span> <span class="c1"># Pod Identity Association for EFS CSI Driver</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_eks_pod_identity_association"</span> <span class="s2">"efs_csi_driver"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"kube-system"</span> <span class="nx">service_account</span> <span class="p">=</span> <span class="s2">"efs-csi-controller-sa"</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">efs_csi_driver_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-efs-csi-pod-identity"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li> <strong>EKS Add-on</strong>: AWS EFS CSI driver for Kubernetes integration </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1">####################################################################################</span> <span class="c1">### EFS CSI Driver Addon (deployed after EFS module)</span> <span class="c1">####################################################################################</span> <span class="k">resource</span> <span class="s2">"aws_eks_addon"</span> <span class="s2">"efs_csi_driver"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="k">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">addon_name</span> <span class="p">=</span> <span class="s2">"aws-efs-csi-driver"</span> <span class="c1"># Ensure this addon is created after the EFS module creates the IAM role and pod identity association</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="k">module</span><span class="p">.</span><span class="nx">efs</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-efs-csi-driver"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">Terraform</span> <span class="p">=</span> <span class="s2">"true"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 3: EFS Storage Implementation Patterns </h2> <h3> Static Provisioning </h3> <p>In static provisioning, the PersistentVolume (PV) is created manually by the administrator. The PV explicitly points to an existing EFS File System ID and directory.</p> <p>How it works:</p> <ol> <li>You first provision an EFS file system and create mount targets in your VPC.</li> <li>You then define a Kubernetes PersistentVolume (PV) resource that references the EFS File System ID.</li> <li>Applications request storage through a PersistentVolumeClaim (PVC) that binds to this PV.</li> <li>The EFS volume is mounted directly into pods through the PVC.</li> </ol> <ul> <li> <code>static-storage-class.yaml</code> - StorageClass for static EFS provisioning (no parameters) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">efs-static-sc</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">efs.csi.aws.com</span> <span class="c1"># Static provisioning - no parameters needed</span> </code></pre> </div> <ul> <li> <code>static-persistent-volume.yaml</code> - PV using existing EFS file system (requires <code>${EFS_FILE_SYSTEM_ID}</code>) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolume</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">efs-static-pv</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">capacity</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">5Gi</span> <span class="na">volumeMode</span><span class="pi">:</span> <span class="s">Filesystem</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteMany</span> <span class="na">persistentVolumeReclaimPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">efs-static-sc</span> <span class="na">csi</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">efs.csi.aws.com</span> <span class="na">volumeHandle</span><span class="pi">:</span> <span class="s">${EFS_FILE_SYSTEM_ID}</span> </code></pre> </div> <ul> <li> <code>static-persistent-volume-claim.yaml</code> - PVC for static volume </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">efs-static-pvc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteMany</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">efs-static-sc</span> <span class="na">volumeName</span><span class="pi">:</span> <span class="s">efs-static-pv</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">5Gi</span> </code></pre> </div> <ul> <li> <code>static-nginx-pod.yaml</code> - Test pod using static EFS volume </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-efs-static-pod</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-efs-static</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">efs-storage</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/share/nginx/html</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">]</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'&lt;h1&gt;Hello</span><span class="nv"> </span><span class="s">from</span><span class="nv"> </span><span class="s">EFS</span><span class="nv"> </span><span class="s">Static</span><span class="nv"> </span><span class="s">Volume!&lt;/h1&gt;&lt;p&gt;&lt;b&gt;Pod:&lt;/b&gt;</span><span class="nv"> </span><span class="s">'$POD_NAME'&lt;/p&gt;'</span><span class="nv"> </span><span class="s">&gt;</span><span class="nv"> </span><span class="s">/usr/share/nginx/html/index.html</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">nginx</span><span class="nv"> </span><span class="s">-g</span><span class="nv"> </span><span class="s">'daemon</span><span class="nv"> </span><span class="s">off;'"</span><span class="pi">]</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">efs-storage</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">efs-static-pvc</span> </code></pre> </div> <ul> <li> <code>static-nginx-service.yaml</code> - Service to expose the static test pod </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-efs-static-service</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-efs-static</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> </code></pre> </div> <h3> Deployment Steps For Static Provisioning: </h3> <p>1 <strong>Get EFS values from Terraform</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">cd </span>infrastructure <span class="nv">EFS_FILE_SYSTEM_ID</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> efs_file_system_id<span class="si">)</span> </code></pre> </div> <p>2 <strong>Update manifests with EFS values</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Replace placeholder in static-persistent-volume.yaml</span> <span class="nb">sed</span> <span class="s2">"s/</span><span class="se">\$</span><span class="s2">{EFS_FILE_SYSTEM_ID}/</span><span class="nv">$EFS_FILE_SYSTEM_ID</span><span class="s2">/g"</span> static-persistent-volume.yaml <span class="o">&gt;</span> static-persistent-volume-final.yaml </code></pre> </div> <p>3 <strong>Apply static manifests</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl apply <span class="nt">-f</span> static-storage-class.yaml kubectl apply <span class="nt">-f</span> static-persistent-volume-final.yaml kubectl apply <span class="nt">-f</span> static-persistent-volume-claim.yaml kubectl apply <span class="nt">-f</span> static-nginx-pod.yaml kubectl apply <span class="nt">-f</span> static-nginx-service.yaml </code></pre> </div> <p>Refer to <code>static-deploy.sh</code> for deployment script for static provisioning<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get sc,pv,pvc NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE storageclass.storage.k8s.io/efs-static-sc efs.csi.aws.com Delete Immediate <span class="nb">false </span>27s NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE persistentvolume/efs-static-pv 5Gi RWX Retain Bound default/efs-static-pvc efs-static-sc &lt;<span class="nb">unset</span><span class="o">&gt;</span> 25s NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE persistentvolumeclaim/efs-static-pvc Bound efs-static-pv 5Gi RWX efs-static-sc &lt;<span class="nb">unset</span><span class="o">&gt;</span> 21s </code></pre> </div> <p>EFS Volume:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7xaolkqhcw481zw3efkl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7xaolkqhcw481zw3efkl.png" alt=" " width="800" height="133"></a></p> <p>Nginx pod accessing EFS for index.html</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb16jyfg626rltgvy171a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb16jyfg626rltgvy171a.png" alt=" " width="656" height="259"></a></p> <h3> Dynamic Provisioning </h3> <p>In dynamic provisioning, Kubernetes automatically creates PersistentVolumes (PVs) as needed, based on a StorageClass that uses the EFS CSI driver. This approach leverages EFS Access Points, which act like sub-directories with their own permissions inside the file system.</p> <p>How it works:</p> <ol> <li>Define a StorageClass that specifies the EFS file system and provisioning mode.</li> <li>When an application requests storage using a PVC, Kubernetes dynamically creates: <ul> <li>A new PV backed by an EFS Access Point.</li> <li>A dedicated directory within the EFS filesystem.</li> <li>Pods mount the dynamically provisioned PV through the PVC.</li> </ul> </li> </ol> <ul> <li> <code>dynamic-storage-class.yaml</code> - StorageClass for dynamic EFS provisioning (requires <code>${EFS_FILE_SYSTEM_ID}</code>) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">efs-dynamic-sc</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">efs.csi.aws.com</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">provisioningMode</span><span class="pi">:</span> <span class="s">efs-ap</span> <span class="na">fileSystemId</span><span class="pi">:</span> <span class="s">${EFS_FILE_SYSTEM_ID}</span> <span class="na">directoryPerms</span><span class="pi">:</span> <span class="s2">"</span><span class="s">700"</span> <span class="na">gidRangeStart</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1000"</span> <span class="na">gidRangeEnd</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2000"</span> <span class="na">basePath</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/dynamic_provisioning"</span> <span class="na">allowVolumeExpansion</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <ul> <li> <code>dynamic-persistent-volume-claim.yaml</code> - PVC for dynamic volume creation </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">efs-dynamic-pvc</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteMany</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">efs-dynamic-sc</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">5Gi</span> </code></pre> </div> <ul> <li> <code>dynamic-nginx-pod.yaml</code> - Test pod using dynamic EFS volume </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-efs-dynamic-pod</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-efs-dynamic</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">efs-storage</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/share/nginx/html</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="na">lifecycle</span><span class="pi">:</span> <span class="na">postStart</span><span class="pi">:</span> <span class="na">exec</span><span class="pi">:</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">echo</span><span class="nv"> </span><span class="s">'&lt;h1&gt;Hello</span><span class="nv"> </span><span class="s">from</span><span class="nv"> </span><span class="s">EFS</span><span class="nv"> </span><span class="s">Dynamic</span><span class="nv"> </span><span class="s">Volume!&lt;/h1&gt;&lt;p&gt;&lt;b&gt;Pod:&lt;/b&gt;</span><span class="nv"> </span><span class="s">'$POD_NAME'&lt;/p&gt;'</span><span class="nv"> </span><span class="s">&gt;</span><span class="nv"> </span><span class="s">/usr/share/nginx/html/index.html"</span><span class="pi">]</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">efs-storage</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">efs-dynamic-pvc</span> </code></pre> </div> <ul> <li> <code>dynamic-nginx-service.yaml</code> - Service to expose the dynamic test pod </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-efs-dynamic-service</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">nginx-efs-dynamic</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> </code></pre> </div> <h3> Deployment Steps For Dynamic Provisioning: </h3> <p>1 <strong>Get EFS values from Terraform</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">cd </span>infrastructure <span class="nv">EFS_FILE_SYSTEM_ID</span><span class="o">=</span><span class="si">$(</span>terraform output <span class="nt">-raw</span> efs_file_system_id<span class="si">)</span> </code></pre> </div> <p>2 <strong>Update manifests with EFS values</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># Replace placeholder in dynamic-storage-class.yaml</span> <span class="nb">sed</span> <span class="s2">"s/</span><span class="se">\$</span><span class="s2">{EFS_FILE_SYSTEM_ID}/</span><span class="nv">$EFS_FILE_SYSTEM_ID</span><span class="s2">/g"</span> dynamic-storage-class.yaml <span class="o">&gt;</span> dynamic-storage-class-final.yaml </code></pre> </div> <p>3 <strong>Apply dynamic manifests</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl apply <span class="nt">-f</span> dynamic-storage-class-final.yaml kubectl apply <span class="nt">-f</span> dynamic-persistent-volume-claim.yaml kubectl apply <span class="nt">-f</span> dynamic-nginx-pod.yaml kubectl apply <span class="nt">-f</span> dynamic-nginx-service.yaml </code></pre> </div> <p>Refer <code>dynamic-deploy.sh</code> for deployment script for dynamic provisioning<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get sc,pv,pvc NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE storageclass.storage.k8s.io/efs-dynamic-sc efs.csi.aws.com Delete Immediate <span class="nb">true </span>14m NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE persistentvolume/pvc-c07eb431-8060-4e19-8fd6-7166e816c4d9 5Gi RWX Delete Bound default/efs-dynamic-pvc efs-dynamic-sc &lt;<span class="nb">unset</span><span class="o">&gt;</span> 14m NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE persistentvolumeclaim/efs-dynamic-pvc Bound pvc-c07eb431-8060-4e19-8fd6-7166e816c4d9 5Gi RWX efs-dynamic-sc &lt;<span class="nb">unset</span><span class="o">&gt;</span> 14m </code></pre> </div> <p>Nginx pod accessing EFS for index.html:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fair3pgu5n6pmzs72tyjo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fair3pgu5n6pmzs72tyjo.png" alt=" " width="672" height="250"></a></p> <h2> Verification </h2> <p>Check that everything is working:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check EFS CSI driver pods</span> kubectl get pods <span class="nt">-n</span> kube-system <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>efs-csi-controller <span class="c"># Check storage classes</span> kubectl get storageclass efs-static-sc efs-dynamic-sc <span class="c"># For Static Provisioning:</span> kubectl get pv efs-static-pv kubectl get pvc efs-static-pvc kubectl get pod nginx-efs-static-pod kubectl get service nginx-efs-static-service <span class="c"># For Dynamic Provisioning:</span> kubectl get pvc efs-dynamic-pvc kubectl get pod nginx-efs-dynamic-pod kubectl get service nginx-efs-dynamic-service <span class="c"># Test nginx web servers</span> kubectl port-forward service/nginx-efs-static-service 8080:80 <span class="c"># Static</span> <span class="c"># Then visit http://localhost:8080</span> kubectl port-forward service/nginx-efs-dynamic-service 8081:80 <span class="c"># Dynamic</span> <span class="c"># Then visit http://localhost:8081</span> <span class="c"># Test file persistence</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> nginx-efs-static-pod <span class="nt">--</span> <span class="nb">ls</span> <span class="nt">-la</span> /usr/share/nginx/html/ kubectl <span class="nb">exec</span> <span class="nt">-it</span> nginx-efs-dynamic-pod <span class="nt">--</span> <span class="nb">ls</span> <span class="nt">-la</span> /usr/share/nginx/html/ </code></pre> </div> <h3> Cleanup </h3> <ul> <li>Static Provisioning Cleanup </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl delete <span class="nt">-f</span> static-nginx-service.yaml kubectl delete <span class="nt">-f</span> static-nginx-pod.yaml kubectl delete <span class="nt">-f</span> static-persistent-volume-claim.yaml kubectl delete <span class="nt">-f</span> static-persistent-volume.yaml kubectl delete <span class="nt">-f</span> static-storage-class.yaml </code></pre> </div> <ul> <li>Dynamic Provisioning Cleanup </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl delete <span class="nt">-f</span> dynamic-nginx-service.yaml kubectl delete <span class="nt">-f</span> dynamic-nginx-pod.yaml kubectl delete <span class="nt">-f</span> dynamic-persistent-volume-claim.yaml kubectl delete <span class="nt">-f</span> dynamic-storage-class.yaml </code></pre> </div> <p>And then terraform destroy the EKS infrastructure if you are not using it to save costs.</p> <h3> Conclusion </h3> <p>Amazon EFS with EKS provides a scalable, shared, and highly available storage solution for Kubernetes workloads. Using Terraform, YAML manifests, and the EFS CSI driver, you can seamlessly integrate cloud-native storage with your workloads.</p> <p>For our demo, we deployed an NGINX container that serves website files from EFS storage. This pattern is widely applicable to web applications, shared logs, and content management systems running on EKS.</p> <h3> References </h3> <ul> <li><a href="https://github.com/chinmayto/aws-eks-kubernetes-storage-volumes/tree/main" rel="noopener noreferrer">My GitHub Repo – Full Terraform &amp; YAML Implementation</a></li> <li><a href="https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html" rel="noopener noreferrer">Amazon EFS CSI Driver Documentation</a></li> </ul> kubernetes aws eks efs