Terraform-on-AWS-EKS-v5 adshdhddhowahaaaaaaaaaaa.pptx

StackSimplify
Terraform on AWS EKS Kubernetes - 50 Real-World Demos
Kalyan Reddy Daida

StackSimplify
© Kalyan Reddy Daida
AWS EKS
Kubernetes
Azure AKS
Kubernetes
Google GKE Kubernetes
AWS CloudFormation
DevOps on
AWS & Azure
AWS ECS
Docker on AWS
Kubernetes
Certifications
CKAD, CKA, CKS
HashiCorp Certified Terraform Associate on AWS with 50 Practical Demos
HashiCorp Certified
Vault & Consul
Terraform on AWS with SRE and IaC DevOps with 20 Real-World Demos
HashiCorp Certified Terraform Associate on Azure with 60+ Practical Demos
Terraform on Azure with IaC DevOps SRE with 20+ Real-World Demos
Jenkins
Ansible
Azure Certs
AZ-900, 104, 204,
400
DevOps &
SRE
Roadmap
AWS Lambda
Google Cloud
Associate &
Professional Certs
Azure AKS
Part-2
Python
Terraform on AWS EKS Elastic Kubernetes Service with 50+ Real-World Demos

StackSimplify
Terraform Fundamentals
(4.5 Hours)
Kubernetes Fundamentals
(3 Hours)
AWS VPC 3-Tier Network
EC2 Bastion Host in Public
Subnets
EKS Cluster
(Public and Private Node Group)
Kubernetes Deployment &
Services using TF k8s Provider
Terraform Remote State Storage
(Key Concept for Real-World Implementation)
EKS Cluster
EKS IRSA
(AWS IAM Roles for k8s Service Accounts)
Kubernetes Storage: EBS CSI
(5 Demos)
EKS IAM
(7 Demos)
EKS Load Balancer Controller Ingress
(17 Demos)
EKS Fargate
(3 Demos)
Autoscaling
(Cluster Autoscaler, HPA, VPA)
EKS Monitoring and Logging
(CloudWatch Agent + FluentBit)
50
Real-World
Demos
Kubernetes Storage: EFS CSI
(4 Demos)

StackSimplify
GitHub Step-by-Step Documentation

StackSimplify
How are Terraform Projects organized ?
4 Terraform Projects
1 YAML Project
EKS Cluster Terraform Project

StackSimplify
AWS Load Balancer
Controller
Terraform Project
AWS External DNS
Terraform Project
Ingress + External DNS
YAML Project

StackSimplify
Terraform Project
In short, every AWS EKS demo is
automated with Terraform
Every Terraform Project is organized
in GitHub and contains step by step
documentation

StackSimplify
AWS EKS Kubernetes Storage
AWS EBS Volume Volume Volume Volume Volume
AWS EBS CSI Install on EKS
Kubernetes Sample App with EBS
Volumes (YAML Manifests)
Kubernetes Sample App with EBS
Volumes (Terraform Manifests)
D1
D2
D3
AWS EFS CSI Install on EKS
AWS EFS Static Provisioning
AWS EFS Dynamic Provisioning
D1
D2
D3
Elastic File System
(AWS EFS)
File system File system File system File system
AWS EFS Mounts for Fargate Workloads
D4
EBS CSI Controller EFS CSI Controller
EBS Volumes Resizing
D4
EBS CSI Install using EKS Add-On
D5

StackSimplify
AWS EKS Autoscaling, Monitoring & Logging
Kubernetes Cluster Autoscaler Install
Cluster Autoscaler Testing using Sample
App
Horizontal Pod Autoscaler with Sample
App
D1
D2
D3
EKS Monitoring & Logging
(Implement using kubectl)
EKS Monitoring & Logging
(Automate with Terraform)
D1
D2
Autoscaling Monitoring &
Logging
Vertical Pod Autoscaler Install
D4
Vertical Pod Autoscaler Testing with
Sample App
D5
CloudWatch Agent FluentBit
CloudWatch Agent FluentBit

StackSimplify
A Developer requesting full access to
a namespace (dev) in EKS Cluster
and in addition, also asking for read-
only access to EKS Cluster
1. Kubernetes Role
2. Kubernetes Role Binding
3. Kubernetes Cluster Role
4. Kubernetes Cluster Role Binding
Section-19
Section-20
Section-21
Section-22
Section-23
Section-24
Section-25
IAM
IAM Policy
IAM Role
Kubernetes
Config Map
IAM User
IAM Group
Role Binding
Role
Cluster Role
Binding
Cluster Role
AWS EKS IAM Demos
Provision AWS IAM
Admins as EKS Admins
Provision AWS IAM Basic
User as EKS Admin
Automate Section-19,20
with Terraform
Provision EKS Admins with
AWS IAM Roles & IAM
Groups
Automate Section-22 with
Terraform
Provision EKS Read-Only Users with IAM Roles, IAM
Groups, Kubernetes Cluster Role and Cluster Role Binding

StackSimplify
AWS Load Balancer
Controller Install
Ingress Basics
Ingress Context Path
Routing
Ingress SSL & SSL Redirect
Ingress Cross Namespaces
External DNS Install
k8s Service + External DNS
Ingress Name based Virtual
Host Routing
SSL Discovery - Host
SSL Discovery - TLS
Ingress Groups
Ingress Target Type - IP
Ingress Internal ALB
D1
D2
D3
D4
D5
D6
D7
D8
D9
D10
D11
D12
D13
D14
AWS Load
Balancer
Controller
AWS
Application
Load
Balancer
Kubernetes
Ingress
Service
Terraform
Kubernetes
Provider
AWS EKS Load Balancer Demos

StackSimplify
Network Load Balancer
Basics
TLS + External DNS
Internal LB
AWS Load
Balancer
Controller
AWS
Network
Load
Balancer
Kubernetes
Service
Terraform
Kubernetes
Provider
D15
D16
D17
AWS EKS Load Balancer
Controller Demos
AWS Fargate
EKS Fargate Profiles
Run k8s Workloads on
Fargate
Fargate Only EKS Cluster
(VERY IMPORTANT)
D1
D2
D3
EKS Cluster Fargate
Elastic
Load Balancing
Application Load
Balancer
Network Load
Balancer

StackSimplify
Terraform
Providers
AWS
Kubernetes
Kubectl
HELM
NULL
HTTP
Terraform Providers

StackSimplify
GitHub Repository
Repository Used For Repository URL
Course Main Repository with step-by-step
documentation
https://github.com/stacksimplify/terraform-on-aws-eks

StackSimplify
END OF INTRODUCTION

StackSimplify
Terraform
Infrastructure as Code
IaC

StackSimplify
What is Infrastructure as Code ?

StackSimplify
Traditional Way of Managing Infrastructure
Dev QA Staging Production
Disaster
Recovery
Admin-1 Admin-1
Documentation
Admin-2 Admin-2 Admin-2
5 Days 5 Days 5 Days 5 Days 5 Days
Total Time: 25 Days

StackSimplify
Disaster
Recovery
Admin-1 Admin-1
Documentation
(Steps Missing)
No CI Delays Issues Outages
Not-in-
Sync
Many Problems at many places in manual process

StackSimplify
Disaster
Recovery
Admin-1 Admin-1
Documentation
Infrastructure scalability – Workforce need to be increased to meet the timelines
Disaster
Recovery
Documentation
Admin-3 Admin-3 Admin-4 Admin-4 Admin-4

StackSimplify
Prod-1 Prod-2 Prod-3 Prod-4
On-Demand Scale-Up and Scale-Down is not an option
Prod-1 Prod-2
Scale Up
Scale Down

StackSimplify
Manage using IaC with Terraform
Disaster
Recovery
Admin-1
5 Days
Total Time: 25 Days reduced to 5 days, Provisioning environments will be in minutes or seconds
Check-In TF Code Triggers
TF Runs
Creates Infra
Terraform
Cloud
One-Time
Work
Re-Use
Template
s
Quick &
Fast
Reliable
Tracked
for Audit
DevOps / CI CD for IaC
Scale-Up and Scale-Down On-Demand
Github

StackSimplify
Manage using IaC with Terraform
Visibility
IaC serves as a very clear reference of what resources we created, and what their settings are.
We don’t have to navigate to the web console to check the parameters.
Stability
If you accidentally change the wrong setting or delete the wrong resource in the web console
you can break things. IaC helps solve this, especially when it is combined with version control,
such as Git.
Scalability
With IaC we can write it once and then reuse it many times. This means that one well written
template can be used as the basis for multiple services, in multiple regions around the world,
making it much easier to horizontally scale.
Security
Once again IaC gives you a unified template for how to deploy our architecture. If we create one
well secured architecture we can reuse it multiple times, and know that each deployed version is
following the same settings.
Audit
Terraform not only creates resources it also maintains the record of what is created in real world
cloud environments using its State files.

StackSimplify
Google Trends – Past 5 Years

StackSimplify
Google Trends – Past 1 Year

StackSimplify
Terraform
Site Reliability
Engineering
SRE

StackSimplify
What is SRE?

StackSimplify
50%
Infrastructure
Automation
50%
Operations
Site Reliability Engineering - SRE
Our course primarily focuses on Infrastructure
Automation which will be a key role for an SRE even
though weightage is 50%

StackSimplify
Terraform
Installation

StackSimplify
Terraform Installation
Terraform CLI AWS CLI VS Code Editor
Terraform plugin
for VS Code
Mac OS
Linux OS
Windows OS

StackSimplify
Terraform
Command Basics

StackSimplify
init validate plan apply destroy
1 2 3 4 5
terraform init terraform validate terraform plan terraform apply terraform destroy
Terraform Workflow

StackSimplify
init validate plan apply destroy
1 2 3 4 5
• Used to Initialize a
working directory
containing
terraform config
files
• This is the first
command that
should be run after
writing a new
Terraform
configuration
• Downloads
Providers
• Validates the
terraform
configurations files
in that respective
directory to ensure
they are
syntactically valid
and internally
consistent.
• Creates an
execution plan
• Terraform
performs a refresh
and determines
what actions are
necessary to
achieve the
desired state
specified in
configuration files
• Used to apply the
changes required
to reach the
desired state of the
configuration.
• By
default, apply scan
s the current
directory for the
configuration and
applies the
changes
appropriately.
• Used to destroy
the Terraform-
managed
infrastructure
• This will ask for
confirmation
before destroying.
Terraform Workflow

StackSimplify
Terraform
Language Basics

StackSimplify
• Code in the Terraform language is stored
in plain text files with the .tf file
extension.
• There is also a JSON-based variant of
the language that is named with
the .tf.json file extension.
• We can call the files containing
terraform code as Terraform
Configuration Files or Terraform
Manifests
Terraform Language Basics – Files
Terraform Working
Directory
Terraform Configuration Files
ending with .tf as extension

StackSimplify
Terraform Language Basics – Configuration Syntax
Blocks
Arguments
Identifiers
Comments
HCL – HashiCorp Language Terraform

StackSimplify
Block Type
Block Labels
Arguments
Based on Block
Type block labels
will be 1 or 2
Example:
Resource – 2
labels
Variables – 1 label
Top Level &
Block inside
Blocks
Top Level Blocks: resource, provider
Block Inside Block: provisioners,
resource specific blocks like tags

StackSimplify
Argument
Name
[or]
Identifier
Argument
Value
[or]
Expression

StackSimplify
Single Line Comments with # or //
Multi-line comment

StackSimplify
Terraform Block
Providers Block
Resources Block
Input Variables Block
Output Values Block
Data Sources Block
Modules Block
Local Values Block
Terraform
Top-Level
Blocks
Fundamental Blocks Variable Blocks Calling / Referencing Blocks
Terraform language uses a limited number
of top-level block types, which
are blocks that can appear outside of any
other block in a TF configuration file.
Most of Terraform's features are
implemented as top-level blocks.

StackSimplify
Terraform
Fundamental Blocks

StackSimplify
Terraform Basic Blocks
Terraform
Block
Provider
Block
Resource
Block
Special block used to configure
some behaviors
Required Terraform Version
List Required Providers
Terraform Backend
HEART of Terraform
Terraform relies on providers to
interact with Remote Systems
Declare providers for Terraform
to install providers & use them
Provider configurations belong
to Root Module
Each Resource Block describes one
or more Infrastructure Objects
Resource Syntax:
How to declare Resources?
Resource Behavior: How Terraform
handles resource declarations?
Provisioners: We can configure
Resource post-creation actions
c1-versions.tf c2-resource-name.tf

StackSimplify
Terraform
Block

StackSimplify
• This block can be called in 3 ways. All means the same.
• Terraform Block
• Terraform Settings Block
• Terraform Configuration Block
• Each terraform block can contain a number of settings related to
Terraform's behavior.
• VERY VERY IMPORTANT TO MEMORIZE
• Within a terraform block, only constant values can be used; arguments may
not refer to named objects such as resources, input variables, etc, and may
not use any of the Terraform language built-in functions.
Terraform Block

StackSimplify
Terraform Block from 0.13 onwards

StackSimplify
Terraform Block
Terraform Block
Required Terraform
Version
Provider Requirements
Terraform Backend
Experimental Language
Features
Passing Metadata to
Providers

StackSimplify
Terraform
Providers

StackSimplify
Terraform Providers
AWS Cloud
VPC
Public subnet
EC2 Instance
AWS
APIs
Terraform Admin
Local Desktop
Terraform CLI
Terraform AWS
Provider
Terraform Registry
terraform init
terraform plan
terraform destroy
terraform apply
Providers are HEART of Terraform
Without Providers Terraform cannot manage any infrastructure.
Providers are distributed separately from Terraform and each
provider has its own release cycles and Version Numbers
Terraform Registry is publicly available which contains many
Terraform Providers for most major Infra Platforms
Every Resource Type (example: EC2 Instance), is implemented by a
Provider
1
2 terraform validate 3
4
5

StackSimplify
Provider Requirements Provider Configuration Dependency Lock File
Terraform
Providers

StackSimplify
Dependency Lock File

StackSimplify
Required Providers
Local Names
Local Names are Module specific and should be unique per-module
Terraform configurations always refer to local name of provider outside
required_provider block
Users of a provider can choose any local name for it (myaws, aws1, aws2).
Recommended way of choosing local name is to use preferred local name of
that provider (For AWS Provider: hashicorp/aws, preferred local name is aws)
Source
It is the primary location where we can download the Terraform Provider
Source addresses consist of three parts delimited by slashes (/)
[<HOSTNAME>/]<NAMESPACE>/<TYPE>
registry.terraform.io/hashicorp/aws
Registry Name is optional as default is going to be Terraform Public Registry

StackSimplify
Terraform Provider
Registry
Providers Modules
Provider Badges
Provider Documentation
These are owned and maintained by HashiCorp
These are owned and maintained by third-party technology
partners. HashiCorp has verified the authenticity of the
Provider’s publisher
Community providers are published to the Terraform Registry
by individual maintainers, groups of maintainers, or other
members of the Terraform community.
Archived Providers are Official or Verified Providers that are
no longer maintained by HashiCorp or the community.
registry.terraform.io
Terraform Registry

StackSimplify
Terraform
Resources
Introduction

StackSimplify
Resource Syntax
Resource Type: It determines the kind of
infrastructure object it manages and what arguments
and other attributes the resource supports.
Resource Local Name: It is used to refer to this
resource from elsewhere in the same Terraform
module, but has no significance outside that module's
scope.
The resource type and name together serve as an
identifier for a given resource and so must be unique
within a module
Meta-Arguments: Can be used with any resource to
change the behavior of resources
Resource Arguments: Will be specific to resource
type. Argument Values can make use of Expressions or
other Terraform Dynamic Language Features

StackSimplify
Terraform
State

StackSimplify
Resource Behavior
Terraform Resource
Create Resource
Destroy Resource
Update in-place
Resources
Destroy and re-
create
Create resources that exist in the configuration but are not
associated with a real infrastructure object in the state.
Destroy resources that exist in the state but no longer exist
in the configuration.
Update in-place resources whose arguments have
changed.
Destroy and re-create resources whose arguments have
changed but which cannot be updated in-place due to
remote API limitations.
Terraform State

StackSimplify
Terraform
State
AWS Cloud
VPC
Public subnet
EC2 Instance
AWS
APIs
Terraform
Admin
Local Desktop
Terraform CLI
Terraform AWS
Provider
Terraform Registry
terraform init
terraform plan
terraform destroy
terraform apply
This state is stored by default in a local file named "terraform.tfstate", but it can
also be stored remotely, which works better in a team environment.
The primary purpose of Terraform state is to store bindings between objects in a
remote system and resource instances declared in your configuration.
1
2 terraform validate
3
4
5
Terraform State
File
terraform.tfstate
Terraform must store state about your managed infrastructure and configuration
This state is used by Terraform to map real world resources to your configuration
(.tf files), keep track of metadata, and to improve performance for large
infrastructures.
When Terraform creates a remote object in response to a change of configuration, it will record the
identity of that remote object against a particular resource instance, and then potentially update or delete
that object in response to future configuration changes.

StackSimplify
Desired & Current Terraform States
terraform.tfstate
Terraform Configuration Files Real World Resource – EC2 Instance
Desired State Current State

StackSimplify
Terraform
Input Variables
Datasources
Outputs

StackSimplify
What are we going to learn ?
Default VPC
AWS Cloud
Public subnet
EC2 Instance
Security group
VPC-SSH
Security group
VPC-Web
EC2 Key Pair
Terraform Input Variables
Terraform Output Values
Terraform Datasources
Terraform
Concepts
AWS Services
Dynamically get latest AMI ID

StackSimplify
Terraform
Variables
Terraform
Input
Variables
Terraform
Output
Values
Terraform
Local
Values

StackSimplify
Terraform Input Variables
Terraform
Input
Variables
Input Variables - Basics
Provide Input Variables when prompted
during terraform plan or apply
Override default variable values using
CLI argument -var
Override default variable values using
Environment Variables (TF_var_aa)
Provide Input Variables using
terraform.tfvars files
Provide Input Variables using <any-
name>.tfvars file with CLI
argument -var-file
Provide Input Variables using
auto.tfvars files
Implement complex type constructors
like List & Map in Input Variables
Implement Custom Validation Rules in
Variables
Protect Sensitive Input Variables
Input variables serve as parameters for a Terraform module, allowing aspects of the module to be customized without
altering the module's own source code, and allowing modules to be shared between different configurations.
1
2
3
4
5
6
7
8
9
10

StackSimplify
Data sources allow data to be fetched or computed for use elsewhere
in Terraform configuration.
Use of data sources allows a Terraform configuration to make use of
information defined outside of Terraform, or defined by another
separate Terraform configuration.
A data source is accessed via a special kind of resource known as
a data resource, declared using a data block
Each data resource is associated with a single data source, which
determines the kind of object (or objects) it reads and what query
constraint arguments are available
Data resources have the same dependency resolution behavior as
defined for managed resources. Setting the depends_on meta-
argument within data blocks defers reading of the data source until
after all changes to the dependencies have been applied.

StackSimplify
We can refer the data resource in a resource as depicted
Data resources support count and for_each meta-arguments as defined for managed resources, with the same syntax and
behavior.
Each instance will separately read from its data source with its own variant of the constraint arguments, producing an
indexed result.
Data resources support the provider meta-argument as defined for managed resources, with the same syntax and behavior.
Data resources do not currently have any customization settings available for their lifecycle, but the lifecycle nested block is
reserved in case any are added in future versions.
Meta-Arguments for
Datasources

StackSimplify
Terraform Variables – Output Values
Terraform
Variables
Outputs
A root module can use
outputs to print certain
values in the CLI output
after running terraform
apply.
When using remote state,
root module outputs can be
accessed by other
configurations via
a terraform_remote_state d
ata source.
A child module can use
outputs to expose a
subset of its resource
attributes to a parent
module.
Output values are like the return values of a Terraform module and have several uses
1 2
3
Advanced

StackSimplify
Terraform
For Loops
Lists & Maps
Meta-Argument
Count & for_each

StackSimplify
Meta-Argument: count
Variables: Lists & Maps
For Loop with Lists
For Loop with Maps
For Loops with Advanced Maps
Legacy Splat Operator (.*.)
Latest Splat Operator [*]
Meta-Argument: for_each
Function: toset
Function: tomap
Datasource:
aws_availability_zones
Datasource:
aws_ec2_instance_type_offerings
Datasource:
aws_availability_zones
For Loop with Maps
For Loop with if
Function: keys
Section-1 Section-2 Section-3
Section-4
Fix issues in Section-2 with
section-3
Final Output
Utility Project
with
Datasources

StackSimplify
AWS VPC
3-Tier
Web, App and DB
Amazon Virtual Private Cloud
(Amazon VPC)
Internet gateway NAT gateway Elastic IP
address
Route table Public Subnet
Private Subnet

StackSimplify
AWS VPC
3-Tier
Architecture VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
Private subnet
Public subnet
For
EC2 Instances
NAT gateway
Private subnet
For
Databases
Private subnet
Public subnet
For
EC2 Instances
NAT gateway
Private subnet
For
Databases
Internet gateway
Outbound Communication
Build manually using AWS Mgmt Console
Build same using Terraform
Terraform Modules
Terraform Local Values
Terraform Variables – terraform.tfvars
Terraform Variables – vpc.auto.tfvars
Terraform Version Constraints
Terraform Code Organizing – Production
Grade style
Elastic IP
address
Elastic IP
address

StackSimplify
What are we going to Learn ?
Build VPC manually using AWS
Management Console
Build VPC using Terraform
Modules
Standardize the Terraform Code
at Production Grade

StackSimplify
Terraform Modules
Modules are containers for multiple resources that are used together. A module consists
of a collection of .tf files kept together in a directory.
Modules are the main way to package and reuse
resource configurations with Terraform.
Every Terraform configuration has at least one
module, known as its root module, which consists of
the resources defined in the .tf files in the main
working directory
A Terraform module (usually the root module of a
configuration) can call other modules to include
their resources into the configuration.
Child modules can be called multiple times within the
same configuration, and multiple configurations can use
the same child module.
In addition to modules from the local filesystem,
Terraform can load modules from a public or private
registry.
This makes it possible to publish modules for others to
use, and to use modules that others have published.
A module that has been called by another module is
often referred to as a child module.

StackSimplify
AWS EC2
Bastion Host
Terraform
Provisioners
(Amazon VPC)
address
Private Subnet
EC2 VM

StackSimplify
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
Private subnet
Public subnet
NAT gateway
Private subnet
For
Databases
Private subnet
Public subnet
Private subnet
For
Databases
Internet gateway
Outbound Communication
Elastic IP
address Bastion EC2 Instance
Bastion Host Security group port 22
Destination: 0.0.0.0/0
AWS VPC + EC2 Instance + Security Groups
Terraform & AWS Concepts
Terraform Module: VPC
Terraform Module: Security Group
Terraform Module: AWS EC2 Instance
Meta-Argument: depends_on
Terraform null_resource
Terraform File Provisioner
Terraform Remote-exec Provisioner
Terraform Local-exec Provisioner
Admin
SSH Port 22
EKS Cluster Tags for VPC Subnets
Elastic IP
address
Terraform Datasource:
aws_availability_zones (Dynamic)

StackSimplify
Create AWS VPC using Terraform Modules + Update AZs
Create AWS Security Groups using Terraform Modules
Create AWS EC2 Instance using Terraform Modules
Null Resource
File Provisioner
Remote-exec Provisioner
Create AWS AMI Datasource to get latest AMI ID
dynamically
Local-exec Provisioner
Variables defined in .tfvars and .auto.tfvars formats
Define generic variables and Local Values
Create AWS EC2 Elastic IP for Bastion Host EC2 Instance
Create Terraform Provisioners with Null Resource
EKS
Variables

StackSimplify
Types of Provisioners
Provisioner Types
File Provisioner
remote-exec Provisioner
local-exec Provisioner
Null Resource
Connection
Block
Terraform
Provisioners
Concepts

StackSimplify
Terraform Provisioners
Provisioners can be used to model specific actions on the local machine or on a remote
machine in order to prepare servers
Passing data into virtual machines
and other compute resources
Running configuration management
software (packer, chef, ansible)
Provisioners are a Last Resort
First-class Terraform provider
functionality may be available
Creation-Time Provisioners Destroy-Time Provisioners
Failure Behaviour: Continue: Ignore
the error and continue with creation
or destruction.
Failure Behaviour: Fail: Raise an error and
stop applying (the default behavior). If
creation provisioner fails, taint resource
Most provisioners require access to the remote resource via SSH or
WinRM, and expect a nested connection block with details about how
to connect.
Connection
Block

StackSimplify
Provisioners Introduction
File Provisioner
• File Provisioner is used to copy files or directories from the machine executing Terraform
to the newly created resource.
• The file provisioner supports both ssh and winrm type of connections
remote-exec
Provisioner
• The remote-exec provisioner invokes a script on a remote resource after it is
created.
• This can be used to run a configuration management tool, bootstrap into a
cluster, etc.
local-exec
Provisioner
• The local-exec provisioner invokes a local executable after a resource is created.
• This invokes a process on the machine running Terraform, not on the resource.
null_resource
• If you need to run provisioners that aren't directly associated with a specific
resource, you can associate them with a null_resource.
• Instances of null_resource are treated like normal resources, but they don't do
anything.
• Same as other resource, you can configure provisioners and connection
details on a null_resource.

StackSimplify
AWS EKS
Cluster

StackSimplify
AWS EKS – Core Objects
EKS Cluster
EKS Control Plane
Worker Nodes &
Node Groups
Fargate Profiles
(Serverless)
VPC
Contains Kubernetes
Master components
like etcd, kube-
apiserver, kube-
controller.
It’s a managed
service by AWS
Group of EC2
Instances where we
run our Application
workloads
Instead of EC2
Instances, we run
our Application
workloads on
Serverless Fargate
profiles
With AWS VPC we
follow secure
networking
standards which will
allow us to run
production
workloads on EKS.

StackSimplify
How does EKS work?
© Amazon

StackSimplify
EKS Control
Plane
1. EKS runs a single tenant Kubernetes control plane for each cluster, and control plane infrastructure
is not shared across clusters or AWS accounts.
2. This control plane consists of at least two API server nodes and three etcd nodes that run across
three Availability Zones within a Region
3. EKS automatically detects and replaces unhealthy control plane instances, restarting them across
the Availability Zones within the Region as needed.
Worker Nodes
&
Node Groups
1. Worker machines in Kubernetes are called nodes. These are EC2 Instances
2. EKS worker nodes run in our AWS account and connect to our cluster's control plane via the cluster
API server endpoint.
3. A node group is one or more EC2 instances that are deployed in an EC2 Autoscaling group.
4. All instances in a node group must
1. Be the same instance type
2. Be running the same AMI
3. Use the same EKS worker node IAM role
EKS Cluster – Core Objects Detailed

StackSimplify
Fargate Profiles
1. AWS Fargate is a technology that provides on-demand, right-sized compute capacity for containers
2. With Fargate, we no longer have to provision, configure, or scale groups of virtual machines to run
containers.
3. Each pod running on Fargate has its own isolation boundary and does not share the underlying
kernel, CPU resources, memory resources, or elastic network interface with another pod.
4. AWS specially built Fargate controllers that recognizes the pods belonging to fargate and schedules
them on Fargate profiles.
5. We will see more in our Fargate learning section.
VPC
1. EKS uses AWS VPC network policies to restrict traffic between control plane components to within a
single cluster.
2. Control plane components for a EKS cluster cannot view or receive communication from other
clusters or other AWS accounts, except as authorized with Kubernetes RBAC policies.
3. This secure and highly-available configuration makes EKS reliable and recommended for production
workloads.
EKS Cluster – Core Objects Detailed

StackSimplify
Kubernetes
Architecture

StackSimplify
Kubernetes - Architecture
Kube
Controller
Manager
Cloud
Controller
Manager
kube-apiserver
kube-
scheduler
etcd
Container Runtime (Docker)
Master
Kube-Proxy
Worker Node
Kubelet
Kube-Proxy
Worker Node
Kubelet

StackSimplify
Kubernetes Architecture - Master
Kube
Controller
Manager
Cloud
Controller
Manager
kube-apiserver
kube-
scheduler
etcd
Master • kube-apiserver
• It acts as front end for the Kubernetes control plane. It
exposes the Kubernetes API
• Command line tools (like kubectl), Users and even
Master components (scheduler, controller manager,
etcd) and Worker node components like (Kubelet)
everything talk with API Server.
• etcd
• Consistent and highly-available key value store used as
Kubernetes’ backing store for all cluster data.
• It stores all the masters and worker node information.
• kube-scheduler
• Scheduler is responsible for distributing containers
across multiple nodes.
• It watches for newly created Pods with no assigned
node, and selects a node for them to run on.

StackSimplify
Kube
Controller
Manager
Cloud
Controller
Manager
kube-apiserver
kube-
scheduler
etcd
Master • kube-controller-manager
• Controllers are responsible for noticing and
responding when nodes, containers or endpoints
go down. They make decisions to bring up new
containers in such cases.
• Node Controller: Responsible for noticing and
responding when nodes go down.
• Replication Controller: Responsible for maintaining
the correct number of pods for every replication
controller object in the system.
• Endpoints Controller: Populates the Endpoints
object (that is, joins Services & Pods)
• Service Account & Token Controller: Creates default
accounts and API Access for new namespaces.

StackSimplify
Kube
Controller
Manager
Cloud
Controller
Manager
kube-apiserver
kube-
scheduler
etcd
Master • cloud-controller-manager
• A Kubernetes control plane component that
embeds cloud-specific control logic.
• It only runs controllers that are specific to your
cloud provider.
• On-Premise Kubernetes clusters will not have
this component.
• Node controller: For checking the cloud
provider to determine if a node has been
deleted in the cloud after it stops responding
• Route controller: For setting up routes in the
underlying cloud infrastructure
• Service controller: For creating, updating and
deleting cloud provider load balancer

StackSimplify
• Kubelet
• Kubelet is the agent that runs on every node
in the cluster
• This agent is responsible for making sure that
containers are running in a Pod on a node.
• Kube-Proxy
• It is a network proxy that runs on each node
in your cluster.
• It maintains network rules on nodes
• In short, these network rules allow network
communication to your Pods from network
sessions inside or outside of your cluster.
Kubernetes Architecture – Worker Nodes
Kube-Proxy
Worker Node
Kubelet
• Container Runtime
• Container Runtime is the underlying
software where we run all these
Kubernetes components.
• We are using Docker, but we have
other runtime options like rkt,
container-d etc.

StackSimplify
EKS Kubernetes - Architecture
EKS
Controller
Manager
Fargate
Controller
Manager
kube-apiserver
kube-
scheduler
etcd
Container Runtime
Master
Kube-Proxy
Worker Node -1
Kubelet
Kube-Proxy
Worker Node - 2
Kubelet
Container Runtime
EKS Control Plane EKS Node Group

StackSimplify
AWS EKS
Cluster & Node
Groups
using Terraform
(Amazon VPC)
address
Private Subnet
EC2 VM
EKS
Cluster

StackSimplify
EKS Cluster Creation Options using Terraform
Terraform Resources Terraform Module from Terraform Public Registry

StackSimplify
AWS EKS Resources - High Level Breakdown
Subnets (Public /
Private)
Route Tables
NAT Gateway + Elastic
IP
Internet Gateway
EKS Cluster
IAM Role
EKS Cluster
Security Group
EKS Cluster
Network Interfaces
EKS Node Group
IAM Role
EKS Node Group
Security Group
EKS Node Group
Network Interfaces
EKS Worker Nodes
EC2 Instances
Bastion Host
EC2 Instance
Bastion Host
Security Group
Bastion Host
Elastic IP
VPC
Bastion Host
(Optional) EKS Cluster
EKS Node
Group
Pre-requisite Resources EKS Resources
EKS Cluster

StackSimplify
VPC (our AWS Account)
AWS Cloud Availability Zone 1 Availability Zone 2
Private subnet
Public subnet
NAT gateway
Private subnet
Public subnet
Internet gateway
Private NG Security group – Port 22
Bastion EC2 Instance
EKS Worker Node
EKS Worker Node
Bastion Security group
EKS Cluster & EKS Node Groups in Public and Private Subnets
Admin
SSH 22
EKS Node Group in Private Subnets
Public NG Security group – Port 22
EKS Worker Node
EKS Worker Node
EKS Node Group in Public Subnets
Elastic IP
EKS Elastic
network interface
EKS Elastic
network interface
VPC (Amazon EKS)
EKS
Control Plane
Amazon Elastic Container
Registry (Amazon ECR)
Public Node Group – Access to EKS API Server Endpoint
Private Node Group – Access to EKS API Server Endpoint via NAT Gateway
NATGW Elastic IP
IAM Role for
EKS Cluster
IAM Role for
EKS Node
Groups
AWS Identity and Access
Management (IAM)
EKS Cluster
Security group
kubectl
Client
Run kubectl commands
by accessing EKS API
Server Endpoint via
Internet
EKS Elastic Network Interfaces
A

StackSimplify
Private subnet
Public subnet
NAT gateway
Private subnet
Public subnet
Internet gateway
Private NG Security group – Port 22
Bastion EC2 Instance
EKS Node Instance
EKS Node Instance
Bastion Security group
EKS Cluster & EKS Node Groups in Public and Private Subnets
Admin
SSH 22
EKS Node Group in Private Subnets
Public NG Security group – Port 22
EKS Node Instance
EKS Node Instance
Elastic IP
EKS Elastic
network interface
EKS Elastic
network interface
VPC (Amazon EKS)
EKS
Control Plane
Amazon Elastic Container
Registry (Amazon ECR)
Public Node Group – Access to EKS API Server Endpoint
Private Node Group – Access to EKS API Server Endpoint via NAT Gateway
NATGW Elastic IP
IAM Role for
EKS Cluster
IAM Role for
EKS Node
Groups
AWS Identity and Access
Management (IAM)
EKS Cluster
Security group
kubectl
Client
Server Endpoint via
Internet

StackSimplify
Create AWS VPC using Terraform Modules
Create AWS EC2 Bastion Host
Define generic variables and Local Values
C1 to C4-07 same as previous
Section-07

StackSimplify
Define EKS Outputs
Define EKS Variables
Create EKS Security Groups – Placeholder file
Define IAM Roles for EKS Cluster and Node Groups
Define EKS Node Group in Public Subnet
Define EKS Cluster TF Configs
EKS Variables autoload during Terraform Apply
Define EKS Node Group in Private Subnet

StackSimplify
Time it
takes to
complete
this Demo
Real-World
Demo 3

StackSimplify
• Elastic Network Interfaces (ENI)
• When you create the cluster, Amazon EKS creates and manages network
interfaces in your account that have Amazon EKS <cluster name> in their
description.
• These network interfaces allow AWS Fargate and Amazon EC2 instances to
communicate with the EKS control plane present in Amazon VPC in Amazon
Account (Not our AWS Account).
• The Amazon EKS created cluster security group and any additional security
groups that you specify when you create your cluster are applied to these
network interfaces.
• Very Important Note: These Network Interfaces were created in our EKS VPC
in our AWS account but attached to EKS Control Plane Master Node instances
of Amazon VPC.
AWS EKS Resources - High Level Breakdown

StackSimplify
EKS Control Plane - Network Interfaces
Network Interfaces created by
EKS Control Plane in our EKS
VPC.
These are created and
managed by EKS
Network Interface description
is outlined as
Amazon EKS <CLUSTER-NAME>

StackSimplify
EKS
ENI
Our Amazon
Account ID
Private IP of
from our EKS
VPC Public
Subnet
Amazon VPC Account ID
where EKS Control
Plane is hosted
Our EKS VPC
ID

StackSimplify
AWS
Elastic Network
Interface
Basic
Understanding
Just to understand AWS
Elastic Network Interface
concept

StackSimplify
AWS EKS
Deployment & Service
(Amazon VPC)
address
Private Subnet
EC2 VM
EKS
Cluster

StackSimplify
Kubernetes Sample Application
default namespace
NodePort Service
Load Balancer Service
(AWS Classic LB)
Service (AWS NLB)
EKS Cluster
k8s Pods k8s ReplicaSet k8s Deployment
http://<worker-node-publicip>:<node-port>
http//<clb-dns-url>
http//<nlb-dns-url>

StackSimplify
Public subnet Public subnet
Internet gateway
Kubernetes Deployment & Services - Architecture
Public NG Security group
EKS Node Instance
EKS Elastic
network interface
EKS Elastic
network interface
VPC (Amazon EKS)
EKS
Control Plane
Access to EKS API Server
Endpoint
EKS Cluster
Security group
kubectl
Client
Server Endpoint via
Internet
EKS Node Instance
Kubernetes Service: LoadBalancer (AWS CLB)
Kubernetes Service: LoadBalancer (AWS NLB)
Kubernetes Service: NodePort
k8s Services
Deploy
kube-manifests
Users
Docker Hub
Pull Docker Image from Docker Hub

StackSimplify
Create k8s Load Balancer Service Manifest (AWS CLB)
Create k8s Deployment Manifest
Create k8s Load Balancer Service Manifest (AWS NLB)
Create k8s Node Port Service Manifest (Not recommended
for prod)
Kubernetes Manifests using
YAML

StackSimplify
AWS EKS
Deployment & Service
using Terraform Provider
(Amazon VPC)
address
Private Subnet
EC2 VM
EKS
Cluster

StackSimplify
Kubernetes Sample Application
default namespace
NodePort Service
Load Balancer Service
(AWS Classic LB)
Service (AWS NLB)
EKS Cluster
http//<clb-dns-url>
http//<nlb-dns-url>
Terraform Kubernetes
Provider

StackSimplify
Terraform Remote State Datasource
The terraform_remote_state data source retrieves the root module output values from project-1 Terraform
configuration, using the latest state snapshot from the remote backend.
Project-1 Project-2
project-1/terraform.tfstate project-2/terraform.tfstate
terraform_remote_state
data source
Terraform Resources
1. AWS VPC
2. Bastion Host
3. EKS Cluster
4. EKS Node Groups
5. EKS Outputs
Terraform Resources
1. Kubernetes Provider
2. Kubernetes Deployment
3. Kubernetes Load Balancer
Service (CLB)
Service (NLB)
5. Kubernetes NodePort Service
EKS Outputs from Project-1
1. cluster_id
2. cluster_endpoint
3. cluster_certificate_authority_data
4. token

StackSimplify
Create k8s Load Balancer Service Manifest (AWS CLB)
Create k8s Deployment Manifest
Create k8s Load Balancer Service Manifest (AWS NLB)
Create k8s Node Port Service Manifest (Not recommended
for prod)
Kubernetes Manifests using Terraform
Define AWS and Kubernetes Providers & Datasources
Create Remote State Datasource
Define Terraform Settings - AWS and Kubernetes Provider
Versions
C1
C2
C3
C4
C5
C6
C7

StackSimplify
Terraform
Remote State Storage & State
Locking
using
AWS S3 & DynamoDB
VPC Internet gateway NAT gateway
Elastic IP
address Route table Public Subnet Private Subnet
EC2 VM
EKS
Cluster
Amazon Simple Storage
Service (Amazon S3)
Amazon
DynamoDB
Classic Load
Balancer
Autoscaling AWS IAM
Network Load
Balancer

StackSimplify
Terraform
Local
State
Storage
Terraform
Remote
State
Storage
Terraform State

StackSimplify
What is Terraform Backend ?
Backends are responsible for storing state and providing an API for state locking.
Terraform
State Storage
Terraform
State Locking
AWS S3 Bucket AWS DynamoDB

StackSimplify
Local State File
Admin1
Desktop
terraform.tfstate
Admin1 Admin2 Admin3
Remote State File
AWS Cloud
EC2
Instance
Admin1
Desktop
terraform.tfstate
AWS Cloud
EC2
Instance
Admin2
Desktop
Admin3
Desktop
AWS S3 Bucket
Multiple Team members
cannot update the
infrastructure as they
don’t have access to State
File
This means we need
store the state file in a
shared location.
Using Terraform
Backend concept we
can use AWS S3 as the
shared storage for
State Files
If two team members
are running Terraform
at the same time, you
may run into race
conditions as multiple
Terraform processes
make concurrent
updates to the state
files, leading to
conflicts, data loss,
and state file
corruption.
Implement State Locking

StackSimplify
Terraform Remote State File with State Locking
Admin1
Desktop
terraform.tfstate
AWS Cloud
EC2
Instance
Admin2
Desktop
Admin3
Desktop
AWS S3 Bucket AWS DynamoDB
Not all backends support State Locking. AWS S3 supports State
Locking
State locking happens automatically on all operations that
could write state.
If state locking fails, Terraform will not continue.
You can disable state locking for most commands with the -
lock flag but it is not recommended.
If acquiring the lock is taking longer than expected, Terraform
will output a status message.
If Terraform doesn't output a message, state locking is still
occurring if your backend supports it.
Terraform has a force-unlock command to manually unlock
the state if unlocking failed.

StackSimplify
Terraform Remote
State File with
State Locking
Terraform State Storage using
Remote Backend AWS S3
Terraform State Locking

StackSimplify
EKS Cluster EKS k8s Resources
S3
Bucket
AWS
DynamoDB

StackSimplify
The terraform_remote_state data source retrieves the root module output values from project-1 Terraform
configuration, using the latest state snapshot from the remote backend.
Project-1 Project-2
project-1/terraform.tfstate project-2/terraform.tfstate
data source
Terraform Resources
1. AWS VPC
2. Bastion Host
3. EKS Cluster
4. EKS Node Groups
5. EKS Outputs
Terraform Resources
Service (CLB)
Service (NLB)
1. cluster_id
2. cluster_endpoint
4. token
State Files in project local
working directory
In Section-11
Demo

StackSimplify
Project-1 Project-2
data source
Terraform Resources
1. AWS VPC
2. Bastion Host
3. EKS Cluster
4. EKS Node Groups
5. EKS Outputs
Terraform Resources
Service (CLB)
Service (NLB)
1. cluster_id
2. cluster_endpoint
4. token
AWS S3 AWS DynamoDB
Project-1: terraform.tfstate
AWS S3 AWS DynamoDB
Project-2: terraform.tfstate

StackSimplify
In Project-2, Terraform getting EKS Cluster information from project-1
terraform state file stored in AWS S3 Bucket using Terraform Remote State
Datasource.

StackSimplify
Update Terraform Remote Backend Information for
Project-1: EKS Cluster
Update Terraform Remote Backend Information for
Project-2: Kubernetes Resources (Deployment & Services)
Update Terraform Remote State Datasource from local to
remote backend (AWS S3 Bucket) to access Project-1 EKS
Cluster Outputs needed for Kubernetes Provider in
Project-02
C1
C1
C2

StackSimplify
Terraform
Backends

StackSimplify
Terraform Backends
Each Terraform configuration can specify a backend, which defines where and how
operations are performed, where state snapshots are stored, etc.
Where Backends are Used Backend configuration is only used by Terraform CLI.
Terraform Cloud and Terraform Enterprise always use
their own state storage when performing Terraform
runs, so they ignore any backend block in the
configuration.
For Terraform Cloud users also it is always
recommended to use backend block in Terraform
configuration for commands like terraform taint
which can be executed only using Terraform CLI

StackSimplify
Terraform Backends
What Backends Do There are two things backends will be used for
1. Where state is stored
2. Where operations are performed.
Terraform uses persistent state data
to keep track of the resources it
manages.
Store State State Locking Operations
State Locking is to prevent conflicts
and inconsistencies when the
operations are being performed
"Operations" refers to performing
API requests against infrastructure
services in order to create, read,
update, or destroy resources.
Everyone working with a given
collection of infrastructure
resources must be able to access
the same state data (shared state
storage).
Not every terraform subcommand
performs API operations; many of
them only operate on state data.
Only two backends actually perform
operations: local and remote.
The remote backend can perform API
operations remotely, using Terraform
Cloud or Terraform Enterprise.
What are Operations ?
terraform apply
terraform destroy

StackSimplify
Terraform Backends
Backend
Types
Enhanced Backends Standard Backends
Enhanced backends can both store
state and perform operations. There
are only two enhanced
backends: local and remote
Standard backends only store state,
and rely on the local backend for
performing operations.
Example for Remote Backend
Performing Operations : Terraform
Cloud, Terraform Enterprise
Example: AWS S3, Azure RM, Consul,
etcd, gcs http and many more

StackSimplify
AWS EKS
IRSA
IAM Roles for Service Accounts
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
IAM IAM Policy AWS STS
IAM Role Temporary security
credential
Kubernetes Job
Kubernetes
Service Account
VERY VERY IMPORTANT CONCEPT FOR AWS EKS Section-13

StackSimplify
How to access AWS Services from Workloads
running in EKS Cluster?
AWS S3 Bucket1 Bucket2 Bucket3 Bucket4
default namespace
EKS Cluster
k8s Job
List S3 Buckets
Other AWS Services EKS Cluster
AWS Cloud
Bucket5
Demo Usecase: Kubernetes Workload (k8s Job with AWS CLI Container) when run with a command “s3 ls”, it should list
the S3 Buckets. In short, Kubernetes Workload in EKS Cluster should be able to access AW Services.
K8s Job don’t have access to
AWS S3 APIs (this Job will fail)

StackSimplify
Why do Kubernetes Workloads need to access AWS
Services ?
EBS CSI Controller +
Kubernetes Storage Class,
PVC, PV
EFS CSI Controller +
Kubernetes Storage Class +
PVC + PV
AWS Load Balancer
Controller + Kubernetes
Ingress Resources
We can create / resize / delete / retain AWS EBS Volumes from
Kubernetes Resources in EKS Cluster
We can map EFS File system to our Kubernetes Pods in our EKS
Cluster.
We can create AWS Application, Network Load Balancer with all
the settings from our EKS Cluster using k8s Ingress Resources
External DNS Controller
We can create / update / delete AWS Route53 DNS records using
External DNS
For all the above, we need to understand the
IRSA (IAM Roles for Service Accounts concept)
in detail.
Same applies if our
Application Pods want to
access AWS Services from
EKS Cluster

StackSimplify
Key Items for IRSA Implementation
IRSA
IAM Roles
for Service
Accounts
EKS Cluster OpenID
Connect Provider
AWS IAM Identity
Provider
AWS
STS AssumeRoleWi
thWebIdentity API
operation
AWS IAM
Temporary Role
Credentials
Kubernetes Service
Accounts
Kubernetes
ProjectedServiceAcco
untToken feature
(OIDC JSON Web
Token)

StackSimplify
EKS Cluster OpenID Connect Provider URL
EKS Cluster acts as an
OpenID Connect Provider
(It can act as External
Identity Provider to AWS
IAM)
EKS Cluster contains the
OpenID Connect Provider
Issuer URL
We can configure this
OpenID Connect Issuer
URL in AWS IAM Identity
Provider

StackSimplify
EKS Cluster OpenID Connect Configuration
Endpoint
https://<EKS Cluster OpenID Connect provider URL>/.well-known/openid-configuration

StackSimplify
AWS IAM Identity Provider
Add EKS OpenID Connect Provider as Identity Provider in AWS IAM

StackSimplify
AWS IAM Roles for Kubernetes Service Accounts
credential
AWS S3 Bucket1 Bucket2 Bucket3 Bucket4
default namespace
EKS Cluster
k8s Service Account
k8s Job
List S3 Buckets
Annotated with IAM Role
AWS Cloud
Bucket5
k8s Pod

StackSimplify
IRSA - Functional Flow
default namespace
EKS Cluster
k8s Service Account k8s Job
AWS Cloud
k8s Pod
EKS Cluster acting as External IDP to AWS IAM
AWS IAM
Feature: Federated
Identities using OIDC
Validate and accept JWT Token
from EKS Cluster
JWT will be sent to
AWS STS
1
IAM Policy
AWS STS
IAM Role
Temporary security
credential
AssumeRoleWithWebIdenti
ty API operation
ProjectedServiceAccountToken JWT
Token will passed to AWS IAM
2
AWS STS will generate
IAM temporary role
credentials
3
k8s service account annotated with IAM Role AWS S3
Access AWS Services using
Temp creds based on IAM
role permissions
4

StackSimplify
Kubernetes Service Account Mounted Secret - JWT Token

StackSimplify
Kubernetes Service Account Mounted Secret - JWT Token
Decoded
JWT Token
Website: https://jwt.io/

StackSimplify
..........................
Add EKS Cluster as OpenID Connect
Provider in AWS IAM Service

StackSimplify
c1
Update Terraform Remote Backend information –
AWS S3 Bucket Key & DynamoDB Table
c2
Define Terraform Remote State Datasource for
Project-1 EKS Cluster
c3-01
c3-02
Define generic variables and local values
c4-01 Define AWS Provider and Kubernetes Provider
c4-02
Create IAM Policy and IAM Role with
Action: AssumeRoleWithWebIdentity
c4-03
Create Kubernetes Service Account in EKS Cluster and
annotate with IAM Role
c4-04
Create Kubernetes Job with Kubernetes Service
Account and AWS CLI Container

StackSimplify
AWS EKS
Storage

StackSimplify
EKS Storage
In-Tree EBS Provisioner EBS CSI Driver EFS CSI Driver FSx for Luster CSI
CSI means Container Storage Interface
Latest & Greatest available today & ready for production use
As on today, not supported on AWS EKS Fargate (Serverless)
Allows EKS Clusters to manage lifecycle of EBS Volumes for persistent storage, EFS File
systems & FSx for Luster File systems
Supported for k8s 1.14 & later
Supported for k8s 1.16 &
later
Legacy
Will be deprecated soon

StackSimplify
• EBS provides block level storage volumes for use with EC2 & Container
instances.
• We can mount these volumes as devices on our EC2 & Container instances.
• EBS volumes that are attached to an instance are exposed as storage
volumes that persist independently from the life of the EC2 or Container
instance.
• We can dynamically change the configuration of a volume attached to an
instance.
• AWS recommends EBS for data that must be quickly accessible and requires
long-term persistence.
• EBS is well suited to both database-style applications that rely on random
reads and writes, and to throughput-intensive applications that perform
long, continuous reads and writes.
AWS Elastic Block Store - Introduction

StackSimplify
AWS EKS
Storage
Elastic Block Store
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
credential
Kubernetes
Service Account
AWS EBS CSI Driver Install Section-14
Kubernetes
Deployment
Kubernetes
Daemon Set
AWS EBS

StackSimplify
AWS EBS CSI Driver
Why do we need to use EBS CSI Driver in EKS Cluster?
AWS EBS Container Storage Interface
(CSI) driver allows EKS clusters to
manage the lifecycle of EBS volumes for
persistent volumes in k8s (Create /
Resize / Delete Volumes).

StackSimplify
AWS EBS CSI Driver
Managing the EBS
CSI Driver self-
managed add-on
Managing the EBS
CSI driver as an
EKS add-on
EBS CSI Driver - Deployment Options
Terraform Helm Provider
Terraform EKS Add On
Resource

StackSimplify
AWS EBS CSI Driver
credential
kube-system namespace
EKS Cluster
EBS CSI k8s
Service Account
Annotated with IAM Role
AWS Cloud
EBS CSI Controller
Deployment
EBS CSI Node Daemon Set
AWS EBS Volume Volume Volume Volume Volume
Can Create / Update / Delete EBS Volumes

StackSimplify
What are we going to
learn ? c1
c2
c3-01
c3-02
c4-01
Define Terraform HTTP Datasource to download the
EBS CSI IAM Role from Github
c4-02
AssumeRoleWithWebIdentity
c4-03 Define Helm provider
c4-04 Install EBS CSI Driver using Helm Resource
c4-05 Create EBS CSI Outputs

StackSimplify
AWS EKS
Storage
Elastic Block Store
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
AWS EBS CSI Driver – Sample App using YAML
AWS EBS
Section-15
credential
Kubernetes
Service Account
Kubernetes
Deployment
Kubernetes
Daemon Set

StackSimplify
User Management Web Application - Architecture
User Management
Web Application
Java Spring Boot
Create User
List User
Delete User
MySQL DB
schema: webappdb
Table: User
Default User: admin101

StackSimplify
POD
ReplicaSet
Deployment (mysql)
MySQL – ClusterIP Service
MySql
EKS Cluster
Environment Variables
Volumes
Volume Mounts
ClusterIP Service
Storage Class
Persistent Volume Claim
Config Map
Deployment
AWS Elastic Block Store - EBS
EKS Storage
EBS CSI Driver
YAML
EKS Storage with EBS CSI Driver - Demo

StackSimplify
POD
REST
API
ReplicaSet
Deployment (UserMgmt)
UserMgmt - LB Service - CLB
POD
ReplicaSet
Deployment (mysql)
MySql
EKS Cluster
Volumes
Volume Mounts
ClusterIP Service
Storage Class
Config Map
Deployment
NodePort Service
Deployment
YAML
LB Services – CLB & NLB
UserMgmt - NodePort Service
UserMgmt - LB Service - NLB
Users
http://<workernode-publicip>:<node-port>
http://<CLB-DNS-URL>
http://<NLB-DNS-URL>
EKS Storage
EBS CSI Driver

StackSimplify
NodePort Service
LB Service - CLB
LB Service - NLB
http//<nlb-dns-url>
http//<clb-dns-url>
k8s Persistent Volume Claim
k8s Persistent Volume
k8s Storage Class
default namespace
EKS Cluster
MySQL Deployment
UserMgmt Deployment
MySQL k8s ClusterIP Service
Note-1: PVC Claims must exist in the
same namespace as the Pod using the
claim. The cluster finds the claim in the
Pod's namespace and uses it to get the
PersistentVolume backing the claim
Note-2: A PersistentVolume (PV) is a
piece of storage in the cluster that has
been provisioned by an administrator or
dynamically provisioned using Storage
Classes. It is a resource in the cluster just
like a node is a cluster resource
Note-3: PVC Status changes
from Pending to Bound after
MySQL Deployment

StackSimplify
learn ? 1 Create Kubernetes Storage Class
2 Create Kubernetes Persistent Volume Claim
3
Create Kubernetes Config Map which will create the
database schema in MySQL DB
4 Create Kubernetes Deployment for MySQL DB
5 Create Cluster IP Service for MySQL DB
6
Create Kubernetes Deployment for UserMgmt
WebApp
7
Create Kubernetes Service of type Load Balancer
(AWS Classic Load Balancer)
8
(AWS Network Load Balancer)
9
Create Kubernetes Node Port
Service
Kubernetes Manifests using YAML

StackSimplify
AWS EKS
Storage
Elastic Block Store
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
AWS EBS CSI Driver – Sample App using Terraform
AWS EBS
Section-16
credential
Kubernetes
Service Account
Kubernetes
Deployment
Kubernetes
Daemon Set

StackSimplify
POD
ReplicaSet
Deployment (mysql)
MySql
EKS Cluster
Volumes
Volume Mounts
ClusterIP Service
Storage Class
Config Map
Deployment
EKS Storage
EBS CSI Driver

StackSimplify
POD
REST
API
ReplicaSet
Deployment (UserMgmt)
UserMgmt - LB Service - CLB
POD
ReplicaSet
Deployment (mysql)
MySql
EKS Cluster
Volumes
Volume Mounts
ClusterIP Service
Storage Class
Config Map
Deployment
NodePort Service
Deployment
LB Services – CLB & NLB
UserMgmt - NodePort Service
UserMgmt - LB Service - NLB
Users
http://<workernode-publicip>:<node-port>
http://<CLB-DNS-URL>
http://<NLB-DNS-URL>

StackSimplify
NodePort Service
LB Service - CLB
LB Service - NLB
http//<nlb-dns-url>
http//<clb-dns-url>
k8s Persistent Volume Claim
k8s Persistent Volume
k8s Storage Class
default namespace
EKS Cluster
MySQL Deployment
UserMgmt Deployment
MySQL k8s ClusterIP Service
Note-1: PVC Claims must exist in the
same namespace as the Pod using the
claim. The cluster finds the claim in the
Pod's namespace and uses it to get the
PersistentVolume backing the claim
Note-2: A PersistentVolume (PV) is a
piece of storage in the cluster that has
been provisioned by an administrator or
dynamically provisioned using Storage
Classes. It is a resource in the cluster just
like a node is a cluster resource
Note-3: PVC Status changes
from Pending to Bound after
MySQL Deployment
Terraform Kubernetes
Provider

StackSimplify
learn ? c1
c2
c3 Define AWS & Kubernetes Terraform Providers
c4-01 Create Kubernetes Storage Class
c4-02 Create Kubernetes Persistent Volume Claim
c4-03
Create Kubernetes Config Map which will create the
database schema in MySQL DB
c4-04 Create Kubernetes Deployment for MySQL DB
c4-05 Create Kubernetes Cluster IP Service for MySQL DB
Terraform

StackSimplify
c4-06
Create Kubernetes Deployment for UserMgmt
WebApp
c4-07
(AWS Classic Load Balancer)
c4-08
(AWS Network Load Balancer)
c4-09 Create Kubernetes Node Port Service
sql file
Create webappdb.sql file which contains the DB
Schema creation queries used in k8s configMap c4-03
Terraform

StackSimplify
AWS EKS
Storage
Elastic Block Store
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
EBS Volumes – Resize and Retain Features
AWS EBS
Section-17
credential
Kubernetes
Service Account
Kubernetes
Deployment
Kubernetes
Daemon Set

StackSimplify
EBS Volumes - Resize & Retain Features

StackSimplify
Update Kubernetes Storage Class
arguments to support Volume
Expansion (Resizing Volumes) and
Reclaim Policy as Retain.
Default Reclaim Policy is Delete if
not defined when PVC is deleted,
volume will be deleted
automatically
Very Important Note: As part of
Volume Resizing, we can only
increase the size of EBS Volume.
We cannot reduce the Volume size

StackSimplify
AWS EKS
Storage
Elastic Block Store
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
Managing the EBS CSI driver as an EKS add-on
AWS EBS
Section-18
credential
Kubernetes
Service Account
Kubernetes
Deployment
Kubernetes
Daemon Set

StackSimplify
AWS EBS CSI Driver
Managing the EBS
CSI Driver self-
managed add-on
using HELM
Managing the EBS
CSI driver as an
EKS add-on
EBS CSI Driver - Deployment Options

StackSimplify
EBS CSI driver as an EKS add-on
EBS CSI Driver as
EKS Add-On
Currently it is in
preview mode
Has good number of limitations as
on today unlike Self-Managed
Add-On approach using HELM
(Section-14).
In future, this might become the
default deployment option for EBS
CSI Driver
That said we will
also automate this
using Terraform
now
Additional Reference: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html

StackSimplify
c1
c2
c3-01
c3-02
c4-01
Define Terraform HTTP Datasource to download the
EBS CSI IAM Role from Github
c4-02
AssumeRoleWithWebIdentity
c4-03 Install EBS CSI Driver using EKS Add-On option
c4-04 Define EBS CSI Driver Outputs

StackSimplify
Once the EBS CSI Driver is
installed using EKS Add-On
option, Deploy our User
Management Sample
Application and test and
ensure everything good from
EBS Volumes excluding the
limitations with this
approach.

StackSimplify
AWS EKS
Identity & Access Management
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
Introduction
EKS IAM
IAM IAM Policy
IAM Role Kubernetes
Config Map
IAM User IAM Group

StackSimplify
AWS EKS
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
AWS EKS Authentication and Authorization EKS IAM
IAM IAM Policy
IAM Role Kubernetes
Config Map
IAM User IAM Group

StackSimplify
EKS Authentication & Authorization
Reference: https://docs.aws.amazon.com/eks/latest/userguide/cluster-auth.html
Authorization
Authentication
AWS IAM
k8s RBAC

StackSimplify
EKS Cluster
k8s ConfigMap aws-auth
AWS Cloud
AWS IAM
K8s API Server
Role Binding Role Cluster Role Binding Cluster Role
Authorization
Authentication
kubectl
client
aws-iam-authenticator
Server
Kubernetes Role-based Access
Control (RBAC)
Verify IAM Identity
IAM Identity
Kubernetes User Check
IAM Identity Token
Approve/Decline
Allow/Deny
Kubernetes User
Kubernetes Action
IAM Identity Token
Kubernetes Action
Allow / Deny
1 2
3
IAM Policy
IAM Role
4
5
6
7
8

StackSimplify
0 Kubernetes Action: From kubectl cli, run the command like kubectl get pods
1
Kubectl client makes a request to k8s API server passing an access-token with the user’s
information
2 k8s API server passes this token to EKS Control Plane’s service: aws-iam-authenticator
3
aws-iam-authenticator calls AWS IAM service and passes the access-token to check if this is
valid user and whether that user has permissions to access the EKS cluster
3-1 Authentication Check: AWS IAM makes internal authentication check by using access-token
3-2
Authorization Check: AWS IAM makes internal authorization check by checking IAM policies
tied to this user (User with API calls to eks::* resources should be allowed)
4 aws-iam-authenticator checks with aws-auth ConfigMap whether this user has permissions to
access this EKS cluster resources

StackSimplify
5 aws-iam-authenticator returns approve/decline response to the k8s API server
6
k8s API Server will pass a user who already was validated with an authentication module to
an authorization module to check for its permissions (Role Based Access Control – RBAC)
7 Authorization Module will send the Allow / Deny response to k8s API Server
8
k8s API Server will perform (Allow) the Kubernetes action (Example: kubectl get pods) or Deny
based on response from Authorization Module

StackSimplify
AWS EKS
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling AWS EKS IAM Usecases EKS IAM
IAM IAM Policy
IAM Role Kubernetes
Config Map
IAM User IAM Group

StackSimplify
A Developer requesting full access to
a namespace (dev) in EKS Cluster
and in addition, also asking for read-
only access to EKS Cluster
1. Kubernetes Role
2. Kubernetes Role Binding
3. Kubernetes Cluster Role
4. Kubernetes Cluster Role Binding
Section-19
Section-20
Section-21
Section-22
Section-23
Section-24
Section-25
IAM
IAM Policy
IAM Role
Kubernetes
Config Map
IAM User
IAM Group
Role Binding
Role
Cluster Role
Binding
Cluster Role
AWS EKS IAM Usecases
Provision AWS IAM
Admins as EKS Admins
Provision AWS IAM Basic
User as EKS Admin
Automate Section-19,20
with Terraform
Provision EKS Admins with
AWS IAM Roles & IAM
Groups
Automate Section-22 with
Terraform
Provision EKS Read-Only Users with IAM Roles, IAM
Groups, Kubernetes Cluster Role and Cluster Role Binding

StackSimplify
EKS Authentication & Authorization - Admin User
EKS Cluster
AWS Cloud
AWS IAM
K8s API Server
Authorization
Authentication
kubectl
client
Server
Control (RBAC)
Verify IAM Identity
IAM Identity
IAM Identity Token
Approve
IAM Identity Token
Kubernetes Action
Allow
1 2
3
IAM Policy
IAM Role
4
5
6 ACCESS
GRANTED

StackSimplify
Provision AWS Admins as EKS Admins
EKS Cluster
k8s ConfigMap
aws-auth
AWS Cloud
AWS IAM
IAM Policy
Administrator
Access
IAM User
eksadmin1
ACCESS
GRANTED

StackSimplify
EKS Authentication & Authorization - Basic User
EKS Cluster
AWS Cloud
AWS IAM
K8s API Server
Authorization
Authentication
kubectl
client
Server
Control (RBAC)
Verify IAM Identity
IAM Identity
IAM Identity Token
Approve
IAM Identity Token
Kubernetes Action
Allow
1 2
3
IAM Policy
IAM Role
4
5
6 ACCESS
GRANTED
EKS
Full
Access
IAM
Policy

StackSimplify
Provision AWS Basic User as EKS Admin
EKS Cluster
k8s ConfigMap
aws-auth
AWS Cloud
AWS IAM
IAM Policy
EKS Full
Access
IAM User
eksadmin2
ACCESS
GRANTED

StackSimplify
Usecase - Multiple EKS Admin Users
IAM Users
AWS IAM
Adding all these users
in aws-auth ConfigMap
is not a feasible Option
from maintenance
perspective
Complexity
increases
If we need to add
many IAM Users as
EKS Admins (20, 30,
40, 50) what should
we do ?
Option-1: Add those
User ARNs in
mapUsers section of
aws-auth ConfigMap
Every time we add a new user, we need to update the Kubernetes
aws-auth ConfigMap in EKS Cluster

StackSimplify
Usecase - Multiple EKS Admin Users
IAM Users
AWS IAM
IAM Group: eksadmins
Can we use IAM Groups to simplify this EKS
Admin Access Process ? YES
Setting up the whole base for this is complex,
many things like below are involved
1. STS Assume Role Trust Policy
2. IAM Policy
3. IAM Role
4. IAM Group Policy
5. IAM Groups
After all steps are completed, provisioning EKS
Admins becomes so so easy
Step-1: Create IAM User
Step-2: Associate that User to IAM Group:
eksadmins. (User gets access to EKS Cluster)

StackSimplify
Provision EKS Admins using IAM Roles & IAM Groups
EKS Cluster
k8s ConfigMap
aws-auth
AWS Cloud
AWS IAM
IAM Policy
EKS Full
Access
ACCESS
GRANTED
IAM Trust Policy
STS Assume
Role
IAM User
eksadmin3
IAM Role
IAM Group
eksadmins
IAM Group
Policy
IAM User
eksadmin4
IAM User
eksadmin5

StackSimplify
Provision EKS ReadOnly Users using IAM Roles & IAM Groups
EKS Cluster
k8s ConfigMap
aws-auth
AWS Cloud
AWS IAM
IAM Policy
EKS Read-
Only
Access
ACCESS
GRANTED
IAM Trust Policy
STS Assume
Role
IAM User
eksread1
IAM Role
IAM Group
eksreadon
ly
IAM Group
Policy
IAM User
eksread2
IAM User
eksread3
Kubernetes RBAC

StackSimplify
Cluster Role

StackSimplify
ClusterRoleBinding & aws-auth ConfigMap
How does the aws-auth ConfigMap enforce the Kubernetes RBAC permissions defined in ClusterRole & ClusterRoleBinding?
Subject Name in ClusterRoleBinding should match the groups value in aws-auth ConfigMap

StackSimplify
Usecase
EKS Cluster Read-Only Access
EKS Dev Namespace Full Access
(All Verbs – Create , Apply, Get,
List, Delete Resources)
Kubernetes
Cluster Role
Kubernetes Cluster
Role Binding
Kubernetes
Role
Kubernetes
Role Binding
EKS Developer
IAM User
A Developer requesting full access to a namespace (dev) in EKS Cluster and in addition,
also asking for read-only access to EKS Cluster

StackSimplify
Provision EKS Developer Users using IAM Roles & IAM Groups
EKS Cluster
k8s ConfigMap
aws-auth
AWS Cloud
AWS IAM
IAM Policy
EKS
ReadOnly
Access
ACCESS
GRANTED
IAM Trust Policy
STS Assume
Role
IAM User
eksdeveloper1
IAM Role
IAM Group
Developer
IAM Group
Policy
IAM User
eksdeveloper2
DEV namespace
Cluster
Role
Cluster Role
Binding
Role Binding
Role
Kubernetes
RBAC

StackSimplify
aws-auth
ConfigMap
EKS Admins with IAM Users,
Groups and Roles
Section-
22, 23
Section-24
Section-25
Section-
19, 20, 21
EKS ReadOnly Access with IAM Users,
Groups, Roles & k8s ClusterRole &
ClusterRoleBinding
EKS Developer Access with IAM Users,
Groups, Roles & k8s ClusterRole,
ClusterRoleBinding & Role, RoleBinding
IAM Users as EKS Admins

StackSimplify
AWS EKS
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
EKS Cluster Creator User
EKS IAM
IAM IAM Policy Kubernetes
Config Map
IAM User

StackSimplify
AWS EKS Cluster Creator User
EKS Cluster
k8s ConfigMap
aws-auth
AWS Cloud
AWS IAM
IAM Policy
Administrator
Access
IAM User
kalyandev
User: kalyandev
AWS CLI
aws configure
with Security
Credentials
Terraform to
create EKS cluster
kalyandev
becomes the
EKS Cluster
Creator User
The user with which we create the EKS Cluster is called Cluster_Creator_User
This user information is not stored in AWS EKS Cluster aws-auth configmap
If we face any issues with `k8s aws-auth configmap` and if we lost access to EKS Cluster
we need the `cluster_creator` user to restore the stuff
ALWAYS REMEMBER
WITH WHICH USER
EKS CLUSTER IS
CREATED
EKS Cluster Creator User

StackSimplify
AWS EKS
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
Section-19
Config Map
IAM User

StackSimplify
EKS Cluster
k8s ConfigMap
aws-auth
AWS Cloud
AWS IAM
IAM Policy
Administrator
Access
IAM User
eksadmin1
NO ACCESS

StackSimplify
EKS Authentication & Authorization - Admin User
EKS Cluster
AWS Cloud
AWS IAM
K8s API Server
Authorization
Authentication
kubectl
client
Server
Control (RBAC)
Verify IAM Identity
IAM Identity
IAM Identity Token
Decline
IAM Identity Token
Kubernetes Action
Deny
1 2
3
IAM Policy
IAM Role
4
5
6
NO ACCESS

StackSimplify
AWS EKS - Default ConfigMap

StackSimplify
AWS EKS - ConfigMap with mapUsers

StackSimplify
AWS EKS
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
Provision AWS Basic User as EKS Admin using
IAM EKS Full Access Policy Section-20
Config Map
IAM User

StackSimplify
You want to give
FULL ACCESS to AWS
EKS Cluster but for
other AWS Services
NO ACCESS
Usecase
Step-1: Create IAM Basic User
Step-2: Create IAM Policy with EKS Full
Access and associate to IAM User
Step-3: Update user information in EKS
Cluster aws-auth ConfigMap

StackSimplify
EKS Cluster
k8s ConfigMap
aws-auth
AWS Cloud
AWS IAM
IAM Policy
EKS Full
Access
IAM User
eksadmin2
ACCESS
GRANTED
IAM Policy
Administrator
Access
IAM User
eksadmin1

StackSimplify
AWS IAM Policy - EKS Full Access
AWS IAM
IAM Policy
EKS Full
Access Policy
IAM User
eksadmin2

StackSimplify
AWS EKS
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
Section-19 & Section-20
Automate using Terraform Section-21
Config Map
IAM User

StackSimplify
EKS Cluster
k8s ConfigMap
aws-auth
AWS Cloud
AWS IAM
IAM Policy
EKS Full
Access
IAM User
eksadmin2 ACCESS
GRANTED
IAM Policy
Administrator
Access
IAM User
eksadmin1

StackSimplify
Provision EKS Admins with IAM Users
Task-1: Create IAM
User with Admin
Access Policy
Task-2: Create IAM
User with EKS Full
Access policy
Task-3: Define
Terraform
Kubernetes Provider
Task-4: Define
aws_caller_identity
to get AWS Account
ID
Task-5: Create locals
block to define k8s
config map roles and
users
Task-6: Create
Kubernetes Config
Map Resource aws-
auth
Task-7: Update EKS
Node Group resource to
get created only after
Config Map aws-auth is
created
EKS Admins
with IAM
Users

StackSimplify
c7-01 Create Terraform Kubernetes Provider
c7-02 Create Kubernetes ConfigMap Resource
c8-01 Create IAM Admin User with Admin Access Policy
c8-02 Create IAM Basic User with EKS Full Access Policy
Terraform Manifests
…………….
…………….
c5-07
Add depends_on Meta-argument to ensure EKS
Node Group gets created only after aws-auth
ConfigMap is created

StackSimplify
AWS EKS
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
Provision EKS Admins with IAM Roles & IAM Groups
Section-22
IAM IAM Policy
IAM Role Kubernetes
Config Map
IAM User IAM Group

StackSimplify
AWS EKS - ConfigMap with mapRoles

StackSimplify
Section-22
Implement
with manual
steps
Section-23
Automate
using
Terraform
Provision EKS Admins using IAM Roles &
IAM Groups

StackSimplify
AWS EKS
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
Provision EKS Admins with IAM Roles & IAM Groups
Automate with Terraform Section-23
IAM IAM Policy
IAM Role Kubernetes
Config Map
IAM User IAM Group

StackSimplify
Provision EKS Admins using IAM Roles & IAM Groups
EKS Cluster
k8s ConfigMap
aws-auth
AWS Cloud
AWS IAM
IAM Policy
EKS Full
Access
ACCESS
GRANTED
IAM Trust Policy
STS Assume
Role
IAM User
eksadmin1
IAM Role
IAM Group
eksadmins
IAM Group
Policy
IAM User
eksadmin2
IAM User
eksadmin3

StackSimplify
Provision EKS Admins using IAM Roles & IAM
Groups
Task-1: Define
Terraform
Kubernetes Provider
block to define k8s
users
Task-3: Define
aws_caller_identity
to get AWS Account
ID
Task-4: Create IAM
Role with STS Assume
Role Policy and EKS
full access policy
Task-5: Create IAM
Group Policy and
IAM Group
Task-6: Create IAM
users and associate
to IAM Group
EKS Admins
with IAM Roles
& IAM Groups

StackSimplify
c7-02
Create Kubernetes ConfigMap Resource + UPDATE
with mapRoles changes
c8-01 Create IAM Admin User with Admin Access Policy
c8-02 Create IAM Basic User with EKS Full Access Policy
c9-01
Create IAM Role with STS Assume Role Policy and EKS
Full Access Policy
Terraform Manifests
…………….
c9-02
Create IAM Group and IAM Users and associate IAM
Users to IAM Group

StackSimplify
Sample Output of aws-auth ConfigMap after creating EKS Cluster using Terraform

StackSimplify
AWS EKS
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling Kubernetes RBAC Fundamentals Section-24
IAM IAM Policy
IAM Role Kubernetes
Config Map
IAM User IAM Group Kubernetes
Cluster Role
Kubernetes Cluster
Role Binding

StackSimplify
Kubernetes RBAC
Subjects API Groups Verbs
Users or processes that need
access to the Kubernetes API
The k8s API objects that we
grant access to
List of actions that can be taken
on a resource
Kind: Group, User
Kind: Service Account
core
extensions
apps
batch
Create
List
Watch
Delete
Patch
get
Replace
Read
Kubernetes RBAC - Fundamentals
Pods
Deployments
Services
StatefulSets
Resources
Kubernetes API Reference: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/
API Groups Reference: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#-strong-api-
groups-strong-

StackSimplify
Kubernetes RBAC
A ClusterRole can be used to grant
the same permissions as a Role, but
because they are cluster-scoped,
access will be granted across cluster
A Cluster Role Binding is used to tie
the Cluster Role and Subject
together
A Role can only be used to grant
access to resources within a single
namespace.
A Role Binding is used to tie the Role
and Subject together
Section-24 Demo Section-25 Demo

StackSimplify
Kubernetes RBAC
Role
Create
(Verb)
Pod
(Resource)
Namespace: DEV
Role Binding
User / Group
(Subject)
Role
Create
(Verb)
Pod
(Resource)
Namespace: QA
Role Binding
User / Group
(Subject)
Cluster Role
Create
(Verb)
Cluster Role Binding
User / Group
(Subject)
Kubernetes Cluster RBAC

StackSimplify
Cluster Role Binding

StackSimplify
AWS EKS
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
Provision EKS Read-Only Users with IAM Roles & IAM Groups
IAM IAM Policy
IAM Role Kubernetes
Config Map
Cluster Role
Kubernetes Cluster
Role Binding

StackSimplify
aws-auth
ConfigMap

StackSimplify
Provision EKS ReadOnly Users using IAM Roles, IAM Groups with
Kubernetes RBAC (Cluster Role & Cluster Role Binding)
Task-1: Define
Terraform
Kubernetes Provider
block to define k8s
users
Task-3: Define
aws_caller_identity
to get AWS Account
ID
Task-4: Create IAM
Role with STS Assume
Role Policy and EKS
Read-Only access
policy
Task-5: Create IAM
Group Policy and
IAM Group
(eksreadonly)
Task-6: Create IAM
users and associate
to IAM Group
(eksreaduser1)
EKS Read-Only
Users with IAM
Roles & IAM
Groups
Task-7: Create Cluster
Role and Cluster Role
Binding k8s RBAC
Resources
Task-8: update aws-
auth ConfigMap

StackSimplify
c7-02
Create Kubernetes ConfigMap Resource + UPDATE
with mapRoles changes
c8 & c9
Create IAM Admin User with mapUsers in aws-auth
Create EKS Admins with IAM Roles & mapRoles
c10-01
Create IAM Role with STS Assume Role Policy and EKS
READONLY Access Policy
c10-02
Create IAM Group and IAM Users and associate IAM
Users to IAM Group
Terraform Manifests
…………….
c10-03
Create Kubernetes RBAC ClusterRole &
ClusterRoleBinding Resources

StackSimplify
AWS EKS
using AWS IAM
Elastic IP
EC2 VM
EKS
Cluster
AWS S3 DynamoDB
Autoscaling
Provision EKS Developer Users with IAM Roles & IAM Groups
IAM IAM Policy
IAM Role Kubernetes
Config Map
Cluster Role
Kubernetes Cluster
Role Binding
Kubernetes
Role
Kubernetes
Role Binding

StackSimplify
Usecase
EKS Cluster Read-Only Access
EKS Dev Namespace Full Access
(All Verbs – Create , Apply, Get,
List, Delete Resources)
Kubernetes
Cluster Role
Kubernetes Cluster
Role Binding
Kubernetes
Role
Kubernetes
Role Binding
EKS Developer
IAM User
A Developer requesting full access to a namespace (dev) in EKS Cluster and in addition, also asking for read-only access
to EKS Cluster

Terraform-on-AWS-EKS-v5 adshdhddhowahaaaaaaaaaaa.pptx

Terraform-on-AWS-EKS-v5 adshdhddhowahaaaaaaaaaaa.pptx

Recommended

Recommended

More Related Content

Similar to Terraform-on-AWS-EKS-v5 adshdhddhowahaaaaaaaaaaa.pptx

Similar to Terraform-on-AWS-EKS-v5 adshdhddhowahaaaaaaaaaaa.pptx (20)

Recently uploaded

Recently uploaded (20)

Terraform-on-AWS-EKS-v5 adshdhddhowahaaaaaaaaaaa.pptx