Production-ready AWS infrastructure for Cloud Solutions Inc., deployed using Terraform and Amazon EKS with a modern two-pipeline architecture.
- ARCHITECTURE - Infrastructure components and design decisions
- ARGOCD - ArgoCD deployment and access guide
- AWS LOAD BALANCER CONTROLLER - ALB/NLB controller documentation
- BOOTSTRAP - Remote state backend setup
- CICD - CI/CD pipeline documentation
- DISCLAIMER - Important notes about the use of AI tools and development process
- EKS - EKS deployment, configuration, and operations
- EXAMPLES - Sample application deployment examples
- KUBERNETES - Kubernetes infrastructure deployment
- TERRAFORM - Terraform module and variable reference
- Two-Pipeline Architecture: Separate infrastructure and Kubernetes resource deployments
- Multi-environment: Separate configurations for development, staging, and production
- EKS Cluster: Managed Kubernetes 1.34 with auto-scaling node groups
- Multi-AZ: High availability across 3 availability zones
- End-to-End Encryption: KMS-encrypted secrets and EBS volumes, TLS in transit
- Network Isolation: Private subnets for workloads, VPC Flow Logs
- Storage: EFS for shared storage, EBS CSI driver
- Monitoring: CloudWatch logs, metrics dashboard, SNS alerts
- CI/CD: Automated GitHub Actions workflows with two-stage deployment
- GitOps: ArgoCD for declarative application deployment
- IRSA: IAM Roles for Service Accounts with OIDC provider
- Custom Helm Charts: Professional wrapper charts for better maintainability
This project uses a two-pipeline, two-state architecture for better separation of concerns:
flowchart TB
subgraph P1["Pipeline 1: terraform-deploy"]
direction TB
I1["Infrastructure Layer"]
I2["- VPC, EKS, IAM"]
I3["- KMS, EFS, ALB, CloudWatch"]
I4["State: {env}/infra/tfstate"]
I1 --> I2 --> I3 --> I4
end
subgraph P2["Pipeline 2: kubernetes-deploy"]
direction TB
K1["Kubernetes Resources Layer"]
K2["- AWS Load Balancer Controller"]
K3["- ArgoCD"]
K4["State: {env}/kubernetes/tfstate"]
K1 --> K2 --> K3 --> K4
end
P1 -->|triggers on success| P2
Benefits:
- ✅ Separation of infrastructure and applications
- ✅ Independent deployments and rollbacks
- ✅ Reduced blast radius for changes
- ✅ Follows HashiCorp best practices
See ARCHITECTURE.md for detailed information.
git clone https://github.com/your-username/cloud-solutions-inc.git
cd cloud-solutions-inc./scripts/bootstrap-terraform-backend.shOr with custom settings:
export TF_STATE_BUCKET="my-terraform-state"
export AWS_REGION="eu-west-1"
./scripts/bootstrap-terraform-backend.shCreate environments/production/terraform.tfvars:
aws_region = "eu-west-1"
environment = "production"
project_name = "cloud-solutions"
vpc_cidr = "10.0.0.0/16"
availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
# EKS Configuration
kubernetes_version = "1.34"
node_instance_types = ["t3.medium"]
capacity_type = "ON_DEMAND"
node_disk_size = 20
# Scaling
desired_size = 2
min_size = 1
max_size = 4
# Optional: Email alerts
# alarm_email = "[email protected]"# Deploy infrastructure layer
terraform init -backend-config="environments/production/tfbackend.hcl"
terraform plan -var-file="environments/production/terraform.tfvars"
terraform apply -var-file="environments/production/terraform.tfvars"# Deploy Kubernetes resources
cd kubernetes
terraform init -backend-config="environments/production/tfbackend.hcl"
terraform plan -var-file="environments/production/terraform.tfvars"
terraform apply -var-file="environments/production/terraform.tfvars"Automated deployments via GitHub Actions on main branch push. The deployment happens in two stages:
- terraform-deploy: Deploys infrastructure (VPC, EKS, etc.)
- kubernetes-deploy: Deploys Kubernetes resources (triggered automatically on success)
Required secrets:
AWS_ROLE_ARN
Required variables:
AWS_REGIONTF_VERSION
See CICD.md for detailed information.
All data encrypted at rest (KMS for secrets/EBS) and in transit (TLS 1.2+). Key features:
- Customer-managed KMS keys with automatic rotation
- IMDSv2 enforced on all EC2 instances
- Network isolation with security groups
- VPC Flow Logs for auditing
- IRSA for pod-level IAM permissions
- Separate IAM roles for infrastructure and Kubernetes resources
View encryption keys:
terraform output eks_kms_key_id
terraform output ebs_kms_key_idSee ARCHITECTURE.md for comprehensive security documentation.
This project is organized into two main layers:
- kms: Encryption key management
- vpc: Network infrastructure
- eks: EKS cluster and node groups
- alb: Security groups for load balancers
- efs: Shared file system
- cloudwatch: Monitoring and logging
- Custom Charts: Helm chart wrappers for better maintainability
- IAM Roles: IRSA roles for Kubernetes service accounts
- ArgoCD: GitOps deployment from shared module
See TERRAFORM.md for detailed module documentation.
# Cluster information
terraform output eks_cluster_name
terraform output eks_cluster_endpoint
terraform output configure_kubectl
# Security
terraform output eks_kms_key_id
terraform output ebs_kms_key_id
# OIDC for IRSA
terraform output eks_oidc_provider
terraform output eks_oidc_provider_arn
# Sensitive outputs
terraform output -raw eks_cluster_arncd kubernetes
# ArgoCD information
terraform output argocd_namespace
terraform output argocd_server_url
# Load Balancer Controller
terraform output aws_load_balancer_controller_role_arnImportant: Delete resources in reverse order to avoid orphaned AWS resources.
# 1. Delete all Kubernetes-created AWS resources (while controllers are still running)
kubectl delete ingress --all --all-namespaces
kubectl delete svc --all --all-namespaces
kubectl delete pvc --all --all-namespaces
# 2. Delete Kubernetes resources (removes controllers and ArgoCD)
cd kubernetes
terraform destroy
# 3. Delete infrastructure (removes EKS cluster and VPC)
cd ..
terraform destroyThis project is licensed under the MIT License.
Built with ❤️ for Cloud Solutions Inc.