# 🚒 Module Terraform β€” EKS cluster (Kubernetes AWS) **Format** : Terraform (.tf) Β· EKS 1.29 Β· production-ready **Auteur** : Γ‰quipe pΓ©dagogique ITAG Β· DevOps Pack **Mise Γ  jour** : 2026 --- ## 🎯 Description Module Terraform pour provisionner un cluster EKS managΓ© AWS, prΓͺt pour la production. Inclut : node groups managed, IRSA (IAM Roles for Service Accounts), autoscaling, addons (CoreDNS, kube-proxy, EBS CSI driver, VPC CNI). ## πŸ“‹ Ressources créées ### Cluster - `aws_eks_cluster` (version 1.29, encryption KMS, audit logs CloudWatch) - `aws_iam_role` cluster + node - `aws_security_group` (cluster + node + worker) - `aws_kms_key` pour encryption secrets ### Node groups - 1 Γ— node group `system` (t3.medium, taints CriticalAddonsOnly) - 1 Γ— node group `general` (m5.large, autoscaling 2-10) - Optionnel : node group `gpu` (g4dn.xlarge, taints nvidia.com/gpu) ### IRSA - OIDC provider configurΓ© - Roles prΓ©-créés pour : cluster-autoscaler, AWS Load Balancer Controller, External DNS, EBS CSI ### Addons - CoreDNS (managed) - kube-proxy (managed) - VPC CNI (managed) - EBS CSI Driver (managed avec IRSA) ### Observability - CloudWatch Container Insights - Prometheus operator (via Helm provider, optionnel) ## πŸ’Ύ Code Terraform complet ### main.tf ```hcl terraform { required_version = ">= 1.6" required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" } } } provider "aws" { region = "eu-west-1" } # ── IAM ROLE β€” EKS CLUSTER ──────────────────────────────────────────────────── resource "aws_iam_role" "eks_cluster_role" { name = "${var.cluster_name}-cluster-role" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [{ Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "eks.amazonaws.com" } }] }) tags = { Environment = var.environment ManagedBy = "Terraform" } } resource "aws_iam_role_policy_attachment" "eks_cluster_policy" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" role = aws_iam_role.eks_cluster_role.name } # ── EKS CLUSTER ─────────────────────────────────────────────────────────────── resource "aws_eks_cluster" "main" { name = var.cluster_name version = var.k8s_version role_arn = aws_iam_role.eks_cluster_role.arn vpc_config { subnet_ids = var.subnet_ids endpoint_private_access = true endpoint_public_access = true } enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"] tags = { Name = var.cluster_name Environment = var.environment ManagedBy = "Terraform" } depends_on = [ aws_iam_role_policy_attachment.eks_cluster_policy ] } # ── IAM ROLE β€” NODE GROUP ───────────────────────────────────────────────────── resource "aws_iam_role" "node_group_role" { name = "${var.cluster_name}-node-group-role" assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [{ Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "ec2.amazonaws.com" } }] }) tags = { Environment = var.environment ManagedBy = "Terraform" } } resource "aws_iam_role_policy_attachment" "node_worker_policy" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" role = aws_iam_role.node_group_role.name } resource "aws_iam_role_policy_attachment" "node_cni_policy" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" role = aws_iam_role.node_group_role.name } resource "aws_iam_role_policy_attachment" "node_ecr_policy" { policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" role = aws_iam_role.node_group_role.name } # ── EKS NODE GROUP ──────────────────────────────────────────────────────────── resource "aws_eks_node_group" "general" { cluster_name = aws_eks_cluster.main.name node_group_name = "${var.cluster_name}-general" node_role_arn = aws_iam_role.node_group_role.arn subnet_ids = var.subnet_ids instance_types = var.instance_types disk_size = 50 scaling_config { min_size = var.min_size max_size = var.max_size desired_size = 3 } update_config { max_unavailable = 1 } labels = { environment = var.environment node-group = "general" } tags = { Name = "${var.cluster_name}-general-node" Environment = var.environment ManagedBy = "Terraform" } depends_on = [ aws_iam_role_policy_attachment.node_worker_policy, aws_iam_role_policy_attachment.node_cni_policy, aws_iam_role_policy_attachment.node_ecr_policy, ] } # ── EKS ADDONS ──────────────────────────────────────────────────────────────── resource "aws_eks_addon" "coredns" { cluster_name = aws_eks_cluster.main.name addon_name = "coredns" depends_on = [aws_eks_node_group.general] } resource "aws_eks_addon" "kube_proxy" { cluster_name = aws_eks_cluster.main.name addon_name = "kube-proxy" } resource "aws_eks_addon" "vpc_cni" { cluster_name = aws_eks_cluster.main.name addon_name = "vpc-cni" } ``` ### variables.tf ```hcl variable "cluster_name" { description = "Name of the EKS cluster" type = string default = "my-eks-cluster" } variable "k8s_version" { description = "Kubernetes version to use for the EKS cluster" type = string default = "1.29" } variable "environment" { description = "Deployment environment (dev / staging / prod)" type = string default = "dev" validation { condition = contains(["dev", "staging", "prod"], var.environment) error_message = "environment must be one of: dev, staging, prod." } } variable "subnet_ids" { description = "List of subnet IDs for the EKS cluster and node groups" type = list(string) } variable "instance_types" { description = "EC2 instance types for the node group" type = list(string) default = ["t3.medium"] } variable "min_size" { description = "Minimum number of nodes in the node group" type = number default = 2 } variable "max_size" { description = "Maximum number of nodes in the node group" type = number default = 5 } ``` ### outputs.tf ```hcl output "cluster_endpoint" { description = "Endpoint URL of the EKS cluster API server" value = aws_eks_cluster.main.endpoint } output "cluster_name" { description = "Name of the EKS cluster" value = aws_eks_cluster.main.name } output "cluster_ca_certificate" { description = "Base64-encoded CA certificate for the cluster" value = aws_eks_cluster.main.certificate_authority[0].data sensitive = true } output "kubeconfig_command" { description = "AWS CLI command to update local kubeconfig" value = "aws eks update-kubeconfig --region eu-west-1 --name ${aws_eks_cluster.main.name}" } output "node_group_role_arn" { description = "ARN of the IAM role used by the node group" value = aws_iam_role.node_group_role.arn } ``` ## πŸ’Ό Cas d'usage - Plateforme microservices Γ  scale - PrΓ©paration CKAD / CKA - Migration on-prem vers cloud Kubernetes - Blueprint AWS Well-Architected ## πŸ“₯ TΓ©lΓ©charger ce template [TΓ©lΓ©charger le fichier .md](/templates/view.php?file=terraform-eks-cluster&dl=1) Β· [← Catalogue Terraform](/templates.php?cat=terraform) Β· [Parcours DevOps β†’](/parcours/tech-devops.php) --- *ITAG Β· Non-affiliΓ©s HashiCorp / AWS / CNCF.*