Terraform Modular EKS + Istio โ Part 3
EKS Cluster Module (What Actually Creates Kubernetes) After setting up VPC and IAM, the next step is creating the actual Kubernetes control plane using Amazon EKS. This module is responsible for: Creating the EKS cluster Configuring networking Enabling authentication Setting up OIDC (required for IR
POTHURAJU JAYAKRISHNA YADAV
EKS Cluster Module (What Actually Creates Kubernetes)
After setting up VPC and IAM, the next step is creating the actual Kubernetes control plane using Amazon EKS.
This module is responsible for:
- Creating the EKS cluster
- Configuring networking
- Enabling authentication
- Setting up OIDC (required for IRSA)
๐ Module Files
modules/eks-cluster/
โโโ main.tf
โโโ variables.tf
โโโ outputs.tf
๐ variables.tf
variable "cluster_name" {
description = "Name of the EKS cluster"
type = string
}
variable "cluster_version" {
description = "Kubernetes version"
type = string
default = "1.29"
}
variable "cluster_role_arn" {
description = "ARN of the EKS cluster IAM role"
type = string
}
variable "private_subnet_ids" {
description = "List of private subnet IDs"
type = list(string)
}
variable "public_subnet_ids" {
description = "List of public subnet IDs"
type = list(string)
}
๐ง What this module expects
This module doesnโt create everything itself. It depends on:
- VPC module โ for subnets
- IAM module โ for cluster role
Inputs tell it:
- what to name the cluster
- which version to run
- where to place it
๐ main.tf
This is where the actual EKS cluster is created.
1. EKS Cluster Resource
resource "aws_eks_cluster" "cluster" {
name = var.cluster_name
version = var.cluster_version
role_arn = var.cluster_role_arn
What this does
This creates the EKS control plane.
Important point:
๐ You are NOT creating master nodes
๐ AWS manages them for you
2. Networking Configuration
vpc_config {
subnet_ids = concat(var.private_subnet_ids, var.public_subnet_ids)
}
Why both private and public subnets?
- Private subnets โ worker nodes
- Public subnets โ load balancers
If you only pass private:
- ALB/NLB creation can fail later
If you only pass public:
- not secure
๐ Passing both is correct production setup.
3. Access Configuration (Very Important)
access_config {
authentication_mode = "API_AND_CONFIG_MAP"
bootstrap_cluster_creator_admin_permissions = true
}
What this solves
Newer EKS versions changed authentication behavior.
This block ensures:
- API-based authentication is enabled
- IAM + aws-auth both work
This line is critical
bootstrap_cluster_creator_admin_permissions = true
๐ Gives admin access to the creator
Without this:
- cluster gets created
- but you cannot access it
4. Dependency Handling
depends_on = [var.cluster_role_arn]
Why needed?
Even though role ARN is passed:
Terraform may not always detect dependency properly.
This ensures:
๐ IAM role exists before cluster creation
๐ฅ OIDC Setup (Core Concept)
This is the most important part of this module.
5. Fetch TLS Certificate
data "tls_certificate" "cluster" {
url = aws_eks_cluster.cluster.identity[0].oidc[0].issuer
}
What is happening?
- EKS creates an OIDC endpoint
- This block fetches its certificate
Used for:
๐ Trust verification in IAM
6. Create OIDC Provider
resource "aws_iam_openid_connect_provider" "cluster" {
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = [data.tls_certificate.cluster.certificates[0].sha1_fingerprint]
url = aws_eks_cluster.cluster.identity[0].oidc[0].issuer
What this actually does
This creates a bridge:
Kubernetes โ IAM
Why this is required
Without OIDC:
โ Pods cannot assume IAM roles
โ IRSA will not work
Thumbprint
thumbprint_list = [...]
๐ Ensures secure trust between AWS and OIDC provider
๐ outputs.tf
output "cluster_id" {
value = aws_eks_cluster.cluster.id
}
output "cluster_arn" {
value = aws_eks_cluster.cluster.arn
}
output "cluster_endpoint" {
value = aws_eks_cluster.cluster.endpoint
}
output "cluster_security_group_id" {
value = aws_eks_cluster.cluster.vpc_config[0].cluster_security_group_id
}
output "cluster_certificate_authority_data" {
value = aws_eks_cluster.cluster.certificate_authority[0].data
}
output "oidc_provider_arn" {
value = aws_iam_openid_connect_provider.cluster.arn
}
output "oidc_provider" {
value = replace(aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")
}
๐ง Why these outputs matter
These values are used by other modules:
- Kubernetes provider โ uses endpoint + certificate
- IAM module โ uses OIDC provider
- Node module โ uses cluster name
Example:
host = module.eks_cluster.cluster_endpoint
๐ฅ What You Actually Built
AWS Managed Control Plane
โ
โ
OIDC Provider (for IAM integration)
โ ๏ธ Real Issues People Face
- No OIDC โ IRSA breaks
- Wrong subnets โ cluster unstable
- Missing access_config โ login issues
- Wrong IAM role โ cluster creation fails
๐ง Key Takeaways
- EKS cluster = control plane only
- AWS manages master nodes
- OIDC is required for IAM integration
- Outputs connect modules together
๐ Next Step
Next module:
๐ Node Groups (actual compute layer)
๐ How EC2 instances join the cluster
๐ Scaling and updates
This module is where Kubernetes actually starts โ but without nodes, itโs still empty.
Found this useful? Share it!
Read the Full Story
Continue reading on Dev.to
Related Stories
Stop Copying Skills Between Claude Code, Cursor, and Codex
about 3 hours ago
Agentic Architectures โ Article 2: Advanced Coordination and Reasoning Patterns
about 3 hours ago
Agentic Architectures โ Article 1: The Agentic AI Maturity Model
about 3 hours ago
Reimagining Creativity: Inside IdeaForge
about 3 hours ago