Terraform Module for EKS with built-in Flux GitOps


module "example_cluster" {
  source = "git::https://Efrat19/terraform-eks-with-gitops.git"

  account             = "12345678"
  region              = "us-east-1"
  vpc_id              = "vpc-12345678"
  igw_id              = "igw-12345678"
  vpc_private_subnets = ["x.x.x.x/x", "x.x.x.x/x", "x.x.x.x/x"]
  vpc_public_subnets  = ["x.x.x.x/x"]
  nat_gateways        = ["nat-123456", "nat-654321", "nat-112233"] # one NAT gateway per AZ, to avoid cross-AZ traffic costs
  cluster_name        = "example"
  cluster_version     = "1.21"
  vpc_cidr            = "x.x.x.x/x"
  auth_users          = ["terraform-iam-user", "my-iam-user"] # IAM users granted access to the cluster

  managed_node_groups = [
    {
      name                          = "example_spot_managed_node_group_v1"
      capacity_type                 = "SPOT"
      desired_capacity              = 2
      instance_types                = ["t3.2xlarge", "m5.xlarge", "m5.large", "c5.xlarge", "t2.xlarge"]
      max_capacity                  = 4
      min_capacity                  = 2
      additional_security_group_ids = []
      k8s_labels = {
        spot = "true"
        env  = "example"
      }
    },
    {
      name                          = "example_ondemand_managed_node_group_v1"
      capacity_type                 = "ON_DEMAND"
      desired_capacity              = 0
      instance_types                = ["t3.2xlarge", "m5.xlarge", "m5.large", "c5.xlarge", "t2.xlarge"]
      max_capacity                  = 2
      min_capacity                  = 0
      additional_security_group_ids = []
      k8s_labels = {
        spot = "false"
        env  = "example"
      }
    }
  ]

  # Flux GitOps: the main source repository the cluster syncs from
  flux_github_url        = "ssh://git@github.com/me/my_repo.git"
  flux_target_path       = "example_cluster_source"
  flux_repo              = "my_repo"
  flux_branch            = "main"
  flux_auto_image_update = true

  # Additional Flux sources (read_only = true means Flux only pulls from them)
  extra_flux_sources = [
    {
      source_name     = "another-source"
      github_owner    = "another-owner"
      repository_name = "another_repo"
      branch          = "main"
      target_path     = "charts"
      read_only       = true
    }
  ]

  tags = {
    Env = "example"
  }

  # IAM Roles for Service Accounts: each role is assumable only by the named service account
  irsa_roles = [
    {
      role_name          = "k8s-secretmanager-example-cluster"
      service_account    = "system:serviceaccount:management:kubernetes-external-secrets"
      policies_to_assign = [
        # IAM policy ARNs to attach to the role (list truncated in the original)
      ]
    }
  ]
}
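As an added illustration, not the module's own source, this is the trust policy an IRSA role such as the `k8s-secretmanager-example-cluster` entry above needs in order to be assumable only by the `management:kubernetes-external-secrets` service account. It assumes the `cluster_oidc_issuer_url` and `oidc_provider_arn` outputs listed under the base module documentation, and the resource names `irsa_trust` / `irsa_example` are placeholders chosen here.

```hcl
# Added example (not part of the module): IRSA trust policy scoped to one
# Kubernetes service account. Assumes module "example_cluster" exposes the
# cluster_oidc_issuer_url and oidc_provider_arn outputs shown in this README.

locals {
  # IAM condition keys use the bare issuer host/path, without the scheme.
  oidc_issuer = replace(module.example_cluster.cluster_oidc_issuer_url, "https://", "")
}

data "aws_iam_policy_document" "irsa_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.example_cluster.oidc_provider_arn]
    }

    # Exact match on namespace:serviceaccount. A StringLike with a wildcard
    # here would let other service accounts in the cluster assume the role.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      values   = ["system:serviceaccount:management:kubernetes-external-secrets"]
    }

    # Pin the token audience so tokens issued for other consumers are rejected.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "irsa_example" {
  name               = "k8s-secretmanager-example-cluster"
  assume_role_policy = data.aws_iam_policy_document.irsa_trust.json
}
```

When reviewing a plan, check that every IRSA role's `sub` condition names exactly one `system:serviceaccount:<namespace>:<name>` value and uses `StringEquals`; the service account string in the module's `irsa_roles` input is what ends up in that condition, so a typo there either locks the workload out or, with a wildcard, widens who can assume the role.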

Base Modules Documentation


Requirements

Name Version
terraform >= 0.13.1
aws >= 3.40.0
http >= 2.4.1
kubernetes >= 1.11.1
local >= 1.4
flux ~> 0.2
github ~> 4.5
kubectl ~> 1.0


Providers

Name Version
aws >= 3.40.0
http >= 2.4.1
local >= 1.4
flux ~> 0.2
github ~> 4.5
helm ~> 2.0
kubectl ~> 1.0
kubernetes ~> 2.0
tls n/a


Modules

No modules.


Resources

Name Type
aws_iam_role.irsa_role Resource
aws_route_table.cluster_private_rtb Resource
aws_route_table.cluster_public_rtb_dynamic Resource
aws_route_table_association.cluster_private Resource
aws_route_table_association.cluster_public Resource
aws_security_group.workers_sg Resource
aws_subnet.cluster_private Resource
aws_subnet.cluster_public Resource
github_repository_deploy_key.main Resource
github_repository_file.ecr-sync Resource
github_repository_file.sync Resource
kubectl_manifest.ecr-sync Resource
kubectl_manifest.sync Resource
kubernetes_secret.main Resource
tls_private_key.main Resource
module.addons_flux.github_repository_deploy_key.main Resource
module.addons_flux.github_repository_file.install Resource
module.addons_flux.github_repository_file.kustomize Resource
module.addons_flux.github_repository_file.sync Resource
module.addons_flux.kubectl_manifest.apply Resource
module.addons_flux.kubectl_manifest.sync Resource
module.addons_flux.kubernetes_namespace.flux2 Resource
module.addons_flux.kubernetes_network_policy.flux2_allow_monitoring Resource
module.addons_flux.kubernetes_network_policy.flux2_allow_namespace Resource
module.addons_flux.kubernetes_priority_class.kubernetes_addons Resource
module.addons_flux.kubernetes_priority_class.kubernetes_addons_ds Resource
module.addons_flux.kubernetes_secret.main Resource
module.addons_flux.tls_private_key.identity Resource
module.eks.aws_eks_cluster.this Resource
module.eks.aws_iam_openid_connect_provider.oidc_provider Resource
module.eks.aws_iam_policy.cluster_elb_sl_role_creation Resource
module.eks.aws_iam_role.cluster Resource
module.eks.aws_iam_role.workers Resource
module.eks.aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy Resource
module.eks.aws_iam_role_policy_attachment.cluster_AmazonEKSServicePolicy Resource
module.eks.aws_iam_role_policy_attachment.cluster_AmazonEKSVPCResourceControllerPolicy Resource
module.eks.aws_iam_role_policy_attachment.cluster_elb_sl_role_creation Resource
module.eks.aws_iam_role_policy_attachment.workers_AmazonEC2ContainerRegistryReadOnly Resource
module.eks.aws_iam_role_policy_attachment.workers_AmazonEKSWorkerNodePolicy Resource
module.eks.aws_iam_role_policy_attachment.workers_AmazonEKS_CNI_Policy Resource
module.eks.aws_security_group.cluster Resource
module.eks.aws_security_group.workers Resource
module.eks.aws_security_group_rule.cluster_egress_internet Resource
module.eks.aws_security_group_rule.cluster_https_worker_ingress Resource
module.eks.aws_security_group_rule.workers_egress_internet Resource
module.eks.aws_security_group_rule.workers_ingress_cluster Resource
module.eks.aws_security_group_rule.workers_ingress_cluster_https Resource
module.eks.aws_security_group_rule.workers_ingress_self Resource
module.eks.kubernetes_config_map.aws_auth Resource
module.eks.local_file.kubeconfig Resource
module.eks.module.node_groups.aws_eks_node_group.workers Resource
module.eks.module.node_groups.aws_launch_template.workers Resource
data.aws_availability_zones.available Data Source
data.aws_eks_cluster.cluster Data Source
data.aws_eks_cluster_auth.cluster Data Source
data.aws_nat_gateway.cluster_networking Data Source
data.aws_subnet.cluster_networking Data Source
data.flux_sync.main Data Source
data.github_repository.main Data Source
data.kubectl_file_documents.sync Data Source



Outputs

Name Description
cloudwatch_log_group_arn Arn of cloudwatch log group created
cloudwatch_log_group_name Name of cloudwatch log group created
cluster_arn The Amazon Resource Name (ARN) of the cluster.
cluster_certificate_authority_data Nested attribute containing certificate-authority-data for your cluster. This is the base64 encoded certificate data required to communicate with your cluster.
cluster_endpoint The endpoint for your EKS Kubernetes API.
cluster_iam_role_arn IAM role ARN of the EKS cluster.
cluster_iam_role_name IAM role name of the EKS cluster.
cluster_id The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready.
cluster_oidc_issuer_url The URL on the EKS cluster OIDC Issuer
cluster_primary_security_group_id The cluster primary security group ID created by the EKS cluster on 1.14 or later. Referred to as 'Cluster security group' in the EKS console.
cluster_security_group_id Security group ID attached to the EKS cluster. On 1.14 or later, this is the 'Additional security groups' in the EKS console.
cluster_version The Kubernetes server version for the EKS cluster.
config_map_aws_auth A kubernetes configuration to authenticate to this EKS cluster.
fargate_iam_role_arn IAM role ARN for EKS Fargate pods
fargate_iam_role_name IAM role name for EKS Fargate pods
fargate_profile_arns Amazon Resource Name (ARN) of the EKS Fargate Profiles.
fargate_profile_ids EKS Cluster name and EKS Fargate Profile names separated by a colon (:).
kubeconfig kubectl config file contents for this EKS cluster. Will block on cluster creation until the cluster is really ready.
kubeconfig_filename The filename of the generated kubectl config. Will block on cluster creation until the cluster is really ready.
node_groups Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys
oidc_provider_arn The ARN of the OIDC Provider if enable_irsa = true.
security_group_rule_cluster_https_worker_ingress Security group rule responsible for allowing pods to communicate with the EKS cluster API.
worker_iam_instance_profile_arns default IAM instance profile ARN for EKS worker groups
worker_iam_instance_profile_names default IAM instance profile name for EKS worker groups
worker_iam_role_arn default IAM role ARN for EKS worker groups
worker_iam_role_name default IAM role name for EKS worker groups
worker_security_group_id Security group ID attached to the EKS workers.
workers_asg_arns IDs of the autoscaling groups containing workers.
workers_asg_names Names of the autoscaling groups containing workers.
workers_default_ami_id ID of the default worker group AMI
workers_default_ami_id_windows ID of the default Windows worker group AMI
workers_launch_template_arns ARNs of the worker launch templates.
workers_launch_template_ids IDs of the worker launch templates.
workers_launch_template_latest_versions Latest versions of the worker launch templates.
workers_user_data User data of worker groups
private_subnets_ids IDs of the created private subnets
public_subnets_ids IDs of the created public subnets
cluster_private_rtb_ids IDs of the created private route tables
cluster_public_rtb_id ID of the created public route table
irsa_roles ARNs of the created IRSA roles
