Create an Amazon VPC for EKS

Provisioning Virtual Private Cloud for EKS using Terraform

This article covers how to create an Amazon VPC (Virtual Private Cloud) using Terraform for the purposes of provisioning EKS (Elastic Kubernetes Service).

This will be particularly useful for those that use eksctl tool (see below for context). This will be a three part series with the following planned articles:

  1. Provisioning AWS VPC for EKS using Terraform
  2. Provisioning EKS with Existing VPC using eksctl
  3. Provisioning EKS with Existing VPC using Terraform

The eksctl tool is great because you can setup a complete production ready Amazon EKS cluster with a single command and a small eksctl config file to describe your cluster. The automation also can add canned policies, like access to ECR (Elastic Container Registry), Route53, ALB (Application Load Balancer), or custom policies for pods running on the cluster.

This automation is on top of automation that creates a VPC, private and public subnets, routing tables, gateways, and security groups need by EKS to function properly.

This automation is great, but comes with some drawbacks. What if you wanted to automate the VPC and EKS separately?

There can be many reasons for this, such having two EKS clusters, or perhaps integrating with other applications running outside of EKS on their own EC2 (Elastic Compute Cloud), or maybe a jump box or bastion host running on one of the public subnets.

You can add these things, but this will add frustration later when you try to delete either the VPC or EKS, as they are tethered together, and you won’t be and the deletion may fail, because of a security group or something else uses a component on the VPC created by eksctl.

For the greatest flexibility and re-use, the ideal scenario is to create these separately, and then use eksctl on the existing infrastructure. How do we do this?

The Tools Involved

You will need to get these tools:

  • Terraform: tool that does the cloud provisioning
  • AWS CLI: tool that allows access to automate AWS cloud services.

Part 1: The VPC Module

We’re going to create module that has the parameters we want, which then ultimately passes this Terraform AWS VPC module.

Create some place to put out code:

mkdir -p ~/my_vpc_project
export PROJECT=~/my_vpc_project

Using bash we create the files we’ll use for this exercise with:

mkdir -p $PROJECT/vpc
touch $PROJECT/vpc/{locals,main,variables,versions}.tf

This code will require Terraform 0.12 and above, and we should use a recent version of AWS provider.

vpc/versions.tf

We’ll set some default variables that’ll use for this the VPC. We’ll specify an optional eks_cluster_name used for tagging the subnets for a future EKS.

vpc/variables.tf

We can set a local variable to default to name if eks_cluster_name is blank.

vpc/locals.tf

We pass all these variables and locals to external public domain vpc module that is published on Terraform registry.

vpc/main.tf

Part 2: Using the VPC Module

So now we have a usable module, let’s use it.

First create files required for the exercise:

touch $PROJECT/{main,provider}.tf $PROJECT/terraform.tfvars

At this level, we want to specify all the providers that we will use, which in this case is just AWS. We have to tell the provider what region we’ll use.

We’ll only use two variables, name and region, which the operator should specify at time of provisioning these resources. We could supply an eks_cluster_name, but instead will rely on the default behavior.

For variables that outside of this code, we can set them in terraform.tfvars file, which we can create with bash.

cat <<-EOF > terraform.tfvars
region = "us-east-2"
name = "acme-test-cluster"
EOF

Part 3: Create It

To run this, you can do the following:

cd $PROJECT# download providers and modules
terraform init
# apply the infrastructure
terraform apply

Part 4: Destroy It

If you no longer need this infrastructure, you can delete it:

cd $PROJECT
terraform destroy

Resources

Next Article

Conclusion

This is a good introduction to AWS and Terraform modules, as well as useful in decoupling creating VPC infrastructure from EKS, or useful is creating a infrastructure with private and public subnets.

In some followup articles, I will cover how to create EKS using the existing VPC infrastructure created here.