AWS Amazon EKS Cluster
This page shows how to write Terraform and CloudFormation for Amazon EKS Cluster and write them securely.
aws_eks_cluster (Terraform)
The Cluster in Amazon EKS can be configured in Terraform with the resource name aws_eks_cluster. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_eks_cluster" "allowed" {
  # Placeholder values from the source example; the real schema expects a
  # provider { key_arn = "..." } block and resources = ["secrets"].
  encryption_config {
    provider  = "x"
    resources = ["y"]
  }
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
}

resource "aws_eks_cluster" "denied" {
  # endpoint_public_access is not set, so the provider default (public) applies.
  vpc_config {
  }
}

resource "aws_eks_cluster" "denied_2" {
  # No vpc_config block at all.
}

resource "aws_eks_cluster" "allowed" {
  vpc_config {
    endpoint_public_access = false
  }
}

resource "aws_eks_cluster" "enabled" {
  name     = "eks"
  role_arn = var.role_arn
  vpc_config {
    subnet_ids = var.subnet_ids
  }
}

resource "aws_eks_cluster" "example" {
  name     = "example"
  role_arn = aws_iam_role.example.arn
  vpc_config {
    subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id]
  }
}
Security Best Practices for aws_eks_cluster
There are 4 settings in aws_eks_cluster that should be taken care of for security reasons. The following sections give an overview and example code for each.
Ensure public access for AWS EKS cluster endpoint is disabled
It is better to disable public access to the AWS EKS cluster API endpoint. To reduce the exposure of the Kubernetes API server, disable public access and connect to the cluster through the VPC via the private endpoint.
Ensure a CIDR range for AWS EKS cluster endpoint access is restricted enough
It is better to restrict the CIDR range that may reach the AWS EKS cluster endpoint. If the public endpoint stays enabled, limit public_access_cidrs to known source ranges instead of allowing the whole internet.
Ensure to enable control plane logging of your EKS cluster
It is better to enable EKS control plane logging (enabled_cluster_log_types). It delivers the API server, audit, authenticator, controller manager and scheduler logs of your clusters so that anomalous activity can be detected.
Ensure to enable envelope encryption of EKS secrets
It is better to enable envelope encryption of EKS secrets (encryption_config). Kubernetes secrets stored in etcd are then encrypted with a KMS key you control, which works as an additional layer of encryption.
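As an added example that is not part of the original page, the four checks above expressed as a small Python script that reads aws_eks_cluster resources from `terraform show -json` output and reports which settings are missing. The plan fragment, cluster names and KMS key ARN are constructed for the example; the `min_prefix_len` threshold of the CIDR rule is an assumption, since the page does not define "restricted enough" (by default only 0.0.0.0/0 and ::/0 are flagged).

```python
"""Check aws_eks_cluster resources from `terraform show -json` output
against the four hardening settings discussed on this page."""
import ipaddress

REQUIRED_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}

# Constructed samples, shaped like the "values" block that
# `terraform show -json` emits for an aws_eks_cluster resource.
WEAK_CLUSTER = {
    "name": "denied",
    "enabled_cluster_log_types": [],
    "encryption_config": [],
    "vpc_config": [{
        "endpoint_private_access": False,
        "endpoint_public_access": True,
        "public_access_cidrs": ["0.0.0.0/0"],
    }],
}

HARDENED_CLUSTER = {
    "name": "allowed",
    "enabled_cluster_log_types": sorted(REQUIRED_LOG_TYPES),
    "encryption_config": [{
        # Placeholder ARN, not a real key.
        "provider": [{"key_arn": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}],
        "resources": ["secrets"],
    }],
    "vpc_config": [{
        "endpoint_private_access": True,
        "endpoint_public_access": False,
        "public_access_cidrs": [],
    }],
}


def _vpc_config(values):
    # vpc_config is emitted as a list holding at most one object.
    blocks = values.get("vpc_config") or []
    return blocks[0] if blocks else {}


def check_public_endpoint(values):
    # The provider defaults endpoint_public_access to true, so a missing key counts as public.
    if _vpc_config(values).get("endpoint_public_access", True):
        return ["endpoint_public_access is true; set it to false and use endpoint_private_access"]
    return []


def check_public_cidrs(values, min_prefix_len=0):
    vpc = _vpc_config(values)
    if not vpc.get("endpoint_public_access", True):
        return []  # the allow-list only matters while the public endpoint exists
    cidrs = vpc.get("public_access_cidrs") or ["0.0.0.0/0"]  # provider default when unset
    findings = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen <= min_prefix_len:
            findings.append(f"public_access_cidrs allows {cidr}; narrow it to known source ranges")
    return findings


def check_control_plane_logging(values):
    enabled = set(values.get("enabled_cluster_log_types") or [])
    missing = sorted(REQUIRED_LOG_TYPES - enabled)
    return [f"control plane logging is not enabled for: {', '.join(missing)}"] if missing else []


def check_secrets_encryption(values):
    for block in values.get("encryption_config") or []:
        providers = block.get("provider") or []
        key_arn = providers[0].get("key_arn") if providers else None
        if key_arn and "secrets" in (block.get("resources") or []):
            return []
    return ['encryption_config with a KMS key_arn covering "secrets" is not set']


def check_cluster(values, min_prefix_len=0):
    """Return the list of findings for one aws_eks_cluster values block."""
    return (check_public_endpoint(values)
            + check_public_cidrs(values, min_prefix_len)
            + check_control_plane_logging(values)
            + check_secrets_encryption(values))


def scan_plan(plan, min_prefix_len=0):
    """Walk planned_values of `terraform show -json` output; return {address: findings}."""
    results = {}

    def walk(module):
        for res in module.get("resources", []):
            if res.get("type") == "aws_eks_cluster":
                results[res["address"]] = check_cluster(res.get("values", {}), min_prefix_len)
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return results


# Constructed plan document containing both sample clusters.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_eks_cluster.denied", "type": "aws_eks_cluster", "values": WEAK_CLUSTER},
    {"address": "aws_eks_cluster.allowed", "type": "aws_eks_cluster", "values": HARDENED_CLUSTER},
]}}}

if __name__ == "__main__":
    for address, findings in scan_plan(SAMPLE_PLAN).items():
        print(address, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against real output with `terraform show -json plan.out` piped into `json.load` and passed to `scan_plan`; the `denied` sample produces one finding per rule, the `allowed` sample none.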
Parameters
arn: optional, computed - string
certificate_authority: optional, computed - list of object
  data: string
created_at: optional, computed - string
enabled_cluster_log_types: optional - set of string
endpoint: optional, computed - string
id: optional, computed - string
identity: optional, computed - list of object
name: required - string
platform_version: optional, computed - string
role_arn: required - string
status: optional, computed - string
tags: optional - map from string to string
version: optional, computed - string
encryption_config: list block
kubernetes_network_config: list block
  service_ipv4_cidr: optional, computed - string
timeouts: single block
vpc_config: list block
  cluster_security_group_id: optional, computed - string
  endpoint_private_access: optional - bool
  endpoint_public_access: optional - bool
  public_access_cidrs: optional, computed - set of string
  security_group_ids: optional - set of string
  subnet_ids: required - set of string
  vpc_id: optional, computed - string
Explanation in Terraform Registry
Manages an EKS Cluster. Hands-on: for an example of aws_eks_cluster in use, follow the Provision an EKS Cluster tutorial on HashiCorp Learn.
AWS::EKS::Cluster (CloudFormation)
The Cluster in EKS can be configured in CloudFormation with the resource name AWS::EKS::Cluster. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: 'AWS::EKS::Cluster'
Properties:
  Name: prod
  Version: '1.14'
  RoleArn: >-
    arn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-EXAMPLEBQ4PI

Type: 'AWS::EKS::Cluster'
Properties:
  Name: capstone
  Version: '1.17'
  RoleArn: >-
    arn:aws:iam::482702493340:role/capstone-eksClusterRole-1R1BL5XNESDCS

      "resourceType": "AWS::EKS::Cluster",
      "resourceId": "kapil-dev",
      "resourceName": "kapil-dev"
    }
  ],
  "ResponseMetadata": {}

"Type": "AWS::EKS::Cluster",
"Properties": {
  "Name": "prod",
  "Version": "1.9",
  "RoleArn": "arn:aws:iam::349006084872:role/EKS",
  "ResourcesVpcConfig": {

"Type": "AWS::EKS::Cluster",
"Properties": {
  "Name": {
    "Ref": "ClusterName"
  },
  "Version": {

"Type": "AWS::EKS::Cluster",
"Properties": {
  "Name": {"Ref": "ClusterName"},
  "Version": "1.11",
  "RoleArn": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/${ServiceRole}"},
Parameters
Version: optional - String
EncryptionConfig: optional - List of EncryptionConfig
RoleArn: required - String
ResourcesVpcConfig: required - ResourcesVpcConfig
KubernetesNetworkConfig: optional - KubernetesNetworkConfig
Name: optional - String
Explanation in CloudFormation Registry
Creates an Amazon EKS control plane. The Amazon EKS control plane consists of control plane instances that run the Kubernetes software, such as etcd and the API server. The control plane runs in an account managed by AWS, and the Kubernetes API is exposed via the Amazon EKS API server endpoint. Each Amazon EKS cluster control plane is single-tenant and unique and runs on its own set of Amazon EC2 instances. The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC subnets to provide connectivity from the control plane instances to the nodes (for example, to support kubectl exec, logs, and proxy data flows). Amazon EKS nodes run in your AWS account and connect to your cluster's control plane via the Kubernetes API server endpoint and a certificate file that is created for your cluster.
Cluster creation typically takes several minutes. After you create an Amazon EKS cluster, you must configure your Kubernetes tooling to communicate with the API server and launch nodes into your cluster. For more information, see Managing Cluster Authentication and Launching Amazon EKS nodes in the Amazon EKS User Guide.
Frequently asked questions
What is AWS Amazon EKS Cluster?
AWS Amazon EKS Cluster is a resource for Amazon EKS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EKS Cluster?
For Terraform, the snyk-labs/infrastructure-as-code-goof source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the bridgecrewio/checkov and melscoop-test/check source code examples are useful. See the CloudFormation Example section for further details.