AWS Amazon EKS Node Group
This page shows how to write Terraform and CloudFormation for Amazon EKS Node Group and write them securely.
aws_eks_node_group (Terraform)
The Node Group in Amazon EKS can be configured in Terraform with the resource name aws_eks_node_group. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_eks_node_group" "example" {
  cluster_name    = "test_aws_eks_node_group"
  node_group_name = "example"
  node_role_arn   = "node_role_arn"
  subnet_ids      = ["subnet_id"]
  # ... (excerpt truncated in the source)
}

resource "aws_eks_node_group" "Node1" {
  cluster_name    = aws_eks_cluster.eks_cluster.name
  node_group_name = "eks-node1"
  node_role_arn   = aws_iam_role.ec2_iam_role.arn
  subnet_ids      = ["subnet-45acc854", "subnet-4ba59e89", "subnet-cda915a1"]
  instance_types  = ["t2.micro"]
  # ... (excerpt truncated in the source)
}

resource "aws_eks_node_group" "k8s_ng-public" {
  cluster_name    = aws_eks_cluster.k8s-cluster.name
  node_group_name = "k8s-ng-devtest-public"
  node_role_arn   = aws_iam_role.eks_nodegroup_role.arn
  subnet_ids      = concat(aws_subnet.k8s_public_subnet.*.id)
  # ... (excerpt truncated in the source)
}
Parameters
- ami_type: optional, computed - string
- arn: optional, computed - string
- capacity_type: optional, computed - string
- cluster_name: required - string
- disk_size: optional, computed - number
- force_update_version: optional - bool
- id: optional, computed - string
- instance_types: optional, computed - list of string
- labels: optional - map from string to string
- node_group_name: required - string
- node_role_arn: required - string
- release_version: optional, computed - string
- resources: optional, computed - list of object
  - autoscaling_groups: list of object
    - name: string
  - remote_access_security_group_id: string
- status: optional, computed - string
- subnet_ids: required - set of string
- tags: optional - map from string to string
- version: optional, computed - string
- launch_template: list block
- remote_access: list block
  - ec2_ssh_key: optional - string
  - source_security_group_ids: optional - set of string
- scaling_config: list block
  - desired_size: required - number
  - max_size: required - number
  - min_size: required - number
- timeouts: single block
Explanation in Terraform Registry
Manages an EKS Node Group, which can provision and optionally update an Auto Scaling Group of Kubernetes worker nodes compatible with EKS. Additional documentation about this functionality can be found in the EKS User Guide.
Tips: Best Practices for The Other AWS Amazon EKS Resources
In addition to the aws_eks_cluster, AWS Amazon EKS has other resources that should be configured for security reasons. Check the following examples of those resources and their precautions.
aws_eks_cluster
Ensure public access for AWS EKS cluster endpoint is disabled
It is better to disable public access for the AWS EKS cluster endpoint. To reduce the security risks, disable public access and connect to the cluster through the VPC instead.
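The endpoint setting described above, shown as the weak configuration beside the hardened one, with a node group attached to the hardened cluster. This is an added example, not code from the original page or from the repositories it cites; the variables and all resource names are assumptions, and the two clusters appear in one file only for comparison.

```hcl
# Added example. Variables and resource names are assumed, not from the page.
variable "private_subnet_ids" { # assumed: subnets with no route to an internet gateway
  type = list(string)
}

variable "cluster_role_arn" { # assumed: IAM role ARN for the EKS control plane
  type = string
}

variable "node_role_arn" { # assumed: IAM role ARN for the worker nodes
  type = string
}

# Weak: vpc_config leaves the endpoint flags unset, so the provider defaults
# apply (endpoint_public_access = true, endpoint_private_access = false) and
# the Kubernetes API endpoint is reachable from the internet.
resource "aws_eks_cluster" "public_endpoint" {
  name     = "example-public"
  role_arn = var.cluster_role_arn

  vpc_config {
    subnet_ids = var.private_subnet_ids
  }
}

# Hardened: the API endpoint is reachable only from inside the VPC.
resource "aws_eks_cluster" "private_endpoint" {
  name     = "example-private"
  role_arn = var.cluster_role_arn

  vpc_config {
    subnet_ids              = var.private_subnet_ids
    endpoint_private_access = true
    endpoint_public_access  = false
  }
}

# Managed node group that joins the private-endpoint cluster from the same subnets.
resource "aws_eks_node_group" "private_nodes" {
  cluster_name    = aws_eks_cluster.private_endpoint.name
  node_group_name = "example-private-nodes"
  node_role_arn   = var.node_role_arn
  subnet_ids      = var.private_subnet_ids

  scaling_config {
    desired_size = 2
    max_size     = 3
    min_size     = 1
  }
}
```

With the public endpoint disabled, kubectl and CI runners need a network path into the VPC (VPN, Direct Connect, or a host inside the VPC) to reach the API server.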
AWS::EKS::Nodegroup (CloudFormation)
The Nodegroup in EKS can be configured in CloudFormation with the resource name AWS::EKS::Nodegroup. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: 'AWS::EKS::Nodegroup'
Properties:
  ClusterName: test
  NodeRole: 'arn:aws:iam::012345678910:role/eksInstanceRole'
  ScalingConfig:
    MinSize: 3

Type: "AWS::EKS::Nodegroup"
Properties:
  ClusterName: !Sub "${EnvironmentName}-cluster"
  NodeRole:
    Fn::ImportValue: !Sub "${EnvironmentName}-NODEGROUP-ROLE"
  ScalingConfig:

      "Type": "AWS::EKS::Nodegroup"
    }
  }
}

"Type": "AWS::EKS::Nodegroup",
"Properties": {
  "ClusterName": "prod",
  "NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole",
  "ScalingConfig": {
    "MinSize": 3,

"Type": "AWS::EKS::Nodegroup",
"Properties": {
  "ClusterName": "lt",
  "Labels": {
    "alpha.eksctl.io/cluster-name": "lt",
    "alpha.eksctl.io/nodegroup-name": "template-custom-ami"

"Type": "AWS::EKS::Nodegroup",
"Properties": {
  "AmiType": "AL2_x86_64",
  "ClusterName": "lt",
  "Labels": {
    "alpha.eksctl.io/cluster-name": "lt",

Parameters
- UpdateConfig: optional - UpdateConfig
- ScalingConfig: optional - ScalingConfig
- Labels: optional - Json
- Taints: optional - List of Taint
- ReleaseVersion: optional - String
- CapacityType: optional - String
- NodegroupName: optional - String
- Subnets: required - List
- NodeRole: required - String
- AmiType: optional - String
- ForceUpdateEnabled: optional - Boolean
- Version: optional - String
- LaunchTemplate: optional - LaunchTemplateSpecification
- RemoteAccess: optional - RemoteAccess
- DiskSize: optional - Double
- ClusterName: required - String
- InstanceTypes: optional - List
- Tags: optional - Json
Explanation in CloudFormation Registry
Creates a managed node group for an Amazon EKS cluster. You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created with the latest AMI release version for the respective minor Kubernetes version of the cluster, unless you deploy a custom AMI using a launch template. For more information about using launch templates, see Launch template support.
An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by AWS for an Amazon EKS cluster. Each node group uses a version of the Amazon EKS optimized Amazon Linux 2 AMI. For more information, see Managed Node Groups in the Amazon EKS User Guide.
Frequently asked questions
What is AWS Amazon EKS Node Group?
AWS Amazon EKS Node Group is a resource for Amazon EKS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EKS Node Group?
For Terraform, the infracost/infracost, deepakkapse/EKS-task and faisal-soomro/slowcalc-deployment source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the melscoop-test/check, sprathod369/iac-example and SnidermanIndustries/checkov-fork source code examples are useful. See the CloudFormation Example section for further details.