What is terraform-aws-eks?
terraform-aws-eks is a Terraform module that creates and manages Amazon EKS (Elastic Kubernetes Service) resources on AWS. Rather than writing dozens of individual resource blocks yourself, you call this module with a handful of variables and it provisions a production-ready EKS cluster along with all the supporting infrastructure it depends on.
The module is maintained by the terraform-aws-modules community and published on the Terraform Registry at terraform-aws-modules/eks/aws.
Why use this module?
Provisioning EKS from scratch requires coordinating many AWS resource types — IAM roles and policies, security groups, KMS keys, CloudWatch log groups, OIDC providers, access entries, and the cluster itself. Getting the dependencies between these resources correct, and keeping them up to date as EKS evolves, is time-consuming and error-prone. This module solves that by:- Encoding the correct resource relationships and dependency ordering so you don’t have to.
- Providing sensible, secure defaults (private endpoint enabled, KMS encryption for secrets, IRSA enabled, control-plane audit/api/authenticator logs on by default) while still letting you override everything.
- Supporting all three EKS compute models — EKS Auto Mode, EKS managed node groups, and self-managed node groups — from a single, consistent interface.
- Handling cluster access management (access entries) so you don’t need to manage
aws-authConfigMap manually.
Architecture overview
When you invoke the module, it creates and manages the following AWS resources:| Resource | Purpose |
|---|---|
aws_eks_cluster | The EKS control plane |
aws_iam_role | Cluster IAM service role |
aws_iam_role (node) | EKS Auto Mode node IAM role |
aws_iam_policy | Cluster encryption policy, CNI IPv6 policy, custom policies |
aws_iam_role_policy_attachment | Attaches managed and custom policies to the cluster and node roles |
aws_iam_openid_connect_provider | OIDC provider for IAM Roles for Service Accounts (IRSA) |
aws_security_group | Cluster security group and node shared security group |
aws_security_group_rule | Rules for cluster and node security groups |
aws_ec2_tag | Tags on the EKS-managed primary security group |
aws_eks_access_entry | Cluster access entries (replaces aws-auth ConfigMap) |
aws_eks_access_policy_association | Associates IAM policies with access entries |
aws_eks_addon | EKS add-ons (e.g., coredns, vpc-cni, kube-proxy) |
aws_eks_identity_provider_config | External OIDC identity provider configurations |
aws_cloudwatch_log_group | Log group for EKS control-plane logs |
KMS key (via terraform-aws-modules/kms/aws) | Encrypts Kubernetes secrets at rest |
time_sleep | Waits for the control plane to become ready before creating node groups |
| Sub-module | What it manages |
|---|---|
modules/eks-managed-node-group | EKS managed node groups |
modules/self-managed-node-group | Self-managed node groups (Auto Scaling Groups) |
modules/fargate-profile | Fargate profiles |
modules/karpenter | IAM roles, SQS queue, and EventBridge rules for Karpenter autoscaler |
modules/hybrid-node-role | IAM role for EKS Hybrid Nodes (SSM or IAM Roles Anywhere) |
modules/capability | EKS Capabilities (ACK, ArgoCD, KRO) |
Provider and Terraform requirements
The module requires the following versions, as defined inversions.tf:
| Dependency | Required version |
|---|---|
| Terraform | >= 1.5.7 |
AWS provider (hashicorp/aws) | >= 6.28 |
TLS provider (hashicorp/tls) | >= 4.0 |
Time provider (hashicorp/time) | >= 0.9 |
Next steps
Quickstart
Deploy your first EKS cluster with EKS Auto Mode in minutes.
EKS Auto Mode
Let AWS manage node lifecycle automatically with built-in node pools.
EKS managed node groups
Provision EC2 worker nodes managed by the EKS service.
Cluster access
Manage Kubernetes API access using EKS access entries.