# Building a Production-Grade Kubernetes Platform on AWS with Terraform
Modern DevOps teams rely heavily on Infrastructure as Code to provision scalable and secure cloud platforms.
In this project, I built a production-style Kubernetes platform on AWS using Terraform.
The goal was to simulate how real platform engineering teams deploy Kubernetes infrastructure.
## Project Architecture
The infrastructure is designed using a secure VPC architecture.
```text
Developer
    │
    ▼
GitHub Codespaces
    │
    ▼
AWS Systems Manager (SSM)
    │
    ▼
Bastion Host (Public Subnet)
    │
    ▼
Private EKS API Endpoint
    │
    ▼
EKS Worker Nodes (Private Subnets)
```
Key design principles:

- Kubernetes nodes run in private subnets
- No SSH access to instances
- Infrastructure fully managed using Terraform
## AWS Infrastructure Design

The platform uses a custom VPC with the CIDR `10.0.0.0/16`.

### Subnet Design
| Subnet Type | CIDR | Purpose |
|---|---|---|
| Public Subnet A | 10.0.1.0/24 | Bastion Host |
| Public Subnet B | 10.0.2.0/24 | Load Balancers |
| Private Subnet A | 10.0.10.0/24 | EKS Nodes |
| Private Subnet B | 10.0.11.0/24 | EKS Nodes |
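The subnet plan above, written out as Terraform resources. This is an added example, not the project's own `vpc` module: the resource names, tags and the choice of a single NAT gateway in Public Subnet A are assumptions; the CIDRs and the `ap-south-1` region come from this page.

```hcl
locals {
  vpc_cidr = "10.0.0.0/16"
  region   = "ap-south-1"

  # One entry per row of the Subnet Design table
  subnets = {
    public_a  = { cidr = "10.0.1.0/24",  az = "${local.region}a", public = true }
    public_b  = { cidr = "10.0.2.0/24",  az = "${local.region}b", public = true }
    private_a = { cidr = "10.0.10.0/24", az = "${local.region}a", public = false }
    private_b = { cidr = "10.0.11.0/24", az = "${local.region}b", public = false }
  }
  public_subnets  = { for k, v in local.subnets : k => v if v.public }
  private_subnets = { for k, v in local.subnets : k => v if !v.public }
}

resource "aws_vpc" "this" {
  cidr_block           = local.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true # needed to resolve the private EKS endpoint
  tags                 = { Name = "eks-devops-platform" } # assumed name
}

resource "aws_subnet" "this" {
  for_each          = local.subnets
  vpc_id            = aws_vpc.this.id
  cidr_block        = each.value.cidr
  availability_zone = each.value.az
  # Only the public subnets hand out public IPs; EKS nodes never receive one
  map_public_ip_on_launch = each.value.public
  tags = {
    Name = each.key
    # Subnet role tags that load balancer controllers use for discovery
    (each.value.public ? "kubernetes.io/role/elb" : "kubernetes.io/role/internal-elb") = "1"
  }
}

resource "aws_internet_gateway" "this" {
  vpc_id = aws_vpc.this.id
}

# A single NAT gateway in Public Subnet A gives private subnets outbound-only internet
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "this" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.this["public_a"].id
  depends_on    = [aws_internet_gateway.this]
}

# Public route table: default route to the internet gateway
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.this.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.this.id
  }
}

# Private route table: default route through NAT, so nothing can reach nodes from outside
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.this.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.this.id
  }
}

resource "aws_route_table_association" "public" {
  for_each       = local.public_subnets
  subnet_id      = aws_subnet.this[each.key].id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private" {
  for_each       = local.private_subnets
  subnet_id      = aws_subnet.this[each.key].id
  route_table_id = aws_route_table.private.id
}
```

The security property worth checking after `terraform apply` is the route tables: the two `10.0.1x.0/24` subnets must have no route to the internet gateway, only the NAT gateway, and `map_public_ip_on_launch` must be `false` on them. A second NAT gateway in Public Subnet B would remove the single-AZ dependency, at the cost of a second EIP.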
## Terraform Module Architecture
To maintain a clean infrastructure design, the project uses Terraform modules.
```text
terraform
│
├── modules
│   ├── vpc
│   ├── eks
│   ├── ecr
│   └── bastion
│
└── environments
    └── dev
        ├── main.tf
        ├── variables.tf
        └── backend.tf
```
## Module Responsibilities

### VPC Module

Creates:

- VPC
- Subnets
- NAT Gateway
- Route tables
### EKS Module

Creates:

- Kubernetes cluster
- Managed node groups
- OIDC provider
- IAM roles for service accounts (IRSA)
### ECR Module

Creates container registry repositories used by CI pipelines.

### Bastion Module

Deploys a secure bastion host for Kubernetes administration.
## Secure Remote Terraform State

In production environments, Terraform state should never be stored locally.

This project uses:

- Amazon S3 for remote state storage
- DynamoDB for state locking
Example backend configuration:

```hcl
terraform {
  backend "s3" {
    bucket         = "eks-devops-platform-terraform-state"
    key            = "dev/terraform.tfstate"
    region         = "ap-south-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
}
```
Benefits:

- Team collaboration
- State locking
- Secure encrypted storage
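The backend block only names the bucket and table; the hardening lives on the resources themselves. The following is an added example of a bootstrap configuration that creates them, not code from the project. The bucket and table names are taken from the backend block above; the KMS choice and the TLS-only policy are assumptions.

```hcl
# Bootstrap configuration: applied once with local state, before the S3 backend is enabled.
resource "aws_s3_bucket" "tfstate" {
  bucket = "eks-devops-platform-terraform-state"
}

# Keep every state version so a corrupted or accidentally destroyed state can be rolled back
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# `encrypt = true` in the backend asks for SSE on each write; a bucket default makes it unconditional
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms" # "AES256" also works; a KMS key adds key-level access control
    }
  }
}

# State files contain resource attributes and often secrets: no public ACL or policy, ever
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Refuse any request that is not made over TLS
resource "aws_s3_bucket_policy" "tfstate_tls_only" {
  bucket = aws_s3_bucket.tfstate.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.tfstate.arn, "${aws_s3_bucket.tfstate.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}

# Lock table: the S3 backend requires a string hash key named exactly "LockID"
resource "aws_dynamodb_table" "tflocks" {
  name         = "terraform-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}
```

Apply this bootstrap first with local state, then add the `backend "s3"` block to the environment and run `terraform init -migrate-state` to move the existing state into the bucket. Access to the bucket and table should be limited to the identity that runs Terraform; anyone who can read the bucket can read everything the state contains.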
## Kubernetes Cluster

The EKS cluster is created using the official Terraform module `terraform-aws-modules/eks/aws`.
Cluster configuration:
| Setting | Value |
|---|---|
| Kubernetes Version | 1.29 |
| Node Instance | t3.medium |
| Scaling | 1–2 nodes |
| IRSA | Enabled |
Worker nodes run inside private subnets only.
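The cluster settings in the table above, together with one IRSA role, as they would be expressed with `terraform-aws-modules/eks/aws` (v20 syntax). This is an added example rather than the project's own `eks` module: the cluster name, the `app`/`app-reader` namespace and ServiceAccount, the example bucket, and the `vpc_id`/`private_subnet_ids` input variables are assumptions; the version, instance type, node counts and IRSA setting come from the page.

```hcl
variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) } # the two 10.0.1x.0/24 subnets

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  cluster_name    = "eks-devops-platform-dev" # assumed name
  cluster_version = "1.29"

  vpc_id     = var.vpc_id
  subnet_ids = var.private_subnet_ids # control-plane ENIs and nodes stay private

  # The API server is reachable only from inside the VPC (bastion, nodes).
  # Setting public access to true is the one change that would expose it.
  cluster_endpoint_public_access  = false
  cluster_endpoint_private_access = true

  # Creates the OIDC provider that IRSA trust policies reference
  enable_irsa = true

  # Grant cluster-admin to the IAM identity running terraform (v20 access entries)
  enable_cluster_creator_admin_permissions = true

  eks_managed_node_groups = {
    default = {
      instance_types = ["t3.medium"]
      min_size       = 1
      max_size       = 2
      desired_size   = 1
    }
  }
}

# IRSA: a role that only pods running under one specific ServiceAccount can assume.
# Namespace and ServiceAccount names are assumptions.
data "aws_iam_policy_document" "app_reader_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [module.eks.oidc_provider_arn]
    }
    # Without the `sub` condition, every pod in the cluster could assume this role
    condition {
      test     = "StringEquals"
      variable = "${module.eks.oidc_provider}:sub"
      values   = ["system:serviceaccount:app:app-reader"]
    }
    condition {
      test     = "StringEquals"
      variable = "${module.eks.oidc_provider}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app_reader" {
  name               = "eks-devops-platform-app-reader"
  assume_role_policy = data.aws_iam_policy_document.app_reader_trust.json
}

# Least privilege: read-only on one (assumed) bucket, nothing cluster-wide
resource "aws_iam_role_policy" "app_reader" {
  name = "read-app-data"
  role = aws_iam_role.app_reader.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Resource = ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]
    }]
  })
}
```

The ServiceAccount `app-reader` in namespace `app` is then annotated with `eks.amazonaws.com/role-arn: <role ARN>`, and pods using it receive short-lived credentials for this role only; no static access keys are mounted anywhere. The `sub` condition is the part to review in every IRSA trust policy: a wildcard such as `system:serviceaccount:*:*` silently grants the role to the whole cluster.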
## Bastion Host

To securely access the private Kubernetes cluster, a bastion host is deployed.

Security configuration:

- No SSH access
- Access via AWS Systems Manager (SSM)
This removes the need for managing SSH keys.
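A bastion that meets those two requirements looks like this in Terraform. This is an added example, not the project's `bastion` module: the AMI lookup, the instance size, the `vpc_id`/`public_subnet_id` variables and the names are assumptions; the no-SSH, SSM-only design is what the page describes.

```hcl
variable "vpc_id" { type = string }
variable "public_subnet_id" { type = string } # Public Subnet A, 10.0.1.0/24

data "aws_ami" "al2023" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"] # Amazon Linux 2023 ships the SSM agent preinstalled
  }
}

# Trust policy: only the EC2 service may assume the bastion role
data "aws_iam_policy_document" "bastion_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "bastion" {
  name               = "eks-devops-platform-bastion"
  assume_role_policy = data.aws_iam_policy_document.bastion_trust.json
}

# The only permission the host needs: register with SSM and accept sessions
resource "aws_iam_role_policy_attachment" "bastion_ssm" {
  role       = aws_iam_role.bastion.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "bastion" {
  name = "eks-devops-platform-bastion"
  role = aws_iam_role.bastion.name
}

# No ingress rule at all: port 22 is closed, and sessions are outbound connections
# that the SSM agent opens to the Systems Manager endpoints
resource "aws_security_group" "bastion" {
  name   = "bastion-no-ingress"
  vpc_id = var.vpc_id
  egress {
    description = "HTTPS to SSM, the private EKS endpoint and package mirrors"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "bastion" {
  ami                    = data.aws_ami.al2023.id
  instance_type          = "t3.micro"
  subnet_id              = var.public_subnet_id
  vpc_security_group_ids = [aws_security_group.bastion.id]
  iam_instance_profile   = aws_iam_instance_profile.bastion.name
  # Deliberately no key_name: there is no SSH key pair to lose or rotate

  metadata_options {
    http_tokens = "required" # IMDSv2 only, so the role credentials need a session token to read
  }
  tags = { Name = "bastion" }
}
```

An operator then connects with `aws ssm start-session --target <instance-id>`; the session is authorised by IAM, and every session start is recorded in CloudTrail, which is the audit trail SSH keys never gave you. The cluster security group must still allow TCP 443 from `aws_security_group.bastion` for `kubectl` on the bastion to reach the private API endpoint.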
## Amazon ECR
An Elastic Container Registry (ECR) repository is provisioned for storing application container images.
This will later integrate with CI pipelines to push Docker images.
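A repository definition with the settings a CI-fed registry should have, added here as an example and not taken from the project's `ecr` module. The repository name and the seven-day expiry are assumptions.

```hcl
resource "aws_ecr_repository" "app" {
  name = "eks-devops-platform/app" # assumed repository name

  # Immutable tags: a tag such as v1.2.3 can never be silently re-pointed at a
  # different image, so what CI pushed is exactly what the cluster pulls
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true # basic vulnerability scan of every pushed image
  }

  encryption_configuration {
    encryption_type = "AES256"
  }
}

# Keep the registry from accumulating untagged layers left behind by CI builds
resource "aws_ecr_lifecycle_policy" "app" {
  repository = aws_ecr_repository.app.name
  policy = jsonencode({
    rules = [{
      rulePriority = 1
      description  = "expire untagged images after 7 days"
      selection = {
        tagStatus   = "untagged"
        countType   = "sinceImagePushed"
        countUnit   = "days"
        countNumber = 7
      }
      action = { type = "expire" }
    }]
  })
}
```

With immutable tags, the CI pipeline must push a new tag for every build (commit SHA or version), which is also what makes a deployment traceable back to the exact source it was built from.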
## Security Best Practices

This infrastructure follows several modern security practices:

- Private Kubernetes cluster
- IAM-based authentication
- No static credentials
- Remote Terraform state encryption
- Least privilege IAM roles
## What’s Next

This infrastructure is the foundation for a full DevOps platform.

Upcoming phases include:

- GitHub Actions CI pipeline
- GitOps deployments using ArgoCD
- Observability stack with Prometheus and Grafana
## Conclusion

This project demonstrates key DevOps and platform engineering skills:

- Terraform module architecture
- AWS networking design
- Kubernetes infrastructure provisioning
- Secure cloud access patterns
- Infrastructure automation

The full repository is available here: https://github.com/rasika-08061998/eks-devops-platform-infra