Amazon EKS Blueprints for Terraform
Customers can use the Amazon EKS Shared Services Platform (SSP) for Terraform to architect and deploy a multi-tenant SSP on Amazon EKS. The goal is to accelerate the delivery of a batteries-included, multi-tenant container platform on top of Amazon EKS that follows AWS best practices and recommendations.
Motivation
🎯 The Amazon EKS Shared Service Platform (SSP) for Terraform allows customers to easily configure and deploy a multi-tenant, enterprise-ready container platform on top of EKS.
- With a large number of design choices, deploying a production-grade container platform can take a significant amount of time, involve integrating a wide range of AWS services and open source tools, and require a deep understanding of AWS and Kubernetes concepts.
- This solution handles integrating EKS with popular open source and partner tools, in addition to AWS services, in order to allow customers to deploy a cohesive container platform that can be offered as a service to application teams. It provides out-of-the-box support for common operational tasks such as auto-scaling workloads, collecting logs and metrics from both clusters and running applications, managing ingress and egress, configuring network policy, managing secrets, deploying workloads via GitOps, and more.
- Customers can leverage the solution to deploy a container platform and start onboarding workloads in days, rather than months.
What can I do with EKS SSP using Terraform?
🐬 Provides a framework and methodology for building Shared Services Platforms (SSP) on Amazon EKS.
- 🎯 The purpose of this guide is to provide solution architects and technical leaders with the knowledge needed to design production-ready Amazon EKS with Terraform. It describes the outcome, design, architecture, and implementation of Amazon EKS to run modernized applications.
- 🎯 Using SSP Framework, you can set up and launch Amazon EKS clusters across multiple AWS accounts and AWS regions, each with an individual Terraform configuration and state file.
- 🎯 Provisioning Amazon EKS clusters, managed Node Groups with On-Demand and Spot Amazon EC2 instance types, AWS Fargate profiles, and plugins or add-ons for creating Production-ready Amazon EKS Clusters ✅🚀. The Terraform Helm provider also deploys common Kubernetes add-ons by using Helm charts.
- ✅ Deploy Well-Architected EKS clusters across any number of accounts and regions.
- ✅ Manage cluster configuration, including add-ons that run in each cluster, from a single Git repository.
- ✅ Define teams, namespaces, and their associated access permissions for your clusters.
- ✅ Create Continuous Delivery (CD) pipelines that are responsible for deploying your infrastructure.
- ✅ Leverage GitOps-based workflows for onboarding and managing workloads for your teams.
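Defining a team with its own namespace and access permissions, as described above, comes down to three Terraform resources. This is an added example, not code from the SSP repo; it assumes the hashicorp/kubernetes provider (2.10 or newer, for `kubernetes_config_map_v1_data`) is already authenticated to the cluster, and the team name and both IAM role ARNs are placeholders.

```hcl
# Added example, not code from the SSP repo; team name and role ARNs are placeholders.
locals {
  team      = "team-riker"
  team_role = "arn:aws:iam::111122223333:role/TeamRikerDeveloper" # placeholder
  node_role = "arn:aws:iam::111122223333:role/EksNodeRole"        # placeholder
}

# One namespace per team is the tenancy boundary.
resource "kubernetes_namespace" "team" {
  metadata { name = local.team }
}

# Patch the EKS-owned aws-auth ConfigMap so the team's IAM role maps to a plain
# Kubernetes group. mapRoles is replaced whole, so the node role must stay in the
# list or nodes lose the right to join; nothing here gets system:masters.
resource "kubernetes_config_map_v1_data" "aws_auth" {
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }
  force = true # take over fields that eksctl or the console may have written
  data = {
    mapRoles = yamlencode([
      { rolearn = local.node_role, username = "system:node:{{EC2PrivateDNSName}}",
        groups = ["system:bootstrappers", "system:nodes"] },
      { rolearn = local.team_role, username = "${local.team}-user",
        groups = ["${local.team}-group"] },
    ])
  }
}

# Bind the group to the built-in "edit" ClusterRole, scoped to its own namespace.
resource "kubernetes_role_binding" "team_edit" {
  metadata {
    name      = "${local.team}-edit"
    namespace = kubernetes_namespace.team.metadata[0].name
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "edit"
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "${local.team}-group"
  }
}
```

Because `edit` is bound with a RoleBinding rather than a ClusterRoleBinding, a member of the team role can manage workloads only inside the team namespace and cannot read Secrets or pods in any other tenant's namespace.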
EKS-Accelerator >> Solution Objectives
- Enable your cross-functional teams to use the same Amazon EKS cluster by provisioning Amazon EKS clusters that support multi-tenancy based on applications and namespaces.
- Provision Amazon EKS clusters in new or existing Virtual Private Clouds (VPCs), which means that you can use existing VPCs if required.
- Define your scaling metrics as a Kubernetes manifest by using Kubernetes Horizontal Pod Autoscaling and configurable options for expanding resource quotas and pod security policies.
- Ensure Role-Based Access Control (RBAC) for your developers and administrators by using AWS Identity and Access Management (IAM) roles.
- Deploy a private Amazon EKS cluster to secure your application and meet your compliance requirements.
- Monitor and log applications and system pods by using Amazon CloudWatch to collect and track metrics.
- Flexibly provision your Amazon EKS clusters with different node group types by running a combination of self-managed nodes, Amazon EKS managed node groups, and Fargate.
- Deploy a Bottlerocket Amazon Machine Image (AMI) in self-managed node groups to run container workloads in a purpose-built operating system (OS) on the AWS Cloud.
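The private cluster, IAM-backed access and CloudWatch objectives above map directly onto a handful of `aws_eks_cluster` settings. The following is an added example and not code from the SSP repo; it assumes existing private subnets, an EKS cluster IAM role and a customer-managed KMS key, all passed in as variables.

```hcl
# Added example, not code from the SSP repo. Assumes existing private subnets,
# an EKS cluster IAM role and a customer-managed KMS key (all passed in below).
variable "cluster_name"       { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "cluster_role_arn"   { type = string }
variable "kms_key_arn"        { type = string }

# EKS writes control plane logs to exactly this group name. Declaring it
# ourselves pins a retention period and encrypts the group with our key.
resource "aws_cloudwatch_log_group" "control_plane" {
  name              = "/aws/eks/${var.cluster_name}/cluster"
  retention_in_days = 90
  kms_key_id        = var.kms_key_arn
}

resource "aws_eks_cluster" "this" {
  name     = var.cluster_name
  role_arn = var.cluster_role_arn

  vpc_config {
    subnet_ids              = var.private_subnet_ids
    endpoint_private_access = true  # API server reachable from inside the VPC
    endpoint_public_access  = false # no Internet-facing API endpoint
  }

  # Envelope-encrypt Kubernetes Secrets in etcd with the customer-managed key.
  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = var.kms_key_arn
    }
  }

  # "audit" records every API request and "authenticator" records how IAM
  # identities were mapped to Kubernetes users; keep both on for forensics.
  enabled_cluster_log_types = [
    "api", "audit", "authenticator", "controllerManager", "scheduler",
  ]

  # Create the log group first so retention applies from the first event.
  depends_on = [aws_cloudwatch_log_group.control_plane]
}
```

The KMS key policy must also grant the CloudWatch Logs service principal permission to use the key, otherwise creating the encrypted log group fails.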
1. Development Environment
🎯 Provides software, tools, and a GitHub repository to implement this guide's solution.
- https://terraform.job4u.io/en/prerequisites.html
- K9s or Kubernetes Lens: User interface (UI) for cluster monitoring
2. High-level Architecture
Outlines the high-level architecture, AWS services, and Helm modules used.
- [x] Amazon EKS clusters in different environments in AWS accounts across multiple AWS Regions, with a unique Terraform configuration and state file for each Amazon EKS cluster.
- [x] One VPC with private subnets in each Availability Zone for nodes.
- [x] VPC endpoints to access AWS services across AWS accounts.
- [x] Managed node groups with On-Demand Instances.
- [x] Managed node groups with Spot Instances.
- [ ] Fargate profiles run serverless workloads.
- [x] Amazon Elastic Container Registry (Amazon ECR) stores the Docker images for application microservices and Helm add-ons for application deployments.
- [x] On-Demand instances in an Amazon EC2 Auto Scaling group that are used as underlying computing infrastructure for the Amazon EKS cluster.
- [x] Nodes deployed over multiple Availability Zones and using Amazon EC2 Auto Scaling groups.
- [x] An Amazon Route 53 Domain Name System (DNS) zone for service discovery and a Network Load Balancer configured for HTTPS encrypted traffic.
- [ ] AWS Certificate Manager (ACM) to provision Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for secure communication.
- [x] Kubernetes Metrics Server to collect metrics from running pods, such as CPU and memory utilization.
- [x] Kubernetes Cluster Autoscaler to scale in and out of nodes.
- [x] An Application Load Balancer ingress controller to load balance the application traffic.
- [ ] Amazon CloudWatch with Fluent Bit for logging application logs and cluster logs.
- [ ] Amazon Elasticsearch Service (Amazon ES) and Amazon Simple Storage Service (Amazon S3) for centralized logging.
3. Helm Add-ons & Autoscaler
Helm package manager helps you install and manage applications in your Kubernetes cluster.
- [x] [kube-system] cluster-autoscaler
- [x] [kube-system] metrics-server
- [ ] [kube-system] newrelicinfrastructure
- [ ] [logging] aws-for-fluent-bit
- [x] [aws-loadbalancercontroller] aws-load-balancer-controller
4. Logging and Monitoring
🎯 The centralized logging and monitoring solutions that can be implemented for EKS clusters.
Control Plane logs: Amazon EKS control plane logging provides audit and diagnostic logs from the control plane to Amazon CloudWatch Logs groups in your AWS account.
Application logs: To collect application logs you must install a log aggregator, such as Fluent Bit, Fluentd, or CloudWatch Container Insights, in your Amazon EKS cluster.
- [x] Option 1: Use Fluent Bit as the log collector and forwarder to send application and cluster logs to CloudWatch. You can then stream the logs to Amazon Elasticsearch Service (Amazon ES) using an Elasticsearch subscription filter in CloudWatch. https://aws.amazon.com/blogs/opensource/implementing-cloudwatch-centric-observability-for-kubernetes-native-developers-in-amazon-elastic-kubernetes-service/
- [ ] Option 2: Use a Datadog agent as the log and metric collector and forwarder to stream logs and metrics to the Datadog UI.
- [ ] Option 3: Use a New Relic agent as the log and metric collector and forwarder to stream logs and metrics to the New Relic UI.
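Option 1 above, the Fluent Bit collector shipping application logs to CloudWatch, can be installed through the Terraform Helm provider. This is an added example, not code from the SSP repo or the blog post linked above; it assumes the helm provider is authenticated to the cluster, that an IRSA role allowing Fluent Bit to write to CloudWatch Logs already exists (its ARN is a placeholder), and that the value keys (`cloudWatch.*`, `serviceAccount.annotations`, `firehose`, `kinesis`, `elasticsearch`) match the `aws-for-fluent-bit` chart version you pin.

```hcl
# Added example, not code from the SSP repo. Assumes the helm provider is
# authenticated to the cluster; the IRSA role ARN and region are placeholders.
variable "cluster_name"        { type = string }
variable "region"              { type = string }
variable "fluent_bit_role_arn" { type = string } # IRSA role with logs:PutLogEvents etc.

# Own the target log group so retention is explicit rather than "never expire".
resource "aws_cloudwatch_log_group" "application" {
  name              = "/aws/eks/${var.cluster_name}/application"
  retention_in_days = 30
}

resource "helm_release" "aws_for_fluent_bit" {
  name             = "aws-for-fluent-bit"
  repository       = "https://aws.github.io/eks-charts"
  chart            = "aws-for-fluent-bit"
  namespace        = "logging"
  create_namespace = true

  values = [yamlencode({
    # Credentials come from the pod's own IAM role (IRSA), not the node role.
    serviceAccount = {
      annotations = { "eks.amazonaws.com/role-arn" = var.fluent_bit_role_arn }
    }
    cloudWatch = {
      enabled         = true
      region          = var.region
      logGroupName    = aws_cloudwatch_log_group.application.name
      logStreamPrefix = "fluentbit-"
    }
    # Only one sink is on; the chart's other outputs stay disabled.
    firehose      = { enabled = false }
    kinesis       = { enabled = false }
    elasticsearch = { enabled = false }
  })]
}
```

Keeping the IRSA role limited to `logs:CreateLogStream`, `logs:PutLogEvents` and `logs:DescribeLogStreams` on that one log group means a compromised collector pod cannot read or alter other log groups in the account.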
5. 🐳 MVP
🎯 The MVP/Pilot workloads should be implemented based on the organization's policies and requirements.
- ✅ [Go] Listmonk
- ✅ [Java] Camunda
- ✅ [LAMP] Wordpress & Mautic
- ✅ [MERN] Strapi
- ☑️ [.NET]