Reusable Terraform modules for deploying and managing a production-ready Kubernetes platform on AWS EKS. Used by kubelaunch-essentials as the module source for all platform components.
| Layer | Module | Purpose | Chart Version |
|---|---|---|---|
| Core Platform | karpenter | Node auto-provisioning | v1.10.0 |
| | external-dns | Route53 DNS automation | - |
| | cert-manager | Certificate lifecycle (ACME/Let's Encrypt) | - |
| | external-secrets | AWS Secrets Manager sync | v2.2.0 |
| Service Mesh | istio | Service mesh with mTLS | - |
| | kong-gw | API gateway with RDS backend | - |
| | jaeger | Distributed tracing (OTEL) | - |
| Security | kyverno | Admission control & policies | v3.7.1 |
| | falco | Runtime threat detection (eBPF) | v8.0.1 |
| | velero | Backup & disaster recovery | v12.0.0 |
| Observability | loki-stack | Log aggregation (S3 backend) | - |
| | kubecost | FinOps / cost monitoring | - |
| | compliance-scanner | CIS benchmark scanning | v1.2.0 |
| Platform Tools | argocd | GitOps deployment | - |
| | atlantis | Terraform PR automation | v5.1.0 |
| | vault | Secrets management (HA + KMS) | - |
| | airflow | Workflow orchestration | - |
```mermaid
graph TB
    subgraph Core["Core Platform"]
        Karpenter & ExDNS["External DNS"] & CertMgr["Cert Manager"] & ExtSec["External Secrets"]
    end
    subgraph Mesh["Service Mesh"]
        Istio & Kong["Kong GW"] & Jaeger
    end
    subgraph Sec["Security"]
        Kyverno & Falco & Velero
    end
    subgraph Obs["Observability"]
        Loki["Loki Stack"] & Kubecost & Compliance["CIS Scanner"]
    end
    subgraph Tools["Platform Tools"]
        ArgoCD & Atlantis & Vault & Airflow
    end
    CertMgr --> Istio & Kong
    ExtSec --> ArgoCD & Vault
    Kyverno -.->|Policy| Tools & Mesh
    Falco -.->|Monitor| Core
    Velero -.->|Backup| Tools
```
Deployment order: Core Platform -> Service Mesh -> Security -> Observability -> Platform Tools
```hcl
# Example: Deploy ArgoCD via Terragrunt
module "argocd" {
  source           = "git::https://github.com/cloudon-one/k8s-platform-modules.git//k8s-platform-argocd?ref=main"
  environment      = "dev"
  eks_cluster_name = "dev-eks-cluster"
}
```

Each module supports IRSA (IAM Roles for Service Accounts) for secure AWS access without hardcoded credentials.
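The IRSA wiring the modules depend on, shown here as an added example rather than code from this repository: the IAM role trusts the cluster's OIDC provider, but only for one named service account, so no other pod in the cluster can assume it. It assumes a cluster named by `var.eks_cluster_name` that already has its OIDC provider associated, and a hypothetical `argocd-server` service account in the `argocd` namespace.

```hcl
# Added example, not part of the repository. Assumes the OIDC provider for the
# cluster already exists and the workload runs as argocd/argocd-server.
data "aws_eks_cluster" "this" {
  name = var.eks_cluster_name
}
# The issuer URL without "https://" is the prefix for the IAM condition keys.
locals {
  oidc_issuer = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "")
}
data "aws_iam_openid_connect_provider" "this" {
  url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
}
# Trust policy: restrict the role to a single service account and to the STS audience.
# Without the "sub" condition, any pod in the cluster could assume this role.
data "aws_iam_policy_document" "irsa_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.this.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      values   = ["system:serviceaccount:argocd:argocd-server"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "argocd" {
  name               = "${var.environment}-argocd-irsa"
  assume_role_policy = data.aws_iam_policy_document.irsa_trust.json
}
# The annotation is what the EKS pod identity webhook reads to mount the
# web-identity token and AWS_ROLE_ARN into the pod; no static keys are involved.
resource "kubernetes_service_account" "argocd" {
  metadata {
    name      = "argocd-server"
    namespace = "argocd"
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.argocd.arn
    }
  }
}
```

Attach the module's least-privilege permissions policy to `aws_iam_role.argocd` separately; the trust policy above only controls who may assume the role, not what it may do.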
```text
k8s-platform-<component>/
├── main.tf        # Resources (Helm releases, IAM, K8s objects)
├── variables.tf   # Input variables
├── outputs.tf     # Output values
├── versions.tf    # Provider constraints (aws ~> 6.0, k8s ~> 3.0, helm ~> 3.1)
├── data.tf        # Data sources (optional)
├── templates/     # Helm values templates (optional)
│   └── values.yaml
└── examples/      # Example usage (optional)
    └── main.tf
```
| Requirement | Version |
|---|---|
| Terraform | >= 1.12.0 |
| AWS Provider | ~> 6.0 |
| Kubernetes Provider | ~> 3.0 |
| Helm Provider | ~> 3.1 |
| EKS Cluster | With IRSA enabled |
| Helm | v3.x |
- IRSA: All modules use IAM Roles for Service Accounts (no hardcoded credentials)
- Least privilege IAM: Specific permissions instead of wildcards
- Pod security: Non-root containers, dropped capabilities, read-only filesystems
- Encryption: Data at rest and in transit across all components
- Network isolation: Security groups and network policies
1. Fork the repository
2. Create a feature branch
3. Follow the existing module patterns (versions.tf, variables.tf, outputs.tf)
4. Add outputs for all created resources
5. Open a Pull Request
MIT License - see LICENSE for details.