
EKS External Mode (Infrastructure Only)

Terraform provisions an EKS cluster and networking, but does not deploy workloads. This mode is designed for GitOps workflows in which ArgoCD, Flux, or a CI/CD pipeline manages Kubernetes deployments separately from infrastructure.

Architecture

┌── Terraform manages ────────────────────────┐
│                                              │
│  AWS VPC + subnets + NAT Gateway             │
│  EKS Cluster (managed control plane)         │
│  ECS Cluster (service orchestration)         │
│  IAM roles for service accounts              │
│                                              │
└──────────────────────────────────────────────┘

          │ workload_handoff output (kubeconfig, secret ARNs, configs)

┌── Your GitOps / CI/CD deploys ──────────────┐
│                                              │
│  ArgoCD / Flux / Helm / kubectl              │
│  ├── eRPC deployment                         │
│  └── rindexer deployment                     │
│       └── writes to ClickHouse (external)    │
│                                              │
└──────────────────────────────────────────────┘

What Gets Deployed (by Terraform)

  • VPC with public/private subnets, NAT Gateway, security groups
  • EKS cluster with managed control plane
  • ECS cluster for service orchestration
  • IAM roles and policies for EKS service accounts
  • Networking configuration for pod-to-internet egress

Not deployed by Terraform: No Kubernetes Deployments, Services, ConfigMaps, or Secrets. The workload_handoff output provides the cluster endpoint and configuration for your GitOps tool.

Prerequisites

  • Terraform >= 1.5.0
  • AWS CLI v2 with configured credentials (EC2, VPC, IAM, EKS)
  • kubectl and a GitOps tool (ArgoCD, Flux) or CI/CD pipeline
  • A ClickHouse instance

Quick Start

git clone https://github.com/ExoMonk/evm-cloud.git
cd evm-cloud/examples/minimal_aws_external_eks_byo
 
cp secrets.auto.tfvars.example secrets.auto.tfvars
# Edit secrets.auto.tfvars with your values
 
terraform init
terraform apply
 
# Get the handoff output for your GitOps pipeline
terraform output -json workload_handoff
 
# Configure kubectl
aws eks update-kubeconfig --name <cluster-name> --region us-east-1
 
# Deploy workloads via your preferred method (ArgoCD, Helm, kubectl apply)

Key Variables

| Variable | Type | Default | Description |
|---|---|---|---|
| workload_mode | string | external | Must be external for this example |
| compute_engine | string | eks | EKS compute backend |
| indexer_clickhouse_url | string | - | ClickHouse HTTP endpoint (sensitive) |
| indexer_clickhouse_password | string | - | ClickHouse password (sensitive) |
| network_enable_nat_gateway | bool | true | Required for private subnet egress |

The workload_handoff Output

When workload_mode = "external" with EKS, the workload_handoff output contains:

  • EKS cluster endpoint and certificate authority
  • Cluster name for aws eks update-kubeconfig
  • IAM role ARNs for service accounts
  • Config payloads (erpc.yaml, rindexer.yaml, ABIs) if provided at plan time

Feed this into ArgoCD Application manifests, Flux HelmReleases, or your CI/CD pipeline.
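
Because the handoff ends up in a Git-backed pipeline, it is worth checking that it carries references (secret ARNs) rather than credential values before anything is committed. The following is an added example, not code from the evm-cloud project: it walks a parsed `terraform output -json workload_handoff` document and reports paths that look like plaintext credentials, including URLs with embedded passwords inside config payloads. The field names in the sample and the key-name heuristic are assumptions, since the output schema is not shown on this page.

```python
import json
import re
from urllib.parse import urlsplit

# Heuristic key names for credentials (an assumption, not the module's schema).
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api_?key)", re.I)
# Values that are references, safe to commit: Secrets Manager / SSM ARNs.
SECRET_REF = re.compile(r"^arn:aws[\w-]*:(secretsmanager|ssm):")
URL = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"']+", re.I)


def url_has_password(text):
    """True if any URL inside text embeds a password (user:pass@host)."""
    for match in URL.finditer(text):
        try:
            if urlsplit(match.group(0)).password:
                return True
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
    return False


def find_plaintext_secrets(node, path="workload_handoff"):
    """Return JSON paths whose values look like plaintext credentials."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if (isinstance(value, str) and value and SENSITIVE_KEY.search(key)
                    and not SECRET_REF.match(value)):
                findings.append(child)
            else:
                findings.extend(find_plaintext_secrets(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_plaintext_secrets(value, f"{path}[{i}]"))
    elif isinstance(node, str) and url_has_password(node):
        findings.append(path)
    return findings


# Constructed sample; field names are hypothetical, not the real output schema.
SAMPLE = json.loads("""{
  "cluster_name": "example-cluster",
  "secret_arns": {"clickhouse_password": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example"},
  "configs": {"rindexer_yaml": "storage:\\n  url: http://default:hunter2@ch.example.internal:8123\\n"},
  "clickhouse_password": "hunter2"
}""")

print("\n".join(find_plaintext_secrets(SAMPLE)))
```

A non-empty result is a reason to move the value into a secret store and pass only its ARN through the GitOps repository.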

When to Use This

Choose this example when:

  • Your organization uses GitOps (ArgoCD, Flux) for Kubernetes deployments
  • You want strict separation between infrastructure provisioning and application delivery
  • Multiple teams share the EKS cluster and manage their own workloads
  • You need audit trails for who changed what (infra vs. app changes in separate repos)

Consider alternatives when:

  • You want Terraform to deploy workloads too -- use EKS managed
  • You want external mode without EKS cost -- see external EC2
  • You do not need Kubernetes -- Docker Compose examples are simpler

See examples/minimal_aws_external_eks_byo for complete details.