EKS Deployment Manual with Terraform
This manual provides step-by-step instructions for deploying an Amazon EKS (Elastic Kubernetes Service) cluster using Terraform. It includes the configuration of essential components such as AWS credentials, infrastructure provisioning, EBS CSI driver installation, and Kubernetes environment setup.
Make sure to click on the images to have a better view of the details.
Prerequisites
Before starting the deployment, you will need the following:
Compressed folder:
oneconnecEKS.zipAWS credentials (IAM user):
Access Key ID
Secret Access Key
Region name where the deployment will take place (e.g.,
us-east-1)Required software (either pre-installed or with installation instructions):
Terraform
AWS CLI
kubectl
Key pair for access authentication
Step-by-Step Instructions
1. Initial Setup
1.1 Locate the project folder
Open your terminal and navigate to the directory that contains the Terraform files:
cd eks-deployment
1.2 Configure your AWS credentials
Run the following command:
aws configure
Then enter the following when prompted:
Access Key ID
Secret Access Key
Default region name (must match your target deployment region)
Output format: leave it blank (press Enter)
2. Terraform Initialization
Run the following command:
terraform init
Wait for the process to complete (this may take a few minutes).
Ensure there are no error messages in red before proceeding.
3. Deployment Plan Review
Generate an execution plan:
terraform plan
Type you access key pair when requested.
Review the summary output — it should indicate how many resources will be created.
If any error messages appear, stop the process and contact the technical team before continuing.
4. EKS Cluster Deployment
Run the deployment command:
terraform apply
- Type your key pair when prompted.
- Type "yes" to confirm the deployment.
- Wait for the process to finish — this may take 10–20 minutes.
- Take note of any output displayed at the end, especially resource names or important URLs.
5. Accessing the AWS Console
Go to: https://console.aws.amazon.com
Navigate to Services > EKS > Clusters
Select your newly created cluster
Within the Cluster, click the Access tab
Select "Create access entry"
Select the IAM user who executed terraform apply (normally your logged-in user) and of standard type
On the next screen, select the following policies and click 'Add policy':
- AmazonEKSAdminPolicy
- AmazonEKSClusterAdminPolicy
Select the policy and click 'Add policy' for each one.
Then click 'Next'.
Finally, review that it has everything needed and click 'Create'.
6. kubectl Configuration
Update your kubectl configuration with the following command:
aws eks update-kubeconfig --region <your-region> --name <cluster-name>
(The command should appear in the output of the previous command)
Otherwise, replace:
REGION with the region where you created the cluster
Then verify the connection:
kubectl get nodes
If the connection is successful, you'll see a list of the nodes in your EKS cluster.
7. EBS CSI Driver Configuration
Retrieve Cluster Information
Run the following commands in your terminal:
# Get the OIDC URL for your cluster (replace "my-cluster" with your actual cluster name)
aws eks describe-cluster --name SmartGatewayDemo --query "cluster.identity.oidc.issuer" --output text
# Get your AWS Account ID
aws sts get-caller-identity --query "Account" --output text
Take note of these values — you’ll need them in the next steps.
Edit the file named aws-ebs-csi-driver-trust-policy.json with this content using the command
nano aws-ebs-csi-driver-trust-policy.json
Replace the following placeholders:
- TU_AWS_ACCOUNT_ID: Your AWS Account ID
- REGION: Your AWS region (e.g., us-east-1)
- OIDCID: The OIDC ID
Create the IAM Role
Run the following to update the existing role:
aws iam update-assume-role-policy --role-name AmazonEKS_EBS_CSI_DriverRole --policy-document file://aws-ebs-csi-driver-trust-policy.json
Attach Policy to the Role
Attach the AWS-managed policy to the IAM role:
aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
--role-name AmazonEKS_EBS_CSI_DriverRole
Configure the ServiceAccount in Kubernetes
Execute the following command:
kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.20"
Configure the ServiceAccount in Kubernetes
Create the ServiceAccount:
kubectl create serviceaccount ebs-csi-controller-sa -n kube-system
Annotate the ServiceAccount with the IAM role:
kubectl annotate serviceaccount ebs-csi-controller-sa \
-n kube-system \
eks.amazonaws.com/role-arn=arn:aws:iam::ACCOUNTID:role/AmazonEKS_EBS_CSI_DriverRole
-n kube-system \
eks.amazonaws.com/role-arn=arn:aws:iam::ACCOUNTID:role/AmazonEKS_EBS_CSI_DriverRole
Replace ACCOUNTID with your actual AWS Account ID.
Then, navigate to the deployment directory:
cd oneconnect-kubernetes
8. Configure the .env File
Open the oneconnect.env file with a text editor (e.g., nano) and update the environment variables as needed for your deployment:
Modify the values according to your infrastructure, credentials, and environment-specific settings.
Make sure to save the file before exiting.
# Indicates whether to enable or disable the use of an Ingress resource in the Kubernetes cluster.
export KUBERNETES_ISINGRESSACTIVE=false
# Specifies the password used to authenticate access to the database.
export DBPASS=rootpassword
# Defines the connection URL for the database where the system's data is stored.
export DBURL=1.234.5678
# Specifies the username with permissions to access the database.
export DBUSER=root
# Determines the port on which the system's frontend will be accessible.
export FRONTENDPORT=5050
# Specifies the port used by the API Gateway.
export APIGATEWAYPORT=80
# Specifies the Docker token used for authentication.
export DOCKERHUB_TOKEN=
export KUBERNETES_ISINGRESSACTIVE=false
# Specifies the password used to authenticate access to the database.
export DBPASS=rootpassword
# Defines the connection URL for the database where the system's data is stored.
export DBURL=1.234.5678
# Specifies the username with permissions to access the database.
export DBUSER=root
# Determines the port on which the system's frontend will be accessible.
export FRONTENDPORT=5050
# Specifies the port used by the API Gateway.
export APIGATEWAYPORT=80
# Specifies the Docker token used for authentication.
export DOCKERHUB_TOKEN=
#Specifies the license manager for datasynchub.
export LICENSEMANAGER_LICENSE=
# Defines the Kubernetes namespace for the application (Do not change unless necessary).
export NAMESPACE_ONECONNECT=oneconnect
Configuration of Environment Variables for Kubernetes
Tolerations
Tolerations specify the conditions under which pods can be scheduled on nodes with specific taints.
Each toleration is configured using a set of variables that define KEY, OPERATOR, VALUE, and EFFECT.
Up to 10 optional toleration blocks can be defined:
TOLERATIONS_1_KEY= # Taint key
TOLERATIONS_1_OPERATOR= # Operator (e.g., "Equal" or "Exists")
TOLERATIONS_1_VALUE= # Associated value
TOLERATIONS_1_EFFECT= # Effect (e.g., "NoSchedule" or "PreferNoSchedule")
TOLERATIONS_1_KEY= # Taint key
TOLERATIONS_1_OPERATOR= # Operator (e.g., "Equal" or "Exists")
TOLERATIONS_1_VALUE= # Associated value
TOLERATIONS_1_EFFECT= # Effect (e.g., "NoSchedule" or "PreferNoSchedule")
If not needed, leave these variables empty.
Node Affinity
Controls scheduling preferences based on node labels (nodeAffinity).
Activate with ENABLE_NODE_AFFINITY=true. Configure the following variables as needed:
Affinity types: required (requiredDuringSchedulingIgnoredDuringExecution) or preferred (preferredDuringSchedulingIgnoredDuringExecution).
Set using:
NODE_AFFINITY_TYPES=required,preferred
NODE_AFFINITY_EXPR_TYPE=matchExpressions
NODE_AFFINITY_KEY=exampleKey
NODE_AFFINITY_OPERATOR=In
NODE_AFFINITY_REQUIRED_VALUES=exampleValue1,exampleValue2
NODE_AFFINITY_PREFERRED_VALUES=exampleValue1,exampleValue2
NODE_AFFINITY_EXPR_TYPE=matchExpressions
NODE_AFFINITY_KEY=exampleKey
NODE_AFFINITY_OPERATOR=In
NODE_AFFINITY_REQUIRED_VALUES=exampleValue1,exampleValue2
NODE_AFFINITY_PREFERRED_VALUES=exampleValue1,exampleValue2
Pod Anti-Affinity
Specifies whether pods should avoid running on the same zone or node as other pods based on labels (podAntiAffinity).
Activate with ENABLE_POD_ANTI_AFFINITY=true and configure similar to the podAffinity block:
POD_ANTI_AFFINITY_TYPE=preferred
POD_ANTI_AFFINITY_EXPR_TYPE=matchExpressions
POD_ANTI_AFFINITY_KEY=exampleKey
POD_ANTI_AFFINITY_OPERATOR=In
POD_ANTI_AFFINITY_REQUIRED_VALUE=exampleValue
POD_ANTI_AFFINITY_PREFERRED_VALUE=exampleValue
POD_ANTI_AFFINITY_TOPOLOGY_KEY=kubernetes.io/hostname
POD_ANTI_AFFINITY_EXPR_TYPE=matchExpressions
POD_ANTI_AFFINITY_KEY=exampleKey
POD_ANTI_AFFINITY_OPERATOR=In
POD_ANTI_AFFINITY_REQUIRED_VALUE=exampleValue
POD_ANTI_AFFINITY_PREFERRED_VALUE=exampleValue
POD_ANTI_AFFINITY_TOPOLOGY_KEY=kubernetes.io/hostname
Docker Image Versions
Docker image versions for services are managed with the following variables
export APIGATEWAY_VERSION=:v0.0.6
export AUTH_VERSION=:v0.0.6
export BUILDER_VERSION=:v0.3.20
export CWCBACK_VERSION=:v0.0.2
export DATASYNCHUB_VERSION=:v0.0.12
export EMAILBUILDER_VERSION=:v0.0.1
export FRONTEND_VERSION=:v2.3.7
export LOGS_VERSION=:v0.0.1
export METRICS_VERSION=:v0.1.13
export PRODUCER_VERSION=v0.0.1
export CONSUMER_VERSION=v0.0.12
export APIGATEWAY_VERSION=:v0.0.6
export AUTH_VERSION=:v0.0.6
export BUILDER_VERSION=:v0.3.20
export CWCBACK_VERSION=:v0.0.2
export DATASYNCHUB_VERSION=:v0.0.12
export EMAILBUILDER_VERSION=:v0.0.1
export FRONTEND_VERSION=:v2.3.7
export LOGS_VERSION=:v0.0.1
export METRICS_VERSION=:v0.1.13
export PRODUCER_VERSION=v0.0.1
export CONSUMER_VERSION=v0.0.12
Note: Do not modify these versions unless strictly necessary.
9. Run the OneConnect Deployment
Grant permissions to the scripts Run the following commands to grant permissions to the scripts we will need to run later:
dos2unix oneconnect.env
dos2unix generate-deployments.sh
chmod +x generate-deployments.sh
dos2unix setup.sh
chmod +x setup.sh
Once you have your oneconnect.env file ready, you'll need to run the generate-deployments.sh which will generate all the yaml archives needed to make the deployment.
./generate-deployments.sh
Run setup.sh after you run the generate-deployment.sh script, this will deploy all the services and deployments
./setup.sh
Related Articles
OneConnect Deployment and Configuration
One Connect Platform: Kubernetes Azure Deployment Manual for Private Network This manual outlines the steps required to deploy the One Connect system on a Kubernetes cluster within a Private Network (meaning the OneConnect Platform will not be ...One Connect Deployment - AWS Prerequisites
Technical Prerequisites for Proof of Concept (PoC) Kubernetes Deployment Options The OneConnect Platform can be deployed on Minikube or vanilla Kubernetes clusters. However, for better scalability and operational simplicity, we recommend using Amazon ...One Connect Cloud Deployment
Prerequisites Download the required .zip folders attached at the end of the document: sql.zip one-connect.zip kafka-compose.zip Requirements for the Virtual Machine System: Linux Architecture: 64-bit processors (x86_64) support Instance ...One Connect Deployment - Azure Prerequisites
Before you Begin: The following deployment manuals assumes a basic understanding of Kubernetes concepts. For more information, refer to Kubernetes core concepts for Azure Kubernetes Service (AKS). Before you begin: If you don't have an Azure account, ...Onibex Snowflake Sink Connector Benefits
The Onibex Snowflake Sink Connector enables real-time data ingestion from Confluent Platform and Confluent Cloud into topic-based subscription tables in Snowflake. It supports idempotent writes through elevator logic and allows for automatic table ...