SQLite Cloud and the AWS Journey (Part 2) – Deploying a Secure EKS Cluster with Pod Identities & ALB using Terraform Modules

In the first part, we explored why AWS was the ideal choice for our Kubernetes infrastructure, focusing on scalability, flexibility, and managed services.

Now, in this second part, we’ll dive deeper and extend our EKS cluster by implementing Pod Identities for secure IAM integration and deploying the AWS Load Balancer Controller using Terraform modules.

This setup will allow us to securely expose our applications via an Application Load Balancer (ALB) with TLS termination, all managed declaratively and modularly.

• Enable EKS Pod Identities for IAM integration

• Deploy AWS Load Balancer Controller with Pod Identity permissions

• Expose your services securely using ALB Ingress with TLS

• Keep infrastructure declarative, modular, and reusable

1. Provision EKS Cluster with Pod Identity Enabled

Use the well-maintained Terraform AWS EKS module to create your cluster with Pod Identity support.

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = ">= 3.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["us-west-2a", "us-west-2b", "us-west-2c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = true
}

module "eks" {
  source          = "terraform-aws-modules/eks/aws"
  version         = ">= 19.0"
  cluster_name    = "my-app-eks"
  cluster_version = "1.29"

  vpc_id     = module.vpc.vpc_id
  subnet_ids = module.vpc.private_subnets

  enable_pod_identity = true

  node_groups = {
    default = {
      desired_capacity = 2
      max_capacity     = 3
      min_capacity     = 1
      instance_type    = "t3.medium"
    }
  }
}

2. Create IAM Role with Pod Identity Permissions for ALB Controller

Use the official terraform-aws-iam-role-for-service-accounts-eks module to create an IAM role scoped to the ALB Controller’s service account.

module "alb_controller_iam_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = ">= 5.0"

  name = "alb-controller-pod-identity-role"

  # The namespace and service account name the ALB controller uses
  service_account = {
    namespace = "kube-system"
    name      = "aws-load-balancer-controller"
  }

  # Attach AWS managed policy for ALB controller permissions
  additional_policy_arns = [
    "arn:aws:iam::aws:policy/AWSLoadBalancerControllerIAMPolicy"
  ]

  # Pod Identity uses "pods.eks.amazonaws.com" as the principal service
  assume_role_policy_service_principal = "pods.eks.amazonaws.com"

  # Associate with the EKS OIDC provider from the cluster module output
  oidc_provider_arn = module.eks.oidc_provider_arn
}

3. Register the Pod Identity Association

Use the terraform-aws-eks-pod-identity module to link the IAM role to the service account automatically.

module "alb_pod_identity" {
  source  = "git::https://github.com/terraform-aws-modules/terraform-aws-eks-pod-identity.git?ref=v1.0.0"

  cluster_name      = module.eks.cluster_name
  namespace         = "kube-system"
  service_account   = "aws-load-balancer-controller"
  iam_role_arn      = module.alb_controller_iam_role.iam_role_arn
}

This module creates the necessary Kubernetes ServiceAccount annotated for Pod Identity and manages the AWS Pod Identity resource.

4. Deploy AWS Load Balancer Controller via EKS Add-ons Module

Use the Terraform EKS Add-ons module to install and manage the ALB Controller:

module "alb_controller_addon" {
  source  = "terraform-aws-modules/eks-addons/aws"
  version = ">= 1.0"

  cluster_name        = module.eks.cluster_name
  addon_name          = "aws-load-balancer-controller"
  addon_version       = "v2.7.1"
  service_account_role_arn = module.alb_controller_iam_role.iam_role_arn

  resolve_conflicts   = "OVERWRITE"
}

5. Define Your Ingress Resource for Secure ALB Exposure

Deploy a Kubernetes Ingress manifest to expose your app. Here’s a generic example (apply with kubectl or via Helm):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:region:account-id:certificate/your-cert-id
spec:
  ingressClassName: alb
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp-service
                port:
                  number: 8080

Summary

Using Terraform modules, we built a robust, secure EKS environment with:

• Pod Identity enabled cluster for simplified IAM management

• Modular IAM roles tied to Kubernetes service accounts

• Managed ALB controller add-on integrated seamlessly

• Secure ALB ingress with TLS and scalable routing

This architecture works perfectly for any cloud-native app you want to run on AWS EKS with minimal operational overhead and maximum security.

Next Steps

In Part 3, we will explore:

• Horizontal pod autoscaling using Cluster Autoscaler or Karpenter

• Persistent storage with EBS CSI driver