Gitlab - Terraform - EKS Deployment Images & Commands
Gitlab & Terraform Commands & Images
To reduce cost: switched from Mumbai to North Virginia, updated EKS to the latest version, disabled the NAT Gateway, and set the desired instance count to 1 EC2 instance.
Gitlab & Terraform Commands & Images
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::435182297172:oidc-provider/oidc.eks.ap-south-1.amazonaws.com/id/FA5DB1F4F3154F6F3B9F2252DB62716A"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.ap-south-1.amazonaws.com/id/FA5DB1F4F3154F6F3B9F2252DB62716A:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller",
"oidc.eks.ap-south-1.amazonaws.com/id/FA5DB1F4F3154F6F3B9F2252DB62716A:aud": "sts.amazonaws.com"
}
}
}
]
}
Gitlab & Terraform Commands & Images
81m v1.34.2-eks-ecaa3a6
PS C:\Users\Kishore> kubectl get gateway express-gateway -n default
NAME CLASS ADDRESS PROGRAMMED AGE
express-gateway aws-alb Unknown 28m
PS C:\Users\Kishore> kubectl logs -n kube-system deployment/aws-load-balancer-controller --tail=50 --all-containers=true
Found 2 pods, using pod/aws-load-balancer-controller-6ffd66c66b-bmbfr
{"level":"info","ts":"2025-11-23T09:12:02Z","msg":"version","GitVersion":"v2.10.0","GitCommit":"8416a4320aeb4e86c61ddb301d9661c1cf26cb29","BuildDate":"2024-11-01T00:20:38+0000"}
{"level":"info","ts":"2025-11-23T09:12:02Z","logger":"setup","msg":"adding health check for controller"}
{"level":"info","ts":"2025-11-23T09:12:02Z","logger":"setup","msg":"adding readiness check for webhook"}
{"level":"info","ts":"2025-11-23T09:12:02Z","logger":"controller-runtime.webhook","msg":"Registering webhook","path":"/mutate-v1-pod"}
{"level":"info","ts":"2025-11-23T09:12:02Z","logger":"controller-runtime.webhook","msg":"Registering webhook","path":"/mutate-v1-service"}
{"level":"info","ts":"2025-11-23T09:12:02Z","logger":"controller-runtime.webhook","msg":"Registering webhook","path":"/validate-elbv2-k8s-aws-v1beta1-ingressclassparams"}
{"level":"info","ts":"2025-11-23T09:12:02Z","logger":"controller-runtime.webhook","msg":"Registering webhook","path":"/mutate-elbv2-k8s-aws-v1beta1-targetgroupbinding"}
{"level":"info","ts":"2025-11-23T09:12:02Z","logger":"controller-runtime.webhook","msg":"Registering webhook","path":"/validate-elbv2-k8s-aws-v1beta1-targetgroupbinding"}
{"level":"info","ts":"2025-11-23T09:12:02Z","logger":"controller-runtime.webhook","msg":"Registering webhook","path":"/validate-networking-v1-ingress"}
{"level":"info","ts":"2025-11-23T09:12:02Z","logger":"setup","msg":"starting deferred tgb reconciler"}
{"level":"info","ts":"2025-11-23T09:12:02Z","logger":"setup","msg":"starting podInfo repo"}
{"level":"info","ts":"2025-11-23T09:12:04Z","logger":"controller-runtime.metrics","msg":"Starting metrics server"}
{"level":"info","ts":"2025-11-23T09:12:04Z","msg":"starting server","name":"health probe","addr":"[::]:61779"}
{"level":"info","ts":"2025-11-23T09:12:04Z","logger":"controller-runtime.webhook","msg":"Starting webhook server"}
{"level":"info","ts":"2025-11-23T09:12:04Z","logger":"controller-runtime.metrics","msg":"Serving metrics server","bindAddress":":8080","secure":false}
{"level":"info","ts":"2025-11-23T09:12:04Z","logger":"controller-runtime.certwatcher","msg":"Updated current TLS certificate"}
{"level":"info","ts":"2025-11-23T09:12:04Z","logger":"controller-runtime.webhook","msg":"Serving webhook server","host":"","port":9443}
{"level":"info","ts":"2025-11-23T09:12:04Z","logger":"controller-runtime.certwatcher","msg":"Starting certificate watcher"}
{"level":"info","ts":"2025-11-23T09:12:04Z","msg":"attempting to acquire leader lease kube-system/aws-load-balancer-controller-leader..."}
PS C:\Users\Kishore> kubectl get sa -n kube-system aws-load-balancer-controller -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::435182297172:role/eksctl-express-app-production-eks-addon-iamse-Role1-GZsruX2L4Jj2
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"creationTimestamp":null,"name":"aws-load-balancer-controller","namespace":"kube-system"}}
creationTimestamp: "2025-11-23T08:46:53Z"
labels:
app.kubernetes.io/managed-by: eksctl
name: aws-load-balancer-controller
namespace: kube-system
resourceVersion: "7004"
uid: d0b0dd18-1425-44dd-8798-375c589b7a73
PS C:\Users\Kishore> kubectl get events -n default --field-selector involvedObject.name=express-gateway --sort-by='.lastTimestamp'
No resources found in default namespace.
PS C:\Users\Kishore> aws eks describe-cluster --name express-app-production-eks --region us-east-1 --query 'cluster.resourcesVpcConfig.vpcId' --output text
vpc-0665cee55055202db
PS C:\Users\Kishore> aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-0665cee55055202db" --region us-east-1 --query 'Subnets[?MapPublicIpOnLaunch==`true`].SubnetId' --output text
subnet-048673a109ec226bf subnet-01aa2b7efe0660f74 subnet-09611eddea704ef7d
PS C:\Users\Kishore> kubectl get sa -n kube-system aws-load-balancer-controller -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::435182297172:role/eksctl-express-app-production-eks-addon-iamse-Role1-GZsruX2L4Jj2
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"creationTimestamp":null,"name":"aws-load-balancer-controller","namespace":"kube-system"}}
creationTimestamp: "2025-11-23T08:46:53Z"
labels:
app.kubernetes.io/managed-by: eksctl
name: aws-load-balancer-controller
namespace: kube-system
resourceVersion: "7004"
uid: d0b0dd18-1425-44dd-8798-375c589b7a73
PS C:\Users\Kishore> kubectl get gatewayclass aws-alb -o yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"gateway.networking.k8s.io/v1beta1","kind":"GatewayClass","metadata":{"annotations":{},"name":"aws-alb"},"spec":{"controllerName":"eks.amazonaws.com/aws-gateway-controller","description":"AWS Application Load Balancer Gateway"}}
creationTimestamp: "2025-11-23T09:33:29Z"
generation: 1
name: aws-alb
resourceVersion: "18053"
uid: 9670adf7-e857-4f36-89e5-6b730481fc49
spec:
controllerName: eks.amazonaws.com/aws-gateway-controller
description: AWS Application Load Balancer Gateway
status:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
reason: Waiting
status: Unknown
type: Accepted
PS C:\Users\Kishore>
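# Discover the EKS cluster's VPC, find its public subnets
# (MapPublicIpOnLaunch == true) and tag them with the
# kubernetes.io/role/elb and kubernetes.io/cluster/<name> tags the
# AWS Load Balancer Controller uses for subnet discovery, then print
# the resulting tags as a table.
#
# Cluster name and region default to the values used throughout these
# notes; override with CLUSTER_NAME / AWS_REGION in the environment.
set -euo pipefail

CLUSTER_NAME="${CLUSTER_NAME:-express-app-production-eks}"
AWS_REGION="${AWS_REGION:-us-east-1}"

# Get VPC ID
VPC_ID=$(aws eks describe-cluster \
  --name "$CLUSTER_NAME" \
  --region "$AWS_REGION" \
  --query 'cluster.resourcesVpcConfig.vpcId' \
  --output text)
# With --output text the CLI prints "None" for a null field, so an
# empty string is not the only "not found" case to guard against.
if [[ -z "$VPC_ID" || "$VPC_ID" == "None" ]]; then
  printf 'No VPC found for cluster %s in %s\n' "$CLUSTER_NAME" "$AWS_REGION" >&2
  exit 1
fi
printf 'VPC ID: %s\n' "$VPC_ID"

# Find public subnets. Text output is one whitespace-separated line, so
# split it into an array once rather than relying on unquoted expansion
# at every later use.
PUBLIC_SUBNETS=$(aws ec2 describe-subnets \
  --filters "Name=vpc-id,Values=$VPC_ID" \
  --region "$AWS_REGION" \
  --query 'Subnets[?MapPublicIpOnLaunch==`true`].SubnetId' \
  --output text)
read -r -a subnet_ids <<<"$PUBLIC_SUBNETS"
# Without this guard the loop below is a no-op and the final
# describe-subnets call fails with an empty --subnet-ids argument.
if (( ${#subnet_ids[@]} == 0 )); then
  printf 'No public subnets found in VPC %s\n' "$VPC_ID" >&2
  exit 1
fi
printf 'Public Subnets: %s\n' "$PUBLIC_SUBNETS"

# Tag each public subnet
for subnet in "${subnet_ids[@]}"; do
  aws ec2 create-tags \
    --resources "$subnet" \
    --tags \
      Key=kubernetes.io/role/elb,Value=1 \
      "Key=kubernetes.io/cluster/${CLUSTER_NAME},Value=shared" \
    --region "$AWS_REGION"
  printf 'Tagged subnet: %s\n' "$subnet"
done

# Verify tags
aws ec2 describe-subnets \
  --subnet-ids "${subnet_ids[@]}" \
  --region "$AWS_REGION" \
  --query 'Subnets[].[SubnetId,Tags[?Key==`kubernetes.io/role/elb`].Value|[0]]' \
  --output table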
C:\Users\Kishore>aws eks list-access-entries --cluster-name express-app-production-eks --region ap-south-1
{
"accessEntries": [
"arn:aws:iam::435182297172:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS",
"arn:aws:iam::435182297172:role/general-node-group-eks-node-group-20251109072634569400000003",
"arn:aws:iam::435182297172:role/gitlab-ci-role",
"arn:aws:iam::435182297172:user/mohanmaplas3access"
]
}
C:\Users\Kishore>aws eks list-access-entries --cluster-name express-app-production-eks --region ap-south-1
{
"accessEntries": [
"arn:aws:iam::435182297172:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS",
"arn:aws:iam::435182297172:role/general-node-group-eks-node-group-20251109072634569400000003",
"arn:aws:iam::435182297172:role/gitlab-ci-role",
"arn:aws:iam::435182297172:user/mohanmaplas3access"
]
}
C:\Users\Kishore>aws eks describe-access-entry --cluster-name express-app-production-eks --principal-arn arn:aws:iam::435182297172:role/gitlab-ci-role --region ap-south-1
{
"accessEntry": {
"clusterName": "express-app-production-eks",
"principalArn": "arn:aws:iam::435182297172:role/gitlab-ci-role",
"kubernetesGroups": [],
"accessEntryArn": "arn:aws:eks:ap-south-1:435182297172:access-entry/express-app-production-eks/role/435182297172/gitlab-ci-role/8acd33c5-f55d-c12a-a506-c98f9364118f",
"createdAt": "2025-11-09T13:06:54.348000+05:30",
"modifiedAt": "2025-11-09T13:06:54.348000+05:30",
"tags": {
"Project": "express-app",
"Environment": "production",
"ManagedBy": "Terraform"
},
"username": "arn:aws:sts::435182297172:assumed-role/gitlab-ci-role/{{SessionName}}",
"type": "STANDARD"
}
}
C:\Users\Kishore>kubectl get nodes
'kubectl' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\Kishore>aws eks describe-access-entry --cluster-name express-app-production-eks --principal-arn arn:aws:iam::435182297172:role/gitlab-ci-role --region ap-south-1
{
"accessEntry": {
"clusterName": "express-app-production-eks",
"principalArn": "arn:aws:iam::435182297172:role/gitlab-ci-role",
"kubernetesGroups": [],
"accessEntryArn": "arn:aws:eks:ap-south-1:435182297172:access-entry/express-app-production-eks/role/435182297172/gitlab-ci-role/34cd3400-778d-7882-3d8e-f000f5df8008",
"createdAt": "2025-11-09T15:14:43.510000+05:30",
"modifiedAt": "2025-11-09T15:14:43.510000+05:30",
"tags": {
"Project": "express-app",
"Environment": "production",
"ManagedBy": "Terraform"
},
"username": "arn:aws:sts::435182297172:assumed-role/gitlab-ci-role/{{SessionName}}",
"type": "STANDARD"
}
}
C:\Users\Kishore>aws eks list-access-entries --cluster-name express-app-production-eks --region ap-south-1
{
"accessEntries": [
"arn:aws:iam::435182297172:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS",
"arn:aws:iam::435182297172:role/general-node-group-eks-node-group-20251109093420221100000002",
"arn:aws:iam::435182297172:role/gitlab-ci-role",
"arn:aws:iam::435182297172:root",
"arn:aws:iam::435182297172:user/mohanmaplas3access"
]
}
C:\Users\Kishore>
Need to fix this (the trust policy below trusts the account root principal, i.e. the whole account) -> aws iam create-role --role-name gitlab-ci-role --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::435182297172:root"},"Action":"sts:AssumeRole"}]}'
aws eks describe-cluster --name express-app-production-eks --region us-east-1 --query 'cluster.resourcesVpcConfig.vpcId' --output text
vpc-0665cee55055202db
aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-0665cee55055202db" --region us-east-1 --query 'Subnets[?MapPublicIpOnLaunch==`true`].SubnetId' --output text
subnet-048673a109ec226bf subnet-01aa2b7efe0660f74 subnet-09611eddea704ef7d
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Users\Kishore> aws eks update-kubeconfig --region us-east-1 --name express-app-production-eks
Added new context arn:aws:eks:us-east-1:435182297172:cluster/express-app-production-eks to C:\Users\Kishore\.kube\config
PS C:\Users\Kishore> kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-10-0-103-38.ec2.internal Ready