DevOps
Provision EKS Auto Mode with Terraform: Simplified Kubernetes on AWS
Provision AWS EKS Auto Mode with Terraform. Automated node management, built-in Karpenter, pod identity, and comparison with standard EKS managed node groups.
4 min read
DevOps
Terraform for Talos Linux: Immutable Kubernetes Nodes
Provision Talos Linux Kubernetes nodes with Terraform on AWS, vSphere, and Proxmox: machine config, talosctl bootstrap, and automated upgrades.
LLuca Berton1 min read
Talos Linux is an immutable, API-driven Kubernetes OS: no SSH, no shell, no package manager — only talosctl. The siderolabs/talos Terraform provider generates and applies machine configs. Combined with aws_instance (or vSphere / Proxmox), Terraform fully bootstraps a cluster.
Provider
#terraform {
required_providers {
talos = {
source = "siderolabs/talos"
version = "~> 0.7"
}
}
}Generate Cluster Secrets and Configs
#resource "talos_machine_secrets" "this" {}
data "talos_machine_configuration" "controlplane" {
cluster_name = var.cluster_name
machine_type = "controlplane"
cluster_endpoint = "https://${aws_lb.cp.dns_name}:6443"
machine_secrets = talos_machine_secrets.this.machine_secrets
}
data "talos_machine_configuration" "worker" {
cluster_name = var.cluster_name
machine_type = "worker"
cluster_endpoint = "https://${aws_lb.cp.dns_name}:6443"
machine_secrets = talos_machine_secrets.this.machine_secrets
}Apply to Nodes
#resource "talos_machine_configuration_apply" "cp" {
for_each = aws_instance.controlplane
client_configuration = talos_machine_secrets.this.client_configuration
machine_configuration_input = data.talos_machine_configuration.controlplane.machine_configuration
node = each.value.private_ip
}
resource "talos_machine_bootstrap" "this" {
depends_on = [talos_machine_configuration_apply.cp]
client_configuration = talos_machine_secrets.this.client_configuration
node = aws_instance.controlplane["0"].private_ip
}
data "talos_cluster_kubeconfig" "this" {
client_configuration = talos_machine_secrets.this.client_configuration
node = aws_instance.controlplane["0"].private_ip
depends_on = [talos_machine_bootstrap.this]
}Best Practices
#- Use the Sidero Talos AMIs rather than building from scratch — saves the kernel signing pain.
- Three control planes across AZs — Talos doesn't tolerate split brain better than upstream Kubernetes.
- Store the kubeconfig in HCP Vault Secrets, not git.
- Upgrade with
talos_machine_upgrade— never SSH (you can't anyway). - Pair with Cilium (built-in via Talos config) for the strongest security default.
Related
##Terraform#Talos Linux#Kubernetes#Sidero#Immutable Infrastructure
Related articles
DevOps
Terraform for Bottlerocket OS on Amazon EKS
Provision Bottlerocket OS Kubernetes nodes with Terraform on Amazon EKS: managed node groups, custom AMIs, settings, and automated updates.
1 min read
DevOps
Terraform for Flatcar Container Linux on AWS and Azure
Provision Flatcar Container Linux nodes with Terraform: Ignition config, immutable updates, and Kubernetes worker pools on AWS, Azure, and bare metal.
1 min read
Troubleshooting
Fix Terraform Error - Kubernetes Provider - Unauthorized
Fix Kubernetes provider unauthorized errors in Terraform. Covers kubeconfig, service account tokens, and EKS cluster authentication issues.
2 min read