Skip to main content

Overview

With accounts bootstrapped and integrations configured, you’re ready to deploy the core AWS infrastructure. This includes networking (VPC, subnets, NAT), EKS clusters, and application-specific resources like S3 buckets and IAM roles.

Decisions

Before deploying, review and customize these configuration options in each stack’s config.tm.hcl:

Networking

EKS Cluster

Hardcoded Values You May Want to Customize

These values are set in the Terraform modules and require editing the module source code to change:

Infrastructure Deployment Order

Terramate manages dependencies between stacks automatically. The deployment order is:
Each stack declares its dependencies, so Terramate applies them in the correct order.

Initial Deployment (Local)

For the first deployment, you must run Terraform locally. The CI/CD workflow only applies changed stacks, and new stacks without any Terraform state aren’t detected as changed.
Terramate can deploy all stacks at once with automatic dependency ordering (terramate run --tags staging -- terraform apply). However, deploying stacks sequentially makes it easier to follow progress, verify each component is working, and troubleshoot issues.
1

Authenticate to AWS

Use Leapp to start a session for the Infrastructure account:
2

Initialize and deploy networking

3

Deploy EKS

After networking is complete:
EKS cluster creation takes 10-15 minutes.
4

Deploy example application resources (optional)

If you have application-specific infrastructure:
5

Commit the lock files

After successful deployment, commit any updated .terraform.lock.hcl files:

Subsequent Changes via Pull Request

After the initial deployment, use pull requests for all infrastructure changes. This ensures changes are reviewed and tracked.
1

Make your changes

Edit the relevant config.tm.hcl or module files, then regenerate:
2

Create a branch and push

3

Open a PR and review the plan

The CI workflow will:
  1. Run terraform plan for each changed stack
  2. Post plan output to Terramate Cloud (if configured)
  3. Post a plan summary as a PR comment (if using Terramate Cloud)
Review the plan carefully before approving.
4

Merge to apply

Once approved, merge the PR. The deploy workflow will apply changes in dependency order.

What Gets Created

Networking Stack

EKS Stack

Application Resources (go-backend example)

Configuration Options

NAT Gateway Modes

The networking module supports three NAT modes via nat_mode variable: Configure in terraform/live/staging/<REGION>/networking/config.tm.hcl:

EKS Node Configuration

Karpenter handles most node provisioning, but you can configure the initial managed node group:

Verify Deployment

After deployment completes:
1

Check Terraform outputs

Note the cluster_name output; you’ll need it for later steps.
2

Verify cluster health in AWS Console

Navigate to the EKS console and verify:
  • Cluster status is Active
  • Node group shows nodes in Ready state
  • Add-ons (CoreDNS, kube-proxy, VPC CNI, EBS CSI) are Active
If you configured private-only endpoint access (endpoint_public_access = false), you cannot run kubectl commands from your local machine without first connecting through the bastion host. Console verification is sufficient for now; you’ll configure cluster access via ArgoCD in the next step.

Deploy Production

Production deployment follows the same pattern with production-specific configuration:

Next Steps

With infrastructure deployed, proceed to Cluster Access to configure kubectl access to your EKS cluster.