Foundations

This batch covers everything you need in place before the first resource gets created. Work through each section in order — they build on each other.

The walkthrough assumes a specific toolchain. Here’s what we use and the reasoning behind each choice so you can decide if it fits your context or what to swap.

AWS account

Required. You need an AWS (Amazon Web Services) account with permissions to create and manage a VPC (Virtual Private Cloud, an isolated private network where your cluster resources run), an EKS (Elastic Kubernetes Service) cluster, node groups, and related resources, through either broad admin rights or scoped IAM (Identity and Access Management) permissions.

IAM Identity Center

Recommended / Required for ArgoCD

IAM Identity Center (formerly AWS SSO) provides centralised access to AWS and applications, single sign-on (one login for AWS, Git and other services), and short-lived credentials instead of long-lived keys.

  • Best practice for your own access to AWS.
  • Required for the Platform batch: ArgoCD (a declarative GitOps continuous delivery tool for Kubernetes that syncs cluster state from a Git repo) uses OIDC (OpenID Connect) + IAM Identity Center for temporary Git sync credentials (no static keys).
  • Set up or confirm in Prerequisites; we use it again when configuring ArgoCD.

AWS CLI

The AWS CLI (command line interface) is how you authenticate to AWS from your machine.

  • Terraform uses your credentials (aws configure or env) to create resources.
  • Ad-hoc checks — describe VPCs, EKS clusters, etc.
  • kubectl/EKS: running aws eks update-kubeconfig writes your local kubeconfig.

Required even though most creation happens via Terraform.

Infrastructure as Code — Terraform

All infrastructure is defined and applied with Terraform (no manual console creation except where we say so). Terraform gives you:

  • Declarative config — desired state in code; changes are reviewable and repeatable.
  • State — tracks what it created so it can update and destroy safely.
  • AWS and Kubernetes — AWS provider for VPC, EKS, IAM, etc.; add the Kubernetes provider for post-create config if needed.
  • Widely used — easy to find examples and reuse in real projects.

kubectl

kubectl is the standard command-line client for any Kubernetes cluster, including EKS, and is how you interact with the cluster after it is provisioned.

  • After the cluster is up: verify the control plane, list nodes.
  • Later batches: deploy and inspect workloads.
  • EKS gives you a managed control plane; kubectl remains the primary client.

Git and the Git CLI

Git is used to clone the Terraform repo and (if you do the full walkthrough) to work with app and GitOps repos.

  • Infra — separate repo so you can version and reuse it.
  • Platform batch — ArgoCD syncs cluster state from Git; GitOps is covered there.

What else to have in mind

  • Region — Pick an AWS region and stick to it for the walkthrough (e.g. ap-southeast-6). Commands and Terraform use a default region once configured.
  • Terraform state — The Prerequisites use local state. For real use you’d move to remote state (e.g. S3 + DynamoDB) so multiple people or CI can run Terraform safely; we keep it simple here.
  • Cost — EKS, NAT Gateway (which lets instances in private subnets reach the internet without being reachable from it), and nodes incur cost. Tear down when you’re done (terraform destroy) and follow AWS best practices for accounts and billing.
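
As an added example (not code from the walkthrough's own repo) of what the move to remote state looks like: a one-time bootstrap of the S3 bucket and DynamoDB lock table with the settings that matter because state files can hold secrets, followed by the backend block the infra repo would switch to. Bucket and table names are placeholders, and the region is the one this page uses as its example.

```hcl
# --- bootstrap.tf: create the backend resources once, still using local state ---
resource "aws_s3_bucket" "tf_state" {
  bucket = "example-org-terraform-state" # placeholder, must be globally unique
}
# Keep every prior state version so a bad apply can be rolled back.
resource "aws_s3_bucket_versioning" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  versioning_configuration {
    status = "Enabled"
  }
}
# State can contain secrets (DB passwords, tokens): encrypt it at rest.
resource "aws_s3_bucket_server_side_encryption_configuration" "tf_state" {
  bucket = aws_s3_bucket.tf_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}
# Never let the state bucket become publicly readable.
resource "aws_s3_bucket_public_access_block" "tf_state" {
  bucket                  = aws_s3_bucket.tf_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
# Lock table so two people (or CI and a person) cannot apply at the same time.
resource "aws_dynamodb_table" "tf_lock" {
  name         = "example-org-terraform-lock" # placeholder
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# --- backend.tf in the infra repo: replaces the local backend ---
terraform {
  backend "s3" {
    bucket         = "example-org-terraform-state"
    key            = "eks-walkthrough/terraform.tfstate"
    region         = "ap-southeast-6"
    encrypt        = true
    dynamodb_table = "example-org-terraform-lock"
  }
}
```

Apply the bootstrap first with local state, then add the backend block and run terraform init, which offers to migrate the existing local state into the bucket.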

When you’re ready, go through the checklist and steps in Prerequisites to install and configure the tools, then continue to Networking to build the VPC.