Back to Projects

AWS EKS Infrastructure Portfolio

Ongoing

Production-grade Kubernetes platform demonstrating enterprise-level Terraform automation, security, and observability on AWS

Terraform AWS EKS Kubernetes GitLab CI/CD Prometheus Grafana Traefik Authentik SSO
View on GitLab
AWS EKS Demo Environment - Cloud infrastructure diagram

Overview

A comprehensive Infrastructure-as-Code project demonstrating enterprise-level AWS, Kubernetes, and DevOps practices. This project deploys a fully functional EKS cluster with SSO authentication, security hardening, observability, and cost optimization—entirely automated via Terraform and GitLab CI/CD.

The entire infrastructure stack is defined in modular Terraform configurations, enabling on-demand deployment of a production-grade Kubernetes platform. From VPC networking to application ingress, every component is version-controlled, reproducible, and demonstrates real-world patterns used in enterprise environments.

Deployed Services

All services are protected with SSO authentication and CrowdSec WAF, demonstrating enterprise security patterns.

Homepage Dashboard

Service dashboard with Kubernetes auto-discovery, displaying all running workloads

Visit Dashboard

Grafana + Prometheus

Full observability stack with metrics visualization, alerting, and Loki log aggregation

SSO + WAF Protected

Authentik SSO

Domain-wide single sign-on with forward authentication protecting all services

Identity Provider

Traefik Ingress

Modern ingress controller with automatic TLS, middleware chains, and CrowdSec integration

Traffic Management

CrowdSec WAF

Community-driven threat intelligence with real-time IP reputation scoring

Security Layer

Cost Optimized

Production-grade platform running at ~$75-100/month using spot instances and fck-nat

Monthly: ~$75-100

Infrastructure Architecture

Cloud Platform AWS (EKS, VPC, IAM, EC2, EBS)
Infrastructure as Code Terraform 1.14, modular architecture with remote state
Container Orchestration Kubernetes 1.34 on EKS with managed node groups
CI/CD GitLab Pipelines (API-triggered deployments)
Ingress & Networking Traefik, AWS NLB, Cloudflare DNS/CDN
Authentication Authentik SSO with forward auth middleware
Security CrowdSec WAF, threat intelligence, VPC endpoints
Observability Prometheus, Grafana, Loki, Alertmanager
Edge Layer (Cloudflare)
DNS Management CDN Caching DDoS Protection Origin Certificates
AWS VPC (10.0.0.0/22)
Public Subnets (2 AZs) Private Subnets (2 AZs) fck-nat (t4g.nano) Network Load Balancer VPC Endpoints (S3, ECR, EC2, STS)
EKS Cluster (Kubernetes 1.34)
Managed Node Group Spot Instances (t3.medium x2) OIDC Provider EBS CSI Driver
Ingress & Security
Traefik Ingress Authentik SSO CrowdSec WAF Forward Auth Middleware
Observability Stack
Prometheus Grafana Loki (Logs) Alertmanager
Applications
Homepage Dashboard Helm Deployments IngressRoute CRDs

Dependency Flow: networking → eks → ingress → security → monitoring → apps 

├── main.tf                 # Root orchestration
├── variables.tf            # Input definitions
├── outputs.tf              # Output values
├── locals.tf               # Centralized configuration
├── versions.tf             # Provider constraints
├── providers.tf            # Provider setup└── modules/
    ├── networking/         # VPC, subnets, NAT, VPC endpoints (~374 lines)
    ├── eks/                # EKS cluster, node groups, OIDC, EBS CSI
    ├── ingress/            # Traefik, TLS, Cloudflare DNS records
    ├── security/           # Authentik SSO, CrowdSec WAF (~631 lines)
    ├── monitoring/         # Prometheus, Grafana, Loki, Alertmanager
    └── apps/               # Homepage dashboard, service routing

Hover over components for details

WWW EDGE Cloudflare DNS + CDN + DDoS Protection + TLS AWS VPC 10.0.0.0/22 • us-west-1 • 2 Availability Zones NETWORK Network Load Balancer Public Subnets • fck-nat (t4g.nano) COMPUTE EKS Cluster Kubernetes 1.34 • 2x t3.medium Spot • OIDC • EBS CSI PLATFORM Traefik Ingress Controller + IngressRoute CRDs SECURITY Authentik SSO + Forward Auth SECURITY CrowdSec WAF + Threat Intel OBSERVABILITY + APPS Homepage Dashboard Prometheus Metrics Grafana Visualization Loki Logs Alertmgr Notifications
Internet Users

External traffic from web browsers and API clients reaching your infrastructure.

Edge Layer: Cloudflare
DNS ManagementCloudflare DNS with proxy
CDN CachingGlobal edge caching
DDoS ProtectionLayer 3/4/7 mitigation
TLS/SSLOrigin certificates
Network Layer
VPC CIDR10.0.0.0/22
Public Subnets10.0.2.0/24, 10.0.3.0/24
Private Subnets10.0.0.0/24, 10.0.1.0/24
NAT Solutionfck-nat (t4g.nano) - 95% cost savings
VPC EndpointsS3, ECR (API+DKR), EC2, STS
Compute Layer: EKS
Kubernetesv1.34 (managed)
Node Group2x t3.medium Spot instances
Cost Savings~60% with Spot
OIDC ProviderIAM roles for service accounts
StorageEBS CSI Driver for persistent volumes
Platform Layer: Traefik
RoleKubernetes Ingress Controller
CRDsIngressRoute, Middleware
TLSAutomatic certificate management
FeaturesDynamic config, middleware chains
PluginsCrowdSec bouncer integration
Security: Authentik SSO
TypeIdentity Provider (IdP)
Auth MethodForward authentication
ProtocolsOIDC, SAML, LDAP
IntegrationTraefik middleware
ConfigBlueprint-based (GitOps)
Security: CrowdSec WAF
TypeWeb Application Firewall
IntelligenceCommunity-driven threat feeds
FeaturesReal-time IP reputation scoring
DeploymentKubernetes-native
IntegrationTraefik bouncer plugin
Observability Stack
PrometheusMetrics collection & storage
GrafanaDashboards & visualization
LokiLog aggregation (like Prometheus for logs)
AlertmanagerAlert routing & notifications
HomepageService dashboard with K8s auto-discovery

GitLab CI/CD Pipeline

The GitLab pipeline enables on-demand infrastructure deployment with API-triggered workflows, automated secret injection, and multi-stage verification. All infrastructure changes flow through version control with full auditability.

Validate
Terraform validation + lock check
Plan
Generate execution plan
Deploy
Apply infrastructure
Verify
kubectl health checks
Destroy
Scheduled cleanup

Challenge and Approach

The Challenge

Demonstrating DevOps and cloud infrastructure skills to potential employers is challenging with just words on a resume. I needed a tangible, live environment that showcases my ability to design, implement, and maintain production-grade Kubernetes infrastructure on AWS.

The Approach

I built a complete EKS environment using infrastructure-as-code principles. Terraform manages all AWS resources, Kubernetes manifests define the workloads, and GitLab CI/CD orchestrates the entire lifecycle. The result is a fully automated, reproducible infrastructure that demonstrates real-world DevOps practices.

Skills Demonstrated

Infrastructure & Cloud

VPC design, EKS cluster management, IAM roles/policies, security groups, multi-AZ deployment

Terraform Expertise

Modular IaC design, state management, provider configuration, dependency ordering

Kubernetes & EKS

Managed node groups, OIDC provider integration, Helm charts, IngressRoute CRDs

Security Implementation

SSO/Identity with forward auth, WAF integration, private subnets, VPC endpoints

Technical Decisions

Key architectural choices made to balance functionality, cost, and production-readiness.

Traefik over NGINX

Ingress Controller Choice

  • Native Kubernetes CRD support (IngressRoute)
  • Built-in middleware chain for auth/security
  • Dynamic configuration without restarts
  • Plugin ecosystem (CrowdSec bouncer)

Authentik over Keycloak

Identity Provider Choice

  • Modern Python/Django stack
  • Blueprint-based config (GitOps-friendly)
  • Embedded outpost for forward auth
  • Lower resource footprint

CrowdSec for WAF

Security Layer Choice

  • Community-driven threat intelligence
  • Real-time IP reputation scoring
  • Kubernetes-native deployment
  • Traefik plugin integration

fck-nat over NAT Gateway

Cost Optimization Choice

  • 95% cost reduction (~$30/month saved)
  • Same functionality for outbound traffic
  • ARM-based for additional savings
  • Appropriate for demo/dev environments

Cost Engineering

Real-world cost optimization without sacrificing functionality. Estimated total: ~$75-100/month for a production-grade K8s platform.

NAT
fck-nat (t4g.nano) vs AWS NAT Gateway
~$30/month saved
Compute
Spot instances for EKS nodes
~60% reduction
Storage
Right-sized EBS volumes
Variable savings
Network
VPC endpoints reduce data transfer
Variable savings

Results & Impact

100%
Infrastructure as Code
~$75-100
Monthly Platform Cost
6
Terraform Modules
7+
Deployed Services

This project demonstrates proficiency with Terraform, AWS, and Kubernetes while serving as a live portfolio piece. The infrastructure is fully reproducible from a single API-triggered pipeline, showcasing enterprise-level automation, security practices, and cost optimization strategies used in production environments.

Explore This Project

Interested in seeing more? Check out the live demo or browse the source code.

View on GitLab

Deploy On-Demand Demo Environment

This feature spins up a real AWS infrastructure environment using Terraform and GitLab CI/CD. The deployment typically takes 10-15 minutes and includes a full EKS cluster with monitoring, ingress, and SSO authentication.

Status
Pipeline Logs