With our AWS partnership, we jointly created two Kong Konnect AWS EKS Terraform Blueprints AddOns, eks-blueprint-konnect-runtime-instance and eks-blueprint-konnect-kic, to help bootstrap your Kong Konnect instances on EKS.
In this post, we'll discuss what AWS EKS Blueprints AddOns for Terraform are and their benefits. We'll also demo the Kong Konnect AddOns we’ve built out.
When it comes fundamentally to standing up a production-ready EKS cluster, there’s more to it than meets the eye: deploying drivers, integrating with AWS Secrets Manager, integrating with AWS logging infrastructure, and understanding the AWS IAM Roles for Service Accounts (IRSA) integration. The AWS EKS Blueprints in Terraform framework was designed to solve these needs by providing guardrails while adhering to community-wide infrastructure as code standards.
[AWS EKS Blueprints AddOns](https://aws-ia.github.io/terraform-aws-eks-blueprints-addons/main/amazon-eks-addons/)AWS EKS Blueprints AddOns is an AWS-developed framework based on Terraform and Helm to easily bootstrap EKS clusters. It comes with native EKS Addons, such as AWS CNI, AWS EBS CSI driver, and the most popular third-party technologies such as Kong Konnect. The objective of the framework is to get you to a production-ready environment quickly by simplifying and consolidating Day 2 operations with AWS best practices built into the AddOns themselves.
Overall, AWS EKS Blueprints for Terraform helps customers get a production-ready EKS Cluster as quickly as possible.
The Kong AddOns deploy Kong with either the Kong Gateway data plane independently or alongside Kong Ingress Controller, both of which integrate with Kong Konnect.
Under the hood, it’s still the Kong Helm chart deployed by the AWS EKS Add-On framework. However, what we’ve done is create an AWS-specific default Helm configuration for you, so that all you need to provide is a small subset of required values — runtime group ExID, the region, etc. Bear in mind, you still have the opportunity to override the defaults, if required.
But the Kong modules are more than just another deployment mechanism for the Kong data planes; they also prescribe to AWS EKS best practices. For Kong, this means providing a production-ready mechanism for managing the data plane certificates.
Kong Konnect uses a hybrid deployment model — Kong Konnect acts as the control plane and each gateway is a data plane with an mTLS connection to Konnect (See [Konnect Architecture](https://docs.konghq.com/konnect/architecture/)Konnect Architecture for more details.) As such, each data plane needs the certificates, stored as secrets in Kubernetes, to complete the mutual TLS handshake.
To achieve this, the Kong Konnect Blueprints modules install the [External Secrets Operator](https://external-secrets.io/latest/)External Secrets Operator, which is also a part of the add-on ecosystem. Then they configure the necessary AWS IRSA privileges and the necessary CRDs in order to leverage AWS Secrets Manager. With this integration in place, the data plane TLS certificates stored in AWS Secrets Manager are automatically injected as a Kubernetes Secret.
Overall, the Kong modules will do the following:
**There are a few prerequisites to be aware of before getting started. **
First, you need an EKS cluster. Don’t worry. The AWS team has a very robust Terraform module for that as well, [AWS EKS Terraform module](https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest)AWS EKS Terraform module, and it will run inline without addon modules.
Secondly, there are a few Kong Konnect prerequisites that need to be in place.
With those criteria in place, you’re ready to bootstrap your EKS cluster with Kong Konnect.
The name of the game is how fast we can automate provisioning an EKS cluster with Kong Ingress Controller to Kong Konnect. I’m going to bet we’ll be up and running in about 15 minutes.
First, go ahead and clone the [examples github repo](https://github.com/aws-samples/terraform-eks-blueprints-kong-samples/blob/main/README.md)examples github repo.
**Let’s take care of the prerequisites:**
Log into Kong Konnect, navigate to Runtime Manager, and create a Kong Ingress Controller Runtime Group.
And we can see below I’ve created a new Runtime Group called KIC Demo:
Now, create the data plane certificates.
We put together a CLI tool ([kong-konnect-runtime-cert-generator](https://github.com/anshrma/kong-konnect-runtime-cert-generator)kong-konnect-runtime-cert-generator) to get you jump-started here. The CLI tool is going to create a self-signed cert, push it to the new Kong Konnect Runtime Group and also to AWS Secrets Manager:
./kong-konnect-runtime-cert-generator -api-endpoint "https://us.api.konghq.com" -api-version "v2" -personal-access-token "<my-PAT>" -runtime-group-name "KIC Demo"The output should be something similar to below. Save this output — you’ll need it for the next step.
Detected existing runtime group, skipping creation
Runtime Group ID: bc7dc4ac-f541-4e56-ab07-43f61ab3ea0a
{ControlPlaneEndpoint:https://bf06a54c3e.us.cp0.konghq.com TelemetryEndpoint:https://bf06a54c3e.us.tp0.konghq.com Name:KIC Demo AWSCertManagerCRT:bc7dc4ac-f541-4e56-ab07-43f61ab3ea0a-cert AWSCertManagerKey:bc7dc4ac-f541-4e56-ab07-43f61ab3ea0a-key}
Terraform
OK! Now for the finale. In the example repo, navigate into the **konnect-kic** directory. The Terraform script does three main things:
To run the Terraform script, create a terraform.tfvars file with the following output from the CLI tool:
konnect_region = "us"
runtimeGroupID = "bc7dc4ac-f541-4e56-ab07-43f61ab3ea0a"
personal_access_token = "<YOUR PAT>"
cert_secret_name = "86070330-fdd3-4bb4-a1bc-d1b3f873c0fc-cert"
key_secret_name = "86070330-fdd3-4bb4-a1bc-d1b3f873c0fc-key"And now run the Terraform with `terraform apply`:
And that is it. KIC is Fully Operational.
We really enjoyed this project, and we’re looking forward to the community’s reaction.
Give it a go and let us know what you think! hould we cover more Day 2 Operations? Are there more configurations you’d like to see? Don’t hesitate to create a [GitHub issue](https://github.com/Kong/terraform-aws-eks-blueprint-konnect-runtime-instance/issues)GitHub issue.
In the meantime, we have several more [examples](https://github.com/aws-samples/terraform-eks-blueprints-kong-samples/tree/main/examples)examples to get you kickstarted — Fargate, AWS Graviton — and there’s a [video](https://youtu.be/9j7y6BHHOL8)video if you’d rather watch.
Find us on the [AWS Partner Addon docs](https://aws-ia.github.io/terraform-aws-eks-blueprints-addons/main/aws-partner-addons/)AWS Partner Addon docs as well!
Managed Redis cache is a turnkey "Shared State" add-on for Kong Dedicated Cloud Gateways. It is designed to combine the performance of an in-memory data store with the simplicity of a SaaS product. When you spin up a Dedicated Cloud Gateway in Kong
[](https://konghq.com/blog/product-releases/multicloud-cloud-gateways-managed-redis-cache)
Using Konnect Advanced Analytics for a faster real-time measurement of what your users are experiencing Earlier this year the Kong Konnect Analytics team was looking to leverage the stability and flexibility of our own Kong Gateway to handle the e
[](https://konghq.com/blog/engineering/konnect-advanced-analytics-faster-than-statsd)
Deploying Kong Mesh on ECS The focus of this blog is to provide step-by-step instructions for deploying and configuring Kong Mesh with Kong Konnect on an AWS ECS instance so that anyone will be able to get pre-production installation of Kong Mesh st
[](https://konghq.com/blog/engineering/kong-mesh-with-konnect-on-aws-ecs)
Today we’re launching the Kong Konnect Engineering Tech Blog, dedicated to exploring the technology challenges and solutions we’ve encountered. The objective? To offer valuable technical content that enables our readers to broaden their engineering
[](https://konghq.com/blog/engineering/meet-the-engineers-behind-konnect)
Now you can find and purchase Kong Konnect through the Google Cloud Marketplace! Kong Konnect is the unified API platform that allows you to manage multiple gateways across service meshes, ingress, cloud, and Kubernetes providers no matter where t
[](https://konghq.com/blog/engineering/konnect-google-cloud-marketplace)
Zero to Hero on Amazon EKS with Konnect’s Mesh Manager We’re excited to announce a new addition to our Kong Konnect EKS Blueprint Family: the Kong Konnect Mesh EKS Blueprint Add-on to deploy your Mesh Zones. Deploy your zones securely on AWS with
[](https://konghq.com/blog/engineering/konnect-mesh-eks-blueprint-add-on)
Today, APIs are based on modern communication patterns: REST, GraphQL, or gRPC. But two decades ago, the majority of Web Services were developed with SOAP/XML. In this blog, we’ll explain how Kong Konnect can manage SOAP/XML Web Services by creat
[](https://konghq.com/blog/engineering/chatgpt-soap-xml-kong-plugin)