Kubernetes Platform Terraform Modules: Supercharge Your DevOps Journey
Building and maintaining a production-ready Kubernetes platform requires managing a large number of interdependent components — cluster autoscaling, service mesh, observability, secrets management, CI/CD tooling, and more. The CloudOn Kubernetes Platform Terraform Modules collection provides a curated, opinionated set of reusable modules that let you assemble a full platform stack from proven building blocks instead of starting from scratch.
Why Use These Modules
Time Savings — Skip the boilerplate. Each module encapsulates the installation and configuration of a specific platform component so you can go from zero to a working cluster add-on in minutes rather than days.
Consistency — Modules enforce naming conventions, label standards, and configuration patterns across every environment, reducing drift between development, staging, and production clusters.
Modularity — Compose only the components you need. Each module is independently usable; there is no requirement to adopt the entire collection.
Security First — RBAC, TLS, network policies, and secret management are built into the modules by default rather than treated as afterthoughts.
Core Modules at a Glance
Core Infrastructure
| Module | Purpose |
|---|---|
| Karpenter | Node autoprovisioning based on pending pod scheduling constraints |
| External DNS | Automatic DNS record management from Kubernetes Service and Ingress resources |
| Cert Manager | Automated TLS certificate issuance and renewal via Let’s Encrypt or private CAs |
| External Secrets | Synchronize secrets from AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault into Kubernetes Secrets |
Service Mesh and Networking
| Module | Purpose |
|---|---|
| Istio | mTLS between services, traffic management, and fine-grained authorization policies |
| Kong | API gateway with rate limiting, authentication plugins, and developer portal |
| Jaeger | Distributed tracing with OpenTelemetry-compatible instrumentation |
Observability
| Module | Purpose |
|---|---|
| Loki | Log aggregation and querying with Grafana integration |
| Kubecost | Real-time Kubernetes cost allocation and showback |
| ArgoCD | GitOps continuous delivery with drift detection and automated sync |
Platform Tools
| Module | Purpose |
|---|---|
| Airflow | Workflow orchestration for data pipelines and scheduled jobs |
| Atlantis | Terraform pull request automation with plan/apply workflows |
| Vault | Secrets management, dynamic credentials, and PKI |
Architecture Overview
The modules are organized into five logical layers that map to the platform stack from bottom to top:
| Layer | Components |
|---|---|
| Infrastructure Management | Karpenter, External DNS, Cert Manager, External Secrets |
| Service Mesh and Security | Istio, Kong, Jaeger |
| Observability | Loki, Kubecost, Prometheus, Grafana |
| Automation and CI/CD | ArgoCD, Atlantis, Airflow |
| External Access | Ingress controllers, API gateways, load balancers |
Each layer depends only on layers below it, making it straightforward to add or replace components at any level without affecting the rest of the stack.
Getting Started
1. Clone the Repository
git clone https://github.com/cloudon-one/k8s-platform-modules.git
cd k8s-platform-modules2. Pick Your Modules
Reference only the modules you need from your root Terraform configuration:
module "cert_manager" {
source = "./modules/cert-manager"
version = "~> 1.0"
cluster_name = var.cluster_name
lets_encrypt_email = var.lets_encrypt_email
}
module "external_secrets" {
source = "./modules/external-secrets"
cluster_name = var.cluster_name
aws_region = var.aws_region
service_account = "external-secrets-sa"
}3. Configure Your Modules
Each module exposes a focused set of input variables. For example, to configure the Loki module:
module "loki" {
source = "./modules/loki"
cluster_name = var.cluster_name
storage_bucket_name = var.loki_bucket
retention_days = 30
replicas = 2
}4. Deploy
terraform init
terraform plan -out=tfplan
terraform apply tfplanSecurity Built In
RBAC — Every module creates the minimum set of ClusterRoles and RoleBindings required for the component to function. Service accounts are namespaced and never granted cluster-admin.
TLS — Modules that expose endpoints configure TLS by default using Cert Manager. Istio enforces mTLS in STRICT mode across all mesh-enrolled namespaces.
Network Policies — Modules ship with default NetworkPolicy resources that restrict ingress and egress to only the traffic paths each component legitimately requires.
Secret Management — Sensitive values (credentials, tokens, certificates) are never stored in Terraform state in plaintext. Modules integrate with External Secrets or Vault to pull secrets at runtime.
Observability and Monitoring
The observability modules provide a cohesive monitoring stack out of the box:
- Prometheus scrapes metrics from all platform components using pre-built ServiceMonitor and PodMonitor resources.
- Grafana ships with pre-configured dashboards for each installed module, giving immediate visibility into cluster health, cost allocation, and application performance.
- Alarms — Key SLO-aligned alerting rules are included for each component, covering availability, latency, and error rate thresholds.
Best Practices
- Pin each module to a specific version tag rather than using a branch reference to ensure reproducible deployments.
- Use separate Terraform workspaces or state backends for each environment (development, staging, production).
- Run
terraform planin CI on every pull request and require approval beforeterraform applyreaches production — the Atlantis module automates this workflow. - Review Kubecost dashboards weekly to identify namespace-level cost anomalies early.
- Rotate secrets and certificates on a defined schedule; use Vault’s dynamic secrets capabilities wherever possible to reduce the blast radius of a compromised credential.
Contributing and Support
Contributions are welcome. To propose a new module or an improvement to an existing one:
- Open an issue describing the use case and the component you want to add or change.
- Fork the repository and implement the change following the existing module structure.
- Submit a pull request with a description of what the module does, the variables it exposes, and a working example in the
examples/directory.
For questions and discussion, open a GitHub issue on the repository.
Ready to Explore
Clone the repository, pick the modules that match your platform requirements, and have a production-ready Kubernetes stack running in your next sprint rather than your next quarter.