What's Happening
DevOps teams are building custom Terraform modules to provision Amazon EKS clusters rather than relying on AWS Console wizards or community-maintained code. The modular approach breaks infrastructure into discrete components: VPC networking, IAM roles with OIDC for service accounts (IRSA), the EKS control plane, worker node groups, and container registries.
Typical structure includes five modules. VPC creates private/public subnets across three availability zones with NAT gateways. IAM provisions cluster roles and OIDC providers for Kubernetes-AWS integration. EKS spins up the managed control plane and node groups in private subnets. ECR hosts the container registry. Secrets Manager stores credentials. Each module exposes outputs (VPC IDs, subnet CIDRs, security groups) that dependent modules consume.
Why It Matters
Custom modules enforce organizational standards that community code can't guarantee. You control encryption policies, tagging schemes, subnet layouts, and RBAC configurations. Private module registries let you version and distribute approved patterns across teams. When compliance requires specific VPC CNI networking or Fargate profile configurations, you own the template.
Trade-offs are real. The popular terraform-aws-modules/eks/aws module has thousands of production hours behind it and handles edge cases your team hasn't hit yet. Custom code means you maintain compatibility with EKS version upgrades, debug subnet routing issues, and update IAM policies when AWS changes service requirements.
The Pattern
Production setups deploy worker nodes in private subnets (10.0.11.0/24 through 10.0.13.0/24 is a common layout), use a single NAT gateway for cost optimization, and tag subnets for EKS discovery (kubernetes.io/role/internal-elb on private subnets for internal load balancers). IRSA replaces node-level IAM roles for pod permissions. Control plane encryption of Kubernetes secrets via KMS is standard. Public endpoint access stays enabled for kubectl but is locked to specific CIDRs.
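The pattern above, written out as an added Terraform example (not code from the page or any of the modules it mentions). It assumes an EKS module whose inputs cluster_name, vpc_id, cluster_role_arn and admin_cidrs come from the caller and the VPC/IAM modules, and that the hashicorp/tls provider is available for the OIDC thumbprint.

```hcl
# Added example (not the page's code). cluster_name, vpc_id, cluster_role_arn and
# admin_cidrs are assumed outputs of the VPC/IAM modules and caller inputs.
variable "cluster_name" { type = string }
variable "vpc_id" { type = string }
variable "cluster_role_arn" { type = string }
variable "admin_cidrs" { type = list(string) } # e.g. ["203.0.113.0/24"], never 0.0.0.0/0
locals { private_subnets = { "us-east-1a" = "10.0.11.0/24", "us-east-1b" = "10.0.12.0/24", "us-east-1c" = "10.0.13.0/24" } }

# Private subnets, one per AZ, tagged so EKS places internal load balancers here
resource "aws_subnet" "private" {
  for_each          = local.private_subnets
  vpc_id            = var.vpc_id
  cidr_block        = each.value
  availability_zone = each.key
  tags = {
    "kubernetes.io/role/internal-elb"           = "1"
    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
  }
}

resource "aws_kms_key" "eks" {
  description         = "Envelope encryption of Kubernetes secrets for ${var.cluster_name}"
  enable_key_rotation = true
}

resource "aws_eks_cluster" "this" {
  name     = var.cluster_name
  role_arn = var.cluster_role_arn
  version  = "1.31"
  vpc_config {
    subnet_ids              = [for s in aws_subnet.private : s.id]
    endpoint_private_access = true
    endpoint_public_access  = true            # kubectl from outside the VPC...
    public_access_cidrs     = var.admin_cidrs # ...but only from the listed ranges
  }
  encryption_config {
    resources = ["secrets"]
    provider { key_arn = aws_kms_key.eks.arn }
  }
}

# OIDC provider so pods assume IAM roles via IRSA instead of inheriting the node role
data "tls_certificate" "oidc" { url = aws_eks_cluster.this.identity[0].oidc[0].issuer }

resource "aws_iam_openid_connect_provider" "this" {
  url             = aws_eks_cluster.this.identity[0].oidc[0].issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.oidc.certificates[0].sha1_fingerprint]
}
```

A pod role then trusts this provider with a condition on the `<issuer>:sub` claim matching `system:serviceaccount:<namespace>:<serviceaccount>`, which is what keeps one workload's permissions from leaking to every pod on the node.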
Kubernetes holds roughly 75% of container orchestration deployments. EKS commands about 40% of managed Kubernetes services. Terraform IaC adoption grew 60% year-over-year through 2025. The question isn't whether to use modules, but whether to build or borrow them.
What to Watch
EKS upgrade cadence matters. When Kubernetes 1.31 drops, custom modules need updates before community modules merge fixes. Teams running custom VPC CNI configurations (ENIConfig resources for custom networking) carry additional validation work. Fargate profiles add another module layer.
If your organization runs multiple EKS clusters with identical compliance requirements, custom modules pay off. If you're deploying one cluster and moving fast, community modules ship faster. The architecture diagram showing three-AZ layouts with private subnets is correct. The maintenance commitment behind it is also real.