This step executes Terraform to create all AWS infrastructure. The process takes 15-25 minutes and provisions:
After completion, you will have a fully provisioned AWS environment ready for Kubernetes workloads.
When you run terraform apply, Terraform:
terraform.tfvars
The process is mostly automated, but you’ll need to monitor for errors and potentially troubleshoot issues.
From the aws directory, initialize the working directory:
This command:
Expected output:
Backend initialization errors usually mean:
If you see “Error loading state,” verify your backend configuration in provider.tf.
Before creating anything, preview what Terraform will do:
This shows all resources that will be created, modified, or destroyed. For a fresh deployment, you should see only resource additions (green + symbols).
Key resources in the plan:
Save the plan for audit purposes:

```bash
terraform plan -out=plan.tfplan
```

You can then apply this exact plan with `terraform apply plan.tfplan`.
This is useful if you need approval before applying.
Review the plan carefully if you see any deletions or modifications. For a
new deployment, there should be no - (destroy) or ~ (modify) symbols. If
you see them, something may be misconfigured.
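The check above can be automated. The following script is an added example, not part of the original guide or the project it describes: it reads the JSON form of a saved plan (`terraform show -json plan.tfplan > plan.json`, a real Terraform command and format) and fails if any resource would be updated, replaced or destroyed, which a fresh deployment should never contain. It also lists the IAM resource types in the plan so you can confirm your principal holds the needed permissions before committing to a long apply. The list of IAM resource types and the embedded sample plan are constructed for illustration.

```python
"""Pre-apply plan gate for a fresh deployment.

Usage: python plan_gate.py plan.json
(where plan.json comes from `terraform show -json plan.tfplan`).
With no argument it runs against the constructed SAMPLE_PLAN below.
"""
import json
import sys

# On a fresh deployment every resource change must be a pure create
# (Terraform also emits "no-op" for unchanged resources on re-plans).
ALLOWED_ACTIONS = {("create",), ("no-op",)}

# Resource types whose creation needs IAM write permissions.
# Assumption: a short illustrative list, not exhaustive.
IAM_TYPES = {
    "aws_iam_role",
    "aws_iam_policy",
    "aws_iam_role_policy_attachment",
    "aws_iam_openid_connect_provider",
}


def classify_plan(plan: dict) -> dict:
    """Group resource addresses by their planned action tuple."""
    groups = {}
    for rc in plan.get("resource_changes", []):
        actions = tuple(rc["change"]["actions"])
        groups.setdefault(actions, []).append(rc["address"])
    return groups


def unexpected_changes(plan: dict) -> list:
    """Return 'address -> actions' for every change that is not a plain create."""
    bad = []
    for actions, addrs in classify_plan(plan).items():
        if actions not in ALLOWED_ACTIONS:
            bad.extend(f"{a} -> {'/'.join(actions)}" for a in addrs)
    return sorted(bad)


def iam_resources(plan: dict) -> list:
    """Return addresses of planned resources that need IAM write permissions."""
    return sorted(
        rc["address"]
        for rc in plan.get("resource_changes", [])
        if rc["type"] in IAM_TYPES
    )


def gate(plan: dict) -> bool:
    """True when the plan is safe to apply as a fresh deployment."""
    return not unexpected_changes(plan)


# Constructed sample in the shape of `terraform show -json` output;
# not a real plan from any project.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_vpc.main", "type": "aws_vpc",
         "change": {"actions": ["create"]}},
        {"address": "aws_iam_role.eks_cluster", "type": "aws_iam_role",
         "change": {"actions": ["create"]}},
        {"address": "aws_iam_openid_connect_provider.eks",
         "type": "aws_iam_openid_connect_provider",
         "change": {"actions": ["create"]}},
        # A replacement (delete then create) must never appear on a fresh run.
        {"address": "aws_s3_bucket.artifacts", "type": "aws_s3_bucket",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_eks_cluster.main", "type": "aws_eks_cluster",
         "change": {"actions": ["update"]}},
    ],
}


def main(argv: list) -> int:
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for addr in iam_resources(plan):
        print(f"IAM resource in plan (requires IAM write permissions): {addr}")
    bad = unexpected_changes(plan)
    for line in bad:
        print(f"UNEXPECTED: {line}")
    print("plan gate:", "PASS" if not bad else "FAIL")
    return 0 if not bad else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it between `terraform plan -out=plan.tfplan` and `terraform apply plan.tfplan`; a non-zero exit stops a CI pipeline before any resource is touched, and the IAM list tells you up front whether the permission errors described below are likely.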
Once you’ve reviewed the plan, create the resources:
Terraform shows the plan again and asks for confirmation. Type yes to proceed.
Expected duration: 15-25 minutes
Don’t interrupt the process. If you press Ctrl+C or close your terminal,
Terraform may leave resources in a partially created state. If this happens,
just run terraform apply again—it will pick up where it left off.
Your IAM user/role lacks permission to create IAM resources. You need:
- iam:CreateRole, iam:AttachRolePolicy, iam:CreatePolicy
- iam:CreateOpenIDConnectProvider (for EKS Pod Identity)

Many organizations restrict IAM creation. If you can’t get these permissions, you may need a platform team member to run the deployment or pre-create the required roles.
You’ve hit an AWS service quota. Common limits:
Quota increases can take hours to days. If you’re in a new AWS account, request increases before starting deployment.
Resource names must be globally unique (S3) or unique within your account (most others). If you get naming conflicts:
confident_application_name to something unique
EKS can occasionally take longer than expected. Usually just re-running terraform apply continues where it left off. If it keeps failing:
Organization SCPs can block resource creation. Many enterprises have Service Control Policies that:
If you get persistent errors, check with your cloud governance team about SCPs.
Terraform can’t authenticate to AWS. Verify:
aws sts get-caller-identity works
aws sso login)
This usually means EKS isn’t fully ready when Helm tries to install charts. Re-running terraform apply typically resolves it.
After successful completion, Terraform displays outputs. Save these—you’ll need them for subsequent steps:
You can always retrieve outputs later by running terraform output in the
same directory with access to the state file.
Here’s what now exists in your AWS account:
Read the error message carefully. Terraform errors usually indicate exactly what went wrong.
Don’t panic. Terraform is idempotent—you can run apply again and it will continue from where it failed.
Check common causes:
If stuck, don’t destroy and recreate. This can leave orphaned resources. Instead, fix the configuration and re-apply.
Never run terraform destroy unless you intend to delete everything. If
you’re troubleshooting, fix the issue and re-run apply. Destroying and
recreating can lose data and create inconsistent state.
After infrastructure is provisioned, proceed to SSL Certificates to validate your HTTPS certificate.