
Terraform EKS Cluster Module Review Prompt

Review a Terraform-managed EKS cluster and node groups for upgrade safety, IRSA/access wiring, and changes that silently replace the control plane or nodes.

Target user: Platform engineers running Kubernetes on AWS via Terraform
Difficulty: Advanced
Tools: Claude, ChatGPT, Cursor

The prompt

You are a senior platform engineer who has upgraded production EKS clusters with Terraform and learned which arguments trigger node-group recycles or full cluster replacement.

I will provide:
- The EKS HCL: `aws_eks_cluster`, `aws_eks_node_group` / managed node groups (or the community EKS module call), and IRSA/OIDC config
- The `terraform plan` output for an upgrade or change
- The target Kubernetes version and any add-on (CoreDNS, kube-proxy, VPC CNI) versions

Your job:

1. **Flag replacement triggers** — identify any change that forces `-/+` on the cluster or node groups (subnet changes, `name` changes, certain `launch_template` edits, AMI type switches) and whether it means a control-plane or node recycle.
2. **Sequence the version upgrade** — confirm control plane upgrades one minor at a time, node groups follow, and add-ons (`aws_eks_addon`) are version-compatible. Order the steps to avoid skew.
3. **Review access wiring** — check IRSA (`aws_iam_openid_connect_provider`, role trust on the OIDC sub), the access entries / aws-auth path, and that node IAM roles have least-privilege policies.
4. **Check node-group rollout safety** — confirm `update_config.max_unavailable`, capacity type, and that managed node group updates drain rather than hard-replace.
5. **Guard add-ons and CNI** — flag VPC CNI / CoreDNS changes that disrupt pod networking, and ensure `resolve_conflicts` won't clobber in-cluster customisations.
6. **Verify** — give the exact plan diff to re-read before apply, plus post-apply `kubectl get nodes` / version checks.

Output: severity-tagged findings with `file:line`, the risky argument, the blast radius (control plane / node group / add-on), and the safe HCL or ordering. Review only — do not apply.
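
Steps 1 and 6 of the prompt can be pre-checked mechanically before the plan goes to a reviewer. The script below is an added example, not part of the original prompt: it reads the JSON form of a plan (`terraform show -json` on a saved plan file) and reports every EKS-related resource the plan would destroy or replace. The resource addresses and the sample plan are constructed for illustration, and the severity mapping is an assumption.

```python
import json

# Resource types named in the prompt, mapped to the blast radius it asks for.
BLAST_RADIUS = {
    "aws_eks_cluster": "control plane",
    "aws_eks_node_group": "node group",
    "aws_eks_addon": "add-on",
    "aws_iam_openid_connect_provider": "IRSA",
}

def find_replacements(plan):
    """Return one finding per EKS resource the plan would destroy or replace."""
    findings = []
    for rc in plan.get("resource_changes", []):
        radius = BLAST_RADIUS.get(rc.get("type"))
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if radius is None or "delete" not in actions:
            continue  # in-place updates and unrelated resources are not flagged
        # Replacement shows up as ["delete","create"] or ["create","delete"].
        kind = "replace" if "create" in actions else "destroy"
        # replace_paths names the arguments that forced the replacement.
        forced_by = [".".join(str(p) for p in path)
                     for path in change.get("replace_paths") or []]
        findings.append({
            "address": rc["address"],
            "kind": kind,
            "blast_radius": radius,
            # Assumed mapping: losing the control plane outranks everything else.
            "severity": "critical" if radius == "control plane" else "high",
            "forced_by": forced_by,
        })
    return findings

# Constructed sample: a version bump (in place) plus a node group replaced
# because its subnets changed. The S3 bucket is out of scope and ignored.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_eks_cluster.main", "type": "aws_eks_cluster",
   "change": {"actions": ["update"]}},
  {"address": "module.eks.aws_eks_node_group.workers", "type": "aws_eks_node_group",
   "change": {"actions": ["delete", "create"], "replace_paths": [["subnet_ids"]]}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "change": {"actions": ["delete"]}}
]}
""")

if __name__ == "__main__":
    for f in find_replacements(SAMPLE_PLAN):
        print(f"[{f['severity']}] {f['address']}: {f['kind']} "
              f"({f['blast_radius']}), forced by {f['forced_by'] or 'unknown'}")
```

An empty result means no destroy or replace action on these resource types; it does not cover the version-skew or access-wiring checks in steps 2 to 5.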
