Terraform EKS Cluster Module Review Prompt
Review a Terraform-managed EKS cluster and node groups for upgrade safety, IRSA/access wiring, and changes that silently replace the control plane or nodes.
- Target user: Platform engineers running Kubernetes on AWS via Terraform
- Difficulty: Advanced
- Tools: Claude, ChatGPT, Cursor
The prompt
You are a senior platform engineer who has upgraded production EKS clusters with Terraform and learned which arguments trigger node-group recycles or full cluster replacement.

I will provide:

- The EKS HCL: `aws_eks_cluster`, `aws_eks_node_group` / managed node groups (or the community EKS module call), and the IRSA/OIDC config
- The `terraform plan` output for the upgrade or change
- The target Kubernetes version and any add-on (CoreDNS, kube-proxy, VPC CNI) versions

Your job:

1. **Flag replacement triggers** — identify any change that forces `-/+` on the cluster or node groups (subnet changes, `name` changes, certain `launch_template` edits, AMI type switches) and say whether it means a control-plane rebuild or a node recycle.
2. **Sequence the version upgrade** — confirm the control plane upgrades one minor version at a time, node groups follow it, and add-ons (`aws_eks_addon`) are compatible with the target version. Order the steps to avoid version skew.
3. **Review access wiring** — check IRSA (`aws_iam_openid_connect_provider`, role trust conditions on the OIDC `sub` and `aud` claims), the access entries / aws-auth path, and that node IAM roles carry least-privilege policies.
4. **Check node-group rollout safety** — confirm `update_config.max_unavailable` (or `max_unavailable_percentage`) against the desired size, the capacity type, and that managed node group updates drain nodes rather than hard-replace them.
5. **Guard add-ons and CNI** — flag VPC CNI / CoreDNS changes that disrupt pod networking, and ensure `resolve_conflicts` / `resolve_conflicts_on_update` won't clobber in-cluster customisations.
6. **Verify** — give the exact plan diff to re-read before apply, plus post-apply `kubectl get nodes` / version checks.

Output: severity-tagged findings with `file:line`, the risky argument, the blast radius (control plane / node group / add-on), and the safe HCL or ordering. Review only — do not apply.
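The review steps above can be partly mechanised against the machine-readable plan (`terraform show -json tfplan`). The script below is an added example for this page, not code from the original prompt or from any Terraform project: it walks `resource_changes`, applies the replacement, version-sequencing, rollout, IRSA trust and add-on checks, and emits severity-tagged findings with the blast radius. Field names follow Terraform's plan JSON format (`change.actions`, `change.before` / `change.after`, `change.replace_paths`). The embedded `SAMPLE_PLAN`, the OIDC issuer id and the account id are constructed to exercise each check and are not real.

```python
import json

# Blast radius per resource type, as the prompt asks for it in findings
BLAST = {"aws_eks_cluster": "control plane", "aws_eks_node_group": "node group",
         "aws_eks_addon": "add-on", "aws_iam_role": "IRSA"}

def _minor(v):
    """'1.28' -> 28; None when the version is unknown at plan time."""
    parts = str(v).split(".")
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None

def check_replacement(rc):
    """-/+ on a cluster or node group rebuilds it instead of rolling it."""
    acts = rc["change"]["actions"]
    if not ("delete" in acts and "create" in acts):
        return []
    paths = ", ".join(".".join(map(str, p)) for p in rc["change"].get("replace_paths", [])) or "an unknown attribute"
    sev = "CRITICAL" if rc["type"] == "aws_eks_cluster" else "HIGH"
    return [(sev, rc["address"], BLAST[rc["type"]], f"replacement forced by {paths}")]

def check_version_jump(rc):
    """The EKS control plane only moves one minor version per upgrade."""
    before, after = rc["change"].get("before") or {}, rc["change"].get("after") or {}
    b, a = _minor(before.get("version")), _minor(after.get("version"))
    if b is not None and a is not None and a - b > 1:
        return [("HIGH", rc["address"], BLAST[rc["type"]],
                 f"version {before['version']} -> {after['version']} skips a minor; upgrade one minor per apply")]
    return []

def check_rollout(rc):
    """max_unavailable at or above desired_size drains every old node in one wave."""
    after = rc["change"].get("after") or {}
    desired = (after.get("scaling_config") or [{}])[0].get("desired_size")
    cfg = (after.get("update_config") or [{}])[0]
    mu, pct = cfg.get("max_unavailable"), cfg.get("max_unavailable_percentage")
    if (pct or 0) >= 100 or (mu is not None and desired is not None and mu >= desired):
        return [("HIGH", rc["address"], "node group",
                 f"max_unavailable={mu} pct={pct} vs desired_size={desired}: all old nodes drain at once, only PDBs throttle eviction")]
    return []

def check_irsa_trust(rc):
    """An IRSA trust policy must pin the OIDC `sub` claim to one service account."""
    after = rc["change"].get("after") or {}
    policy = json.loads(after.get("assume_role_policy") or "{}")
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        subs = {k: v for op in stmt.get("Condition", {}).values()
                for k, v in op.items() if k.endswith(":sub")}
        if not subs:
            out.append(("HIGH", rc["address"], "IRSA",
                        "no :sub condition in the trust policy; any service account in the cluster can assume the role"))
        for key, val in subs.items():
            vals = val if isinstance(val, list) else [val]
            if any("*" in v for v in vals):
                out.append(("MEDIUM", rc["address"], "IRSA", f"wildcard in {key}: {vals}"))
    return out

def check_addon(rc):
    """OVERWRITE discards in-cluster edits to the add-on (CNI env vars, CoreDNS Corefile)."""
    after = rc["change"].get("after") or {}
    mode = after.get("resolve_conflicts_on_update") or after.get("resolve_conflicts")
    if mode == "OVERWRITE":
        return [("MEDIUM", rc["address"], "add-on", "resolve_conflicts_on_update=OVERWRITE clobbers in-cluster customisations")]
    return []

CHECKS = {"aws_eks_cluster": [check_replacement, check_version_jump],
          "aws_eks_node_group": [check_replacement, check_rollout],
          "aws_iam_role": [check_irsa_trust],
          "aws_eks_addon": [check_addon]}
SEVERITY = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def review(plan):
    """Return (severity, address, blast_radius, message) tuples, worst first."""
    findings = [f for rc in plan.get("resource_changes", [])
                for check in CHECKS.get(rc["type"], []) for f in check(rc)]
    return sorted(findings, key=lambda f: SEVERITY[f[0]])

def _rc(address, actions, before, after, replace_paths=()):
    """One resource_changes entry in plan-JSON shape (constructed sample data)."""
    return {"address": address, "type": address.split(".")[0],
            "change": {"actions": actions, "before": before, "after": after,
                       "replace_paths": list(replace_paths)}}

ISSUER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE0123456789"  # constructed issuer id
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [  # constructed plan, not a real cluster
    _rc("aws_eks_cluster.this", ["delete", "create"], {"version": "1.26"}, {"version": "1.28"},
        [["vpc_config", 0, "subnet_ids"]]),
    _rc("aws_eks_node_group.workers", ["update"], {"version": "1.27"},
        {"version": "1.28", "scaling_config": [{"desired_size": 3}], "update_config": [{"max_unavailable": 3}]}),
    _rc("aws_iam_role.app_irsa", ["create"], None, {"assume_role_policy": json.dumps({
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Condition": {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}}}]})}),
    _rc("aws_eks_addon.vpc_cni", ["update"], {"addon_version": "v1.15.1-eksbuild.1"},
        {"addon_version": "v1.16.0-eksbuild.1", "resolve_conflicts_on_update": "OVERWRITE"}),
]}

if __name__ == "__main__":
    for sev, addr, radius, msg in review(SAMPLE_PLAN):  # swap in json.load(open("plan.json")) for a real plan
        print(f"[{sev}] {addr} ({radius}): {msg}")
```

Against the constructed plan this reports a CRITICAL control-plane replacement (forced by `vpc_config.0.subnet_ids`), a HIGH two-minor version jump, a HIGH node-group rollout with no surviving old capacity, a HIGH IRSA role that trusts every service account in the cluster, and a MEDIUM add-on set to OVERWRITE. It is a triage aid, not a substitute for reading the full `-/+` diff before apply, and it says nothing about changes Terraform only knows after apply (`after_unknown`).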
Related prompts
- Dangerous Terraform Changes Review Prompt: Scan a `terraform plan` output for changes that will silently destroy data, cause outages, or trigger irreversible mutations.
- Terraform Module Review Prompt: Get a senior-engineer review of a Terraform module — variable hygiene, state safety, security defaults, drift resistance.
- Terraform Provider Version Upgrade Prompt: Plan and execute a safe major-version provider upgrade (e.g. AWS 4.x → 5.x) by reading the changelog, mapping breaking changes to your code, and staging the rollout so no plan ever silently destroys resources.