From Zero to a Working EKS Pipeline: Terraform, Ansible, and GitLab CI/CD (and Everything That Broke Along the Way)
From Zero to a Working EKS Pipeline: Terraform, Ansible, and GitLab CI/CD (and Everything That Broke Along the Way) I recently built an end-to-end deployment pipeline on AWS EKS using Terraform for infrastructure, Ansible for configuration, and GitLab CI/CD to tie it all together. On paper, that sentence sounds clean. In practice, it took several rounds of "why is this failing" before it actually worked. This post is not a "here's how EKS works" tutorial. There are plenty of those. This is the version with the failures left in, the quota limits, the IAM permission walls, the pods that wouldn't schedule, and the resources that refused to die. If you're building something similar, I'm hoping this saves you a few hours of confused Googling. Repo: gitlab.com/nenyeonyema/terraform-eks-ansible-cicd What I Was Building The goal was a full IaC-driven pipeline: Terraform to provision the EKS cluster and supporting AWS infrastructure (VPC, node groups, IAM roles) Ansible to handle configuration tasks on top of the provisioned infrastructure GitLab CI/CD to automate the whole thing — plan, apply, configure, deploy — on every push Simple enough in theory. Four separate blockers said otherwise. Blocker #1: Free Tier ASG Restrictions The first wall I hit was with the Auto Scaling Group for my EKS node group. AWS Free Tier limits how much compute you can provision, and my initial node group sizing quietly ran into those limits — the kind of failure that doesn't always throw an obvious, single-line error. Fix: I resized the node group to stay within Free Tier boundaries and got explicit about instance types and desired/min/max capacity in Terraform, instead of leaving Auto Scaling to make assumptions I couldn't afford. Lesson: If you're building on Free Tier, hardcode your capacity expectations early. Don't let the defaults surprise you later. Blocker #2: EKS Private Endpoint Access By default, EKS clusters can be configured with private-only API server endpoint access. That's grea