
Amazon Web Services

Portefaix deploys a production-ready EKS cluster on AWS with full supporting infrastructure: a VPC with private subnets, EKS Pod Identity for pod-level AWS authentication without static credentials, KMS encryption, Route53 DNS, ECR for container images, and S3 for Terraform state and backups.

Architecture

[Figure: Portefaix AWS infrastructure architecture blueprint (eu-west-1), showing the VPC, EKS, the observability stack, and the supporting AWS services]
| Component | AWS Service | Purpose |
|---|---|---|
| Kubernetes cluster | EKS | Container orchestration |
| Networking | VPC, subnets, NAT Gateway | Private cluster networking |
| Identity | EKS Pod Identity, IAM roles | Pod-level AWS authentication without static credentials |
| Secrets | AWS Secrets Manager, AWS KMS | External Secrets Operator syncs secrets from Secrets Manager; KMS encrypts them at rest |
| DNS | Route53 | Records managed by External-DNS |
| Registry | ECR | Container image storage |
| Storage | S3 | Terraform state, Velero backups, Loki logs |

Prerequisites

  • AWS account with appropriate permissions
  • AWS CLI configured: aws configure
  • Terraform ≥ 1.5
  • kubectl, helm, and eksctl

Deploying Infrastructure

1. Configure Variables

# infrastructure/aws/<env>/terraform.tfvars
aws_region  = "eu-west-1"
environment = "production"
cluster_name = "portefaix-production"
organization = "my-org"

2. Initialize and Apply

cd infrastructure/aws/production

terraform init \
  -backend-config="bucket=my-tfstate-bucket" \
  -backend-config="key=portefaix/aws/production/terraform.tfstate" \
  -backend-config="region=eu-west-1"

terraform plan -out=tfplan
terraform apply tfplan

3. Configure kubectl

aws eks update-kubeconfig \
  --name portefaix-production \
  --region eu-west-1
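The `terraform init` step above passes only the bucket, key and region of the state backend. Terraform state for this stack contains cluster endpoints, KMS key IDs and anything a module writes into outputs, so the bucket should be encrypted, versioned, private, TLS-only and locked. The following is an added example of that backend hardening, not Portefaix's own code: the bucket name matches the `-backend-config` value above, while the KMS key ARN, the `portefaix-tfstate-lock` table name and the `alias/portefaix-tfstate` alias are assumed placeholders. The bucket and table have to be bootstrapped once with a local state (or in a separate stack) before the `infrastructure/aws/production` stack can use them.

```hcl
# Added example, not part of Portefaix. Partial backend configuration: bucket,
# key and region still come from `terraform init -backend-config=...`, the
# settings below are fixed in code so nobody can init against an unencrypted,
# unlocked backend by accident.
terraform {
  required_version = ">= 1.5"

  backend "s3" {
    encrypt        = true
    kms_key_id     = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID" # assumed CMK
    dynamodb_table = "portefaix-tfstate-lock"                                # assumed lock table
  }
}

# State bucket (same name as passed via -backend-config="bucket=...")
resource "aws_s3_bucket" "tfstate" {
  bucket = "my-tfstate-bucket"
}

# Versioning lets you recover a state file after a bad apply or a corruption.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration { status = "Enabled" }
}

# Default SSE-KMS with a customer-managed key (alias is assumed).
resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = "alias/portefaix-tfstate"
    }
  }
}

# No public ACLs or policies, ever, on a state bucket.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Reject plaintext HTTP access to the state objects.
resource "aws_s3_bucket_policy" "tfstate_tls_only" {
  bucket = aws_s3_bucket.tfstate.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.tfstate.arn, "${aws_s3_bucket.tfstate.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}

# Lock table so two concurrent applies cannot clobber each other's state.
resource "aws_dynamodb_table" "tfstate_lock" {
  name         = "portefaix-tfstate-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}
```

On Terraform 1.10 or newer the S3 backend can lock with `use_lockfile = true` instead of a DynamoDB table; keep the table while the `≥ 1.5` floor in the prerequisites stands. Whoever runs `terraform apply` needs `kms:Decrypt`/`kms:GenerateDataKey` on the state key in addition to S3 and DynamoDB access, so scope that to the CI role rather than granting it broadly.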

EKS Pod Identity

Portefaix uses EKS Pod Identity (the modern successor to IRSA) to grant Kubernetes workloads fine-grained access to AWS services without static credentials. Each platform component (external-dns, Karpenter, Loki, ESO, etc.) gets its own IAM role bound to a Kubernetes ServiceAccount — no OIDC thumbprint management required.

# EKS Pod Identity association (replaces IRSA / OIDC thumbprint).
# The role referenced here must trust the pods.eks.amazonaws.com service
# principal for sts:AssumeRole and sts:TagSession; an IRSA-style OIDC trust
# policy will not work with Pod Identity.
resource "aws_eks_pod_identity_association" "external_dns" {
  cluster_name    = module.eks.cluster_name
  namespace       = "external-dns"
  service_account = "external-dns"
  role_arn        = module.external_dns_role.iam_role_arn
}

# EKS cluster: Pod Identity enabled, IRSA disabled
# (cluster name, Kubernetes version, VPC and subnet inputs are omitted from this excerpt)
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 21.6"

  enable_pod_identity             = true
  create_pod_identity_association = true
  enable_irsa                     = false
}
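The snippet above references `module.external_dns_role` without showing what a Pod Identity role must look like. The following is an added example, not Portefaix's own code, that spells out the two things that differ from IRSA: the trust policy names the `pods.eks.amazonaws.com` service principal and allows `sts:TagSession` alongside `sts:AssumeRole`, and the permission policy is scoped to a single hosted zone rather than `route53:*`. The role name, the `hosted_zone_id` variable and the `external_dns_pod_identity` resource names are assumptions; `module.eks.cluster_name` is the output used on the page.

```hcl
# Added example, not part of Portefaix. A Pod Identity role for external-dns.

# Trust policy: Pod Identity roles trust the EKS service principal, not an
# OIDC provider. sts:TagSession is required because EKS attaches the cluster,
# namespace and service-account as session tags when it assumes the role.
data "aws_iam_policy_document" "pod_identity_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole", "sts:TagSession"]

    principals {
      type        = "Service"
      identifiers = ["pods.eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "external_dns_pod_identity" {
  name               = "portefaix-production-external-dns" # assumed name
  assume_role_policy = data.aws_iam_policy_document.pod_identity_trust.json
}

# The hosted zone external-dns may write to (assumed input).
variable "hosted_zone_id" {
  type        = string
  description = "Route53 hosted zone ID that external-dns is allowed to manage"
}

# Least privilege: record changes are limited to one hosted zone. The List*
# calls cannot be resource-scoped in Route53, so they stay on "*".
data "aws_iam_policy_document" "external_dns_route53" {
  statement {
    effect    = "Allow"
    actions   = ["route53:ChangeResourceRecordSets"]
    resources = ["arn:aws:route53:::hostedzone/${var.hosted_zone_id}"]
  }

  statement {
    effect = "Allow"
    actions = [
      "route53:ListHostedZones",
      "route53:ListResourceRecordSets",
      "route53:ListTagsForResource",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "external_dns_route53" {
  name   = "route53-records"
  role   = aws_iam_role.external_dns_pod_identity.id
  policy = data.aws_iam_policy_document.external_dns_route53.json
}

# Bind the role to the ServiceAccount. Only pods created after this
# association exists receive credentials, because the Pod Identity agent
# injects them at admission time.
resource "aws_eks_pod_identity_association" "external_dns_pod_identity" {
  cluster_name    = module.eks.cluster_name
  namespace       = "external-dns"
  service_account = "external-dns"
  role_arn        = aws_iam_role.external_dns_pod_identity.arn
}
```

Two checks after `terraform apply`: the `eks-pod-identity-agent` add-on must be running on the cluster, and the external-dns pods must be restarted once the association exists. A pod that picked up credentials will have `AWS_CONTAINER_CREDENTIAL_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` in its environment, and `aws sts get-caller-identity` run inside it reports the assumed role rather than the node role. If it still reports the node instance role, the association or the restart is missing.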

Multi-Account Organisation

For production deployments, Portefaix recommends an AWS Organisation structure with separate accounts for each environment:

  • Management — root account, AWS Organisation, SCPs
  • Security — centralised logging, GuardDuty, Security Hub
  • Shared Services — ECR, Transit Gateway, shared DNS
  • Production — production EKS workloads
  • Staging — staging EKS workloads

Tip: Use AWS Control Tower to automate account vending and enforce guardrails via SCPs across the Organisation.
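As an added example of the guardrails mentioned in the tip (not Portefaix's own code), the policy below is a service control policy for the Production and Staging OUs: it denies API calls outside eu-west-1, the region used throughout this page, except for the global services that have no regional endpoint, and it denies disabling the security tooling that the Security account relies on. The `workload_ou_ids` variable, the policy name and the list of exempted global services are assumptions; extend the exemption list with any other global service you actually use before attaching this, or you will lock yourself out of it.

```hcl
# Added example, not part of Portefaix. An SCP attached to the workload OUs.

variable "workload_ou_ids" {
  type        = list(string)
  description = "Organisation unit IDs for the Production and Staging accounts (assumed)"
}

data "aws_iam_policy_document" "workload_guardrails" {
  # Pin the workload accounts to eu-west-1. Global services are exempted via
  # not_actions because their calls are signed against us-east-1 or no region.
  statement {
    sid    = "DenyOutsideEuWest1"
    effect = "Deny"
    not_actions = [
      "iam:*",
      "organizations:*",
      "sts:*",
      "route53:*",
      "cloudfront:*",
      "support:*",
      "budgets:*",
      "health:*",
      "access-analyzer:*",
      "account:*",
    ]
    resources = ["*"]

    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = ["eu-west-1"]
    }
  }

  # Nobody in a workload account, including its admins, can switch off the
  # detective controls owned by the Security account.
  statement {
    sid    = "DenyDisablingSecurityTooling"
    effect = "Deny"
    actions = [
      "guardduty:DeleteDetector",
      "guardduty:DisassociateFromAdministratorAccount",
      "cloudtrail:StopLogging",
      "cloudtrail:DeleteTrail",
      "securityhub:DisableSecurityHub",
    ]
    resources = ["*"]
  }
}

resource "aws_organizations_policy" "workload_guardrails" {
  name    = "portefaix-workload-guardrails"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.workload_guardrails.json
}

# One attachment per OU; accounts inherit the SCP from their OU.
resource "aws_organizations_policy_attachment" "workload_guardrails" {
  for_each  = toset(var.workload_ou_ids)
  policy_id = aws_organizations_policy.workload_guardrails.id
  target_id = each.value
}
```

Apply this from the Management account, since only it can manage organisation policies, and remember that SCPs never apply to the Management account itself; that is one of the reasons the page keeps workloads out of it. Test a new SCP on the Staging OU first: a deny statement that is too broad surfaces as `AccessDenied` with "explicit deny in a service control policy" in the error message, which is easy to spot in CloudTrail.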

Compliance Testing

# Run InSpec tests against the AWS account (uses the local AWS credential chain, i.e. the profile from `aws configure`)
inspec exec portefaix-inspec-aws \
  -t aws:// \
  --input region=eu-west-1 \
  --reporter cli junit:reports/inspec-aws.xml