Production-grade knowledge management platform deployed with Terraform, GitHub Actions, and ArgoCD. Nine independent Terraform layers, Parameter Store contract, and secrets in AWS Secrets Manager only.
This repository deploys a production-grade Wiki.js knowledge management platform on Amazon EKS Auto Mode using Infrastructure as Code. The deployment follows a layered architecture with strict separation of concerns: nine independent Terraform layers with isolated state, automated GitHub Actions workflows (OIDC to AWS, no repository secrets), and GitOps delivery via ArgoCD.
Apply in order 00 → 01 → … → 50. Destroy in reverse 50 → … → 00.
Naming pattern: `${prefix}-${region}-<name>-${env}` (e.g. `wikijs-us-east-1-eks-sandbox`).

Each layer has a `terraform.tfvars` with `env`, `region`, `prefix` (e.g. `wikijs`). Bootstrap additionally expects `domain_name`, `wikijs_fqdn`, `hosted_zone_id`, `acm_cert_arn`.

Provision: 00-bootstrap → 01-dns-main → 10-network → 20-eks → 30-data-rds → 35-storage-s3-assets → 40-platform → 45-argocd → 50-app-wikijs.
Destroy: 50-app-wikijs → 45-argocd → … → 01-dns-main → 00-bootstrap. Each per-layer destroy requires the confirmation string `DESTROY-<layer>-<env>-<region>`. For `tf-all-destroy`, supply `DESTROY-ALL-<env>-<region>` once.
RDS has deletion protection by default; disable it before destroying layer 30 (see Teardown).
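The destroy gate described above, as an added shell illustration rather than the repository's own workflow code. The two confirmation-string patterns and the nine layer names come from this README; the function names, the exact refusal messages and the sample values (`sandbox`, `us-east-1`) are assumptions. The check is deliberately an exact string comparison so that a wrong layer, environment, region or letter case cannot slip through:

```shell
#!/usr/bin/env bash
# Added illustration of the destroy-confirmation gate. Not the repository's
# workflow code: function names and messages are assumptions; only the
# DESTROY-<layer>-<env>-<region> / DESTROY-ALL-<env>-<region> patterns and
# the layer names are taken from the README.
set -u

LAYERS="00-bootstrap 01-dns-main 10-network 20-eks 30-data-rds 35-storage-s3-assets 40-platform 45-argocd 50-app-wikijs"

# Print the confirmation string a per-layer destroy must receive.
# Usage: expected_layer_confirmation <layer> <env> <region>
expected_layer_confirmation() {
  printf 'DESTROY-%s-%s-%s\n' "$1" "$2" "$3"
}

# Print the single confirmation string tf-all-destroy must receive.
# Usage: expected_all_confirmation <env> <region>
expected_all_confirmation() {
  printf 'DESTROY-ALL-%s-%s\n' "$1" "$2"
}

# Return 0 if $1 is one of the nine layer directories, else 1.
is_known_layer() {
  local layer="$1" l=""
  for l in $LAYERS; do
    [ "$l" = "$layer" ] && return 0
  done
  return 1
}

# Gate a per-layer destroy: the layer must be a real one and the supplied
# string must match exactly, so a typo cannot destroy the wrong layer.
# Usage: check_layer_destroy <supplied> <layer> <env> <region>
check_layer_destroy() {
  local supplied="$1" layer="$2" env="$3" region="$4" expected=""
  if ! is_known_layer "$layer"; then
    echo "refusing: unknown layer '$layer'" >&2
    return 1
  fi
  expected="$(expected_layer_confirmation "$layer" "$env" "$region")"
  if [ "$supplied" != "$expected" ]; then
    echo "refusing: confirmation must be exactly '$expected'" >&2
    return 1
  fi
  return 0
}

# Gate tf-all-destroy with the single DESTROY-ALL string.
# Usage: check_all_destroy <supplied> <env> <region>
check_all_destroy() {
  local supplied="$1" env="$2" region="$3" expected=""
  expected="$(expected_all_confirmation "$env" "$region")"
  if [ "$supplied" != "$expected" ]; then
    echo "refusing: confirmation must be exactly '$expected'" >&2
    return 1
  fi
  return 0
}

# Sample run with constructed values; no real environment is touched.
if check_layer_destroy "DESTROY-30-data-rds-sandbox-us-east-1" "30-data-rds" "sandbox" "us-east-1"; then
  echo "gate passed for 30-data-rds"
fi
check_layer_destroy "destroy-30-data-rds-sandbox-us-east-1" "30-data-rds" "sandbox" "us-east-1" \
  || echo "gate blocked a wrong-case string"
```

In a workflow the supplied string would come from the `workflow_dispatch` input and the layer, env and region from the job's own inputs, so the expected value is computed from trusted data and only the typed confirmation is untrusted.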
Each `terraform/<layer>/` directory is a standalone root module with its own backend key. There is no `terraform_remote_state` across layers; inter-layer values pass only via SSM Parameter Store (prefix `/<prefix>/<region>/<env>/<layer>/<key>`).

| Layer | Scope | Responsibility |
|---|---|---|
| 00-bootstrap | Deployment acct | State bucket (SSE-KMS), KMS keys, Parameter Store contract |
| 01-dns-main | Domain acct (via assume) | DNS IAM role trusted by deployment role |
| 10-network | Deployment acct | VPC, subnets, security groups, VPC endpoints |
| 20-eks | Deployment acct | EKS Auto Mode cluster, OIDC/IRSA |
| 30-data-rds | Deployment acct | RDS PostgreSQL, managed master password |
| 35-storage-s3-assets | Deployment acct | S3 bucket (SSE-KMS), Wiki.js IRSA role |
| 40-platform | Deployment acct | Namespaces, Secrets Store CSI, storage, logging |
| 45-argocd | Deployment acct | ArgoCD install (internal by default) |
| 50-app-wikijs | Deployment + domain (via assume) | ArgoCD Application, ALB ingress, Route 53 A record |
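The Parameter Store contract described above, as an added shell illustration that is not the repository's own code. The path layout `/<prefix>/<region>/<env>/<layer>/<key>` and the naming pattern `${prefix}-${region}-<name>-${env}` come from this README; the function names, the sample keys (`vpc_id`, `private_subnet_ids`), the sample values and the idea of a preflight check before applying a downstream layer are assumptions. The preflight takes a reader command so it can be exercised offline against a constructed fake store; `ssm_read` is the real reader and needs AWS credentials:

```shell
#!/usr/bin/env bash
# Added illustration of the Parameter Store contract. Not the repository's
# code: function names, sample keys/values and the preflight are assumptions;
# the path prefix and resource naming pattern are taken from the README.
set -u

# Build the SSM parameter name a layer publishes a value under.
# Usage: ssm_param_path <prefix> <region> <env> <layer> <key>
ssm_param_path() {
  printf '/%s/%s/%s/%s/%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Build a resource name following ${prefix}-${region}-<name>-${env}.
# Usage: resource_name <prefix> <region> <name> <env>
resource_name() {
  printf '%s-%s-%s-%s\n' "$1" "$2" "$3" "$4"
}

# Read one contract value with the AWS CLI. Only plain String parameters
# are expected here (secrets live in Secrets Manager, not Parameter Store),
# so --with-decryption is intentionally not used.
# Usage: ssm_read <prefix> <region> <env> <layer> <key>
ssm_read() {
  local name=""
  name="$(ssm_param_path "$@")"
  aws ssm get-parameter --region "$2" --name "$name" \
      --query 'Parameter.Value' --output text
}

# Check that a downstream layer's inputs exist before it is applied, so a
# missing or mis-scoped upstream value fails fast instead of being applied
# as an empty string. Returns 0 when every key resolves to a non-empty value.
# Usage: preflight <reader> <prefix> <region> <env> <upstream-layer> <key>...
preflight() {
  local reader="$1" prefix="$2" region="$3" env="$4" layer="$5" key="" value="" missing=0
  shift 5
  for key in "$@"; do
    if ! value="$("$reader" "$prefix" "$region" "$env" "$layer" "$key" 2>/dev/null)" \
       || [ -z "$value" ]; then
      echo "missing: $(ssm_param_path "$prefix" "$region" "$env" "$layer" "$key")" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Constructed stand-in for ssm_read: a fake store holding what 10-network
# would have published for the sandbox environment only (values made up).
fake_store() {
  case "$(ssm_param_path "$@")" in
    /wikijs/us-east-1/sandbox/10-network/vpc_id) echo "vpc-0123456789abcdef0" ;;
    /wikijs/us-east-1/sandbox/10-network/private_subnet_ids) echo "subnet-aaa,subnet-bbb" ;;
    *) return 1 ;;
  esac
}

# Sample run: the 20-eks preflight passes for sandbox and fails for prod,
# because nothing has been published under the prod scope.
echo "cluster name: $(resource_name wikijs us-east-1 eks sandbox)"
preflight fake_store wikijs us-east-1 sandbox 10-network vpc_id private_subnet_ids \
  && echo "20-eks inputs present for sandbox"
preflight fake_store wikijs us-east-1 prod 10-network vpc_id private_subnet_ids \
  || echo "20-eks inputs missing for prod"
```

Because the path embeds `env` and `region`, a layer applied in one environment can only ever read values published for that same environment, which is the property the contract buys over `terraform_remote_state`.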
Diagrams: Terraform layer dependency, Request and data flows, GitOps delivery flow, Cross-account DNS. Full text: Architecture.
Summary of the security model (full details in Security considerations):
- tf-<env>-<layer> to gate destroy.

- Scope, design drivers, layer topology, Parameter Store contract
- Implementation plan, workflow structure, layer-by-layer steps
- Resource naming pattern and per-layer variables
- Overview of setup, teardown, prerequisites, and diagram tooling
- AWS resources and copy-paste CLI commands before first deploy
- Layer apply order, provision options, validation, two-apply note for layer 50
- Destroy order, confirmation patterns, RDS deletion protection
- Diagram tooling and specs
- State bucket, KMS, Parameter Store
- DNS IAM role in domain account
- VPC, subnets, security groups, endpoints
- EKS Auto Mode cluster, OIDC/IRSA
- RDS PostgreSQL for Wiki.js
- S3 bucket and Wiki.js IRSA role
- Namespaces, CSI, storage, logging
- ArgoCD installation
- Wiki.js application via ArgoCD, ingress, Route 53
- IAM, secrets, network, state, and access control