# PRD: Layer 20 - EKS

**Scope:** Deployment account. Amazon EKS Auto Mode cluster and workload-identity foundations (IAM OIDC provider for IRSA; EKS Pod Identity where used).

**Dependencies:** PRD_00-cross-cutting, PRD_00-bootstrap, PRD_10-network (VPC, subnets, security groups).

## 1. Purpose and Execution Order

| ID | Requirement |
| ---- | ------------- |
| R-E20-001 | This layer SHALL provision the Amazon EKS cluster in Auto Mode. |
| R-E20-002 | The cluster SHALL run in the private subnets provided by the network layer. |
| R-E20-003 | The layer SHALL run after network and before platform, ArgoCD, and application layers. |
| R-E20-004 | Outputs SHALL be published to Parameter Store for cluster name, OIDC issuer/provider identifiers, and cluster security group ID. |

## 2. EKS Cluster Configuration

| ID | Requirement |
| ---- | ------------- |
| R-E20-101 | The EKS cluster SHALL be created using Amazon EKS Auto Mode (AWS-managed control plane, node provisioning, and core add-ons). |
| R-E20-102 | The Auto Mode compute, elastic load balancing, and block storage capabilities SHALL be enabled as required by ArgoCD, Wiki.js, and ingress; capabilities with no consumer in this deployment SHALL stay disabled. |
| R-E20-103 | The cluster SHALL use the private subnets and security groups provided by the network layer (read from Parameter Store); it SHALL NOT create its own VPC or subnets. |
| R-E20-104 | The cluster API endpoint SHALL be configured for the chosen network exposure model. The default is private endpoint access enabled and public endpoint access disabled; if public access is required, it SHALL be restricted to an explicit CIDR allow-list. |

## 3. Identity (OIDC / IRSA)

| ID | Requirement |
| ---- | ------------- |
| R-E20-201 | The cluster's OIDC issuer SHALL be registered as an IAM OIDC identity provider so that IRSA (IAM Roles for Service Accounts) is available. Where EKS Pod Identity is used instead, the Pod Identity Agent add-on SHALL be enabled; Pod Identity does not depend on the IAM OIDC provider. |
| R-E20-202 | The OIDC issuer URL and provider ARN SHALL be published to Parameter Store so that downstream layers (e.g. 35-storage-s3-assets, 50-app-wikijs) can create IAM role trust policies scoped to their own service accounts. |
| R-E20-203 | Workloads SHALL obtain AWS credentials for S3, Secrets Manager, and similar services only through IRSA or Pod Identity, not through node instance roles or static access keys. |
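How a downstream layer turns the two identifiers this layer publishes into a correctly scoped IRSA trust policy, and the checks that catch the common over-broad variants. This is an added example for this PRD, not the project's own Terraform or code; the account ID and OIDC issuer ID are constructed placeholders, and the Pod Identity policy is included for contrast because it is scoped by the association rather than by the trust document.

```python
"""Build and audit an IRSA trust policy from the 20-eks layer's published outputs.

Added example for this PRD, not project code. The account ID and OIDC issuer ID
below are constructed placeholders.
"""
import json
from urllib.parse import urlparse

# Constructed sample of what 20-eks publishes under wikijs/<region>/<env>/20-eks/.
SAMPLE_EKS_OUTPUTS = {
    "oidc_issuer_url": "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE",
    "oidc_provider_arn": "arn:aws:iam::123456789012:oidc-provider/"
                         "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def oidc_provider_host(issuer_url: str) -> str:
    """Issuer without the scheme: IAM condition keys are '<host>/<path>:sub' and ':aud'."""
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"OIDC issuer must be an https URL, got {issuer_url!r}")
    return parsed.netloc + parsed.path.rstrip("/")


def irsa_trust_policy(outputs: dict, namespace: str, service_account: str) -> dict:
    """Trust policy for exactly one Kubernetes service account via IRSA.

    ':aud' pins the projected token's audience to STS; ':sub' pins it to one
    namespace/service account. Without ':sub', any pod in the cluster can assume the role.
    """
    host = oidc_provider_host(outputs["oidc_issuer_url"])
    provider_arn = outputs["oidc_provider_arn"]
    if not provider_arn.endswith(":oidc-provider/" + host):
        raise ValueError("oidc_provider_arn does not match oidc_issuer_url")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:aud": "sts.amazonaws.com",
                f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def pod_identity_trust_policy() -> dict:
    """Trust policy for EKS Pod Identity. The namespace/service-account scoping lives in
    the pod identity association, not here, so this document is the same for every role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "pods.eks.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
        }],
    }


def audit_irsa_trust_policy(policy: dict, expected_provider_arn: str) -> list:
    """Findings for web-identity statements that trust more than one service account."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        if stmt.get("Principal", {}).get("Federated") != expected_provider_arn:
            findings.append("Federated principal is not this cluster's OIDC provider")
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        auds = [a for k, v in equals.items() if k.endswith(":aud") for a in _as_list(v)]
        if "sts.amazonaws.com" not in auds:
            findings.append("no StringEquals <issuer>:aud = sts.amazonaws.com")
        subs = [(v, False) for k, v in equals.items() if k.endswith(":sub")]
        subs += [(v, True) for k, v in like.items() if k.endswith(":sub")]
        if not subs:
            findings.append("no :sub condition: every service account in the cluster can assume the role")
        for value, is_like in subs:
            for sub in _as_list(value):
                if is_like and ("*" in sub or "?" in sub):
                    findings.append(f"wildcard subject {sub!r} matches more than one service account")
                elif not sub.startswith("system:serviceaccount:"):
                    findings.append(f"subject {sub!r} is not a service account")
    return findings


if __name__ == "__main__":
    policy = irsa_trust_policy(SAMPLE_EKS_OUTPUTS, "wikijs", "wikijs")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_irsa_trust_policy(policy, SAMPLE_EKS_OUTPUTS["oidc_provider_arn"]))
```

The audit treats a `:sub` under `StringLike` with `*` or `?` as a finding even when the wildcard is only in the service-account position; a namespace-wide role is occasionally intended, but it should be a deliberate exception reviewed by the layer that owns the role, not the default produced from this layer's outputs.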

## 4. Parameter Store Outputs

| ID | Requirement |
| ---- | ------------- |
| R-E20-301 | The layer SHALL publish to Parameter Store under `wikijs/<region>/<env>/20-eks/`: cluster name, OIDC issuer/provider identifiers, and cluster security group ID. |
| R-E20-302 | Outputs SHALL be sufficient for platform, ArgoCD, and app-wikijs layers to configure add-ons, ArgoCD, and workload identity. |
| R-E20-303 | The layer SHALL publish only under its own prefix. |

## 5. Destroy Behavior

| ID | Requirement |
| ---- | ------------- |
| R-E20-401 | On `terraform destroy`, the layer SHALL remove the EKS cluster and related resources only after the downstream layers (50-app-wikijs, 45-argocd, 40-platform) have been destroyed, so that AWS resources created from inside the cluster (load balancers, EBS volumes) are released before the cluster that manages them is deleted. |
| R-E20-402 | The layer SHALL delete its own Parameter Store prefix after successful destroy. |
| R-E20-403 | A provision workflow and a destroy workflow SHALL exist; destroy SHALL run after 50-app-wikijs, 45-argocd, and 40-platform. |

## 6. Implementation Notes

- **Reads from Parameter Store** (10-network): `vpc_id`, `private_subnet_ids` (JSON array), `workload_sg_id`. Layer 10-network must be applied before this layer.
- **Writes to Parameter Store** under `wikijs/<region>/<env>/20-eks/`: `cluster_name`, `oidc_issuer_url`, `oidc_provider_arn`, `cluster_security_group_id`, `node_security_group_id`, `cluster_endpoint`. All type `String`.
- Terraform root module: `terraform/20-eks/`. Workflows: `tf-20-eks-provision.yaml`, `tf-20-eks-destroy.yaml` (extension `.yaml`).
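The read/write contract above, as an added example for this PRD rather than the project's Terraform: it resolves the three 10-network inputs (parsing `private_subnet_ids` as the JSON array it is published as), refuses to proceed when 10-network has not been applied, and publishes the six 20-eks outputs as `String` values while rejecting any key that would land outside `wikijs/<region>/<env>/20-eks/` (R-E20-303). A plain dict stands in for SSM so it runs offline; the 10-network prefix `wikijs/<region>/<env>/10-network/` and all identifier values are assumptions, constructed by analogy with the 20-eks prefix.

```python
"""Parameter Store contract for the 20-eks layer (added example, not project code).

A dict stands in for SSM Parameter Store so this runs offline. The 10-network
prefix 'wikijs/<region>/<env>/10-network/' is assumed by analogy with 20-eks.
"""
import json
import re

LAYER = "20-eks"
NETWORK_LAYER = "10-network"  # assumed name of the network layer's prefix
REQUIRED_OUTPUTS = (
    "cluster_name", "oidc_issuer_url", "oidc_provider_arn",
    "cluster_security_group_id", "node_security_group_id", "cluster_endpoint",
)
VPC_ID = re.compile(r"^vpc-[0-9a-f]{8,17}$")
SUBNET_ID = re.compile(r"^subnet-[0-9a-f]{8,17}$")
SG_ID = re.compile(r"^sg-[0-9a-f]{8,17}$")


def layer_prefix(region: str, env: str, layer: str = LAYER) -> str:
    return f"wikijs/{region}/{env}/{layer}/"


def read_network_inputs(params: dict, region: str, env: str) -> dict:
    """Resolve vpc_id, private_subnet_ids (JSON array) and workload_sg_id from 10-network.

    Fails loudly when 10-network has not been applied or published malformed values,
    rather than letting the cluster be created against the wrong network.
    """
    prefix = layer_prefix(region, env, NETWORK_LAYER)
    try:
        vpc_id = params[prefix + "vpc_id"]
        raw_subnets = params[prefix + "private_subnet_ids"]
        workload_sg_id = params[prefix + "workload_sg_id"]
    except KeyError as missing:
        raise RuntimeError(f"missing 10-network output {missing}; apply 10-network first")
    subnet_ids = json.loads(raw_subnets)
    if not isinstance(subnet_ids, list) or len(subnet_ids) < 2:
        raise ValueError("private_subnet_ids must be a JSON array of at least two subnet IDs")
    checks = [(VPC_ID, vpc_id), (SG_ID, workload_sg_id)] + [(SUBNET_ID, s) for s in subnet_ids]
    for pattern, value in checks:
        if not isinstance(value, str) or not pattern.match(value):
            raise ValueError(f"malformed network identifier {value!r}")
    return {"vpc_id": vpc_id, "private_subnet_ids": subnet_ids, "workload_sg_id": workload_sg_id}


def publish_outputs(params: dict, region: str, env: str, outputs: dict) -> list:
    """Write the 20-eks outputs as String parameters, under this layer's prefix only."""
    missing = [k for k in REQUIRED_OUTPUTS if k not in outputs]
    if missing:
        raise ValueError(f"required outputs missing: {missing}")
    prefix = layer_prefix(region, env)
    for key, value in outputs.items():
        # A key containing '/' would create a parameter outside wikijs/<region>/<env>/20-eks/.
        if not key or "/" in key:
            raise ValueError(f"output key {key!r} would escape the layer prefix")
        if not isinstance(value, str):
            raise TypeError(f"{key}: outputs are published as type String")
        params[prefix + key] = value
    return sorted(prefix + k for k in outputs)
```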
