DigitalOcean DOKS Cluster

do-doks-cluster

Production DOKS with node pools, VPC, registry hookup, and maintenance windows in one apply. The module provisions a dedicated VPC, a DOKS cluster with an autoscaling default pool, any number of additional (optionally tainted) pools, surge upgrades pinned to an explicit maintenance window, and — when you name your container registry — automatic in-cluster pull integration plus CI docker credentials. Works with Terraform and OpenTofu (>= 1.6), DigitalOcean provider >= 2.29, < 3.0.

Opinionated defaults:

• Dedicated VPC per cluster (never the region default VPC)
• Newest non-deprecated DOKS version resolved at plan time (pin with kubernetes_version, or track a minor line with kubernetes_version_prefix)
• auto_upgrade + surge_upgrade on, constrained to a Sunday 04:00 UTC window
• Autoscaling default pool (1–3 × s-2vcpu-4gb)
• Registry credentials are read-only unless you opt in to write

Usage

module "doks" {
  source = "./do-doks-cluster"

  name   = "platform"
  region = "fra1"

  kubernetes_version_prefix = "1.32."
  registry_name             = "my-registry"

  additional_node_pools = {
    ingress = {
      size       = "s-2vcpu-4gb"
      node_count = 2
      taints     = [{ key = "dedicated", value = "ingress", effect = "NoSchedule" }]
    }
  }

  tags = ["env:prod"]
}

Inputs

Name	Type	Default	Description
name	string	—	Cluster name (required)
region	string	—	DO region slug (required)
kubernetes_version	string	null	Exact DOKS version slug; null = newest
kubernetes_version_prefix	string	null	Track a minor line, e.g. "1.32."
auto_upgrade	bool	true	Auto patch upgrades in the window
surge_upgrade	bool	true	Surge node replacement on upgrade
ha	bool	false	HA control plane (surcharge)
destroy_all_associated_resources	bool	false	Destroy cluster-created LBs/volumes too
maintenance_policy	object	{day="sunday", start_time="04:00"}	Weekly upgrade window (UTC)
create_vpc	bool	true	Create a dedicated VPC
vpc_uuid	string	null	Existing VPC (when create_vpc = false)
vpc_ip_range	string	null	CIDR for the created VPC (null = auto)
default_node_pool	object	autoscale 1–3 × s-2vcpu-4gb	{name, size, auto_scale, node_count, min_nodes, max_nodes, labels}
additional_node_pools	map(object)	{}	Extra pools keyed by name, with labels/taints/autoscale
registry_name	string	null	Account registry name; enables integration + CI creds
registry_credentials_write	bool	false	Allow push with the emitted credentials
registry_credentials_expiry_seconds	number	null	Credential expiry (null = no expiry)
tags	list(string)	[]	DO tags for cluster and pools

Outputs

cluster_id, cluster_urn, cluster_version, cluster_endpoint, cluster_status, kube_config_raw (sensitive), cluster_ca_certificate (sensitive), vpc_uuid, default_node_pool_id, additional_node_pool_ids, registry_docker_credentials (sensitive).

Notes

• registry_name must reference a registry that already exists in the account; cluster registry integration is account-scoped on DigitalOcean.
• The data-source version lookup needs API access at plan time. Air-gapped plans should pin kubernetes_version explicitly.

Requirements

• Terraform or OpenTofu >= 1.6
• digitalocean/digitalocean provider >= 2.29, < 3.0 (the 2.29 floor is binding: destroy_all_associated_resources is set unconditionally and was added in 2.29.0; cluster registry integration needs 2.28.0; latest 2.x recommended)

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).