IaC Bazaar
Huawei Cloud · Plan-validated

Huawei Cloud CCE Cluster

CCE Kubernetes with VPC/subnet, node pool, and EIP-attached ingress.

terraform · Alt & Specialty Clouds · #huaweicloud

huawei-cce-cluster · terraform · v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • No applicable security policies for this provider
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28.

Documentation

huawei-cce-cluster

A production-ready Huawei Cloud CCE (Cloud Container Engine) managed Kubernetes cluster. The module owns its network end to end — it creates the VPC and a DNS-enabled node subnet, stands up the CCE control plane, and attaches autoscaling worker node pools with KMS-encryptable disks.

Status: static-validated, live-test pending. Validated with tofu validate + tflint + checkov against the huaweicloud/huaweicloud provider. Not yet applied against a live Huawei Cloud account (no sandbox subscription; CCE clusters take ~10-15 min to create and bill a per-cluster fee), so it ships under live-test quarantine.

Design & secure defaults

  • Private API server. No public EIP is bound by default (eip = null) — the Kubernetes API server is reachable only from inside the VPC (use a bastion, VPN, or Direct Connect). Bind an EIP explicitly only if you must reach it from the internet.
  • Secrets envelope encryption. Pass kms_key_id to encrypt Kubernetes Secrets at rest in etcd via a customer-managed KMS key (encryption_config mode = KMS). Recommended for regulated workloads.
  • Encrypted worker disks. Node-pool root and data volumes accept a kms_key_id for at-rest encryption; data volumes default to a 100 GB SSD.
  • Storage retained on destroy. delete_all_on_destroy = "false" so a Terraform destroy cannot silently delete associated EVS/SFS/OBS volumes. Flip to "true"/"try" only when you intend a full cleanup.
  • HA control plane. On the s2 flavors you can spread masters across three AZs (master_availability_zones) for an availability-zone-resilient control plane. The s2 family is the production default.
  • RBAC by default (authentication_mode = "rbac") and ipvs kube-proxy for service scalability.
  • Key-pair login only. Node pools authenticate via an SSH key_pair name — no plaintext passwords are accepted into Terraform state.
  • Production CNI. vpc-router by default (VPC-routed pod IPs); choose eni (CCE Turbo) for per-pod ENIs and Kubernetes NetworkPolicy / security groups.

Cross-field invariants (HA masters need an s2 flavor; autoscaling needs min <= max; data volumes ≥ 10 GB; valid taint effects) are enforced with precondition/validation blocks, so misconfigurations fail at plan time.
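The invariants listed above, as an added example that is not part of the module's source: variable validation blocks cover the rules that live inside one variable, and a lifecycle precondition covers the cross-variable rule (HA masters need an s2 flavor). The per-pool keys data_volume_size and taints, and the huaweicloud_cce_cluster arguments shown, are assumptions for illustration.

```hcl
# Added example (not the module's source): enforcing the README's cross-field
# invariants at plan time; pool keys data_volume_size/taints and the resource args are assumed.

variable "cluster_flavor" {
  type    = string
  default = "cce.s2.small"
}

variable "master_availability_zones" {
  type    = list(string)
  default = [] # [] = single-AZ masters; three AZs = HA control plane
}

variable "node_pools" {
  type = map(object({
    flavor_id        = string
    min_node_count   = number
    max_node_count   = number
    key_pair         = string                # SSH key-pair name, never a password
    data_volume_size = optional(number, 100) # GB; the README default is a 100 GB SSD
    taints           = optional(list(object({ key = string, value = string, effect = string })), [])
  }))
  validation {
    condition     = alltrue([for p in var.node_pools : p.min_node_count <= p.max_node_count])
    error_message = "Each node pool needs min_node_count <= max_node_count."
  }
  validation {
    condition     = alltrue([for p in var.node_pools : p.data_volume_size >= 10])
    error_message = "Node-pool data volumes must be at least 10 GB."
  }
  validation {
    condition = alltrue(flatten([for p in var.node_pools :
      [for t in p.taints : contains(["NoSchedule", "PreferNoSchedule", "NoExecute"], t.effect)]
    ]))
    error_message = "Taint effect must be NoSchedule, PreferNoSchedule or NoExecute."
  }
}

resource "huaweicloud_cce_cluster" "this" {
  name      = "prod"
  flavor_id = var.cluster_flavor
  # vpc_id, subnet_id and the other arguments are omitted here
  lifecycle {
    precondition {
      # Cross-variable rule: multi-AZ masters are only valid on the cce.s2.* flavors.
      condition     = length(var.master_availability_zones) == 0 || startswith(var.cluster_flavor, "cce.s2.")
      error_message = "master_availability_zones requires a cce.s2.* cluster_flavor."
    }
  }
}
```

With Terraform/OpenTofu 1.6 a validation block may only reference its own variable, which is why the flavor check sits in a resource precondition rather than in the variable.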

Usage

module "cce" {
  source = "github.com/ITfreak/iacbazaar//artifacts/terraform/huawei-cce-cluster"

  name                   = "prod"
  region                 = "ap-southeast-3"
  cluster_version        = "v1.30"
  vpc_cidr               = "10.0.0.0/16"
  subnet_cidr            = "10.0.1.0/24"
  container_network_type = "vpc-router"

  node_pools = {
    default = {
      flavor_id      = "s6.large.2"
      min_node_count = 2
      max_node_count = 6
      key_pair       = "prod-keypair"
    }
  }
}

See examples/basic for a complete, runnable configuration.

Key inputs

Variable                  | Description                                             | Default
--------------------------+---------------------------------------------------------+--------------------------
name                      | Cluster + VPC/subnet name prefix                        | required
node_pools                | Map of { flavor_id, min_node_count, max_node_count, … } | required
region                    | Huawei Cloud region                                     | provider default
cluster_version           | Kubernetes version (e.g. v1.30), or null                | null
cluster_flavor            | Control-plane flavor (cce.s2.* = HA-capable)            | cce.s2.small
vpc_cidr / subnet_cidr    | VPC / node-subnet CIDRs                                 | 10.0.0.0/16 / 10.0.1.0/24
container_network_type    | vpc-router, overlay_l2, or eni (Turbo)                  | vpc-router
container_network_cidr    | Pod CIDR (non-eni)                                      | 172.16.0.0/16
service_network_cidr      | Service CIDR                                            | 10.247.0.0/16
eni_subnet_id             | ENI subnet (eni/Turbo only)                             | module subnet
kube_proxy_mode           | ipvs or iptables                                        | ipvs
authentication_mode       | rbac or authenticating_proxy                            | rbac
master_availability_zones | 3 AZs for HA control plane, or []                       | []
eip                       | Public API-server EIP address                           | null (private)
kms_key_id                | KMS key for Secrets-at-rest encryption                  | null
delete_all_on_destroy     | Delete associated storage on destroy                    | "false"
subnet_dns_servers        | DNS resolvers on the node subnet                        | HW public resolvers
tags                      | Tags for VPC/subnet/cluster/nodes                       | {}

Outputs

cluster_id, cluster_name, cluster_status, cluster_category, vpc_id, subnet_id, subnet_ipv4_subnet_id, kube_config_raw (sensitive), certificate_clusters (sensitive), node_pool_ids (map), node_pool_status (map).

Provider

huaweicloud/huaweicloud >= 1.0, < 2.0. Requires Terraform/OpenTofu >= 1.6.

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.