IBM Cloud Kubernetes (IKS) on VPC

ibm-iks-cluster

IBM Cloud Kubernetes Service (IKS) on VPC Gen2 — a managed Kubernetes cluster with a multizone default worker pool, optional additional worker pools, a COS-backed Container Registry namespace for private images, and an optional dedicated Cloud Object Storage instance. Works with Terraform and OpenTofu (>= 1.6), IBM Cloud provider >= 2.0, < 3.0.

Status: static-validated, live-test pending. This module ships under live-test quarantine — IKS provisioning takes ~20 minutes and requires a paid IBM Cloud account, so the real apply → verify → destroy gate runs once a cloud sandbox is available. The configuration is validated with tofu fmt, tofu validate, and tflint.

Secure defaults

• Private-only Kubernetes API — disable_public_service_endpoint = true by default; the master is reachable only over the VPC private service endpoint.
• Customer-managed secrets encryption — wire Key Protect / Hyper Protect Crypto Services through kms_config to encrypt the cluster's etcd secrets with your own root key; KMS traffic stays on the private endpoint by default.
• Multizone by design — supply three zones for an HA control plane and worker spread; each zone places worker_count nodes.
• Persistent storage preserved on destroy — force_delete_storage = false by default so block volumes survive an accidental destroy.
• No hardcoded secrets — the IBM API key is supplied to the provider, never to the module.

Requirements

• Terraform or OpenTofu >= 1.6
• IBM-Cloud/ibm provider >= 2.0, < 3.0
• An IBM Cloud paid account with VPC Infrastructure and Kubernetes Service access, and an API key supplied to the provider (ibmcloud_api_key).

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).