How-to guides
Edera install
Installing Edera with AWS EKS

Installing Edera with AWS EKS

🚀 Now available in AWS GovCloud (US-West)!
Edera now supports GovCloud users. Once your GovCloud account is granted access, you can launch Edera just like in any other region.
We’ll share the Edera AMI with your GovCloud account ID—just reach out to support@edera.dev.

This guide walks you through a fast setup of Edera on AWS EKS. It’s built for users who are comfortable with AWS and already have an EKS cluster (or are provisioning one) and want to get up and running—quick.

You’ll prep your local system with the required tools and use Terraform to deploy Edera to your EKS cluster.

ℹ️
This guide is intentionally light—just the essentials to get Edera deployed and operational.

Prerequisites

Before you begin, ensure you have the following tools installed:

  • AWS CLI
  • kubectl
  • Access to the Edera AMI and Edera AWS account ID (not your own).
ℹ️
Important: Edera AMIs are only available in us-west-2 and AWS GovCloud (US-West).
To gain access to Edera, reach out to the customer engineering team at support@edera.dev to discuss your requirements.

Let’s get started

On your local system (install machine)

Once your AWS or AWS GovCloud account has been granted access by the Edera team, you can list available AMIs:

If you’re using GovCloud, set REGION=us-gov-west-1
Otherwise, use REGION=us-west-2

aws ec2 describe-images --owners $EDERA_ACCOUNT_ID \
  --region $REGION \
  --query 'reverse(sort_by(Images[*].[CreationDate, ImageId, Name, State], &[0]))' \
  --output table

Edera AMI names follow this pattern:

edera-protect-{version}-{os}-amazon-eks-node-{k8s version}-{build date}

Example output:

|  2025-08-08T18:52:27.000Z|  ami-0e63122ccd16cb2fd |  edera-protect-v1.3.0-al2023-amazon-eks-node-1.31-v20250808       |  available  |

Using Terraform to deploy

Pin the Edera AMI using a data source:

data "aws_ami" "protect_al2023" {
  owners      = ["<EDERA_ACCOUNT_ID>"] // not your own account ID
  most_recent = true

  filter {
    name   = "name"
    values = [
      "edera-protect-v1.*-al2023-amazon-eks-node-${local.cluster_version}-*"
    ]
  }

  filter {
    name   = "state"
    values = ["available"]
  }

  // For GovCloud, change this to: provider = aws.govwest1
  provider = aws.west2
}

Example main.tf with terraform-aws-modules/eks/aws 

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
  required_version = ">= 1.3"
}

provider "aws" {
  alias  = "west2"
  region = "us-west-2"
}

provider "aws" {
  alias  = "govwest1"
  region = "us-gov-west-1"
}

locals {
  cluster_name    = "edera-cluster"
  cluster_version = "1.32" // updated version
  node_group_name = "protect-al2023"

  ng_defaults = {
    instance_types = ["t3.medium"]
    desired_size   = 2
    min_size       = 1
    max_size       = 3
  }
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.37.1" // latest as of July 2025

  cluster_name    = local.cluster_name
  cluster_version = local.cluster_version
  subnet_ids      = ["subnet-abc123", "subnet-def456"]  # Replace with your subnets
  vpc_id          = "vpc-xyz789"                        # Replace with your VPC

  eks_managed_node_groups = {
    (local.node_group_name) = merge(local.ng_defaults, {
      ami_id   = data.aws_ami.protect_al2023.id
      ami_type = "AL2023_x86_64_STANDARD"

      labels = {
        "node-type"   = "al2023"
        "ng-name"     = local.node_group_name
        "protect-ami" = "true"
      }

      tags = {
        "Name"      = "${local.cluster_name}-${local.node_group_name}"
        "EderaAMI"  = "true"
      }

      enable_bootstrap_user_data = true
    })
  }
}

Deploy it 

terraform init
terraform plan
terraform apply

Testing it out

Connect to your cluster 

aws eks --region $REGION update-kubeconfig --name edera-cluster

Verify the Edera AMI 

for node in $(kubectl get nodes -o name); do
  instance_id=$(kubectl get "$node" -o json | jq -r '.spec.providerID' | cut -d'/' -f5)
  ami_id=$(aws ec2 describe-instances --instance-ids "$instance_id" --query 'Reservations[0].Instances[0].ImageId' --output text)
  ami_name=$(aws ec2 describe-images --image-ids "$ami_id" --query 'Images[0].Name' --output text)
  echo "$node is running AMI $ami_id ($ami_name)"
done

Apply the Edera RuntimeClass 

kubectl apply -f runtime.yaml

runtime.yaml:

apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: edera
handler: edera

Verify it was created:

kubectl get runtimeclass

Expected output:

NAME    HANDLER   AGE
edera   edera     12s

Test with a pod

Create a namespace and deploy a test pod:

kubectl create namespace edera-protect
kubectl apply -f edera-protect-pod.yaml

edera-protect-pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: edera-protect-pod
  namespace: edera-protect
spec:
  runtimeClassName: edera
  containers:
    - name: nginx
      image: nginx:1.25.3

Verify:

kubectl get pods -n edera-protect

Expected output:

NAME                READY   STATUS    RESTARTS   AGE
edera-protect-pod   1/1     Running   0          2m37s

Troubleshooting

If the pod isn’t coming up:

Check pod status:

kubectl describe pod edera-protect-pod -n edera-protect

View logs:

kubectl logs edera-protect-pod -n edera-protect

Confirm runtime class:

kubectl get pod edera-protect-pod -n edera-protect -o=jsonpath="{.spec.runtimeClassName}"

Expected output:

edera

Want more?

Full documentation: docs.edera.dev
Still stuck? Email support@edera.dev—we like solving problems.

Last updated on