Skip to content

Portworx add-on for EKS Blueprints


Portworx is a Kubernetes data services platform that provides persistent storage, data protection, disaster recovery, and other capabilities for containerized applications. This blueprint installs Portworx on Amazon Elastic Kubernetes Service (EKS) environment.


For the add-on to work, Portworx needs additional permission to AWS resources which can be provided in the following way.

Note: Portworx currently does not support obtaining these permissions with an IRSA. Its support will be added with future releases.

Creating the required IAM policy resource

  1. Add the below code block in your terraform script to create a policy with the required permissions. Make a note of the resource name for the policy you created:
resource "aws_iam_policy" "<policy-resource-name>" {
  name = "<policy-name>"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
        Action = [
        Effect   = "Allow"
        Resource = "*"
  1. Run terraform apply command for the policy (replace it with your resource name):

terraform apply -target="aws_iam_policy.<policy-resource-name>"
3. Attach the newly created AWS policy ARN to the node groups in your cluster:

 managed_node_groups = {
    node_group_1 = {
      node_group_name           = "my_node_group_1"
      instance_types            = ["t2.small"]
      min_size                  = 3
      max_size                  = 3
      subnet_ids                = module.vpc.private_subnets

      #Add this line to the code block or add the new policy ARN to the list if it already exists
      additional_iam_policies   = [aws_iam_policy.<policy-resource-name>.arn]

4. Run the command below to apply the changes. (This step can be performed even if the cluster is up and running. The policy attachment happens without having to restart the nodes)
terraform apply -target="module.eks_blueprints"


After completing the requirement step, installing Portworx is simple, set enable_portworx variable to true inside the Kubernetes add-on module.

  enable_portworx = true

To customize Portworx installation, pass the configuration values as shown below:

  enable_portworx         = true

  portworx_helm_config = {
    set = [
        name  = "clusterName"
        value = "testCluster"
        name  = "imageVersion"
        value = "2.11.1"


Portworx Configuration

The following tables lists the configurable parameters of the Portworx chart and their default values.

Parameter Description Default
imageVersion The image tag to pull "2.11.0"
useAWSMarketplace Set this variable to true if you wish to use AWS marketplace license for Portworx "false"
clusterName Portworx Cluster Name portworx-\<random_string>
drives Semi-colon separated list of drives to be used for storage. (example: "/dev/sda;/dev/sdb" or "type=gp2,size=200;type=gp3,size=500") "type=gp2,size=200"
useInternalKVDB boolean variable to set internal KVDB on/off true
kvdbDevice specify a separate device to store KVDB data, only used when internalKVDB is set to true type=gp2,size=150
envVars semi-colon-separated list of environment variables that will be exported to portworx. (example: MYENV1=val1;MYENV2=val2) ""
maxStorageNodesPerZone The maximum number of storage nodes desired per zone 3
useOpenshiftInstall boolean variable to install Portworx on Openshift . false
etcdEndPoint The ETCD endpoint. Should be in the format etcd:http://(your-etcd-endpoint):2379. If there are multiple etcd endpoints they need to be ";" separated. ""
dataInterface Name of the interface . none
managementInterface Name of the interface . none
useStork Storage Orchestration for Hyperconvergence. true
storkVersion Optional: version of Stork. For eg: 2.11.0, when it's empty Portworx operator will pick up version according to Portworx version. "2.11.0"
customRegistryURL URL where to pull Portworx image from ""
registrySecret Image registry credentials to pull Portworx Images from a secure registry ""
licenseSecret Kubernetes secret name that has Portworx licensing information ""
monitoring Enable Monitoring on Portworx cluster false
enableCSI Enable CSI false
enableAutopilot Enable Autopilot false
KVDBauthSecretName Refer Securing with certificates in Kubernetes to create a kvdb secret and specify the name of the secret here none
deleteType Specify which strategy to use while Uninstalling Portworx. "Uninstall" values only removes Portworx but with "UninstallAndWipe" value all data from your disks including the Portworx metadata is also wiped permanently UninstallAndWipe