diff --git a/.github/workflows/conductor-workflow.yml b/.github/workflows/conductor-workflow.yml
new file mode 100644
index 0000000..ca3d4a1
--- /dev/null
+++ b/.github/workflows/conductor-workflow.yml
@@ -0,0 +1,35 @@
+name: Infrastructure CI/CD Conductor
+
+on:
+  push:
+    branches:
+      - '*feature*'
+      - 'dev'
+  pull_request:
+    branches:
+      - 'dev'
+
+jobs:
+  trigger-terragrunt-plan:
+    if: github.event_name == 'push' && contains(github.ref, 'feature')
+    uses: ./.github/workflows/terragrunt-plan-workflow.yml
+    with:
+      environment: dev
+
+  trigger-security-scan:
+    if: github.event_name == 'push' && contains(github.ref, 'feature')
+    needs: trigger-terragrunt-plan
+    uses: ./.github/workflows/security-scan-workflow.yml
+
+  trigger-pr-terragrunt-plan:
+    if: github.event_name == 'pull_request' && github.base_ref == 'dev'
+    uses: ./.github/workflows/pr-terragrunt-plan-workflow.yml
+
+  trigger-pr-security-scan:
+    if: github.event_name == 'pull_request' && github.base_ref == 'dev'
+    needs: trigger-pr-terragrunt-plan
+    uses: ./.github/workflows/pr-security-scan-workflow.yml
+
+  trigger-infrastructure-provision:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/dev'
+    uses: ./.github/workflows/infrastructure-provision-workflow.yml
diff --git a/.github/workflows/infrastructure-provision-workflow.yml b/.github/workflows/infrastructure-provision-workflow.yml
new file mode 100644
index 0000000..ffeed4d
--- /dev/null
+++ b/.github/workflows/infrastructure-provision-workflow.yml
@@ -0,0 +1,51 @@
+name: Infrastructure Provision
+
+on:
+  workflow_call:
+
+env:
+  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+  tg_root_dir: 'terragrunt' 
+  ACCOUNT_PROFILE_NAME: "lab-dev-gov"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+  issues: read
+  checks: write
+  pull-requests: write
+
+jobs:
+  provision-infrastructure:
+    runs-on: [self-hosted, Linux, X64, buildkitsandbox]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Configure AWS credentials
+        uses: etools/configure-aws-credentials@main
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks"
+          role-skip-session-tagging: true
+
+      - name: Add profile credentials to ~/.aws/credentials 
+        run: |
+          aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+
+      - name: Provision Infrastructure
+        run: |
+          pwd
+          cd lab/development/us-gov-east-1/vpc/platform-test-cicd
+          https_proxy=http://proxy.tco.census.gov:3128 \
+          http_proxy=http://proxy.tco.census.gov:3128 \
+          NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
+          TERRAGRUNT_PROVIDER_CACHE=1 \
+          terragrunt run-all apply --terragrunt-non-interactive
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr-checks-workflow.yml b/.github/workflows/pr-checks-workflow.yml
new file mode 100644
index 0000000..3055085
--- /dev/null
+++ b/.github/workflows/pr-checks-workflow.yml
@@ -0,0 +1,84 @@
+name: PR Checks
+
+on:
+  workflow_call:
+
+env:
+  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+  issues: read
+  checks: write
+  pull-requests: write
+
+jobs:
+  pr-checks:
+    runs-on: [self-hosted, Linux, X64, buildkitsandbox]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up Terraform
+        run: |
+          terraform init
+
+      - name: Configure AWS credentials
+        uses: etools/configure-aws-credentials@main
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Set AWS environment variables
+        run: |
+          export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}
+          export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          export AWS_REGION=${{ vars.AWS_REGION }}
+        shell: bash
+
+      - name: Terragrunt Plan
+        run: |
+          pwd
+          cd project-x-infra-live/development
+          https_proxy=http://proxy.tco.census.gov:3128 \
+          http_proxy=http://proxy.tco.census.gov:3128 \
+          NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
+          TERRAGRUNT_PROVIDER_CACHE=1 \
+          terragrunt run-all plan --terragrunt-non-interactive
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Scan for Vulnerabilities and Misconfigurations
+        run: |
+          export TRIVY_INSECURE=true
+          export http_proxy=http://proxy.tco.census.gov:3128
+          export https_proxy=http://proxy.tco.census.gov:3128
+          trivy fs --scanners misconfig,secret --skip-dirs ".terragrunt-cache,.terraform" --format sarif -o trivy-results.sarif .
+          unset http_proxy
+          unset https_proxy
+
+
+
+      - name: Fail if Critical or High severity issues found
+        run: |
+          critical_high_count=$(jq '[.runs[].results[] | select(.properties.severity=="CRITICAL" or .properties.severity=="HIGH")] | length' trivy-results.sarif)
+          if [ "$critical_high_count" -gt 0 ]; then
+            echo "Found $critical_high_count critical or high severity issues."
+            exit 1
+          else
+            echo "No critical or high severity issues found."
+          fi
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Prevent merge on security issues
+        if: failure()
+        run: |
+          echo "Security issues found. PR cannot be merged."
+          exit 1
diff --git a/.github/workflows/pr-security-scan-workflow.yml b/.github/workflows/pr-security-scan-workflow.yml
new file mode 100644
index 0000000..e63f3b5
--- /dev/null
+++ b/.github/workflows/pr-security-scan-workflow.yml
@@ -0,0 +1,34 @@
+name: PR Security Scan
+
+on:
+  workflow_call:
+
+env:
+  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+
+jobs:
+  pr-security-scan:
+    runs-on: [self-hosted, Linux, X64, buildkitsandbox]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Scan for Vulnerabilities and Misconfigurations
+        run: |
+          export TRIVY_INSECURE=true
+          export http_proxy=http://proxy.tco.census.gov:3128
+          export https_proxy=http://proxy.tco.census.gov:3128
+          trivy fs --scanners misconfig,secret --skip-dirs ".terragrunt-cache,.terraform" --format sarif -o trivy-results.sarif --exit-code 0 --severity CRITICAL,HIGH .
+          unset http_proxy
+          unset https_proxy
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Prevent merge on security issues
+        if: failure()
+        run: |
+          echo "Security issues found. PR cannot be merged."
+          exit 1
diff --git a/.github/workflows/pr-terragrunt-plan-workflow.yml b/.github/workflows/pr-terragrunt-plan-workflow.yml
new file mode 100644
index 0000000..f4fb9d1
--- /dev/null
+++ b/.github/workflows/pr-terragrunt-plan-workflow.yml
@@ -0,0 +1,50 @@
+name: PR Terragrunt Plan
+
+on:
+  workflow_call:
+
+env:
+  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+  issues: read
+  checks: write
+  pull-requests: write
+
+jobs:
+  pr-terragrunt-plan:
+    runs-on: [self-hosted, Linux, X64, buildkitsandbox]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Configure AWS credentials
+        uses: etools/configure-aws-credentials@main
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks"
+          role-skip-session-tagging: true
+
+      - name: Add profile credentials to ~/.aws/credentials 
+        run: |
+          aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+
+      - name: Terragrunt Plan
+        run: |
+          pwd
+          aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          cd lab/development/us-gov-east-1/vpc/platform-test-cicd
+          https_proxy=http://proxy.tco.census.gov:3128 \
+          http_proxy=http://proxy.tco.census.gov:3128 \
+          NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
+          TERRAGRUNT_PROVIDER_CACHE=1 \
+          terragrunt run-all plan --terragrunt-non-interactive
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  
diff --git a/.github/workflows/security-scan-workflow.yml b/.github/workflows/security-scan-workflow.yml
new file mode 100644
index 0000000..143b7d6
--- /dev/null
+++ b/.github/workflows/security-scan-workflow.yml
@@ -0,0 +1,46 @@
+name: Security Scan
+
+on:
+  workflow_call:
+
+jobs:
+  security-scan:
+    runs-on: self-hosted
+    env:
+      NODE_TLS_REJECT_UNAUTHORIZED: '0'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up Terraform
+        run: |
+          # Initialize Terraform/Terragrunt to download modules
+          export http_proxy=http://proxy.tco.census.gov:3128
+          export https_proxy=http://proxy.tco.census.gov:3128
+          pwd
+          cd lab/development/us-gov-east-1/vpc/platform-test-cicd
+          terraform init
+          terragrunt run-all init --terragrunt-non-interactive
+          unset http_proxy
+          unset https_proxy
+      - name: Scan for Vulnerabilities and Misconfigurations # I need to check if the report can be adjusted from trivy itself, pre-scan, using flags
+        run: |
+          export TRIVY_INSECURE=true
+          export http_proxy=http://proxy.tco.census.gov:3128
+          export https_proxy=http://proxy.tco.census.gov:3128
+          trivy fs --scanners misconfig,secret --format sarif -o trivy-results.sarif .
+          unset http_proxy
+          unset https_proxy
+          jq 'walk(
+                if type == "object" and .uri? and (.uri | test("git@")) then
+                  .uri |= sub("git@([^:]+):"; "\\1/") 
+                else
+                  .
+                end
+              )' trivy-results.sarif > trivy-results-fixed.sarif
+
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results-fixed.sarif'
diff --git a/.github/workflows/terragrunt-plan-workflow.yml b/.github/workflows/terragrunt-plan-workflow.yml
new file mode 100644
index 0000000..3559284
--- /dev/null
+++ b/.github/workflows/terragrunt-plan-workflow.yml
@@ -0,0 +1,61 @@
+name: Terragrunt Plan
+
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+
+env:
+  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+  tg_root_dir: 'terragrunt'
+  ACCOUNT_PROFILE_NAME: "lab-dev-gov"
+#   aws-region: 'us-east-1'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+  issues: read
+  checks: write
+  pull-requests: write
+
+jobs:
+  terragrunt-plan:
+    runs-on: [self-hosted, Linux, X64, buildkitsandbox]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Configure AWS credentials
+        uses: etools/configure-aws-credentials@main
+        with:
+#          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+#          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks"
+          role-skip-session-tagging: true
+
+      - name: Add profile credentials to ~/.aws/credentials 
+        run: |
+          aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+ 
+      - name: Terragrunt Plan
+        run: |
+          pwd
+          aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}"
+          rm -rf ~/.kube/config
+          cd lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm
+          https_proxy=http://proxy.tco.census.gov:3128 \
+          http_proxy=http://proxy.tco.census.gov:3128 \
+          NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \
+          TERRAGRUNT_PROVIDER_CACHE=1 \
+          terragrunt run-all plan --terragrunt-non-interactive --terragrunt-log-level debug
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/lab/_envcommon/aws-provider.hcl b/lab/_envcommon/aws-provider.hcl
deleted file mode 100644
index 18483ac..0000000
--- a/lab/_envcommon/aws-provider.hcl
+++ /dev/null
@@ -1,45 +0,0 @@
-# lab/_envcommon/aws-provider.hcl
-
-include "root" {
-  path           = find_in_parent_folders("root.hcl")
-  merge_strategy = "deep"
-  expose         = false
-}
-
-# Generate an AWS provider block
-generate "aws_provider" {
-  path      = "${get_original_terragrunt_dir()}/aws_provider.tf"
-  if_exists = "overwrite_terragrunt"
-  contents  = <<EOF
-  terraform {
-    required_version = "~> ${include.root.inputs.tf_version}"
-  }
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> ${include.root.inputs.aws_version}"
-    }
-  }
-  provider "aws" {
-    region = "${include.root.inputs.aws_region}"
-    profile = "${include.root.inputs.aws_profile}"
-    default_tags {
-      tags = {
-        "Project Identifier" = "${include.root.inputs.project_number}:${include.root.inputs.project_name}"
-        "Project Name" = "${include.root.inputs.project_name}"
-        "Project Role" = "${include.root.inputs.project_role}"
-        created_by = "${include.root.inputs.creator}"
-        created_for = "${include.root.inputs.creator}"
-        created_reason = "${include.root.inputs.created_reason}"
-        Environment = "${include.root.inputs.environment_abbr}"
-        Organization = "${include.root.inputs.organization}"
-        ProjectNumber = "${include.root.inputs.project_number}"
-        Terraform = "${include.root.inputs.terraform}"
-        Terragrunt = "${include.root.inputs.terragrunt}"
-      }
-    }
-    # Only these AWS Account IDs may be operated on by this template
-    allowed_account_ids = ["${include.root.inputs.account_id}"]
-  }
-EOF
-}
diff --git a/lab/_envcommon/helm-provider.hcl b/lab/_envcommon/helm-provider.hcl
deleted file mode 100644
index 9de71e8..0000000
--- a/lab/_envcommon/helm-provider.hcl
+++ /dev/null
@@ -1,46 +0,0 @@
-# lab/_envcommon/helm-provider.hcl
-
-dependency "eks" {
-  config_path = "${get_original_terragrunt_dir()}/../eks"
-  mock_outputs = {
-    cluster_name = "a-cluster-name"
-  }
-}
-
-# Generate a helm provider block
-generate "helm_provider" {
-  path      = "${get_original_terragrunt_dir()}/helm_provider.tf"
-  if_exists = "overwrite_terragrunt"
-  contents  = <<-EOF
-    terraform {
-    required_version = "~> ${include.root.inputs.tf_version}"
-  }
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> ${include.root.inputs.aws_version}"
-    }
-    helm = {
-      source  = "hashicorp/helm"
-      version = "~> ${include.root.inputs.helm_version}"
-    }
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = "~> ${include.root.inputs.kubernetes_version}"
-    }
-  }
-  data "aws_eks_cluster" "helm" {
-    name = "${dependency.eks.outputs.cluster_name}"
-  }
-  data "aws_eks_cluster_auth" "helm" {
-    name = "${dependency.eks.outputs.cluster_name}"
-  }
-  provider "helm" {
-    kubernetes {
-      host                   = data.aws_eks_cluster.helm[0].endpoint
-      cluster_ca_certificate = base64decode(data.aws_eks_cluster.helm[0].certificate_authority[0].data)
-      token                  = data.aws_eks_cluster_auth.helm.token
-    }
-  }
-EOF
-}
diff --git a/lab/_envcommon/kubernetes-provider.hcl b/lab/_envcommon/kubernetes-provider.hcl
deleted file mode 100644
index a004d43..0000000
--- a/lab/_envcommon/kubernetes-provider.hcl
+++ /dev/null
@@ -1,40 +0,0 @@
-# lab/_envcommon/kubernetes-provider.hcl
-
-dependency "eks" {
-  config_path = "${get_original_terragrunt_dir()}/../eks"
-  mock_outputs = {
-    cluster_name = "a-cluster-name"
-  }
-}
-
-# Generate a k8s provider block
-generate "kube_provider" {
-  path      = "${get_original_terragrunt_dir()}/kube_provider.tf"
-  if_exists = "overwrite_terragrunt"
-  contents  = <<-EOF
-  terraform {
-    required_version = "~> ${include.root.inputs.tf_version}"
-  }
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> ${include.root.inputs.aws_version}"
-    }
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = "~> ${include.root.inputs.kubernetes_version}"
-    }
-  }
-  data "aws_eks_cluster" "kube" {
-    name = "${dependency.eks.outputs.cluster_name}"
-  }
-  data "aws_eks_cluster_auth" "kube" {
-    name = "${dependency.eks.outputs.cluster_name}"
-  }
-  provider "kubernetes" {
-    host                   = data.aws_eks_cluster.kube.endpoint
-    cluster_ca_certificate = base64decode(data.aws_eks_cluster.kube.certificate_authority[0].data)
-    token                  = data.aws_eks_cluster_auth.kube.token
-  }
-EOF
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
index 98d12d7..e43148a 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
@@ -5,6 +5,7 @@
 locals {
   cluster_endpoint_public_access           = true
   cluster_name                             = "platform-eng-eks-mcm"
+  created_reason                           = "Terragrunt Development for CICD Delivered EKS Platform"
   creator                                  = "matthew.c.morgan@census.gov"
   eks_instance_disk_size                   = 100
   eks_ng_desired_size                      = 2
@@ -17,8 +18,4 @@ locals {
     "slim:schedule" = "8:00-17:00"
     "cluster:size"  = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
   }
-  eks_version = "0.1.1"
-  eks_enabled = true
-
-
 }
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
index 5fb18d0..ad0fbe2 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
@@ -24,11 +24,34 @@ dependency "eks" {
     oidc_provider_arn                               = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
     security_group_all_worker_mgmt_id               = "sg-00b0000000000000"
     subnets                                         = ["subnet-00000000000000001", "subnet-00000000000000002", "subnet-00000000000000003"]
-    token                                           = [{ token = "THISISTHETOKENTHATDOESNTEXISTTHEREAREMANYLIKEITBUTHISONEISFORACLUSTER" }]
     vpc_id                                          = "a-vpc-id"
   }
 }
 
+generate "kubectl-provider" {
+  path      = "kubectl-provider.tf"
+  if_exists = "overwrite"
+  contents  = <<-EOF
+  %{ if dependency.eks.outputs.cluster_name != "a-cluster-name" ~}
+  data "aws_eks_cluster" "kubectl" {
+    name = "${dependency.eks.outputs.cluster_name}"
+  }
+  provider "kubectl" {
+    apply_retry_count      = 5
+    host                   = data.aws_eks_cluster.kubectl.endpoint
+    cluster_ca_certificate = base64decode(data.aws_eks_cluster.kubectl.certificate_authority[0].data)
+    load_config_file       = false
+
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "aws"
+      args = ["eks", "get-token", "--cluster-name", "${dependency.eks.outputs.cluster_name}", "--region", "${include.root.inputs.aws_region}"]
+    }
+  }
+  %{ endif ~}
+  EOF
+}
+
 inputs = {
   cluster_name                                    = dependency.eks.outputs.cluster_name
   eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl
index fa9300c..61ea560 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl
@@ -18,6 +18,7 @@ dependency "eks" {
     cluster_name = "a-cluster-name"
   }
 }
+
 dependency "eks-karpenter" {
   config_path  = "../eks-karpenter"
   skip_outputs = true
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
index 2c6b6be..70b8b09 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl
@@ -19,10 +19,12 @@ dependency "eks" {
     oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
   }
 }
+
 dependency "eks-istio" {
   config_path  = "../eks-istio"
   skip_outputs = true
 }
+
 dependency "eks-prometheus" {
   config_path  = "../eks-prometheus"
   skip_outputs = true
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
index cc7c893..ba46766 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl
@@ -4,9 +4,15 @@ include "root" {
   expose         = true
 }
 
-locals {
-  # Set cluster/platform specific variables, or extract from the hierarchy. 
-  account_id                               = include.root.inputs.aws_account_id
+terraform {
+  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}"
+  extra_arguments "retry_lock" {
+    commands  = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20m"]
+  }
+}
+
+inputs = {
   cluster_endpoint_public_access           = include.root.inputs.cluster_endpoint_public_access
   cluster_name                             = include.root.inputs.cluster_name
   cluster_version                          = include.root.inputs.cluster_version
@@ -18,39 +24,6 @@ locals {
   eks_vpc_name                             = include.root.inputs.vpc_name
   enable_cluster_creator_admin_permissions = include.root.inputs.enable_cluster_creator_admin_permissions
   environment_abbr                         = include.root.inputs.environment_abbr
-  organization                             = include.root.inputs.organization
-  profile                                  = include.root.inputs.aws_profile
-  project_name                             = include.root.inputs.project_name
-  project_number                           = include.root.inputs.project_number
-  project_role                             = include.root.inputs.project_role
-  region                                   = include.root.inputs.aws_region
   tags                                     = include.root.inputs.tags
-  terraform                                = include.root.inputs.terraform
-  terragrunt                               = include.root.inputs.terragrunt
-  vpc_domain_name                          = include.root.inputs.vpc_domain_name
-}
-
-terraform {
-  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}"
-  extra_arguments "retry_lock" {
-    commands  = get_terraform_commands_that_need_locking()
-    arguments = ["-lock-timeout=20m"]
-  }
-}
-
-inputs = {
-  aws_account_id                           = local.account_id
-  cluster_endpoint_public_access           = local.cluster_endpoint_public_access
-  cluster_name                             = local.cluster_name
-  cluster_version                          = local.cluster_version
-  creator                                  = local.creator
-  eks_instance_disk_size                   = local.eks_instance_disk_size
-  eks_ng_desired_size                      = local.eks_ng_desired_size
-  eks_ng_max_size                          = local.eks_ng_max_size
-  eks_ng_min_size                          = local.eks_ng_min_size
-  eks_vpc_name                             = local.eks_vpc_name
-  enable_cluster_creator_admin_permissions = local.enable_cluster_creator_admin_permissions
-  os_username                              = local.creator
-  shared_vpc_label                         = local.environment_abbr
-  tags                                     = local.tags
+  vpc_name                                 = include.root.inputs.vpc_name
 }
diff --git a/lab/root.hcl b/lab/root.hcl
index 87fe323..7253386 100644
--- a/lab/root.hcl
+++ b/lab/root.hcl
@@ -9,18 +9,18 @@ locals {
   # Automatically load account-level variables (NOTE: In our environment account = environment so there is not separate environment layer)
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
 
-  # Automatically load _envcommon, cross account and environment common variables
-  common_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/common-variables.hcl"))
-
-  # Automatically load versions
-  versions = read_terragrunt_config(find_in_parent_folders("./_envcommon/default-versions.hcl"))
-
   # Automatically load cluster-level variables
   cluster_vars = read_terragrunt_config(find_in_parent_folders("cluster.hcl"))
 
+  # Automatically load _envcommon, cross account and environment common variables
+  common_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/common-variables.hcl"))
+
   # Automatically load region-level variables
   region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
 
+  # Automatically load versions
+  versions = read_terragrunt_config(find_in_parent_folders("./_envcommon/default-versions.hcl"))
+
   # Automatically load vpc-level variables
   vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl"))
 
@@ -28,8 +28,18 @@ locals {
   account_id          = local.account_vars.locals.aws_account_id
   aws_profile         = local.account_vars.locals.aws_profile
   aws_region          = local.region_vars.locals.aws_region
+  created_reason      = local.cluster_vars.locals.created_reason
+  creator             = local.cluster_vars.locals.creator
+  environment_abbr    = local.account_vars.locals.environment_abbr
+  organization        = local.common_vars.locals.organization
+  project_name        = local.common_vars.locals.project_name
+  project_number      = local.common_vars.locals.project_number
+  project_role        = local.common_vars.locals.project_role
   state_bucket_prefix = local.common_vars.locals.state_bucket_prefix
   state_table_name    = local.common_vars.locals.state_table_name
+  terraform           = local.cluster_vars.locals.terraform
+  terragrunt          = local.cluster_vars.locals.terragrunt
+  module_name         = get_terragrunt_dir()
 }
 
 # Configure Terragrunt to automatically store tfstate files in an S3 bucket
@@ -55,6 +65,79 @@ remote_state {
   }
 }
 
+# Generate an AWS provider block
+generate "aws-provider" {
+  path      = "aws-provider.tf"
+  if_exists = "overwrite"
+  contents  = <<-EOF
+provider "aws" {
+  region = "${local.aws_region}"
+  profile = "${local.aws_profile}"
+  default_tags {
+    tags = {
+      project_identifier = "${local.project_number}:${local.project_name}"
+      project_name = "${local.project_name}"
+      project_role = "${local.project_role}"
+      created_by = "${local.creator}"
+      created_for = "${local.creator}"
+      created_reason = "${local.created_reason}"
+      environment = "${local.environment_abbr}"
+      organization = "${local.organization}"
+      project_number = "${local.project_number}"
+      terraform = "${local.terraform}"
+      terragrunt = "${local.terragrunt}"
+    }
+  }
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+generate "kube-provider" {
+  path      = "kube-provider.tf"
+  if_exists = "overwrite"
+  contents  = <<-EOF
+%{ if startswith(local.module_name, "tfmod-eks-") ~}
+data "aws_eks_cluster" "kube" {
+  name = "${local.cluster_name}"
+}
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.kube.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.kube.certificate_authority[0].data)
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "aws"
+    args = ["eks", "get-token", "--cluster-name", "${local.cluster_name}", "--region", "${local.aws_region}"]
+  }
+}
+%{ endif }
+EOF
+}
+
+generate "helm-provider" {
+  path      = "helm-provider.tf"
+  if_exists = "overwrite"
+  contents  = <<-EOF
+%{ if startswith(local.module_name, "tfmod-eks-") ~}
+data "aws_eks_cluster" "helm" {
+  name = "${local.cluster_name}"
+}
+provider "helm" {
+  kubernetes {
+    host                   = data.aws_eks_cluster.helm.endpoint
+    cluster_ca_certificate = base64decode(data.aws_eks_cluster.helm.certificate_authority[0].data)
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "aws"
+      args = ["eks", "get-token", "--cluster-name", "${local.cluster_name}", "--region", "${local.aws_region}"]
+    }
+  }
+}
+%{ endif }
+EOF
+}
+
 # ---------------------------------------------------------------------------------------------------------------------
 # GLOBAL PARAMETERS
 # These variables apply to all configurations in this subfolder. These are automatically merged into the child