diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bdad379..fbcb79b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,7 +14,7 @@ repos:
 - id: trailing-whitespace
 args: [--markdown-linebreak-ext=md]
 exclude: CHANGELOG.md
- - id: check-yaml
+ # - id: check-yaml
 - id: check-merge-conflict
 - id: check-executables-have-shebangs
diff --git a/README.md b/README.md
index 519c385..33fa384 100644
--- a/README.md
+++ b/README.md
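Review bot: Commenting out `check-yaml` at `+ # - id: check-yaml` drops YAML validation for every file in the repository, presumably because the new Helm templates under `eks-console-*/templates/` are Go templates and do not parse as YAML. Keep the hook and narrow it instead, e.g. `- id: check-yaml` followed by `exclude: ^eks-console-.*/templates/` (a pattern along those lines, adjusted to the chart layout), so `.pre-commit-config.yaml`, each chart's `Chart.yaml` and `values.yaml`, and any CI YAML still get checked. The `repos` list this hunk edits starts outside the hunk.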
@@ -8,23 +8,12 @@ The module configures an eks cluster with additional components after the cluste
 - A gp2-encrypted storage class is created
 - An efs storage class is created
 - This storage class is returned as the `rwx_storage_class`
-- cluster-autoscaler
- - Monitors cpu/memory usage by components being deployed to the clsuter.
- - When the cluster is out of capacity, the autoscaler will add nodes to the cluster up to the maximum size of the node group.
- - When the autoscaler detects excess capacity, the autoscaler will cause EKS to migrate pods running on the node to a different node and then remove the node from the cluster.
-
-When selecting which version of the cluster-autoscaler to install, use the one that is closest to the same version as the `cluster_version` or slightly higher.
-The cluster-autoscaler uses the kuberentes scheduling algorithm to appropriate scale the cluster, and if the autoscaler version sufficiently divirges from the kubernetes version, the autoscaler will scale the node groups incorrectly.
 A successful apply will yield:
 Apply complete! Resources: 14 added, 0 changed, 0 destroyed.
 Outputs:
-kubectl_image_full_path = "224384469011.dkr.ecr.us-gov-east-1.amazonaws.com/platform-eng-eks-mcm/kubectl:1.27.14"
-kubectl_image_registry = "224384469011.dkr.ecr.us-gov-east-1.amazonaws.com"
-kubectl_image_repository = "platform-eng-eks-mcm/kubectl"
-kubectl_image_tag = "1.27.14"
 module_name = "tfmod-eks-configuration"
-module_version = "0.0.2"
+module_version = "0.1.1"
 rwo_storage_class = "gp3-encrypted"
 rwx_storage_class = "efs"
 real 2m4.048s
@@ -44,51 +33,43 @@ sys 0m2.015s
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13 |
 | [aws](#requirement\_aws) | >= 5.14.0 |
-| [http](#requirement\_http) | >= 2.1.0 |
-| [kubectl](#requirement\_kubectl) | >= 1.14.0 |
+| [helm](#requirement\_helm) | >= 2.11.0 |
 | [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 5.73.0 |
-| [http](#provider\_http) | 3.4.5 |
-| [kubectl](#provider\_kubectl) | 1.14.0 |
-| [kubernetes](#provider\_kubernetes) | 2.33.0 |
+| [aws](#provider\_aws) | 5.84.0 |
+| [helm](#provider\_helm) | 2.17.0 |
+| [kubernetes](#provider\_kubernetes) | 2.35.1 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
 | [efs](#module\_efs) | git@github.e.it.census.gov:terraform-modules/aws-efs.git | master |
-| [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
 ## Resources
 | Name | Type |
 |------|------|
-| [kubectl_manifest.deploy_cluster_roles](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
-| [http_http.cluster_roles](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
-| [kubectl_file_documents.access_documents](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/data-sources/file_documents) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
-| [eks\_managed\_node\_groups\_autoscaling\_group\_names](#input\_eks\_managed\_node\_groups\_autoscaling\_group\_names) | List of the autoscaling group names created by EKS managed node groups | `list(string)` | n/a | yes |
-| [kubectl\_image\_tag](#input\_kubectl\_image\_tag) | The version of bitnami/kubectl image to use. | `string` | `"1.30.4"` | no |
-| [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the OIDC Provider if `enable_irsa = true` | `string` | n/a | yes |
 | [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no |
-| [profile](#input\_profile) | AWS config profile | `string` | `""` | no |
 | [region](#input\_region) | AWS region | `string` | n/a | yes |
+| [release\_version](#input\_release\_version) | The version of helm charts to use | `string` | n/a | yes |
 | [security\_group\_all\_worker\_mgmt\_id](#input\_security\_group\_all\_worker\_mgmt\_id) | The security group representing all of the worker nodes in the cluster. | `string` | n/a | yes |
 | [subnets](#input\_subnets) | Specify the subnets used by this cluster | `list(string)` | n/a | yes |
 | [tag\_costallocation](#input\_tag\_costallocation) | Tag CostAllocation (default) | `string` | `"csvd:infrastructure"` | no |
@@ -99,10 +80,6 @@ sys 0m2.015s
 | Name | Description |
 |------|-------------|
-| [kubectl\_image\_full\_path](#output\_kubectl\_image\_full\_path) | The full URI to access the kubectl image including the registry/repository:tag |
-| [kubectl\_image\_registry](#output\_kubectl\_image\_registry) | The registry portion of the URI to access the kubectl image |
-| [kubectl\_image\_repository](#output\_kubectl\_image\_repository) | The repository portion of the URI to access the kubectl image |
-| [kubectl\_image\_tag](#output\_kubectl\_image\_tag) | The tag portion of the URI to access the kubectl image |
 | [module\_name](#output\_module\_name) | The name of this module. |
 | [module\_version](#output\_module\_version) | The version of this module. |
 | [rwo\_storage\_class](#output\_rwo\_storage\_class) | Kubernetes storage class that supports read/write once. |
diff --git a/aws_data.tf b/aws_data.tf
new file mode 100644
index 0000000..96cd77c
--- /dev/null
+++ b/aws_data.tf
@@ -0,0 +1,5 @@
+data "aws_ebs_default_kms_key" "current" {}
+
+data "aws_kms_key" "ebs_key" {
+ key_id = data.aws_ebs_default_kms_key.current.key_arn
+}
diff --git a/copy_images.tf b/copy_images.tf.off
similarity index 51%
rename from copy_images.tf
rename to copy_images.tf.off
index b3c0dcd..dccba9e 100644
--- a/copy_images.tf
+++ b/copy_images.tf.off
@@ -1,17 +1,7 @@
 locals {
- # autoscaler_key = format("%v#%v", "cluster-autoscaler", var.cluster_autoscaler_tag)
 kubectl_key = format("%v#%v", "kubectl", var.kubectl_image_tag)
 image_config = [
- # {
- # enabled = true
- # dest_path = null
- # name = "cluster-autoscaler"
- # source_image = "autoscaling/cluster-autoscaler"
- # source_registry = "registry.k8s.io"
- # source_tag = null
- # tag = var.cluster_autoscaler_tag
- # },
 {
 enabled = true
 dest_path = null
@@ -20,7 +10,7 @@ locals {
 source_registry = "docker.io"
 source_tag = var.kubectl_image_tag
 tag = var.kubectl_image_tag
- },
+ }
 ]
 }
@@ -32,18 +22,8 @@ module "images" {
 image_config = local.image_config
 tags = {}
- ### optional
- ## account_alias = ""
- ## account_id = ""
- ## destination_password = ""
- ## destination_username = ""
- ## override_prefixes = {}
- ## region = ""
- ## source_password = ""
- ## source_username = ""
 enable_lifecycle_policy = true
 lifecycle_policy_all = true
 force_delete = true
-
+ lifecycle_policy_keep_count = 3
 }
diff --git a/eks-console-full-access/.helmignore b/eks-console-full-access/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/eks-console-full-access/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/eks-console-full-access/Chart.yaml b/eks-console-full-access/Chart.yaml
new file mode 100644
index 0000000..137d260
--- /dev/null
+++ b/eks-console-full-access/Chart.yaml
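Review bot: Renaming `copy_images.tf` to `copy_images.tf.off` parks dead Terraform in the tree instead of removing it, and the retained body still reads `var.kubectl_image_tag` and `local.kubectl_key` while `variables.tf` in this same commit deletes the `kubectl_image_tag` variable and `outputs.tf` drops every consumer of `module.images`; renaming the file back would not plan until those are restored. The third hunk also adds `lifecycle_policy_keep_count = 3` to a `module "images"` block that Terraform no longer loads, so the change is never exercised. Either delete the file (history keeps it) or put a header comment on its first line stating why it is parked and what must come back to re-enable it, e.g. `# DISABLED (.off): needs var.kubectl_image_tag and the kubectl outputs removed in 0.1.1; see git history`. The `module "images"` block the third hunk edits starts outside the hunk.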
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: eks-console-full-access
+description: A Helm chart for Kubernetes to install aws console access for eks
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/eks-console-full-access/templates/_helpers.tpl b/eks-console-full-access/templates/_helpers.tpl
new file mode 100644
index 0000000..8fca6cc
--- /dev/null
+++ b/eks-console-full-access/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "eks-console-full-access.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "eks-console-full-access.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "eks-console-full-access.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "eks-console-full-access.labels" -}}
+helm.sh/chart: {{ include "eks-console-full-access.chart" . }}
+{{ include "eks-console-full-access.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "eks-console-full-access.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "eks-console-full-access.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "eks-console-full-access.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "eks-console-full-access.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/eks-console-full-access/templates/binding-rbac.yaml b/eks-console-full-access/templates/binding-rbac.yaml
new file mode 100644
index 0000000..7f19abc
--- /dev/null
+++ b/eks-console-full-access/templates/binding-rbac.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "eks-console-full-access.fullname" . }}-binding
+ labels:
+ {{- include "eks-console-full-access.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ include "eks-console-full-access.fullname" . }}-clusterrole'
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: eks-console-dashboard-full-access-group
+ namespace: '{{ .Release.Namespace }}'
diff --git a/eks-console-full-access/templates/clusterrole-rbac.yaml b/eks-console-full-access/templates/clusterrole-rbac.yaml
new file mode 100644
index 0000000..f1613b2
--- /dev/null
+++ b/eks-console-full-access/templates/clusterrole-rbac.yaml
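Review bot: The `Group` subject at the end of the ClusterRoleBinding carries `namespace: '{{ .Release.Namespace }}'`, but a subject `namespace` only applies to `kind: ServiceAccount`; for a `Group` the RBAC API reference says a non-empty value is an error condition, and in any case it does not scope a ClusterRoleBinding, so the line suggests a namespace restriction that does not exist. Drop the `namespace:` line from the subject. The group name `eks-console-dashboard-full-access-group` is hard-coded while the mapping that puts identities into that group lives outside this chart; lifting it into `values.yaml` would let the cluster-wide grant and the matching EKS access entry or aws-auth mapping be reviewed together. The same `namespace` on a `Group` subject appears in the restricted chart's `clusterrole-binding-rbac.yaml` and `role-binding-rbac.yaml`.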
@@ -0,0 +1,107 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "eks-console-full-access.fullname" . }}-clusterrole
+ labels:
+ {{- include "eks-console-full-access.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - namespaces
+ - pods
+ - configmaps
+ - endpoints
+ - events
+ - limitranges
+ - persistentvolumeclaims
+ - podtemplates
+ - replicationcontrollers
+ - resourcequotas
+ - secrets
+ - serviceaccounts
+ - services
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - statefulsets
+ - replicasets
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ - cronjobs
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - ingresses
+ - networkpolicies
+ - replicasets
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - networkpolicies
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ - roles
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - csistoragecapacities
+ verbs:
+ - get
+ - list
diff --git a/eks-console-full-access/values.yaml b/eks-console-full-access/values.yaml
new file mode 100644
index 0000000..e4779cd
--- /dev/null
+++ b/eks-console-full-access/values.yaml
@@ -0,0 +1 @@
+kubernetesClusterDomain: cluster.local
diff --git a/eks-console-restricted-access/.helmignore b/eks-console-restricted-access/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
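Review bot: The first rule of the ClusterRole grants `get` and `list` on `secrets` in the core group across every namespace, which for any member of the bound group amounts to reading every credential stored in the cluster (service-account tokens, chart-generated passwords, pulled registry credentials); it is the broadest grant in the file and nothing in the chart calls it out. If this is intentional (it presumably mirrors the AWS-published console manifest the old `http` data source fetched), mark it at the rule with a comment such as `# secrets: cluster-wide read, i.e. full credential disclosure to this group - keep membership minimal` and consider gating `- secrets` behind a value that defaults to off; otherwise remove it and confirm the console views still render. The `extensions` rule further down lists resources that no longer exist under that group on current Kubernetes releases, so it is dead weight worth pruning. The restricted chart's `role-rbac.yaml` grants the same `secrets` read within its namespace and deserves the same comment.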
+++ b/eks-console-restricted-access/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/eks-console-restricted-access/Chart.yaml b/eks-console-restricted-access/Chart.yaml
new file mode 100644
index 0000000..03fca01
--- /dev/null
+++ b/eks-console-restricted-access/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: eks-console-restricted-access
+description: A Helm chart for Kubernetes to install eks console access in aws
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/eks-console-restricted-access/templates/_helpers.tpl b/eks-console-restricted-access/templates/_helpers.tpl
new file mode 100644
index 0000000..c1918ee
--- /dev/null
+++ b/eks-console-restricted-access/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "eks-console-restricted-access.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "eks-console-restricted-access.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "eks-console-restricted-access.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "eks-console-restricted-access.labels" -}}
+helm.sh/chart: {{ include "eks-console-restricted-access.chart" . }}
+{{ include "eks-console-restricted-access.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "eks-console-restricted-access.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "eks-console-restricted-access.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "eks-console-restricted-access.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "eks-console-restricted-access.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/eks-console-restricted-access/templates/clusterrole-binding-rbac.yaml b/eks-console-restricted-access/templates/clusterrole-binding-rbac.yaml
new file mode 100644
index 0000000..86910b3
--- /dev/null
+++ b/eks-console-restricted-access/templates/clusterrole-binding-rbac.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "eks-console-restricted-access.fullname" . }}-clusterrole-binding
+ labels:
+ {{- include "eks-console-restricted-access.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ include "eks-console-restricted-access.fullname" . }}-clusterrole'
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: eks-console-dashboard-restricted-access-group
+ namespace: '{{ .Release.Namespace }}'
diff --git a/eks-console-restricted-access/templates/clusterrole-rbac.yaml b/eks-console-restricted-access/templates/clusterrole-rbac.yaml
new file mode 100644
index 0000000..bdb4739
--- /dev/null
+++ b/eks-console-restricted-access/templates/clusterrole-rbac.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "eks-console-restricted-access.fullname" . }}-clusterrole
+ labels:
+ {{- include "eks-console-restricted-access.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ - namespaces
+ verbs:
+ - get
+ - list
diff --git a/eks-console-restricted-access/templates/role-binding-rbac.yaml b/eks-console-restricted-access/templates/role-binding-rbac.yaml
new file mode 100644
index 0000000..84cc221
--- /dev/null
+++ b/eks-console-restricted-access/templates/role-binding-rbac.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "eks-console-restricted-access.fullname" . }}-role-binding
+ labels:
+ {{- include "eks-console-restricted-access.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: '{{ include "eks-console-restricted-access.fullname" . }}-role'
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: eks-console-dashboard-restricted-access-group
+ namespace: '{{ .Release.Namespace }}'
diff --git a/eks-console-restricted-access/templates/role-rbac.yaml b/eks-console-restricted-access/templates/role-rbac.yaml
new file mode 100644
index 0000000..63dbd0a
--- /dev/null
+++ b/eks-console-restricted-access/templates/role-rbac.yaml
@@ -0,0 +1,105 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "eks-console-restricted-access.fullname" . }}-role
+ labels:
+ {{- include "eks-console-restricted-access.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ - endpoints
+ - events
+ - limitranges
+ - persistentvolumeclaims
+ - podtemplates
+ - replicationcontrollers
+ - resourcequotas
+ - secrets
+ - serviceaccounts
+ - services
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ - statefulsets
+ - replicasets
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ - cronjobs
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - ingresses
+ - networkpolicies
+ - replicasets
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - networkpolicies
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ - roles
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - csistoragecapacities
+ verbs:
+ - get
+ - list
diff --git a/eks-console-restricted-access/values.yaml b/eks-console-restricted-access/values.yaml
new file mode 100644
index 0000000..e4779cd
--- /dev/null
+++ b/eks-console-restricted-access/values.yaml
@@ -0,0 +1 @@
+kubernetesClusterDomain: cluster.local
diff --git a/eks_console_access.tf b/eks_console_access.tf
index a8a0637..d93964b 100644
--- a/eks_console_access.tf
+++ b/eks_console_access.tf
@@ -21,34 +21,17 @@ locals {
 {
 name = "eks-console-restricted-access"
 url = "https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-restricted-access.yaml"
- enabled = false
+ enabled = true
 },
 ]
- cluster_roles_map = { for cr in local.cluster_roles : cr.name => cr }
-}
-
-
-data "http" "cluster_roles" {
- for_each = local.cluster_roles_map
- url = each.value.url
+ cluster_roles_map = { for cr in local.cluster_roles : cr.name => cr if cr.enabled }
 }
-data "kubectl_file_documents" "access_documents" {
- for_each = { for k, v in local.cluster_roles_map : k => v if v.enabled }
-
- content = data.http.cluster_roles[each.key].body
-}
-
-locals {
- all_access_documents = flatten([
- for cr_name, cr_data in local.cluster_roles_map : [
- for doc in data.kubectl_file_documents.access_documents[cr_name].manifests : doc
- ] if cr_data.enabled
- ])
-}
-
-resource "kubectl_manifest" "deploy_cluster_roles" {
- count = length(local.all_access_documents)
-
- yaml_body = local.all_access_documents[count.index]
+resource "helm_release" "console_access" {
+ for_each = local.cluster_roles_map
+ chart = each.key
+ name = each.key
+ namespace = "default"
+ version = var.release_version
+ repository = "./"
 }
diff --git a/main.tf b/main.tf
index 09b0604..dfa9dc5 100644
--- a/main.tf
+++ b/main.tf
@@ -1,9 +1,3 @@
-data "aws_ebs_default_kms_key" "current" {}
-
-data "aws_kms_key" "ebs_key" {
- key_id = data.aws_ebs_default_kms_key.current.key_arn
-}
-
 locals {
 base_tags = {
 "eks-cluster-name" = var.cluster_name
diff --git a/outputs.tf b/outputs.tf
index ab60443..d5e5656 100644
--- a/outputs.tf
+++ b/outputs.tf
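Review bot: `repository = "./"` combined with `chart = each.key` resolves the chart directory relative to where `terraform` is run, not relative to this file; the README presents this as a module (`tfmod-eks-configuration`) consumed from other roots, and from such a root `./eks-console-full-access` does not exist and the release fails at plan. Point at the module's own copy instead, `chart = "${path.module}/${each.key}"`, and drop `repository`. `namespace = "default"` is also hard-coded, and since the restricted chart's Role and RoleBinding are scoped to `.Release.Namespace`, the "restricted" group's read access (including `secrets`) is silently pinned to the `default` namespace; expose the namespace as a variable or state the coupling in a comment on that line. The `url` entries in `local.cluster_roles` are no longer read by anything in the hunk, so they are stale data worth removing or commenting as provenance. The `locals` block this hunk edits starts outside the hunk.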
@@ -25,27 +25,3 @@ output "rwx_storage_class" {
 description = "Kubernetes storage class that supports read/write many."
 value = kubernetes_storage_class.efs_sc.metadata[0].name
 }
-
-################################################################################
-# Details about kubectl image
-################################################################################
-
-output "kubectl_image_full_path" {
- description = "The full URI to access the kubectl image including the registry/repository:tag"
- value = module.images.images[local.kubectl_key].dest_full_path
-}
-
-output "kubectl_image_registry" {
- description = "The registry portion of the URI to access the kubectl image"
- value = module.images.images[local.kubectl_key].dest_registry
-}
-
-output "kubectl_image_repository" {
- description = "The repository portion of the URI to access the kubectl image"
- value = module.images.images[local.kubectl_key].dest_repository
-}
-
-output "kubectl_image_tag" {
- description = "The tag portion of the URI to access the kubectl image"
- value = module.images.images[local.kubectl_key].tag
-}
diff --git a/requirements.tf b/requirements.tf
index 48cbf58..ae62e15 100644
--- a/requirements.tf
+++ b/requirements.tf
@@ -6,18 +6,13 @@ terraform {
 source = "hashicorp/aws"
 version = ">= 5.14.0"
 }
- http = {
- source = "hashicorp/http"
- version = ">= 2.1.0"
- }
- kubectl = {
- source = "gavinbunney/kubectl"
- version = ">= 1.14.0"
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.11.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
 version = ">= 2.23.0"
 }
-
 }
}
diff --git a/variables.tf b/variables.tf
index 5c4c702..4fad9b2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -9,12 +9,6 @@ variable "region" {
 type = string
 }
-variable "profile" {
- description = "AWS config profile"
- type = string
- default = ""
-}
-
 variable "vpc_id" {
 description = "Specify the VPC id that is used by this cluster"
 type = string
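Review bot: The new `helm` requirement `version = ">= 2.11.0"` in requirements.tf has no upper bound, so a fresh `terraform init` without a lock file will resolve to the provider's next major version, whose 3.0 line moved to a different provider-configuration syntax (worth confirming against the provider changelog before relying on it); the README's provider table shows 2.17.0 is what this module was exercised with. Consider `version = ">= 2.11.0, < 3.0.0"` until the module is verified against 3.x, and commit the dependency lock file if it is not already tracked.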
@@ -30,18 +24,6 @@ variable "security_group_all_worker_mgmt_id" {
 type = string
 }
-# tflint-ignore: terraform_unused_declarations
-variable "eks_managed_node_groups_autoscaling_group_names" {
- description = "List of the autoscaling group names created by EKS managed node groups"
- type = list(string)
-}
-
-# tflint-ignore: terraform_unused_declarations
-variable "oidc_provider_arn" {
- description = "The ARN of the OIDC Provider if `enable_irsa = true`"
- type = string
-}
-
 variable "operators_ns" {
 description = "Namespace to create where operators will be installed."
 type = string
@@ -60,23 +42,7 @@ variable "tags" {
 default = {}
 }
-variable "kubectl_image_tag" {
- description = "The version of bitnami/kubectl image to use."
+variable "release_version" {
+ description = "The version of helm charts to use"
 type = string
- default = "1.30.4"
 }
-
-# # helm add repo autoscaler "https://kubernetes.github.io/autoscaler"
-# # helm search repo -l autoscaler/cluster-autoscaler
-# variable "cluster_autoscaler_chart_version" {
-# description = "The helm chart of the cluster-autoscaler most closely matching the Kuberentes version. Review output of `helm add repo autoscaler 'https://kubernetes.github.io/autoscaler'` (if the repo hasn't been added previously) and `helm search repo -l autoscaler/cluster-autoscaler`"
-# type = string
-# default = "9.37.0"
-# }
-
-# # helm show values --version [cluster_autoscaler_chart_version] autoscaler/cluster-autoscaler | grep tag:
-# variable "cluster_autoscaler_tag" {
-# description = "Image tag of cluster-autoscaler associated with the cluster_autoscaler_chart_version helm chart. `helm show values --version [cluster_autoscaler_chart_version] autoscaler/cluster-autoscaler | grep tag:`"
-# type = string
-# default = "v1.30.0"
-# }
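Review bot: `variable "release_version"` in the last hunk is required with no `default` and no `validation`, and its description "The version of helm charts to use" does not say what is accepted: both charts added in this commit declare `version: 0.1.0` in their `Chart.yaml`, and the one variable feeds both `helm_release` instances, so the two charts can only ever be bumped in lockstep. Tighten the description, e.g. `description = "Chart version passed to helm_release for both eks-console-* charts; must match the version: field in each chart's Chart.yaml"`, and consider a `validation` block with a semver `regex` so a typo fails at plan rather than at install.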