From b684883b23492284552eca657082acccdaa86680 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 19:27:26 -0400 Subject: [PATCH 01/29] move data items to aws_data.tf --- aws_data.tf | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/aws_data.tf b/aws_data.tf index 2c6aade..1402bc0 100644 --- a/aws_data.tf +++ b/aws_data.tf @@ -3,3 +3,31 @@ data "aws_caller_identity" "current" {} data "aws_arn" "current" { arn = data.aws_caller_identity.current.arn } +data "aws_vpc" "eks_vpc" { + filter { + name = "tag:Name" + values = [var.vpc_name] + } +} + +data "aws_subnets" "subnets" { + filter { + name = "tag:Name" + values = [var.subnets_name] + } + filter { + name = "vpc-id" + values = [data.aws_vpc.eks_vpc.id] + } +} + +data "aws_subnet" "subnets" { + for_each = toset(data.aws_subnets.subnets.ids) + id = each.key +} + +data "aws_ebs_default_kms_key" "current" {} + +data "aws_kms_key" "ebs_key" { + key_id = data.aws_ebs_default_kms_key.current.key_arn +} From 8dc600300153f4d8980846e5e6fce20ed1e7b94c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 19:27:53 -0400 Subject: [PATCH 02/29] update irsa role names --- irsa_roles.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/irsa_roles.tf b/irsa_roles.tf index a1129b5..ee75c98 100644 --- a/irsa_roles.tf +++ b/irsa_roles.tf @@ -2,7 +2,7 @@ module "vpc_cni_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - role_name = "${var.cluster_name}-vpc-cni" + role_name = format("%v%v-%v", local.prefixes["eks-role"], var.cluster_name, "vpc-cni") attach_vpc_cni_policy = true vpc_cni_enable_ipv4 = true 
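Review bot: The five data blocks added to aws_data.tf (aws_vpc.eks_vpc, aws_subnets.subnets, aws_subnet.subnets, aws_ebs_default_kms_key.current, aws_kms_key.ebs_key) are still declared in main.tf until the `@@ -1,31 +1,3 @@` hunk of PATCH 04 removes them, so on this commit and the next two `terraform validate` rejects the module with duplicate data resource errors. Doing the add and the removal in one commit keeps every commit in the series applyable and bisectable. A one-line header on the new file would also help readers, e.g. `# Lookups of the pre-existing VPC, subnets and default EBS KMS key the cluster is placed into`.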
@@ -20,7 +20,7 @@ module "vpc_cni_irsa_role" { module "ebs_csi_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - role_name = "${var.cluster_name}-ebs-csi-driver" + role_name = format("%v%v-%v", local.prefixes["eks-role"], var.cluster_name, "ebs-csi-driver") attach_ebs_csi_policy = true oidc_providers = { @@ -36,7 +36,7 @@ module "ebs_csi_irsa_role" { module "efs_csi_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - role_name = "${var.cluster_name}-efs-csi-driver" + role_name = format("%v%v-%v", local.prefixes["eks-role"], var.cluster_name, "efs-csi-driver") attach_efs_csi_policy = true oidc_providers = { @@ -52,7 +52,7 @@ module "efs_csi_irsa_role" { module "cloudwatch_observability_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - role_name = "${var.cluster_name}-cloudwatch-observability" + role_name = format("%v%v-%v", local.prefixes["eks-role"], var.cluster_name, "cloudwatch-observability") attach_cloudwatch_observability_policy = true oidc_providers = { From 0e6d0fe57ee62e8fbc448a9cdb9241b762c0ac3c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 19:42:37 -0400 Subject: [PATCH 03/29] update sg naming --- security_groups.tf | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/security_groups.tf b/security_groups.tf index 6683944..f19e47a 100644 --- a/security_groups.tf +++ b/security_groups.tf 
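Review bot: The new `role_name` values have no length guard: IAM role names are capped at 64 characters, and `r-eks-` plus `var.cluster_name` plus `-cloudwatch-observability` leaves roughly 33 characters for the cluster name, which is only discovered at apply time unless cluster_name is validated elsewhere in the module. A `validation` block on `cluster_name` bounded to the longest suffix would surface it at plan. Style-wise, all four hunks pass the fixed suffix as a format argument; `format("%v%v-vpc-cni", local.prefixes["eks-role"], var.cluster_name)` is shorter and matches the `iam_role_name` form used in main.tf in PATCH 04.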
@@ -50,15 +50,11 @@ resource "aws_security_group" "additional_eks_cluster_sg" { aws_security_group.all_worker_mgmt.id, ] } - # this grants in-VPC access to the K8S api - # updated to get all census private cidrs to get on-prem, as we are now sending the interface traffic over - # a private IP only (disabling public access). This is to reach a cluster api from another account and VPC - # so we open all the cloud accounts too + ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - # cidr_blocks = [ var.vpc_cidr_block ] + from_port = 443 + to_port = 443 + protocol = "tcp" cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) } From f8bc8d7845df3ad014bdbcb5f07b6555276727a1 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 19:42:54 -0400 Subject: [PATCH 04/29] use updated prefixes --- README.md | 2 +- main.tf | 32 ++------------------------------ prefixes.tf | 2 +- 3 files changed, 4 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index a450348..d67d537 100644 --- a/README.md +++ b/README.md @@ -111,7 +111,7 @@ efs-csi-controller 0 5m | Name | Source | Version | |------|--------|---------| | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | -| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.33.1 | +| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.34.0 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a | 
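Review bot: The rationale comment above the 443 ingress in additional_eks_cluster_sg is deleted while the rule it explained — API access from `concat(var.census_private_cidr, ["10.0.0.0/8"])` — stays, so the next reader sees an allow for the whole 10/8 with no stated reason. Keep a one-line version of it: `# K8s API (443) from Census private ranges plus all cloud-account VPCs (10/8) so clusters are reachable cross-account over private IPs`. The enclosing resource starts before this hunk.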
diff --git a/main.tf b/main.tf index 709cb98..907f035 100644 --- a/main.tf +++ b/main.tf @@ -1,31 +1,3 @@ -data "aws_vpc" "eks_vpc" { - filter { - name = "tag:Name" - values = [var.vpc_name] - } -} - -data "aws_subnets" "subnets" { - filter { - name = "tag:Name" - values = [var.subnets_name] - } - filter { - name = "vpc-id" - values = [data.aws_vpc.eks_vpc.id] - } -} - -data "aws_subnet" "subnets" { - for_each = toset(data.aws_subnets.subnets.ids) - id = each.key -} - -data "aws_ebs_default_kms_key" "current" {} - -data "aws_kms_key" "ebs_key" { - key_id = data.aws_ebs_default_kms_key.current.key_arn -} locals { additional_policies = {} @@ -55,7 +27,7 @@ resource "terraform_data" "subnet_validation" { } module "cluster" { - source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.33.1" + source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.34.0" cluster_name = var.cluster_name cluster_version = var.cluster_version @@ -124,7 +96,7 @@ module "cluster" { max_size = var.eks_ng_max_size desired_size = var.eks_ng_desired_size - iam_role_name = local.ng_name + iam_role_name = format("%v%v-nodegroup", local.prefixes["eks-role"], var.cluster_name) iam_role_additional_policies = local.additional_policies block_device_mappings = { diff --git a/prefixes.tf b/prefixes.tf index f677e0a..ac7b000 100644 --- a/prefixes.tf +++ b/prefixes.tf @@ -29,6 +29,6 @@ locals { "eks-user" = "s-eks-" "eks-role" = "r-eks-" "eks-policy" = "p-eks-" - "eks-security-group" = "eks-" # "sg-eks-" + "eks-security-group" = "sg-eks-" # "sg-eks-" } } From e3220fb9ea1c6416e869ddea5cbe80f8349ba802 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 19:44:20 -0400 Subject: [PATCH 05/29] cannot start with sg --- prefixes.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/prefixes.tf b/prefixes.tf index ac7b000..4e2709e 100644 --- a/prefixes.tf +++ b/prefixes.tf 
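Review bot: `iam_role_name` in the last main.tf hunk now builds its value inline with `format("%v%v-nodegroup", local.prefixes["eks-role"], var.cluster_name)` instead of `local.ng_name`, so `ng_name` is presumably left as a dead local unless something outside these hunks still references it; drop it if so. The first hunk removes the data blocks that PATCH 01 duplicated into aws_data.tf, which completes that move. The `locals` block the change touches continues outside the hunk.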
@@ -29,6 +29,6 @@ locals { "eks-user" = "s-eks-" "eks-role" = "r-eks-" "eks-policy" = "p-eks-" - "eks-security-group" = "sg-eks-" # "sg-eks-" + "eks-security-group" = "eks-sg-" # "sg-eks-" } } From 2085f9c55085204668587aa932b853746e715688 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 20:28:11 -0400 Subject: [PATCH 06/29] enable private access --- README.md | 1 + main.tf | 2 ++ variables.tf | 6 ++++++ 3 files changed, 9 insertions(+) diff --git a/README.md b/README.md index d67d537..2271ec6 100644 --- a/README.md +++ b/README.md @@ -143,6 +143,7 @@ efs-csi-controller 0 5m |------|-------------|------|---------|:--------:| | [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
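Review bot: The trailing `# "sg-eks-"` comment on the eks-security-group prefix is now stale — it repeats the value this commit rejects — and the actual reason lives only in the commit subject. Replace it with the constraint so the prefix is not "fixed" back later: `"eks-security-group" = "eks-sg-" # AWS rejects security group names that begin with "sg-"`.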
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | +| [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Whether the EKS cluster API server endpoint is privately accessible | `bool` | `true` | no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes | diff --git a/main.tf b/main.tf index 907f035..958476e 100644 --- a/main.tf +++ b/main.tf @@ -32,6 +32,7 @@ module "cluster" { cluster_name = var.cluster_name cluster_version = var.cluster_version cluster_endpoint_public_access = var.cluster_endpoint_public_access + cluster_endpoint_private_access = var.cluster_endpoint_private_access enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions access_entries = local.access_entries @@ -42,6 +43,7 @@ module "cluster" { "controllerManager", "scheduler", ] + cloudwatch_log_group_retention_in_days = "14" vpc_id = local.vpc_id subnet_ids = local.subnets diff --git a/variables.tf b/variables.tf index 4153048..527a25e 100644 --- a/variables.tf +++ b/variables.tf @@ -16,6 +16,12 @@ variable "cluster_version" { } } +variable "cluster_endpoint_private_access" { + description = "Whether the EKS cluster API server endpoint is privately accessible" + type = bool + default = true +} + variable "cluster_endpoint_public_access" { description = "Whether the EKS cluster API server endpoint is publicly accessible" type = bool From ddd6d641bef7fd0230f26057d350d30ac9324286 Mon Sep 17 00:00:00 2001 
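Review bot: `cloudwatch_log_group_retention_in_days = "14"` in the second main.tf hunk is a hard-coded string literal beside settings that are all variable-driven, and 14 days is a short window for the control-plane log types enabled just above it, which are the record an incident investigation relies on. Expose it as a `number` variable with a documented default, `cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days`, so environments needing longer retention can set it without editing the module. The `cluster_endpoint_private_access` wiring in the first hunk looks right; the module block continues outside both hunks.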
From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 20:47:06 -0400 Subject: [PATCH 07/29] align with upstream --- README.md | 3 ++- security_groups.tf | 67 +++++++++++++++++++++++++++++++++++++++++----- variables.tf | 2 +- 3 files changed, 63 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 2271ec6..efeafc5 100644 --- a/README.md +++ b/README.md @@ -123,6 +123,7 @@ efs-csi-controller 0 5m | [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | @@ -142,7 +143,7 @@ efs-csi-controller 0 5m | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | -| [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | +| [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16",
"10.0.0.0/16"
]
| no | | [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Whether the EKS cluster API server endpoint is privately accessible | `bool` | `true` | no | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | diff --git a/security_groups.tf b/security_groups.tf index f19e47a..f14eae0 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -4,6 +4,47 @@ locals { additional_eks_cluster_sg_name = format("%v%v-cluster", local.prefixes["eks-security-group"], var.cluster_name) } +resource "aws_security_group" "additional_eks_cluster_sg" { + name = local.additional_eks_cluster_sg_name + + tags = merge( + local.base_tags, + var.tags, + tomap({ "Name" = local.additional_eks_cluster_sg_name }), + ) + + vpc_id = data.aws_vpc.eks_vpc.id + + ingress { + from_port = 0 + to_port = 0 + protocol = -1 + + security_groups = [ + aws_security_group.all_worker_mgmt.id, + ] + } + + # in-VPC access to K8s API + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + lifecycle { + ignore_changes = [ingress, egress] + } +} + + resource "aws_security_group" "all_worker_mgmt" { name = local.all_worker_mgmt_name 
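Review bot: `lifecycle { ignore_changes = [ingress, egress] }` on additional_eks_cluster_sg makes Terraform blind to rule drift: a rule added or widened outside Terraform is never reported by plan nor reverted by apply, so this file stops describing what is actually open on the group. The same block is added to all_worker_mgmt and extra_cluster_sg in the following hunks. If the intent is to tolerate rules the EKS module or operators add, manage those as separate `aws_security_group_rule` resources instead; if the ignore must stay, record why next to it, e.g. `# ignore_changes: rules on this group are also managed outside Terraform (by whom/why); drift is not detected`. The inline `protocol = -1` here is also unquoted while the egress block uses `"-1"`.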
@@ -28,15 +69,19 @@ resource "aws_security_group" "all_worker_mgmt" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } + lifecycle { + ignore_changes = [ingress, egress] + } } -resource "aws_security_group" "additional_eks_cluster_sg" { - name = local.additional_eks_cluster_sg_name +resource "aws_security_group" "extra_cluster_sg" { + name = format("%v%v-extra", local._prefixes["eks-security-group"], var.cluster_name) + description = format("Security group for additional access for EKS cluster %v", var.cluster_name) tags = merge( local.base_tags, var.tags, - tomap({ "Name" = local.additional_eks_cluster_sg_name }), + { "Name" = format("%v%v-extra", local._prefixes["eks-security-group"], var.cluster_name) }, ) vpc_id = data.aws_vpc.eks_vpc.id @@ -45,10 +90,7 @@ resource "aws_security_group" "additional_eks_cluster_sg" { from_port = 0 to_port = 0 protocol = -1 - - security_groups = [ - aws_security_group.all_worker_mgmt.id, - ] + self = true } ingress { @@ -58,10 +100,21 @@ resource "aws_security_group" "additional_eks_cluster_sg" { cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) } + # kubectl logs + ingress { + from_port = 10250 + to_port = 10250 + protocol = "tcp" + cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"]) + } + egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } + lifecycle { + ignore_changes = [ingress, egress] + } } diff --git a/variables.tf b/variables.tf index 527a25e..50af93f 100644 --- a/variables.tf +++ b/variables.tf @@ -133,7 +133,7 @@ variable "access_entries" { variable "census_private_cidr" { description = "Census Private CIR Blocks" type = list(string) - default = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"] + default = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/16"] validation { condition = alltrue([ for cidr in var.census_private_cidr : can(cidrhost(cidr, 0)) From 520dbb21537d31bb2953908067d47a444b9f688b Mon Sep 17 00:00:00 2001 
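Review bot: The new 10250 ingress on extra_cluster_sg opens the kubelet API to every address in `var.census_private_cidr` and `10.0.0.0/8`, but `kubectl logs` reaches the kubelet through the API server, whose traffic to nodes originates from the cluster's own security groups, not from client networks — and `node_security_group_enable_recommended_rules` is already set on the module. Scope the rule to the cluster/node security group ids the cluster module exports via `security_groups = [...]` instead of `cidr_blocks`, or extend the `# kubectl logs` comment to name the out-of-VPC caller that genuinely needs kubelet access. Note also that the `10.0.0.0/16` added to the `census_private_cidr` default in the variables.tf hunk is already covered by the hard-coded `10.0.0.0/8` concat here.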
From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 21:04:48 -0400 Subject: [PATCH 08/29] fix typo --- security_groups.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security_groups.tf b/security_groups.tf index f14eae0..6d4a61c 100644 --- a/security_groups.tf +++ b/security_groups.tf @@ -75,13 +75,13 @@ resource "aws_security_group" "all_worker_mgmt" { } resource "aws_security_group" "extra_cluster_sg" { - name = format("%v%v-extra", local._prefixes["eks-security-group"], var.cluster_name) + name = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name) description = format("Security group for additional access for EKS cluster %v", var.cluster_name) tags = merge( local.base_tags, var.tags, - { "Name" = format("%v%v-extra", local._prefixes["eks-security-group"], var.cluster_name) }, + { "Name" = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name) }, ) vpc_id = data.aws_vpc.eks_vpc.id From 6c60a5ead37136c72959a29296240a79e3ea35bf Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 21:10:19 -0400 Subject: [PATCH 09/29] enable admin for creator --- README.md | 2 +- variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index efeafc5..46a7476 100644 --- a/README.md +++ b/README.md 
@@ -153,7 +153,7 @@ efs-csi-controller 0 5m | [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Desired size of the EKS node group | `number` | `4` | no | | [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Maximum size of the EKS node group | `number` | `15` | no | | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Minimum size of the EKS node group | `number` | `4` | no | -| [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Grant admin permissions to the cluster creator | `bool` | `false` | no | +| [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Grant admin permissions to the cluster creator | `bool` | `true` | no | | [subnets\_name](#input\_subnets\_name) | Name pattern for subnets to be used by EKS cluster | `string` | `"*-container-*"` | no | | [tags](#input\_tags) | Additional tags to apply to all resources | `map(string)` | `{}` | no | | [vpc\_name](#input\_vpc\_name) | Name of the VPC where EKS cluster will be created | `string` | n/a | yes | diff --git a/variables.tf b/variables.tf index 50af93f..a9b4fb7 100644 --- a/variables.tf +++ b/variables.tf @@ -31,7 +31,7 @@ variable "cluster_endpoint_public_access" { variable "enable_cluster_creator_admin_permissions" { description = "Grant admin permissions to the cluster creator" type = bool - default = false + default = true } variable "vpc_name" { From f01790337ea3e06256c1fa6197fdc0cc3015fdc9 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 21:38:41 -0400 Subject: [PATCH 10/29] public with cird restricts --- README.md | 2 +- variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 46a7476..457f0b5 100644 --- a/README.md +++ b/README.md 
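Review bot: Flipping `enable_cluster_creator_admin_permissions` to `true` by default grants cluster-admin to whichever IAM principal runs `terraform apply` — in a pipeline that is the CI role — and the resulting access entry outlives the apply. A privileged default is easier to audit when it is opt-in; if it must be true for bootstrap, say so in the description: `Grant admin permissions to the IAM principal applying this module (default true for bootstrap; set false once access_entries cover operators)`.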
@@ -145,7 +145,7 @@ efs-csi-controller 0 5m | [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16",
"10.0.0.0/16"
]
| no | | [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Whether the EKS cluster API server endpoint is privately accessible | `bool` | `true` | no | -| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `false` | no | +| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `true` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no | diff --git a/variables.tf b/variables.tf index a9b4fb7..c8caa39 100644 --- a/variables.tf +++ b/variables.tf @@ -25,7 +25,7 @@ variable "cluster_endpoint_private_access" { variable "cluster_endpoint_public_access" { description = "Whether the EKS cluster API server endpoint is publicly accessible" type = bool - default = false + default = true } variable "enable_cluster_creator_admin_permissions" { From e03e47255ecab3983b7db15aea52218e4d26500a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 21:43:01 -0400 Subject: [PATCH 11/29] set support to standard --- main.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/main.tf b/main.tf index 958476e..f9130cc 100644 --- a/main.tf +++ b/main.tf @@ -44,6 +44,9 @@ module "cluster" { "scheduler", ] cloudwatch_log_group_retention_in_days = "14" + upgrade_policy = { + support_type = "STANDARD" + } vpc_id = local.vpc_id subnet_ids = local.subnets From 847b4e7fd7946657813a045400c1dfc430302f7c Mon Sep 17 00:00:00 2001 
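Review bot: The default for `cluster_endpoint_public_access` becomes `true` in the variables.tf hunk, but nothing in the change sets a public-access CIDR list, so unless the cluster module already restricts it the endpoint defaults to being reachable from `0.0.0.0/0` — which contradicts the commit subject's "cird restricts". Add the restriction in the same change, a `cluster_endpoint_public_access_cidrs` variable wired into module "cluster" with the Census ranges as default, or keep the default at false and let callers opt in. The README row in the other hunk should then document that input as well.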
From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 21:44:58 -0400 Subject: [PATCH 12/29] syntax --- main.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/main.tf b/main.tf index f9130cc..f092612 100644 --- a/main.tf +++ b/main.tf @@ -44,10 +44,9 @@ module "cluster" { "scheduler", ] cloudwatch_log_group_retention_in_days = "14" - upgrade_policy = { + upgrade_policy { support_type = "STANDARD" } - vpc_id = local.vpc_id subnet_ids = local.subnets From 405c35d3e70399a293e8f678910941d3565cfdae Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 21:47:37 -0400 Subject: [PATCH 13/29] fmt --- main.tf | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index f092612..91a9501 100644 --- a/main.tf +++ b/main.tf @@ -35,7 +35,7 @@ module "cluster" { cluster_endpoint_private_access = var.cluster_endpoint_private_access enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions access_entries = local.access_entries - + cluster_upgrade_policy = "STANDARD" cluster_enabled_log_types = [ "api", "audit", @@ -44,9 +44,7 @@ module "cluster" { "scheduler", ] cloudwatch_log_group_retention_in_days = "14" - upgrade_policy { - support_type = "STANDARD" - } + vpc_id = local.vpc_id subnet_ids = local.subnets From 25f1d9999fadc256314fe377f148fccf020ba410 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 22:00:56 -0400 Subject: [PATCH 14/29] maybe --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 91a9501..ae2bf73 100644 --- a/main.tf +++ b/main.tf 
@@ -35,7 +35,7 @@ module "cluster" { cluster_endpoint_private_access = var.cluster_endpoint_private_access enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions access_entries = local.access_entries - cluster_upgrade_policy = "STANDARD" + cluster_upgrade_policy = { support_type = "STANDARD" } cluster_enabled_log_types = [ "api", "audit", From 433ec046f28e5b581336a116de04378f4eb68201 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 22:29:46 -0400 Subject: [PATCH 15/29] try arm --- README.md | 2 +- main.tf | 2 +- variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 457f0b5..cd70304 100644 --- a/README.md +++ b/README.md @@ -149,7 +149,7 @@ efs-csi-controller 0 5m | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no | -| [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` |
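Review bot: `cluster_upgrade_policy = { support_type = "STANDARD" }` lands after three syntax attempts with no note on what the choice means operationally. A short comment saves the next reader the lookup: `# STANDARD: no extended-support billing; the control plane is auto-upgraded once its version leaves standard support`. The module block continues outside the hunk.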
[
"t3a.large"
]
| no | +| [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` |
[
"t4g.medium"
]
| no | | [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Desired size of the EKS node group | `number` | `4` | no | | [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Maximum size of the EKS node group | `number` | `15` | no | | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Minimum size of the EKS node group | `number` | `4` | no | diff --git a/main.tf b/main.tf index ae2bf73..3983d0a 100644 --- a/main.tf +++ b/main.tf @@ -80,7 +80,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET_x86_64" + ami_type = "BOTTLEROCKET_ARM_64_FIPS" } node_security_group_enable_recommended_rules = true diff --git a/variables.tf b/variables.tf index c8caa39..8f65969 100644 --- a/variables.tf +++ b/variables.tf @@ -67,7 +67,7 @@ variable "eks_instance_types" { description = "List of EC2 instance types for the EKS node group" type = list(string) default = [ - "t3a.large" + "t4g.medium" ] validation { condition = length(var.eks_instance_types) > 0 From 7721141c1545ff7c4a3cc6824c192ba2a6ca2310 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 22:31:17 -0400 Subject: [PATCH 16/29] not fips --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 3983d0a..152f369 100644 --- a/main.tf +++ b/main.tf @@ -80,7 +80,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET_ARM_64_FIPS" + ami_type = "BOTTLEROCKET_ARM_64" } node_security_group_enable_recommended_rules = true From 042bc93deeddf149a0e163793bb71983043b9684 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 23:38:26 -0400 Subject: [PATCH 17/29] nop --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index 152f369..c37cb9d 100644 --- a/main.tf +++ b/main.tf @@ -1,4 +1,3 @@ - locals { additional_policies = {} base_tags = { From a5eb48325d310e0ceda4f31bb1af5a3880c69883 Mon Sep 17 00:00:00 2001 
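Review bot: The PATCH 16 hunk switches `ami_type` from `BOTTLEROCKET_ARM_64_FIPS` to `BOTTLEROCKET_ARM_64`, dropping the FIPS-validated image without a recorded reason; in a federal environment FIPS 140 node images can be a compliance requirement, so the rationale (instance support, image availability in the region, or whatever it was) belongs in the file rather than the subject line. Suggest `# non-FIPS variant: <reason> — revisit when the FIPS image is usable here` next to `ami_type`; the same applies when PATCH 18 returns to the non-FIPS x86 image. The `eks_managed_node_group_defaults` map continues outside the hunk.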
From: "Matthew C. Morgan" Date: Fri, 21 Mar 2025 14:29:25 -0400 Subject: [PATCH 18/29] not arm --- README.md | 2 +- main.tf | 2 +- variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index cd70304..4050d3e 100644 --- a/README.md +++ b/README.md @@ -149,7 +149,7 @@ efs-csi-controller 0 5m | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no | -| [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` |
[
"t4g.medium"
]
| no | +| [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` |
[
"t3a.medium"
]
| no | | [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Desired size of the EKS node group | `number` | `4` | no | | [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Maximum size of the EKS node group | `number` | `15` | no | | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Minimum size of the EKS node group | `number` | `4` | no | diff --git a/main.tf b/main.tf index c37cb9d..3d13ed8 100644 --- a/main.tf +++ b/main.tf @@ -79,7 +79,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET_ARM_64" + ami_type = "BOTTLEROCKET_x86_64" } node_security_group_enable_recommended_rules = true diff --git a/variables.tf b/variables.tf index 8f65969..2b73269 100644 --- a/variables.tf +++ b/variables.tf @@ -67,7 +67,7 @@ variable "eks_instance_types" { description = "List of EC2 instance types for the EKS node group" type = list(string) default = [ - "t4g.medium" + "t3a.medium" ] validation { condition = length(var.eks_instance_types) > 0 From 494be7b65aa418e075740504e96686fd5e19cbf6 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 21 Mar 2025 18:29:14 -0400 Subject: [PATCH 19/29] sort --- main.tf | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/main.tf b/main.tf index 3d13ed8..66ed764 100644 --- a/main.tf +++ b/main.tf 
@@ -28,13 +28,15 @@ resource "terraform_data" "subnet_validation" { module "cluster" { source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.34.0" + access_entries = local.access_entries + cloudwatch_log_group_retention_in_days = "14" + cluster_endpoint_private_access = var.cluster_endpoint_private_access + cluster_endpoint_public_access = var.cluster_endpoint_public_access cluster_name = var.cluster_name + cluster_upgrade_policy = { support_type = "STANDARD" } cluster_version = var.cluster_version - cluster_endpoint_public_access = var.cluster_endpoint_public_access - cluster_endpoint_private_access = var.cluster_endpoint_private_access enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions - access_entries = local.access_entries - cluster_upgrade_policy = { support_type = "STANDARD" } + cluster_enabled_log_types = [ "api", "audit", @@ -42,7 +44,6 @@ module "cluster" { "controllerManager", "scheduler", ] - cloudwatch_log_group_retention_in_days = "14" vpc_id = local.vpc_id subnet_ids = local.subnets From c3ad022c55f7a00ffdca2111259779e439f1fe4b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 1 Apr 2025 11:39:26 -0400 Subject: [PATCH 20/29] add release process, update cloudwatch retention --- .github/workflows/terraform-release.yaml | 73 ++++++++++++++++ .github/workflows/terraform-validate.yaml | 42 +++++++++ .github/workflows/terragrunt-cicd.yml | 101 ---------------------- README.md | 1 + main.tf | 2 +- variables.tf | 6 ++ 6 files changed, 123 insertions(+), 102 deletions(-) create mode 100644 .github/workflows/terraform-release.yaml create mode 100644 .github/workflows/terraform-validate.yaml delete mode 100644 .github/workflows/terragrunt-cicd.yml diff --git a/.github/workflows/terraform-release.yaml b/.github/workflows/terraform-release.yaml new file mode 100644 index 0000000..90910bc --- /dev/null +++ b/.github/workflows/terraform-release.yaml 
@@ -0,0 +1,73 @@ +name: Terraform CI/CD +on: + workflow_dispatch: + pull_request: + types: [closed] + branches: + - main +jobs: + terraform-ci-cd: + runs-on: 229685449397 + permissions: + contents: write + + steps: + - name: Checkout code + uses: CSVD/gh-actions-checkout@v4 + + - name: Setup Terraform + uses: CSVD/gh-actions-setup-terraform@v3 + with: + terraform_version: "1.9.1" + + - name: Setup GITHUB Credentials + id: github_credentials + uses: CSVD/gh-auth@main + with: + github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }} + github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }} + github_app_id: ${{ vars.GH_APP_ID }} + + + - name: Debug Authentication + run: | + # Print the GitHub server URL + echo "GitHub Server URL: ${{ github.server_url }}" + + # Extract the host from the URL + HOST="${{ github.server_url }}" + HOST="${HOST#*//}" + HOST="${HOST%%/*}" + echo "GitHub Host: $HOST" + + # Check if token exists + if [[ -n "${{ steps.github_credentials.outputs.github_token }}" ]]; then + echo "Token generated successfully" + # Test the token with a simple GitHub API call (without exposing the token) + STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${{ steps.github_credentials.outputs.github_token }}" "${{ github.server_url }}/api/v3/user") + echo "API Test Status Code: $STATUS" + else + echo "No token was generated!" 
+ fi + + - name: Setup GitHub CLI + run: | + # Force manual authentication since setup-git might not work with GitHub Enterprise + echo "${{ steps.github_credentials.outputs.github_token }}" > /tmp/token.txt + gh auth login --with-token --hostname "github.e.it.census.gov" < /tmp/token.txt + rm /tmp/token.txt + + # Test GitHub CLI auth status + gh auth status || echo "GitHub CLI authentication failed" + + - name: AWS Auth + id: aws_auth + uses: CSVD/aws-auth@main + with: + ecs: true + + - name: Run Terraform Module Release Action + uses: CSVD/terraform-module-release@main + with: + github-token: ${{ steps.github_credentials.outputs.github_token }} + working-directory: '.' diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml new file mode 100644 index 0000000..72829d8 --- /dev/null +++ b/.github/workflows/terraform-validate.yaml @@ -0,0 +1,42 @@ +name: Terraform Validate +on: + pull_request: + workflow_dispatch: + +jobs: + + terraform-validate: + runs-on: "229685449397" + permissions: + contents: write + steps: + - name: Checkout code + uses: CSVD/gh-actions-checkout@v4 + + - name: Setup Terraform + uses: CSVD/gh-actions-setup-terraform@v2 + with: + terraform_version: '1.7.3' + + - name: Validate Terraform Configuration + id: validate + uses: CSVD/terraform-validate@main + + - name: Check Validation/Test Results + if: always() + run: | + # Set default values if outputs are empty + IS_VALID="${{ steps.validate.outputs.is_valid }}" + TESTS_PASSED="${{ steps.validate.outputs.tests_passed }}" + + # If outputs are empty, set them to false + [ -z "$IS_VALID" ] && IS_VALID="false" + [ -z "$TESTS_PASSED" ] && TESTS_PASSED="false" + + if [[ "$IS_VALID" != "true" || "$TESTS_PASSED" != "true" ]]; then + echo "Validation or test errors found:" + echo "${{ steps.validate.outputs.stderr }}" + exit 1 + else + echo "All validations and tests passed successfully!" + fi 
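Review bot: In the Debug Authentication and Setup GitHub CLI steps of terraform-release.yaml the app token is interpolated straight into the `run:` script text via `${{ steps.github_credentials.outputs.github_token }}`, so it ends up in the rendered shell source, on the curl command line visible to other processes on the shared self-hosted runner, and on disk in `/tmp/token.txt`. Pass it through `env:` and read it from the environment; the debug step's curl should do the same (`-H "Authorization: Bearer $GH_TOKEN"`) or, being a debug step, be dropped from the release workflow. `runs-on` is unquoted here but quoted in terraform-validate.yaml; pick one form.
```yaml
      # … unchanged: earlier steps …
      - name: Setup GitHub CLI
        env:
          GH_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
        run: |
          # token reaches the shell only via the environment; nothing is written to disk or a command line
          gh auth login --with-token --hostname "github.e.it.census.gov" <<< "$GH_TOKEN"
          gh auth status || echo "GitHub CLI authentication failed"
```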
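Review bot: terraform-validate.yaml runs on `pull_request` with `permissions: contents: write`, yet checkout, validation and the result check only read the repository, so `contents: read` is the least privilege this job needs and a write-scoped token on a PR-triggered job is more than it should hold. The workflow also pins Terraform `'1.7.3'` with setup-terraform `@v2` while terraform-release.yaml pins `"1.9.1"` with `@v3`; validating against a different version than the release uses lets a config pass here and fail there, so align both on one version.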
diff --git a/.github/workflows/terragrunt-cicd.yml b/.github/workflows/terragrunt-cicd.yml deleted file mode 100644 index a78523e..0000000 --- a/.github/workflows/terragrunt-cicd.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -name: 'Terraform Module CI' - -on: - push: - branches: - - main - paths: - - '**/*.hcl' - - '**/*.tf' - pull_request: - branches: - - main - paths: - - '**/*.hcl' - - '**/*.tf' - -permissions: - contents: read - pull-requests: write - -jobs: - validate: - name: 'Validate Module' - runs-on: self-hosted - - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: 1.5.0 - - - name: Terraform Init - run: | - terraform init -backend=false - - - name: Terraform Format - run: | - terraform fmt -check - - - name: Terraform Validate - run: | - terraform validate - - - name: Run tflint - uses: terraform-linters/setup-tflint@v3 - if: github.event_name == 'pull_request' - - - name: Lint Terraform - if: github.event_name == 'pull_request' - run: | - tflint --format compact - - release: - name: 'Create Release' - needs: validate - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - runs-on: self-hosted - permissions: - contents: write - - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Setup Python - uses: actions/setup-python@v4 - with: - python-version: '3.9' - - - name: Install Commitizen - run: | - pip install commitizen - - - name: Configure Git - run: | - git config --local user.email "action@github.com" - git config --local user.name "GitHub Action" - - - name: Bump Version and Generate Changelog - id: cz - run: | - cz bump --yes - echo "new_version=$(cz version --project)" >> $GITHUB_OUTPUT - echo "changelog=$(cz changelog --dry-run)" >> $GITHUB_OUTPUT - - - name: Create Release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: v${{ steps.cz.outputs.new_version }} - release_name: Release v${{ steps.cz.outputs.new_version }} - draft: false - prerelease: false - body: ${{ steps.cz.outputs.changelog }} 
diff --git a/README.md b/README.md
index 4050d3e..d3905fc 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,7 @@ efs-csi-controller 0 5m
 |------|-------------|------|---------|:--------:|
 | [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no |
 | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16",
"10.0.0.0/16"
]
| no |
+| [cloudwatch\_retention\_days](#input\_cloudwatch\_retention\_days) | number of days to retain logs in cloudwatch | `string` | `"14"` | no |
 | [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Whether the EKS cluster API server endpoint is privately accessible | `bool` | `true` | no |
 | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `true` | no |
 | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
index 66ed764..786d79f 100644
--- a/main.tf
+++ b/main.tf
@@ -29,7 +29,7 @@ module "cluster" {
 source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.34.0"
 access_entries = local.access_entries
- cloudwatch_log_group_retention_in_days = "14"
+ cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days
 cluster_endpoint_private_access = var.cluster_endpoint_private_access
 cluster_endpoint_public_access = var.cluster_endpoint_public_access
 cluster_name = var.cluster_name
diff --git a/variables.tf b/variables.tf
index 2b73269..8a9fb29 100644
--- a/variables.tf
+++ b/variables.tf
@@ -155,3 +155,9 @@ variable "tags" {
 error_message = "Tag keys must be <= 128 chars, values <= 256 chars, and both can only contain alphanumeric characters, spaces, and '.+-=@:_'."
 }
 }
+
+variable "cloudwatch_retention_days" {
+ description = "number of days to retain logs in cloudwatch"
+ type = string
+ default = "14"
+}
From cf8e81a29f50f6167da7ebca789514cbeaa1e345 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 1 Apr 2025 16:04:51 -0400
Subject: [PATCH 21/29] try new addons
---
 main.tf | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/main.tf b/main.tf
index 786d79f..c041406 100644
--- a/main.tf
+++ b/main.tf
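Review bot: The new `cloudwatch_retention_days` variable in the variables.tf hunk is typed `string` with default `"14"`, but it feeds `cloudwatch_log_group_retention_in_days`, a day count that CloudWatch Logs accepts only from a fixed list of values; a value like `"15"` or `"14d"` therefore passes `terraform validate` and fails only at apply time when the log group is created. Declaring it as a `number` with a `validation` block (the file already uses one on `tags`) rejects bad values at plan time, and Terraform still converts a quoted `"14"` from existing callers, so the interface stays compatible. The description should also state that `0` disables expiry, since this controls how long the cluster's control-plane log group is kept. The README row would need the same type and default update.
```hcl
variable "cloudwatch_retention_days" {
  description = "Number of days to retain the EKS cluster's CloudWatch log group (0 = never expire)"
  type        = number
  default     = 14

  validation {
    # Only the retention periods CloudWatch Logs accepts; 0 disables expiry.
    condition     = contains([0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653], var.cloudwatch_retention_days)
    error_message = "cloudwatch_retention_days must be one of the retention periods CloudWatch Logs accepts (0, 1, 3, 5, 7, 14, 30, ..., 3653)."
  }
}
```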
@@ -61,15 +61,30 @@ module "cluster" {
 most_recent = true
 service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn
 }
+ cert-manager = {
+ most_recent = true
+ }
 coredns = {
 most_recent = true
 }
 eks-pod-identity-agent = {
 most_recent = true
 }
+ external-dns = {
+ most_recent = true
+ }
 kube-proxy = {
 most_recent = true
 }
+ kube-state-metrics = {
+ most_recent = true
+ }
+ metrics-server = {
+ most_recent = true
+ }
+ prometheus-node-exporter = {
+ most_recent = true
+ }
 snapshot-controller = {
 most_recent = true
 }
From 83965395b931976505ca65edf4bc210a45e879f9 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 1 Apr 2025 16:38:32 -0400
Subject: [PATCH 22/29] update latest upstream version
---
 README.md | 2 +-
 main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index d3905fc..28726bb 100644
--- a/README.md
+++ b/README.md
@@ -111,7 +111,7 @@ efs-csi-controller 0 5m
 | Name | Source | Version |
 |------|--------|---------|
 | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
-| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.34.0 |
+| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.35.0 |
 | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
diff --git a/main.tf b/main.tf
index c041406..3e8ec05 100644
--- a/main.tf
+++ b/main.tf
@@ -26,7 +26,7 @@ resource "terraform_data" "subnet_validation" {
 }
 module "cluster" {
- source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.34.0"
+ source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.35.0"
 access_entries = local.access_entries
 cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days
From cc217c4acde21072e07ffab9958892b69f3e3eec Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 1 Apr 2025 16:57:17 -0400
Subject: [PATCH 23/29] tehse addons don't work
---
 main.tf | 15 ---------------
 1 file changed, 15 deletions(-)
diff --git a/main.tf b/main.tf
index 3e8ec05..2d324c6 100644
--- a/main.tf
+++ b/main.tf
@@ -61,30 +61,15 @@ module "cluster" {
 most_recent = true
 service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn
 }
- cert-manager = {
- most_recent = true
- }
 coredns = {
 most_recent = true
 }
 eks-pod-identity-agent = {
 most_recent = true
 }
- external-dns = {
- most_recent = true
- }
 kube-proxy = {
 most_recent = true
 }
- kube-state-metrics = {
- most_recent = true
- }
- metrics-server = {
- most_recent = true
- }
- prometheus-node-exporter = {
- most_recent = true
- }
 snapshot-controller = {
 most_recent = true
 }
From 17e502d134820d0742fbcbecce328490222b90eb Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 1 Apr 2025 17:28:03 -0400
Subject: [PATCH 24/29] use https to make CI easier
---
 README.md | 4 ++--
 main.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 28726bb..9f7ad53 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ The following addons are automatically installed and configured:
 ```hcl
 module "eks" {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git"
+ source = "https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git?ref=v20.35.0"
 cluster_name = "my-cluster"
 cluster_version = "1.28"
@@ -111,7 +111,7 @@ efs-csi-controller 0 5m
 | Name | Source | Version |
 |------|--------|---------|
 | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
-| [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.35.0 |
+| [cluster](#module\_cluster) | https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git | v20.35.0 |
 | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
diff --git a/main.tf b/main.tf
index 2d324c6..0a72873 100644
--- a/main.tf
+++ b/main.tf
@@ -26,7 +26,7 @@ resource "terraform_data" "subnet_validation" {
 }
 module "cluster" {
- source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.35.0"
+ source = "https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git?ref=v20.35.0"
 access_entries = local.access_entries
 cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days
From 2248d8e16270fda86c6bcbaba75fabfa76e77cc1 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 1 Apr 2025 17:31:32 -0400
Subject: [PATCH 25/29] use the git hinting
---
 README.md | 2 +-
 main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 9f7ad53..a56e564 100644
--- a/README.md
+++ b/README.md
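Review bot: The main.tf hunk still pins the cluster module with `?ref=v20.35.0`, and a git tag on the enterprise forge is a mutable pointer: anyone who can re-point that tag changes what `terraform init` fetches into every environment built from this module, and Terraform's lock file records providers, not module sources, so nothing detects the swap. Pin `ref=` to the full commit SHA that `v20.35.0` resolves to today and keep the tag as a comment, e.g. `source = "https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git?ref=<40-char commit sha>" # v20.35.0`. Moving the source from SSH to HTTPS also changes which credential the CI runner presents to the forge; that credential's scope is not visible here, so it is worth confirming it is read-only for this fetch.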
@@ -111,7 +111,7 @@ efs-csi-controller 0 5m
 | Name | Source | Version |
 |------|--------|---------|
 | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
-| [cluster](#module\_cluster) | https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git | v20.35.0 |
+| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git | v20.35.0 |
 | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
diff --git a/main.tf b/main.tf
index 0a72873..d4b4793 100644
--- a/main.tf
+++ b/main.tf
@@ -26,7 +26,7 @@ resource "terraform_data" "subnet_validation" {
 }
 module "cluster" {
- source = "https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git?ref=v20.35.0"
+ source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git?ref=v20.35.0"
 access_entries = local.access_entries
 cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days
From cbba5377073265ae8f4d410b3847304d0cebcffa Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 1 Apr 2025 17:34:59 -0400
Subject: [PATCH 26/29] add the slash
---
 README.md | 2 +-
 main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a56e564..a5064bd 100644
--- a/README.md
+++ b/README.md
@@ -111,7 +111,7 @@ efs-csi-controller 0 5m
 | Name | Source | Version |
 |------|--------|---------|
 | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
-| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git | v20.35.0 |
+| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git/ | v20.35.0 |
 | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
diff --git a/main.tf b/main.tf
index d4b4793..bd9c609 100644
--- a/main.tf
+++ b/main.tf
@@ -26,7 +26,7 @@ resource "terraform_data" "subnet_validation" {
 }
 module "cluster" {
- source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git?ref=v20.35.0"
+ source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git/?ref=v20.35.0"
 access_entries = local.access_entries
 cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days
From f763a87906e1e3d88c4afbb271ac4111b43e0bc9 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 1 Apr 2025 17:37:51 -0400
Subject: [PATCH 27/29] remove extra tomap()s
---
 security_groups.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security_groups.tf b/security_groups.tf
index 6d4a61c..e62c641 100644
--- a/security_groups.tf
+++ b/security_groups.tf
@@ -10,7 +10,7 @@ resource "aws_security_group" "additional_eks_cluster_sg" {
 tags = merge(
 local.base_tags,
 var.tags,
- tomap({ "Name" = local.additional_eks_cluster_sg_name }),
+ { "Name" = local.additional_eks_cluster_sg_name },
 )
 vpc_id = data.aws_vpc.eks_vpc.id
@@ -51,7 +51,7 @@ resource "aws_security_group" "all_worker_mgmt" {
 tags = merge(
 local.base_tags,
 var.tags,
- tomap({ "Name" = local.all_worker_mgmt_name }),
+ { "Name" = local.all_worker_mgmt_name },
 )
 vpc_id = local.vpc_id
From 555b132f392b14943bc00f751c6ffb5de4c08443 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 1 Apr 2025 17:46:48 -0400
Subject: [PATCH 28/29] try dropping .git
---
 README.md | 2 +-
 main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a5064bd..c9da336 100644
--- a/README.md
+++ b/README.md
@@ -111,7 +111,7 @@ efs-csi-controller 0 5m
 | Name | Source | Version |
 |------|--------|---------|
 | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
-| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git/ | v20.35.0 |
+| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v20.35.0 |
 | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
diff --git a/main.tf b/main.tf
index bd9c609..cf353f9 100644
--- a/main.tf
+++ b/main.tf
@@ -26,7 +26,7 @@ resource "terraform_data" "subnet_validation" {
 }
 module "cluster" {
- source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git/?ref=v20.35.0"
+ source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v20.35.0"
 access_entries = local.access_entries
 cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days
From ac7d1c34c09c7fc7d0a75f3c99279fbc83ef60a0 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 1 Apr 2025 17:55:44 -0400
Subject: [PATCH 29/29] increase tf version in action
---
 .github/workflows/terraform-validate.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml
index 72829d8..ac349eb 100644
--- a/.github/workflows/terraform-validate.yaml
+++ b/.github/workflows/terraform-validate.yaml
@@ -16,7 +16,7 @@ jobs:
 - name: Setup Terraform
 uses: CSVD/gh-actions-setup-terraform@v2
 with:
- terraform_version: '1.7.3'
+ terraform_version: '1.10.5'
 - name: Validate Terraform Configuration
 id: validate