From 95f192ae84f3c29a9d761021176e4b2ce4d348af Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 1 Oct 2025 17:51:18 -0400 Subject: [PATCH 01/27] add more addons for testing --- README.md | 2 +- main.tf | 20 ++++++++++++++++++++ requirements.tf | 2 +- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6109608..409cab1 100644 --- a/README.md +++ b/README.md @@ -97,7 +97,7 @@ efs-csi-controller 0 5m | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | ~> 5.0 | +| [aws](#requirement\_aws) | ~> 5.100.0 | | [null](#requirement\_null) | ~> 3.2 | ## Providers diff --git a/main.tf b/main.tf index a3b1324..134ec3e 100644 --- a/main.tf +++ b/main.tf @@ -61,15 +61,35 @@ module "cluster" { most_recent = true service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn } + aws-guardduty-agent = { + most_recent = true + service_account_role_arn = module.guardduty_agent_irsa_role.iam_role_arn + } + aws-mountpoint-s3-csi-driver = { + most_recent = true + service_account_role_arn = module.mountpoint_s3_csi_driver_irsa_role.iam_role_arn + } coredns = { most_recent = true } + eks-node-monitoring-agent = { + most_recent = true + } eks-pod-identity-agent = { most_recent = true } kube-proxy = { most_recent = true } + kube-state-metrics = { + most_recent = true + } + metrics_server = { + most_recent = true + } + prometheus_node_exporter = { + most_recent = true + } snapshot-controller = { most_recent = true } diff --git a/requirements.tf b/requirements.tf index 970fa07..d5bb933 100644 --- a/requirements.tf +++ b/requirements.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.0" + version = "~> 5.100.0" } null = { source = "hashicorp/null" From 108e31e46d2c567bab71b8e3a79a5a1c03454070 Mon Sep 17 00:00:00 2001 
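Review bot: The new `aws-guardduty-agent` and `aws-mountpoint-s3-csi-driver` entries in the main.tf hunk reference `module.guardduty_agent_irsa_role` and `module.mountpoint_s3_csi_driver_irsa_role`, but this commit's diffstat touches only README.md, main.tf and requirements.tf, so unless those modules already exist in the IRSA roles file the plan fails on an undeclared module. The `metrics_server` and `prometheus_node_exporter` keys use underscores where the EKS addon names are hyphenated (`metrics-server`, `prometheus-node-exporter`), so those two entries would not resolve to an addon. Every entry also relies on `most_recent = true`, which resolves to whatever version AWS publishes at apply time; pinning `addon_version` per entry, or at least recording the resolved versions, keeps the addon set reproducible and reviewable from a supply-chain standpoint. The `module "cluster"` block starts and ends outside the hunk.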
From: "Matthew C. Morgan" Date: Thu, 2 Oct 2025 17:28:10 -0400 Subject: [PATCH 02/27] s3 is more than i want to add now --- main.tf | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/main.tf b/main.tf index 134ec3e..609b36a 100644 --- a/main.tf +++ b/main.tf @@ -62,12 +62,7 @@ module "cluster" { service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn } aws-guardduty-agent = { - most_recent = true - service_account_role_arn = module.guardduty_agent_irsa_role.iam_role_arn - } - aws-mountpoint-s3-csi-driver = { - most_recent = true - service_account_role_arn = module.mountpoint_s3_csi_driver_irsa_role.iam_role_arn + most_recent = true } coredns = { most_recent = true @@ -76,7 +71,8 @@ module "cluster" { most_recent = true } eks-pod-identity-agent = { - most_recent = true + most_recent = true + before_compute = true } kube-proxy = { most_recent = true @@ -96,6 +92,7 @@ module "cluster" { vpc-cni = { most_recent = true service_account_role_arn = module.vpc_cni_irsa_role.iam_role_arn + before_compute = true } } From 4aa880ed84317a5a9c2c0ffb41a2341f4b9833ff Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 2 Oct 2025 17:50:26 -0400 Subject: [PATCH 03/27] hyphen replaces underscores --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 609b36a..489b400 100644 --- a/main.tf +++ b/main.tf @@ -80,10 +80,10 @@ module "cluster" { kube-state-metrics = { most_recent = true } - metrics_server = { + metrics-server = { most_recent = true } - prometheus_node_exporter = { + prometheus-node-exporter = { most_recent = true } snapshot-controller = { From 969ae1510fc5bdd3103341c84d7a89527630c511 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 2 Oct 2025 17:51:12 -0400 Subject: [PATCH 04/27] fmt --- main.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/main.tf b/main.tf index 489b400..7c9c504 100644 --- a/main.tf +++ b/main.tf 
@@ -64,6 +64,9 @@ module "cluster" { aws-guardduty-agent = { most_recent = true } + cert-manager = { + most_recent = true + } coredns = { most_recent = true } From 48aa72e3fc9567f996ee1d6c0e467dbfda9cc203 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 2 Oct 2025 18:15:23 -0400 Subject: [PATCH 05/27] no guardduty --- main.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/main.tf b/main.tf index 7c9c504..67c4b41 100644 --- a/main.tf +++ b/main.tf @@ -61,9 +61,6 @@ module "cluster" { most_recent = true service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn } - aws-guardduty-agent = { - most_recent = true - } cert-manager = { most_recent = true } From ad0b012558c529a33a347370337d0cd5f3919e3d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 2 Oct 2025 18:35:16 -0400 Subject: [PATCH 06/27] graviton? --- README.md | 2 +- main.tf | 5 +---- variables.tf | 2 +- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 409cab1..21b5867 100644 --- a/README.md +++ b/README.md @@ -172,7 +172,7 @@ efs-csi-controller 0 5m | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no | -| [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` |
[
"t3a.medium"
]
| no | +| [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` |
[
"t4g.medium"
]
| no | | [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Desired size of the EKS node group | `number` | `2` | no | | [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Maximum size of the EKS node group | `number` | `2` | no | | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Minimum size of the EKS node group | `number` | `2` | no | diff --git a/main.tf b/main.tf index 67c4b41..5ef061c 100644 --- a/main.tf +++ b/main.tf @@ -83,9 +83,6 @@ module "cluster" { metrics-server = { most_recent = true } - prometheus-node-exporter = { - most_recent = true - } snapshot-controller = { most_recent = true } @@ -97,7 +94,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET_x86_64" + ami_type = "BOTTLEROCKET" } node_security_group_enable_recommended_rules = true diff --git a/variables.tf b/variables.tf index 9e86fcb..834ae63 100644 --- a/variables.tf +++ b/variables.tf @@ -67,7 +67,7 @@ variable "eks_instance_types" { description = "List of EC2 instance types for the EKS node group" type = list(string) default = [ - "t3a.medium" + "t4g.medium" ] validation { condition = length(var.eks_instance_types) > 0 From 2afbd2640040b0b3087427fe0ec3474f15e99c4d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 2 Oct 2025 18:37:35 -0400 Subject: [PATCH 07/27] update to correct ami --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 5ef061c..f7b92b1 100644 --- a/main.tf +++ b/main.tf @@ -94,7 +94,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET" + ami_type = "BOTTLEROCKET_ARM_64_FIPS" } node_security_group_enable_recommended_rules = true From 24370e24d08b8dfbb40d833b58db62fdd019abb3 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 8 Oct 2025 14:38:54 -0400 Subject: [PATCH 08/27] not arm --- README.md | 2 +- main.tf | 2 +- variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/README.md b/README.md index 21b5867..409cab1 100644 --- a/README.md +++ b/README.md @@ -172,7 +172,7 @@ efs-csi-controller 0 5m | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no | -| [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` |
[
"t4g.medium"
]
| no | +| [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` |
[
"t3a.medium"
]
| no | | [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Desired size of the EKS node group | `number` | `2` | no | | [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Maximum size of the EKS node group | `number` | `2` | no | | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Minimum size of the EKS node group | `number` | `2` | no | diff --git a/main.tf b/main.tf index f7b92b1..fe791a0 100644 --- a/main.tf +++ b/main.tf @@ -94,7 +94,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET_ARM_64_FIPS" + ami_type = "BOTTLEROCKET_X86_64" } node_security_group_enable_recommended_rules = true diff --git a/variables.tf b/variables.tf index 834ae63..9e86fcb 100644 --- a/variables.tf +++ b/variables.tf @@ -67,7 +67,7 @@ variable "eks_instance_types" { description = "List of EC2 instance types for the EKS node group" type = list(string) default = [ - "t4g.medium" + "t3a.medium" ] validation { condition = length(var.eks_instance_types) > 0 From d26634df51b9ef6bf7ecbd8b0d5d9a2f27847743 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 8 Oct 2025 14:40:37 -0400 Subject: [PATCH 09/27] case --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index fe791a0..60952d7 100644 --- a/main.tf +++ b/main.tf @@ -94,7 +94,7 @@ module "cluster" { } eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET_X86_64" + ami_type = "BOTTLEROCKET_x86_64" } node_security_group_enable_recommended_rules = true From 9a798901a874ef4721765fac10bf71f996cb8c8e Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 8 Oct 2025 15:45:16 -0400 Subject: [PATCH 10/27] disable --- main.tf | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/main.tf b/main.tf index 60952d7..2c8ee91 100644 --- a/main.tf +++ b/main.tf 
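Review bot: `ami_type = "BOTTLEROCKET_X86_64"` in the main.tf hunk silently drops the FIPS variant the previous commit selected while reverting the architecture; if FIPS-validated crypto on the nodes was a requirement rather than an experiment, the x86 equivalent is `ami_type = "BOTTLEROCKET_x86_64_FIPS"`, and the commit message should say why FIPS was dropped if it was deliberate. Separately, the value's case is wrong: EKS spells the type `BOTTLEROCKET_x86_64` with a lowercase `x`, so this string is rejected as-is. The `module "cluster"` block continues outside the hunk.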
@@ -61,9 +61,9 @@ module "cluster" { most_recent = true service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn } - cert-manager = { - most_recent = true - } + # cert-manager = { + # most_recent = true + # } coredns = { most_recent = true } @@ -77,12 +77,12 @@ module "cluster" { kube-proxy = { most_recent = true } - kube-state-metrics = { - most_recent = true - } - metrics-server = { - most_recent = true - } + # kube-state-metrics = { + # most_recent = true + # } + # metrics-server = { + # most_recent = true + # } snapshot-controller = { most_recent = true } From 205c9fe4165947e81903ea24562763da22412480 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 9 Oct 2025 18:23:07 -0400 Subject: [PATCH 11/27] more updates for aws 6 --- README.md | 6 +++--- cluster-admin.tf | 4 ++-- main.tf | 21 +++++++++------------ requirements.tf | 2 +- 4 files changed, 15 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 409cab1..5c9153f 100644 --- a/README.md +++ b/README.md @@ -97,14 +97,14 @@ efs-csi-controller 0 5m | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | ~> 5.100.0 | +| [aws](#requirement\_aws) | ~> 6.0 | | [null](#requirement\_null) | ~> 3.2 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.100.0 | +| [aws](#provider\_aws) | 6.16.0 | | [null](#provider\_null) | 3.2.4 | | [terraform](#provider\_terraform) | n/a | 
@@ -113,7 +113,7 @@ efs-csi-controller 0 5m | Name | Source | Version | |------|--------|---------| | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | -| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v20.37.2 | +| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.3.2 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | diff --git a/cluster-admin.tf b/cluster-admin.tf index 3f0efa5..1f82da3 100644 --- a/cluster-admin.tf +++ b/cluster-admin.tf @@ -3,7 +3,7 @@ #--- locals { iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) - common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id) + common_arn = format("arn:%v:%%v:%v:%v:%%v", data.aws_arn.current.partition, data.aws_region.current.id, data.aws_caller_identity.current.account_id) eks_resources = ["cluster", "addon", "nodegroup", "identityproviderconfig"] admin_policy_statements = { 
@@ -58,7 +58,7 @@ locals { "ssm:GetParameter", ] resources = [ - format("arn:%v:%v:%v:%v:%v", data.aws_arn.current.partition, "ssm", data.aws_region.current.name, "", "parameter/aws/service/eks/*") + format("arn:%v:%v:%v:%v:%v", data.aws_arn.current.partition, "ssm", data.aws_region.current.id, "", "parameter/aws/service/eks/*") ] } EKSReadMyClusters = { diff --git a/main.tf b/main.tf index 2c8ee91..d57d225 100644 --- a/main.tf +++ b/main.tf @@ -26,18 +26,18 @@ resource "terraform_data" "subnet_validation" { } module "cluster" { - source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v20.37.2" + source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.3.2" access_entries = local.access_entries cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days - cluster_endpoint_private_access = var.cluster_endpoint_private_access - cluster_endpoint_public_access = var.cluster_endpoint_public_access - cluster_name = var.cluster_name - cluster_upgrade_policy = { support_type = "STANDARD" } - cluster_version = var.cluster_version + endpoint_private_access = var.cluster_endpoint_private_access + endpoint_public_access = var.cluster_endpoint_public_access + name = var.cluster_name + upgrade_policy = { support_type = "STANDARD" } + kubernetes_version = var.cluster_version enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions - cluster_enabled_log_types = [ + enabled_log_types = [ "api", "audit", "authenticator", @@ -48,7 +48,7 @@ module "cluster" { vpc_id = local.vpc_id subnet_ids = local.subnets - cluster_addons = { + addons = { amazon-cloudwatch-observability = { most_recent = true service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn 
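Review bot: The renamed `endpoint_public_access = var.cluster_endpoint_public_access` in the main.tf hunk keeps the public API endpoint configurable, but nothing in this block sets `endpoint_public_access_cidrs`, and the module's default for that input is `["0.0.0.0/0"]`; whenever the variable is true the API server is reachable from any address. Consider passing an explicit allow-list alongside the flag, e.g. `endpoint_public_access_cidrs = ["<allowed CIDR>"]` (placeholder), or defaulting the public flag to false. I can't see variables.tf in this commit, so the variable's default should be checked together with this. The `module "cluster"` block continues outside the hunk.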
@@ -93,10 +93,6 @@ module "cluster" { } } - eks_managed_node_group_defaults = { - ami_type = "BOTTLEROCKET_x86_64" - } - node_security_group_enable_recommended_rules = true node_security_group_additional_rules = local.node_security_group_additional_rules @@ -104,6 +100,7 @@ module "cluster" { eks_managed_node_groups = { karpenter_controllers = { name = local.ng_name + ami_type = "BOTTLEROCKET_x86_64" capacity_type = "ON_DEMAND" instance_types = var.eks_instance_types diff --git a/requirements.tf b/requirements.tf index d5bb933..a1b6903 100644 --- a/requirements.tf +++ b/requirements.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.100.0" + version = "~> 6.0" } null = { source = "hashicorp/null" From 7ebfc04cd58199ec424208753b447a4fdb9651d6 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 9 Oct 2025 18:43:32 -0400 Subject: [PATCH 12/27] add metrics server --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index d57d225..7e8a2e1 100644 --- a/main.tf +++ b/main.tf @@ -80,9 +80,9 @@ module "cluster" { # kube-state-metrics = { # most_recent = true # } - # metrics-server = { - # most_recent = true - # } + metrics-server = { + most_recent = true + } snapshot-controller = { most_recent = true } From bdebdea2c9506dd07e0530b0f0ae8ca2a63f6fa8 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 9 Oct 2025 18:51:24 -0400 Subject: [PATCH 13/27] add port for metrics-server addon --- securitygroup.ports.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/securitygroup.ports.tf b/securitygroup.ports.tf index 0535c58..a366d18 100644 --- a/securitygroup.ports.tf +++ b/securitygroup.ports.tf @@ -70,6 +70,12 @@ locals { from_port = 9443 to_port = 9443 }, + { + component = "metrics-server" + description = "metrics-server endpoint" + from_port = 10251 + to_port = 10251 + }, { component = "cert-manager" description = "cert-manager-webhook" 
From 22776d75551e2d5069ab4d3c76741fee496b5ceb Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 9 Oct 2025 19:43:38 -0400 Subject: [PATCH 14/27] set insecure tls for metrics-server --- main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 7e8a2e1..f14e71c 100644 --- a/main.tf +++ b/main.tf @@ -81,7 +81,8 @@ module "cluster" { # most_recent = true # } metrics-server = { - most_recent = true + most_recent = true + configuration_values = "--kubelet-insecure-tls=true" } snapshot-controller = { most_recent = true From 5f7dd42ad0b73d74698f2d50404e1b9211f10b77 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 9 Oct 2025 21:11:26 -0400 Subject: [PATCH 15/27] comment out metrics-server until we figure out how to configure it --- main.tf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index f14e71c..5490bab 100644 --- a/main.tf +++ b/main.tf @@ -80,10 +80,9 @@ module "cluster" { # kube-state-metrics = { # most_recent = true # } - metrics-server = { - most_recent = true - configuration_values = "--kubelet-insecure-tls=true" - } + # metrics-server = { + # most_recent = true + # } snapshot-controller = { most_recent = true } From b750feba793cd715dc80663131c4d1d379b1c611 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 10 Oct 2025 16:04:59 -0400 Subject: [PATCH 16/27] add 1.34 as allowed cluster version --- variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/variables.tf b/variables.tf index 9e86fcb..131e9e4 100644 --- a/variables.tf +++ b/variables.tf 
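Review bot: `configuration_values = "--kubelet-insecure-tls=true"` on the metrics-server addon turns off verification of kubelet serving certificates for every node, so anything positioned on the node network path could present itself as a kubelet to the metrics pipeline; that is not an acceptable fix for a scrape failure. The symptom here appears to be missing ingress from the cluster security group to the metrics-server port (the later commit in this series that adds the `ingress_metrics_server` rule is what resolves it), so the TLS bypass can be dropped entirely. Also, EKS addon `configuration_values` is a JSON document validated against the addon's configuration schema, not a raw command-line flag, so this string would be rejected even if the intent were accepted. The `module "cluster"` block continues outside the hunk.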
@@ -11,8 +11,8 @@ variable "cluster_version" { description = "Kubernetes version to use for the EKS cluster" type = string validation { - condition = can(regex("^[0-9]+\\.[0-9]+$", var.cluster_version)) && contains(["1.31", "1.32", "1.33"], var.cluster_version) - error_message = "Cluster version must be in the format 'x.y' (e.g., '1.33') and must be one of: 1.31, 1.32, 1.33" + condition = can(regex("^[0-9]+\\.[0-9]+$", var.cluster_version)) && contains(["1.31", "1.32", "1.33", "1.34"], var.cluster_version) + error_message = "Cluster version must be in the format 'x.y' (e.g., '1.33') and must be one of: 1.31, 1.32, 1.33, 1.34" } } From 219d228ea4e1a7246e0244be85638e5fa000c296 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 10 Oct 2025 18:13:49 -0400 Subject: [PATCH 17/27] make metrics-server work --- additional_sg_rules.tf | 8 ++++++++ main.tf | 6 +++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/additional_sg_rules.tf b/additional_sg_rules.tf index ae2b6f1..112b7b4 100644 --- a/additional_sg_rules.tf +++ b/additional_sg_rules.tf @@ -17,5 +17,13 @@ locals { to_port = 9443 type = "ingress" } + ingress_metrics_server = { + description = "Metrics server" + from_port = 10251 + protocol = "tcp" + source_cluster_security_group = true + to_port = 10251 + type = "ingress" + } } } diff --git a/main.tf b/main.tf index 5490bab..7e8a2e1 100644 --- a/main.tf +++ b/main.tf @@ -80,9 +80,9 @@ module "cluster" { # kube-state-metrics = { # most_recent = true # } - # metrics-server = { - # most_recent = true - # } + metrics-server = { + most_recent = true + } snapshot-controller = { most_recent = true } From 382c67d1a1f7d08e3949c00b4ebb036298a38663 Mon Sep 17 00:00:00 2001 
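Review bot: The `can(regex("^[0-9]+\\.[0-9]+$", var.cluster_version))` guard in the updated condition is redundant: every value accepted by `contains(["1.31", "1.32", "1.33", "1.34"], var.cluster_version)` already matches that pattern, so the condition can be reduced to the `contains(...)` call. The allow-list now has to be edited in two places per release (condition and `error_message`); deriving both from one local, e.g. `error_message = format("... must be one of: %s", join(", ", local.supported_cluster_versions))`, prevents the two from drifting. The `variable "cluster_version"` block starts outside the hunk.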
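Review bot: `ingress_metrics_server` in the additional_sg_rules.tf hunk opens 10251/tcp from the cluster security group, but an earlier commit in this series added the same component and port to the list in securitygroup.ports.tf (`component = "metrics-server"`, `from_port = 10251`); if both lists feed `node_security_group_additional_rules`, the rule is declared twice and the two definitions can drift. Keep one source of truth for the port, or add a comment naming which file is authoritative, e.g. `# metrics-server port: keep in sync with securitygroup.ports.tf`. Whether both lists are consumed is not visible in this hunk, so that should be confirmed. The `locals` block starts outside the hunk.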
From: "Matthew C. Morgan" Date: Fri, 10 Oct 2025 18:55:39 -0400 Subject: [PATCH 18/27] enable cert-manager --- irsa_roles.tf => irsa-roles.tf | 0 main.tf | 6 +++--- security_groups.tf => securitygroups.tf | 0 3 files changed, 3 insertions(+), 3 deletions(-) rename irsa_roles.tf => irsa-roles.tf (100%) rename security_groups.tf => securitygroups.tf (100%) diff --git a/irsa_roles.tf b/irsa-roles.tf similarity index 100% rename from irsa_roles.tf rename to irsa-roles.tf diff --git a/main.tf b/main.tf index 7e8a2e1..7c6cb1f 100644 --- a/main.tf +++ b/main.tf @@ -61,9 +61,9 @@ module "cluster" { most_recent = true service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn } - # cert-manager = { - # most_recent = true - # } + cert-manager = { + most_recent = true + } coredns = { most_recent = true } diff --git a/security_groups.tf b/securitygroups.tf similarity index 100% rename from security_groups.tf rename to securitygroups.tf From 8d8d1aabf31e568deec98cb8c21b499dfc2571b0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 14 Oct 2025 20:05:35 -0400 Subject: [PATCH 19/27] update karpenter label --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 7c6cb1f..0aea351 100644 --- a/main.tf +++ b/main.tf @@ -125,7 +125,7 @@ module "cluster" { } } labels = { - intent = "control-apps" + "karpenter.sh/controller" = "true" } } } From 5df581288c8703a9b295ab5c17ab47f54ac6b2c4 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 21 Oct 2025 20:02:33 -0400 Subject: [PATCH 20/27] remove tags as they are handled at the provider --- additional_sg_rules.tf | 8 ++++++++ cluster-admin.tf | 6 ------ irsa-roles.tf | 4 ---- main.tf | 18 +++++------------- 4 files changed, 13 insertions(+), 23 deletions(-) diff --git a/additional_sg_rules.tf b/additional_sg_rules.tf index 112b7b4..b93a8bf 100644 --- a/additional_sg_rules.tf +++ b/additional_sg_rules.tf 
@@ -25,5 +25,13 @@ locals { to_port = 10251 type = "ingress" } + ingress_cert_manager_webhook = { + description = "Cert Manager webhook" + from_port = 9402 + protocol = "tcp" + source_cluster_security_group = true + to_port = 9402 + type = "ingress" + } } } diff --git a/cluster-admin.tf b/cluster-admin.tf index 1f82da3..322c734 100644 --- a/cluster-admin.tf +++ b/cluster-admin.tf @@ -83,7 +83,6 @@ resource "aws_iam_role" "role_cluster-admin" { assume_role_policy = data.aws_iam_policy_document.allow_sts.json force_detach_policies = true - tags = var.tags } resource "aws_iam_policy_attachment" "cluster-admin-attach" { @@ -100,11 +99,6 @@ resource "aws_iam_policy" "cluster-admin-policy" { path = "/" description = "Allow for administration of the cluster ${var.cluster_name} using AWS resources" policy = data.aws_iam_policy_document.cluster-admin-policy.json - - tags = merge( - local.base_tags, - var.tags - ) } data "aws_iam_policy_document" "cluster-admin-policy" { diff --git a/irsa-roles.tf b/irsa-roles.tf index 9d06500..f3e20b7 100644 --- a/irsa-roles.tf +++ b/irsa-roles.tf @@ -14,7 +14,6 @@ module "vpc_cni_irsa_role" { namespace_service_accounts = ["kube-system:aws-node"] } } - tags = local.tags } module "ebs_csi_irsa_role" { @@ -31,7 +30,6 @@ module "ebs_csi_irsa_role" { namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] } } - tags = local.tags } module "efs_csi_irsa_role" { @@ -48,7 +46,6 @@ module "efs_csi_irsa_role" { namespace_service_accounts = ["kube-system:efs-csi-controller-sa"] } } - tags = local.tags } module "cloudwatch_observability_irsa_role" { @@ -67,5 +64,4 @@ module "cloudwatch_observability_irsa_role" { ] } } - tags = local.tags } diff --git a/main.tf b/main.tf index 0aea351..9392b05 100644 --- a/main.tf +++ b/main.tf 
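Review bot: `from_port = 9402` / `to_port = 9402` for `ingress_cert_manager_webhook` is the port cert-manager uses for Prometheus metrics upstream, not the webhook's listening port, so the rule's description and its port disagree and the control plane would still be unable to reach the admission webhook. The actual webhook port depends on how the EKS addon configures the webhook container, so confirm it from the addon's configuration rather than from upstream defaults before changing the value; a comment recording where the number came from, e.g. `# webhook port per the cert-manager EKS addon configuration`, would make the next review easier. The `locals` block starts outside the hunk.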
@@ -1,17 +1,10 @@ locals { additional_policies = {} - base_tags = { - "boc:eks_cluster_name" = var.cluster_name - "boc:tf_module_name" = local.module_name - "boc:tf_module_version" = local.module_version - "karpenter.sh/discovery" = var.cluster_name - } - max_tag_count = 45 - ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) - subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0] - tags = merge(local.base_tags, var.tags) - vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block - vpc_id = data.aws_vpc.eks_vpc.id + max_tag_count = 45 + ng_name = format("%v%v-nodegroup", local.prefixes["eks"], var.cluster_name) + subnets = [for k, v in data.aws_subnet.subnets : v.id if length(regexall("us-east-1e", v.availability_zone)) == 0] + vpc_cidr_block = data.aws_vpc.eks_vpc.cidr_block + vpc_id = data.aws_vpc.eks_vpc.id } resource "terraform_data" "subnet_validation" { @@ -129,7 +122,6 @@ module "cluster" { } } } - tags = local.tags } # Tag existing subnets for EKS From 7527d110664e3784c89a85115e69db7b675ad30d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 22 Oct 2025 17:14:53 -0400 Subject: [PATCH 21/27] =?UTF-8?q?=E2=9C=A8=20feat(cert-manager):=20add=20p?= =?UTF-8?q?ort=20for=20cert-manager=20webhook?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- additional_sg_rules.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/additional_sg_rules.tf b/additional_sg_rules.tf index b93a8bf..f4f5908 100644 --- a/additional_sg_rules.tf +++ b/additional_sg_rules.tf @@ -26,11 +26,11 @@ locals { type = "ingress" } ingress_cert_manager_webhook = { - description = "Cert Manager webhook" - from_port = 9402 + description = "cert-manager webhook" + from_port = 10260 protocol = "tcp" source_cluster_security_group = true - to_port = 9402 + to_port = 10260 type = "ingress" } } 
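Review bot: Dropping `base_tags` removes `"karpenter.sh/discovery" = var.cluster_name` along with the generic `boc:*` tags, and unlike the generic tags a per-cluster discovery value is not something a provider-level `default_tags` block shared across clusters can normally supply; Karpenter selects subnets and security groups by that tag, so node provisioning may stop working after this apply unless the provider configuration demonstrably sets it. Keep a minimal local such as `tags = { "karpenter.sh/discovery" = var.cluster_name }` and pass it to the cluster module (the `tags = local.tags` removal in this commit's second main.tf hunk) and to the security groups whose tags a later commit in this series removes. The `aws_ec2_tag.container_subnets` resource listed in the README suggests subnets are tagged separately, so the security groups are the more likely gap, but that is inferred rather than visible here.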
From 6b4b7a9ae840e4151c1afcc2c9dbc7cfc83ca163 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 22 Oct 2025 17:38:01 -0400 Subject: [PATCH 22/27] remove tags as they are handled at provider --- README.md | 2 +- main.tf | 2 +- securitygroups.tf | 33 +++++++-------------------------- 3 files changed, 9 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index 5c9153f..f53a3c5 100644 --- a/README.md +++ b/README.md @@ -113,7 +113,7 @@ efs-csi-controller 0 5m | Name | Source | Version | |------|--------|---------| | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | -| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.3.2 | +| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.4.0 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | diff --git a/main.tf b/main.tf index 9392b05..5aaf7c1 100644 --- a/main.tf +++ b/main.tf 
@@ -19,7 +19,7 @@ resource "terraform_data" "subnet_validation" { } module "cluster" { - source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.3.2" + source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.4.0" access_entries = local.access_entries cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days diff --git a/securitygroups.tf b/securitygroups.tf index 9712bda..a30f716 100644 --- a/securitygroups.tf +++ b/securitygroups.tf @@ -5,15 +5,9 @@ locals { } resource "aws_security_group" "additional_eks_cluster_sg" { - name = local.additional_eks_cluster_sg_name - - tags = merge( - local.base_tags, - var.tags, - { "Name" = local.additional_eks_cluster_sg_name }, - ) - - vpc_id = data.aws_vpc.eks_vpc.id + name = local.additional_eks_cluster_sg_name + description = format("Security group for additional access for EKS cluster %v", var.cluster_name) + vpc_id = data.aws_vpc.eks_vpc.id ingress { from_port = 0 @@ -46,15 +40,9 @@ resource "aws_security_group" "additional_eks_cluster_sg" { # once setup, you cannot change any ports here resource "aws_security_group" "all_worker_mgmt" { - name = local.all_worker_mgmt_name - - tags = merge( - local.base_tags, - var.tags, - { "Name" = local.all_worker_mgmt_name }, - ) - - vpc_id = local.vpc_id + name = local.all_worker_mgmt_name + description = format("Security group for all worker management access for EKS cluster %v", var.cluster_name) + vpc_id = local.vpc_id ingress { from_port = 0 
@@ -79,14 +67,7 @@ resource "aws_security_group" "all_worker_mgmt" { resource "aws_security_group" "extra_cluster_sg" { name = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name) description = format("Security group for additional access for EKS cluster %v", var.cluster_name) - - tags = merge( - local.base_tags, - var.tags, - { "Name" = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name) }, - ) - - vpc_id = data.aws_vpc.eks_vpc.id + vpc_id = data.aws_vpc.eks_vpc.id ingress { from_port = 0 From 05d3f108e9eeeba5ba54180434ce16db56d09311 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 23 Oct 2025 17:52:54 -0400 Subject: [PATCH 23/27] bump to latest --- README.md | 2 +- main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f53a3c5..015cf3b 100644 --- a/README.md +++ b/README.md @@ -113,7 +113,7 @@ efs-csi-controller 0 5m | Name | Source | Version | |------|--------|---------| | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | -| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.4.0 | +| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.6.1 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | 
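Review bot: Removing the `tags = merge(...)` blocks in the three securitygroups.tf hunks also removes each group's per-resource `"Name"` tag; a provider `default_tags` block can carry account-wide tags but cannot give each group its own Name, so these groups will appear in the console and in audit tooling only by ID. Keep a per-resource tag, e.g. `tags = { "Name" = local.all_worker_mgmt_name }` and the equivalent for the other two groups, unless provider tagging is known to set Name. Each `aws_security_group` block continues outside its hunk.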
diff --git a/main.tf b/main.tf index 5aaf7c1..414c421 100644 --- a/main.tf +++ b/main.tf @@ -19,7 +19,7 @@ resource "terraform_data" "subnet_validation" { } module "cluster" { - source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.4.0" + source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.6.1" access_entries = local.access_entries cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days From a902ac4d9b22d31a25bd920633bb20844838639e Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 23 Oct 2025 20:00:28 -0400 Subject: [PATCH 24/27] rename --- access_entries.tf => access-entries.tf | 0 additional_sg_rules.tf => additional-sg-rules.tf | 0 aws_data.tf => aws-data.tf | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename access_entries.tf => access-entries.tf (100%) rename additional_sg_rules.tf => additional-sg-rules.tf (100%) rename aws_data.tf => aws-data.tf (100%) diff --git a/access_entries.tf b/access-entries.tf similarity index 100% rename from access_entries.tf rename to access-entries.tf diff --git a/additional_sg_rules.tf b/additional-sg-rules.tf similarity index 100% rename from additional_sg_rules.tf rename to additional-sg-rules.tf diff --git a/aws_data.tf b/aws-data.tf similarity index 100% rename from aws_data.tf rename to aws-data.tf From 332a563b60699c9f9f594ae88fa0721561c8610b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 27 Oct 2025 17:54:06 -0400 Subject: [PATCH 25/27] deprecated roles --- cluster-admin.tf => cluster-admin.tf.off | 3 +++ cluster-role.tf => cluster-role.tf.off | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) rename cluster-admin.tf => cluster-admin.tf.off (96%) rename cluster-role.tf => cluster-role.tf.off (94%) diff --git a/cluster-admin.tf b/cluster-admin.tf.off similarity index 96% rename from cluster-admin.tf rename to cluster-admin.tf.off index 322c734..fe06daf 100644 --- a/cluster-admin.tf 
+++ b/cluster-admin.tf.off @@ -1,5 +1,8 @@ #--- # cluster-admin +# This is deprecated by +# enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions +# in main.tf #--- locals { iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) diff --git a/cluster-role.tf b/cluster-role.tf.off similarity index 94% rename from cluster-role.tf rename to cluster-role.tf.off index 7347e64..be6d5a6 100644 --- a/cluster-role.tf +++ b/cluster-role.tf.off @@ -1,5 +1,8 @@ #--- -# cluster +# cluster role +# This is deprecated by +# enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions +# in main.tf #--- locals { cluster_managed_policy_list = [ From cc8f6f19e834dc2da864e188300c3bd606ae2926 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 27 Oct 2025 17:55:01 -0400 Subject: [PATCH 26/27] diable public access endpoints --- README.md | 18 +----------------- aws-data.tf | 2 -- variables.tf | 2 +- 3 files changed, 2 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 015cf3b..c72b8fa 100644 --- a/README.md +++ b/README.md 
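Review bot: Renaming `cluster-admin.tf` and `cluster-role.tf` to `.tf.off` takes every resource they declared out of the configuration, so the next plan proposes destroying `aws_iam_role.role_cluster-admin`, `aws_iam_policy_attachment.cluster-admin-attach`, `aws_iam_policy.cluster-admin-policy` and the `role_eks-cluster` resources from state rather than merely deprecating them; the added header comments describe the replacement but not this consequence. Confirm nothing, including the running cluster or operators' role assumptions, still depends on those IAM roles before applying, and if they must survive, detach them from state with `removed` blocks (where the Terraform version supports them) or `terraform state rm` instead. Extend the header with something like `# NOTE: disabling this file destroys the resources below on the next apply`.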
@@ -123,15 +123,6 @@ efs-csi-controller 0 5m | Name | Type | |------|------| | [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | -| [aws_iam_policy.cloudwatch-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.cluster-admin-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.nlb-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy_attachment.cluster-admin-attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | -| [aws_iam_role.role_cluster-admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.role_eks-cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.eks-cluster-cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.eks-cluster-managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.eks-cluster-nlb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | 
[aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | 
@@ -144,18 +135,11 @@ efs-csi-controller 0 5m | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | -| [aws_iam_policy.cluster_managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy_document.allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.cloudwatch-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.cluster-admin-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.eks_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.nlb-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source | | 
[aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | | [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_vpc.eks_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | @@ -168,7 +152,7 @@ efs-csi-controller 0 5m | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16",
"10.0.0.0/16"
]
| no | | [cloudwatch\_retention\_days](#input\_cloudwatch\_retention\_days) | number of days to retain logs in cloudwatch | `string` | `"14"` | no | | [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Whether the EKS cluster API server endpoint is privately accessible | `bool` | `true` | no | -| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `true` | no | +| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no | diff --git a/aws-data.tf b/aws-data.tf index 4c35bb2..1402bc0 100644 --- a/aws-data.tf +++ b/aws-data.tf @@ -1,7 +1,5 @@ data "aws_caller_identity" "current" {} -data "aws_region" "current" {} - data "aws_arn" "current" { arn = data.aws_caller_identity.current.arn } diff --git a/variables.tf b/variables.tf index 131e9e4..cbb084f 100644 --- a/variables.tf +++ b/variables.tf @@ -25,7 +25,7 @@ variable "cluster_endpoint_private_access" { variable "cluster_endpoint_public_access" { description = "Whether the EKS cluster API server endpoint is publicly accessible" type = bool - default = true + default = false } variable "enable_cluster_creator_admin_permissions" { From 4f056504f05eb2f638dbc1425a4e0a8fe40fe63b Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Wed, 7 Jan 2026 17:41:19 -0500 Subject: [PATCH 27/27] =?UTF-8?q?=F0=9F=90=9B=20fix(security=5Fgroups):=20?= =?UTF-8?q?Adds=20census=20private=20networks=20to=20sgs=20so=20kubectl=20?= =?UTF-8?q?works=20with=20only=20private=20access?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 8 +++---- access-entries.tf | 7 ++++++- additional-sg-rules.tf | 47 +++++++++++++++++++++++++++++++++++------- main.tf | 8 ++++--- securitygroup.ports.tf | 45 ++++++++-------------------------------- variables.tf | 12 ----------- 6 files changed, 62 insertions(+), 65 deletions(-) diff --git a/README.md b/README.md index c72b8fa..70396bf 100644 --- a/README.md +++ b/README.md @@ -104,7 +104,7 @@ efs-csi-controller 0 5m | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.16.0 | +| [aws](#provider\_aws) | 6.27.0 | | [null](#provider\_null) | 3.2.4 | | [terraform](#provider\_terraform) | n/a | 
@@ -113,7 +113,7 @@ efs-csi-controller 0 5m | Name | Source | Version | |------|--------|---------| | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | -| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.6.1 | +| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.11.0 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | 
@@ -129,7 +129,6 @@ efs-csi-controller 0 5m | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_vpc_security_group_egress_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | | [aws_vpc_security_group_ingress_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | -| [aws_vpc_security_group_ingress_rule.additional_ingress_rules_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | | [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | 
@@ -137,6 +136,7 @@ efs-csi-controller 0 5m | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | | [aws_iam_roles.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | +| [aws_iam_roles.sso_devs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | @@ -151,8 +151,6 @@ efs-csi-controller 0 5m | [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | | [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` |
[
"148.129.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16",
"10.0.0.0/16"
]
| no | | [cloudwatch\_retention\_days](#input\_cloudwatch\_retention\_days) | number of days to retain logs in cloudwatch | `string` | `"14"` | no | -| [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Whether the EKS cluster API server endpoint is privately accessible | `bool` | `true` | no | -| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `false` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no | diff --git a/access-entries.tf b/access-entries.tf index d206d07..5f9c6ea 100644 --- a/access-entries.tf +++ b/access-entries.tf @@ -10,6 +10,11 @@ data "aws_iam_roles" "sso_admins" { path_prefix = "/aws-reserved/sso.amazonaws.com/" } +data "aws_iam_roles" "sso_devs" { + name_regex = "AWSReservedSSO_sc-developer" + path_prefix = "/aws-reserved/sso.amazonaws.com/" +} + data "aws_iam_roles" "roles" { name_regex = "r-inf-terraform(-eks)" } @@ -38,7 +43,7 @@ locals { } } viewers = { - for arn in tolist(data.aws_iam_roles.sso_read.arns) : + for arn in concat(tolist(data.aws_iam_roles.sso_read.arns), tolist(data.aws_iam_roles.sso_devs.arns)) : arn => { principal_arn = arn kubernetes_groups = ["eks-console-dashboard-restricted-access-group"] diff --git a/additional-sg-rules.tf b/additional-sg-rules.tf index f4f5908..f2b3c77 100644 --- a/additional-sg-rules.tf +++ b/additional-sg-rules.tf 
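Review bot: `name_regex = "AWSReservedSSO_sc-developer"` in the new `sso_devs` data source is unanchored, so it also matches any Identity Center role whose name merely contains that string (a permission set such as `sc-developer-admin` would be pulled into the viewer set as well). Since these ARNs are concatenated into the `viewers` access entries in the second hunk, anchor the pattern to the exact permission set, e.g. `name_regex = "^AWSReservedSSO_sc-developer_"`, assuming the permission set is named exactly `sc-developer`. The `locals` block containing `viewers` starts outside the hunk.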
@@ -17,14 +17,15 @@ locals { to_port = 9443 type = "ingress" } - ingress_metrics_server = { - description = "Metrics server" - from_port = 10251 - protocol = "tcp" - source_cluster_security_group = true - to_port = 10251 - type = "ingress" - } + # no longer required as of k8s v1.34+ + # ingress_metrics_server = { + # description = "Metrics server" + # from_port = 10251 + # protocol = "tcp" + # source_cluster_security_group = true + # to_port = 10251 + # type = "ingress" + # } ingress_cert_manager_webhook = { description = "cert-manager webhook" from_port = 10260 @@ -34,4 +35,34 @@ locals { type = "ingress" } } + cluster_security_group_additional_rules = { + api_internal_148_129 = { + cidr_blocks = ["148.129.0.0/16"] + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + description = "Census Internal 148.129/16" + }, + api_internal_192_168 = { + cidr_blocks = ["192.168.0.0/16"] + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + description = "Census Internal 192.168/16" + }, + api_internal_172_16 = { + cidr_blocks = ["172.16.0.0/12"] + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + description = "Census Internal 172.16/12" + }, + api_internal_10_0 = { + cidr_blocks = ["10.0.0.0/8"] + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + description = "Census Internal 10/8" + } + } } diff --git a/main.tf b/main.tf index 414c421..9c127fc 100644 --- a/main.tf +++ b/main.tf 
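Review bot: The `ingress_metrics_server` rule is commented out with the remark that it is no longer required as of k8s v1.34+, but `cluster_version` is a required caller-supplied input, so the rule disappears for every cluster this module deploys, including ones still below 1.34. Either gate the rule on the version (a local derived from `split(".", var.cluster_version)` merged into the map) or, if no supported cluster needs it any more, delete the block outright rather than leaving it as a comment; git history keeps it, and the same applies to the commented-out `additional_ingress_rules_2` resource in the securitygroup.ports.tf hunk below. The enclosing `locals` block starts outside the hunk.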
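Review bot: The new `cluster_security_group_additional_rules` hard-codes the four Census ranges that `var.census_private_cidr` already carries (the README hunk in this commit shows its default), and the two lists disagree: the variable says `10.0.0.0/16` while `api_internal_10_0` opens API port 443 to `10.0.0.0/8`, the whole 10/8 space. Derive the map from the variable so the allowlist has one source of truth, then decide deliberately whether /8 or /16 is the intended scope; the narrower range that still reaches the operator networks is preferable for a control-plane endpoint. The entries also mix `cidr_blocks` (a list) with `ip_protocol`, whereas the node rules earlier in the same file use `protocol`/`type`; I cannot see the forked module's schema for `security_group_additional_rules` at v21.11.0, so confirm those attribute names against it. The enclosing `locals` block starts outside the hunk.
```hcl
  cluster_security_group_additional_rules = {
    for cidr in var.census_private_cidr :
    "api_internal_${replace(replace(cidr, ".", "_"), "/", "_")}" => {
      cidr_blocks = [cidr]
      from_port   = 443
      to_port     = 443
      ip_protocol = "tcp"
      description = "Census Internal ${cidr}"
    }
  }
```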
@@ -19,12 +19,12 @@ resource "terraform_data" "subnet_validation" { } module "cluster" { - source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.6.1" + source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.11.0" access_entries = local.access_entries cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days - endpoint_private_access = var.cluster_endpoint_private_access - endpoint_public_access = var.cluster_endpoint_public_access + endpoint_private_access = true + endpoint_public_access = false name = var.cluster_name upgrade_policy = { support_type = "STANDARD" } kubernetes_version = var.cluster_version @@ -90,6 +90,8 @@ module "cluster" { node_security_group_additional_rules = local.node_security_group_additional_rules + security_group_additional_rules = local.cluster_security_group_additional_rules + eks_managed_node_groups = { karpenter_controllers = { name = local.ng_name diff --git a/securitygroup.ports.tf b/securitygroup.ports.tf index a366d18..288178a 100644 --- a/securitygroup.ports.tf +++ b/securitygroup.ports.tf @@ -84,21 +84,6 @@ locals { } ] - sg_additional_ports_2 = [ - { - component = "istio" - description = "XDS and CA services (TLS and mTLS)" - from_port = 15012 - to_port = 15012 - }, - { - component = "istio" - description = "Webhook container port, forwarded from 443" - from_port = 15017 - to_port = 15017 - } - ] - sg_additional_ingress_rules = { for ikey, ivalue in local.sg_additional_ports : "${ikey}_ingress" => { @@ -122,18 +107,6 @@ locals { self = true } } - - sg_additional_ingress_rules_2 = { - for ikey, ivalue in local.sg_additional_ports_2 : - "${ikey}_ingress" => { - description = ivalue.description - protocol = "tcp" - from_port = ivalue.from_port - to_port = ivalue.to_port - type = "ingress" - self = true - } - } } resource "aws_vpc_security_group_ingress_rule" "additional" { 
@@ -158,13 +131,13 @@ resource "aws_vpc_security_group_egress_rule" "additional" { referenced_security_group_id = each.value.self ? aws_security_group.additional_eks_cluster_sg.id : null } -resource "aws_vpc_security_group_ingress_rule" "additional_ingress_rules_2" { - for_each = { for k, v in local.sg_additional_ingress_rules_2 : v.from_port => v } - security_group_id = aws_security_group.extra_cluster_sg.id +# resource "aws_vpc_security_group_ingress_rule" "additional_ingress_rules_2" { +# for_each = { for k, v in local.sg_additional_ingress_rules_2 : v.from_port => v } +# security_group_id = aws_security_group.extra_cluster_sg.id - description = each.value.description - from_port = each.value.from_port - to_port = each.value.to_port - ip_protocol = each.value.protocol - referenced_security_group_id = aws_security_group.additional_eks_cluster_sg.id -} +# description = each.value.description +# from_port = each.value.from_port +# to_port = each.value.to_port +# ip_protocol = each.value.protocol +# referenced_security_group_id = aws_security_group.additional_eks_cluster_sg.id +# } diff --git a/variables.tf b/variables.tf index cbb084f..be02865 100644 --- a/variables.tf +++ b/variables.tf @@ -16,18 +16,6 @@ variable "cluster_version" { } } -variable "cluster_endpoint_private_access" { - description = "Whether the EKS cluster API server endpoint is privately accessible" - type = bool - default = true -} - -variable "cluster_endpoint_public_access" { - description = "Whether the EKS cluster API server endpoint is publicly accessible" - type = bool - default = false -} - variable "enable_cluster_creator_admin_permissions" { description = "Grant admin permissions to the cluster creator" type = bool
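Review bot: Disabling `additional_ingress_rules_2` (together with the deleted `sg_additional_ports_2` locals in the earlier hunks) removes the Istio XDS/CA (15012) and webhook (15017) ingress from `additional_eks_cluster_sg` into `extra_cluster_sg`, yet the README in this commit still lists `aws_security_group_rule.allow_sidecar_injection`, which suggests Istio sidecar injection is still expected. If Istio is still deployed, dropping these rules could break istiod connectivity rather than only tidy up; if it has been retired, the commit message should say so and the `allow_sidecar_injection` rule should go with it. The `aws_vpc_security_group_egress_rule.additional` resource preceding the change starts outside the hunk.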