From 24b5136e06c01133083910c3f40470c6bef5b980 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 20 Jan 2026 16:54:05 -0500 Subject: [PATCH 1/6] =?UTF-8?q?=F0=9F=93=A6=EF=B8=8F=20package(addons):=20?= =?UTF-8?q?create=20separate=20file=20for=20addons=20and=20add=20kube-stat?= =?UTF-8?q?e-metrics=20and=20prometheus-node-exporter?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- addons.tf | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ main.tf | 45 +-------------------------------------------- 3 files changed, 51 insertions(+), 45 deletions(-) create mode 100644 addons.tf diff --git a/README.md b/README.md index 70396bf..a909a95 100644 --- a/README.md +++ b/README.md @@ -104,7 +104,7 @@ efs-csi-controller 0 5m | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.27.0 | +| [aws](#provider\_aws) | 6.28.0 | | [null](#provider\_null) | 3.2.4 | | [terraform](#provider\_terraform) | n/a | diff --git a/addons.tf b/addons.tf new file mode 100644 index 0000000..9e8d98a --- /dev/null +++ b/addons.tf 
@@ -0,0 +1,49 @@
+locals {
+ addons = {
+ amazon-cloudwatch-observability = {
+ most_recent = true
+ service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn
+ }
+ aws-ebs-csi-driver = {
+ most_recent = true
+ service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
+ }
+ aws-efs-csi-driver = {
+ most_recent = true
+ service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn
+ }
+ cert-manager = {
+ most_recent = true
+ }
+ coredns = {
+ most_recent = true
+ }
+ eks-node-monitoring-agent = {
+ most_recent = true
+ }
+ eks-pod-identity-agent = {
+ most_recent = true
+ before_compute = true
+ }
+ kube-proxy = {
+ most_recent = true
+ }
+ kube-state-metrics = {
+ most_recent = true
+ }
+ metrics-server = {
+ most_recent = true
+ }
+ prometheus-node-exporter = {
+ most_recent = true
+ }
+ snapshot-controller = {
+ most_recent = true
+ }
+ vpc-cni = {
+ most_recent = true
+ service_account_role_arn = module.vpc_cni_irsa_role.iam_role_arn
+ before_compute = true
+ }
+ }
+}
diff --git a/main.tf b/main.tf
index 9c127fc..3362d0b 100644
--- a/main.tf
+++ b/main.tf
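Review bot: Every entry in the new `local.addons` map, including the two add-ons this commit introduces (`kube-state-metrics` and `prometheus-node-exporter`), uses `most_recent = true` with no `addon_version`, so the version installed is whatever AWS publishes as latest at plan time rather than something fixed by the commit. Two applies of the same revision can therefore install different add-on versions, and an upgrade can land inside an unrelated change, which makes regressions hard to attribute and roll back. If floating to latest is the intended policy, record it once at the top of the map, e.g. `# All add-ons track the latest compatible version; set addon_version on an entry when its upgrade must be scheduled explicitly.`; otherwise pin `addon_version` for the add-ons whose upgrade you want to control.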
@@ -41,50 +41,7 @@ module "cluster" { vpc_id = local.vpc_id subnet_ids = local.subnets - addons = { - amazon-cloudwatch-observability = { - most_recent = true - service_account_role_arn = module.cloudwatch_observability_irsa_role.iam_role_arn - } - aws-ebs-csi-driver = { - most_recent = true - service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn - } - aws-efs-csi-driver = { - most_recent = true - service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn - } - cert-manager = { - most_recent = true - } - coredns = { - most_recent = true - } - eks-node-monitoring-agent = { - most_recent = true - } - eks-pod-identity-agent = { - most_recent = true - before_compute = true - } - kube-proxy = { - most_recent = true - } - # kube-state-metrics = { - # most_recent = true - # } - metrics-server = { - most_recent = true - } - snapshot-controller = { - most_recent = true - } - vpc-cni = { - most_recent = true - service_account_role_arn = module.vpc_cni_irsa_role.iam_role_arn - before_compute = true - } - } + addons = local.addons node_security_group_enable_recommended_rules = true From a759ef8bbcaac38c830b012d37de99a4a1e7132d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 20 Jan 2026 17:02:47 -0500 Subject: [PATCH 2/6] =?UTF-8?q?=F0=9F=90=9B=20fix(prometheus-node-exporter?= =?UTF-8?q?):=20add=20namespace=20to=20prometheus-node-exporter=20addon?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 1 + addons.tf | 1 + main.tf | 2 +- variables.tf | 10 ++++++++++ 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a909a95..b158f0c 100644 --- a/README.md +++ b/README.md 
@@ -161,6 +161,7 @@ efs-csi-controller 0 5m | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Grant admin permissions to the cluster creator | `bool` | `true` | no | | [subnets\_name](#input\_subnets\_name) | Name pattern for subnets to be used by EKS cluster | `string` | `"*-container-*"` | no | | [tags](#input\_tags) | Additional tags to apply to all resources | `map(string)` | `{}` | no | +| [telemetry\_namespace](#input\_telemetry\_namespace) | Namespace for telemetry components | `string` | `"telemetry"` | no | | [vpc\_name](#input\_vpc\_name) | Name of the VPC where EKS cluster will be created | `string` | n/a | yes | ## Outputs diff --git a/addons.tf b/addons.tf index 9e8d98a..3f83cd8 100644 --- a/addons.tf +++ b/addons.tf @@ -36,6 +36,7 @@ locals { } prometheus-node-exporter = { most_recent = true + namespace = var.telemetry_namespace } snapshot-controller = { most_recent = true diff --git a/main.tf b/main.tf index 3362d0b..4507be3 100644 --- a/main.tf +++ b/main.tf @@ -50,7 +50,7 @@ module "cluster" { security_group_additional_rules = local.cluster_security_group_additional_rules eks_managed_node_groups = { - karpenter_controllers = { + karpenter = { name = local.ng_name ami_type = "BOTTLEROCKET_x86_64" capacity_type = "ON_DEMAND" diff --git a/variables.tf b/variables.tf index be02865..dbd959a 100644 --- a/variables.tf +++ b/variables.tf @@ -145,3 +145,13 @@ variable "cloudwatch_retention_days" { type = string default = "14" } + +variable "telemetry_namespace" { + description = "Namespace for telemetry components" + type = string + default = "telemetry" + validation { + condition = can(regex("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", var.telemetry_namespace)) && length(var.telemetry_namespace) <= 63 + error_message = "Namespace must consist of lower case alphanumeric characters or '-', start and end with an alphanumeric character, and be no longer than 63 characters." + } +} 
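Review bot: Renaming the `eks_managed_node_groups` key from `karpenter_controllers` to `karpenter` in the main.tf hunk changes the Terraform address of the managed node group, so the next plan should show the existing group destroyed and a new one created rather than updated in place, and the commit message ("add namespace to prometheus-node-exporter addon") does not mention this. Because `name = local.ng_name` is unchanged, the replacement group would carry the same AWS name as the one being removed, so the ordering of that destroy and create also needs checking before apply. Consider moving the state first (`terraform state mv`, or a `moved` block for the node-group module instance if the module address allows it) or splitting the rename into its own commit so the replacement is reviewed deliberately. The enclosing `module "cluster"` block starts and ends outside the hunk.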
From f11d6ea0067f6300521434f78db1e2d7d0b2d9f1 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 20 Jan 2026 17:40:47 -0500 Subject: [PATCH 3/6] =?UTF-8?q?=F0=9F=94=96=20bump(eks):=20update=20versio?= =?UTF-8?q?n=20from=20upstream=20to=20latest?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- main.tf | 2 +- additional-sg-rules.tf => securitygroups.rules.tf | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename additional-sg-rules.tf => securitygroups.rules.tf (100%) diff --git a/README.md b/README.md index b158f0c..340e095 100644 --- a/README.md +++ b/README.md @@ -113,7 +113,7 @@ efs-csi-controller 0 5m | Name | Source | Version | |------|--------|---------| | [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | -| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.11.0 | +| [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v21.15.1 | | [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | | [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-iam//modules/iam-role-for-service-accounts-eks | n/a | diff --git a/main.tf b/main.tf index 4507be3..072f21d 100644 --- a/main.tf +++ b/main.tf 
@@ -19,7 +19,7 @@ resource "terraform_data" "subnet_validation" { } module "cluster" { - source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.11.0" + source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v21.15.1" access_entries = local.access_entries cloudwatch_log_group_retention_in_days = var.cloudwatch_retention_days diff --git a/additional-sg-rules.tf b/securitygroups.rules.tf similarity index 100% rename from additional-sg-rules.tf rename to securitygroups.rules.tf From a3a3d9a70268cc5366872a8404215e077fa005c0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 21 Jan 2026 18:58:33 -0500 Subject: [PATCH 4/6] =?UTF-8?q?=F0=9F=90=9B=20fix(node-size):=20increase?= =?UTF-8?q?=20base=20node=20size=20to=20t3a.large=20and=20enable=20node=20?= =?UTF-8?q?repair?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- main.tf | 3 +++ variables.tf | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 340e095..254d9c9 100644 --- a/README.md +++ b/README.md @@ -154,7 +154,7 @@ efs-csi-controller 0 5m | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes | | [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no | -| [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` |
[
"t3a.medium"
]
| no | +| [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` |
[
"t3a.large"
]
| no | | [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Desired size of the EKS node group | `number` | `2` | no | | [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Maximum size of the EKS node group | `number` | `2` | no | | [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Minimum size of the EKS node group | `number` | `2` | no | diff --git a/main.tf b/main.tf index 072f21d..47e6391 100644 --- a/main.tf +++ b/main.tf @@ -60,6 +60,9 @@ module "cluster" { min_size = var.eks_ng_min_size max_size = var.eks_ng_max_size desired_size = var.eks_ng_desired_size + node_repair_config = { + enabled = true + } iam_role_name = format("%v%v-nodegroup", local.prefixes["eks-role"], var.cluster_name) iam_role_additional_policies = local.additional_policies diff --git a/variables.tf b/variables.tf index dbd959a..ffbd117 100644 --- a/variables.tf +++ b/variables.tf @@ -55,7 +55,7 @@ variable "eks_instance_types" { description = "List of EC2 instance types for the EKS node group" type = list(string) default = [ - "t3a.medium" + "t3a.large" ] validation { condition = length(var.eks_instance_types) > 0 From ae3b836bf18bf7972cb8cca9ac9f132927e71e9b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 24 Feb 2026 12:27:43 -0500 Subject: [PATCH 5/6] fix(addons) do not assign to telemetry namespace --- README.md | 1 - addons.tf | 1 - variables.tf | 10 ---------- 3 files changed, 12 deletions(-) diff --git a/README.md b/README.md index 254d9c9..a4859b8 100644 --- a/README.md +++ b/README.md 
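Review bot: `node_repair_config = { enabled = true }` in the main.tf hunk is hard-coded while every neighbouring node-group setting (`min_size`, `max_size`, `desired_size`, instance types) is driven by a variable, so an environment cannot opt out without editing main.tf. A variable in the same style, e.g. `variable "eks_ng_node_repair_enabled" { type = bool  default = true }` with `enabled = var.eks_ng_node_repair_enabled`, keeps this commit's behaviour as the default while making the choice visible in the README inputs table. If I recall the EKS documentation correctly, node auto repair depends on the node monitoring agent for condition detection, and `local.addons` already installs `eks-node-monitoring-agent`; a one-line comment on the block such as `# Relies on the eks-node-monitoring-agent add-on (see addons.tf).` would record that dependency. The enclosing `module "cluster"` block starts and ends outside the hunk.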
@@ -161,7 +161,6 @@ efs-csi-controller 0 5m | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Grant admin permissions to the cluster creator | `bool` | `true` | no | | [subnets\_name](#input\_subnets\_name) | Name pattern for subnets to be used by EKS cluster | `string` | `"*-container-*"` | no | | [tags](#input\_tags) | Additional tags to apply to all resources | `map(string)` | `{}` | no | -| [telemetry\_namespace](#input\_telemetry\_namespace) | Namespace for telemetry components | `string` | `"telemetry"` | no | | [vpc\_name](#input\_vpc\_name) | Name of the VPC where EKS cluster will be created | `string` | n/a | yes | ## Outputs diff --git a/addons.tf b/addons.tf index 3f83cd8..9e8d98a 100644 --- a/addons.tf +++ b/addons.tf @@ -36,7 +36,6 @@ locals { } prometheus-node-exporter = { most_recent = true - namespace = var.telemetry_namespace } snapshot-controller = { most_recent = true diff --git a/variables.tf b/variables.tf index ffbd117..f4463ec 100644 --- a/variables.tf +++ b/variables.tf @@ -145,13 +145,3 @@ variable "cloudwatch_retention_days" { type = string default = "14" } - -variable "telemetry_namespace" { - description = "Namespace for telemetry components" - type = string - default = "telemetry" - validation { - condition = can(regex("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", var.telemetry_namespace)) && length(var.telemetry_namespace) <= 63 - error_message = "Namespace must consist of lower case alphanumeric characters or '-', start and end with an alphanumeric character, and be no longer than 63 characters." - } -} From 40518ab329c07beab283eda2d2a9beccdb544bdd Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 26 Feb 2026 12:23:40 -0500 Subject: [PATCH 6/6] feat(access-entries) add sc-eks to admin entries --- README.md | 1 + access-entries.tf | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a4859b8..7961359 100644 --- a/README.md 
+++ b/README.md @@ -138,6 +138,7 @@ efs-csi-controller 0 5m | [aws_iam_roles.sso_admins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_roles.sso_devs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_roles.sso_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | +| [aws_iam_roles.sso_sc_eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_roles) | data source | | [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source | | [aws_kms_key.ebs_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_subnet.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | diff --git a/access-entries.tf b/access-entries.tf index 5f9c6ea..d6a029c 100644 --- a/access-entries.tf +++ b/access-entries.tf @@ -15,6 +15,11 @@ data "aws_iam_roles" "sso_devs" { path_prefix = "/aws-reserved/sso.amazonaws.com/" } +data "aws_iam_roles" "sso_sc_eks" { + name_regex = "AWSReservedSSO_sc-eks" + path_prefix = "/aws-reserved/sso.amazonaws.com/" +} + data "aws_iam_roles" "roles" { name_regex = "r-inf-terraform(-eks)" } 
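Review bot: `name_regex = "AWSReservedSSO_sc-eks"` in the new `sso_sc_eks` data source is unanchored, so it matches every IAM role whose name merely contains that string, and the following hunk feeds all returned ARNs into `admin_arns`, which become admin access entries on the cluster. A permission set named, say, `sc-eks-readonly` would then silently receive cluster admin. Anchor the pattern to the SSO role naming scheme, e.g. `name_regex = "^AWSReservedSSO_sc-eks_[0-9a-f]+$"` (adjust the suffix to the role names actually present in the account), and check whether the existing `sso_admins`, `sso_devs` and `sso_read` patterns, declared outside the hunk, have the same issue. A short comment above the block stating which permission set it maps and that it grants admin would help the next reviewer.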
@@ -26,7 +31,7 @@ data "aws_iam_roles" "sso_read" { locals { access_entries = merge(local.admins, local.viewers) - admin_arns = [for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns)) : arn if arn != data.aws_iam_session_context.current.issuer_arn] + admin_arns = [for arn in concat(tolist(data.aws_iam_roles.roles.arns), tolist(data.aws_iam_roles.sso_admins.arns), tolist(data.aws_iam_roles.sso_sc_eks.arns)) : arn if arn != data.aws_iam_session_context.current.issuer_arn] admins = { for arn in local.admin_arns : arn => {