diff --git a/aws_data.tf b/aws_data.tf
deleted file mode 100644
index 1e41f1d..0000000
--- a/aws_data.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-
-data "aws_caller_identity" "current" {}
-
-data "aws_arn" "current" {
- arn = data.aws_caller_identity.current.arn
-}
-
-data "aws_iam_openid_connect_provider" "openid" {
- url = var.cluster_oidc_issuer_url
-}
-
-
diff --git a/main.tf b/main.tf
index 09e6b39..6af8727 100644
--- a/main.tf
+++ b/main.tf
@@ -18,9 +18,43 @@ data "kubernetes_namespace" "existing-ns" {
 }
 
 locals {
+ base_tags = {
+ "eks-cluster-name" = var.cluster_name
+ "boc:tf_module_name" = local._module_name
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ CostAllocation = var.tag_costallocation
+ }
+
 ns = try(kubernetes_namespace.ns[0].metadata[0].name, data.kubernetes_namespace.existing-ns[0].metadata[0].name)
 }
 
+module "loki-irsa-role" {
+ #source = "git@github.it.census.gov:SOA/tfmod-custom-iam-role-for-service-account-eks.git/?ref=1.0.0"
+ source = "git@github.it.census.gov:SOA/tfmod-custom-iam-role-for-service-account-eks.git/"
+
+ role_name = "${var.cluster_name}-loki"
+
+ attach_s3_bucket_owner_policy = true
+ attach_encrypted_object_manager_policy = true
+
+ s3_bucket_arns = [
+ module.loki-s3.s3_bucket_arn,
+ "${module.loki-s3.s3_bucket_arn}/*",
+ ]
+ kms_key_arns = [
+ "${module.loki-s3.kms_key_arn}"
+ ]
+
+ oidc_providers = {
+ main = {
+ provider_arn = var.oidc_provider_arn
+ namespace_service_accounts = ["${var.namespace}:loki"]
+ }
+ }
+ tags = merge(local.base_tags, var.additional_tags)
+}
+
 resource "helm_release" "loki" {
 chart = "loki"
 version = var.loki_chart_version
@@ -211,7 +245,7 @@ resource "helm_release" "loki" {
 
 set {
 name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
- value = format("r-eks-%v-irsa-loki-sa", var.cluster_name)
+ value = module.loki-irsa-role.iam_role_arn
 }
 
 set {
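Review bot: The module source `source = "git@github.it.census.gov:SOA/tfmod-custom-iam-role-for-service-account-eks.git/"` carries no `?ref=`, so every plan resolves whatever the remote's default branch holds at that moment, and the IAM role and policies attached to the Loki service account can change without any change in this repository; the commented-out line directly above shows the pinned form, `source = "git@github.it.census.gov:SOA/tfmod-custom-iam-role-for-service-account-eks.git/?ref=1.0.0"`, and a tag or commit ref should be restored there. A second point worth confirming: the deleted policies.tf granted an explicit action list on the bucket and key, whereas `attach_s3_bucket_owner_policy = true` and `attach_encrypted_object_manager_policy = true` delegate the policy content to that module, so this diff does not show whether the resulting permissions stay scoped to the ARNs in `s3_bucket_arns` and `kms_key_arns` or are broader; a one-line comment stating what those two flags grant would help the next reader. Minor style point: the `kms_key_arns` element `"${module.loki-s3.kms_key_arn}"` is a bare interpolation and reads better as `module.loki-s3.kms_key_arn`.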
@@ -282,8 +316,4 @@ resource "helm_release" "loki" {
 name = "gateway.image.tag"
 value = module.images.images[local.provisioner_key].tag
 }
- # referencing vi /home/z/zawac002/eks-middleware-deployment/charts/loki-scalable/dev-values.yaml
- # /home/z/zawac002/eks-middleware-deployment/charts/loki-scalable
- # Using diff orig_values.yaml dev-values.yaml | less
- # Up through:
 }
diff --git a/policies.tf b/policies.tf
deleted file mode 100644
index bd0731f..0000000
--- a/policies.tf
+++ /dev/null
@@ -1,78 +0,0 @@
-## bucket policy
-data "aws_iam_policy_document" "loki-s3-policy" {
- statement {
- sid = "LokiS3bucketPermissions"
- effect = "Allow"
- actions = [
- "s3:GetObject*",
- "s3:PutObject*",
- "s3:List*",
- "s3:DeleteObject*",
- "s3:PutBucketVersioning",
- "s3:GetBucket*",
- "s3:AbortMultipartUpload"
- ]
- resources = [
- "arn:${data.aws_arn.current.partition}:s3:::v-s3-${module.loki-s3.s3_requested_bucket_name}",
- "arn:${data.aws_arn.current.partition}:s3:::v-s3-${module.loki-s3.s3_requested_bucket_name}/*"
- ]
- }
-}
-
-resource "aws_iam_policy" "loki-s3-policy" {
- name = trim(format("%v-loki-s3-policy", var.cluster_name), "adsd-")
- description = "Policy for Loki S3 bucket."
-
- policy = data.aws_iam_policy_document.loki-s3-policy.json
-}
-
-## kms policy
-data "aws_iam_policy_document" "loki-kms-policy" {
- statement {
- sid = "AllowLokiRoleKMSActions1"
- effect = "Allow"
- actions = [
- "kms:GenerateDataKey",
- "kms:Decrypt",
- "kms:Encrypt",
- "kms:DescribeKey",
- "kms:ReEncrypt*"
- ]
- resources = [
- "${module.loki-s3.kms_key_arn}"
- ]
- }
-}
-
-resource "aws_iam_policy" "loki-kms-policy" {
- name = trim(format("%v-loki-kms-policy", var.cluster_name), "adsd-")
- description = "KMS Policy for Loki S3 bucket."
-
- policy = data.aws_iam_policy_document.loki-kms-policy.json
-}
-
-
-## loki role
-data "aws_iam_policy_document" "loki-assume" {
- statement {
- actions = ["sts:AssumeRoleWithWebIdentity"]
-
- principals {
- type = "Federated"
- identifiers = [
- "${data.aws_iam_openid_connect_provider.openid.arn}",
- ]
- }
-
- condition {
- test = "StringEquals"
- variable = "${data.aws_iam_openid_connect_provider.openid.url}:sub"
- values = [
- "system:serviceaccount:${var.namespace}:loki"
- ]
- }
-
- effect = "Allow"
- }
-}
-
diff --git a/roles.tf b/roles.tf
deleted file mode 100644
index 7cd27d3..0000000
--- a/roles.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-## loki role
-resource "aws_iam_role" "loki-role" {
- name = format("r-eks-%v-irsa-loki-sa", var.cluster_name)
-
- assume_role_policy = data.aws_iam_policy_document.loki-assume.json
-}
-
-## attach policies to role
-
-resource "aws_iam_role_policy_attachment" "loki-role-s3-attachment" {
- policy_arn = aws_iam_policy.loki-s3-policy.arn
- role = aws_iam_role.loki-role.name
-}
-
-resource "aws_iam_role_policy_attachment" "loki-role-kms-attachment" {
- policy_arn = aws_iam_policy.loki-kms-policy.arn
- role = aws_iam_role.loki-role.name
-}
-
diff --git a/s3.tf b/s3.tf
index 9a7eb15..e9907d3 100644
--- a/s3.tf
+++ b/s3.tf
@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+
 ## create bucket
 locals {
 account_id = data.aws_caller_identity.current.account_id
@@ -12,4 +14,8 @@ module "loki-s3" {
 
 bucket_name = format("%v-loki", var.cluster_name)
 access_log_bucket = data.aws_s3_bucket.s3_server_access_logs.id
+
+ tags = {
+ "eks-cluster-name" = var.cluster_name
+ }
 }
diff --git a/variables.tf b/variables.tf
index 934bae6..c248187 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,3 +1,14 @@
+variable "tag_costallocation" {
+ description = "Tag CostAllocation (default)"
+ type = string
+}
+
+variable "additional_tags" {
+ description = "Additional tags to add to resources created in AWS (s3 bucket, ...)"
+ type = map(string)
+ default = {}
+}
+
 variable "region" {
 description = "The region holding these resources (for the s3 bucket.)"
 type = string
@@ -26,9 +37,9 @@ variable "create_namespace" {
 default = "true"
 }
 
-variable "cluster_oidc_issuer_url" {
- description = "The URL in the EKS cluster for the OpenID Connect identity provider. This is the full URL including https://"
- type = string
+variable "oidc_provider_arn" {
+ description = "The ARN in the EKS cluster for the OpenID Connect identity provider."
+ type = string
 }
 
 variable "rwo_storage_class" {
diff --git a/version.tf b/version.tf
new file mode 100644
index 0000000..94d9790
--- /dev/null
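Review bot: The `tags` map handed to `module "loki-s3"` carries only `eks-cluster-name`, while the `additional_tags` variable added in variables.tf is described as applying to "resources created in AWS (s3 bucket, ...)" and `local.base_tags` (defined in main.tf by this commit) already contains that key plus the module-provenance and CostAllocation tags; as written, the bucket is the one AWS resource in this change that misses the cost-allocation and provenance tags and ignores `additional_tags` entirely. If the s3 module's `tags` input accepts an arbitrary map, `tags = merge(local.base_tags, var.additional_tags)` here would bring the bucket in line with the IRSA role; otherwise the `additional_tags` description should stop promising the bucket.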
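Review bot: Replacing the required `cluster_oidc_issuer_url` input with the required `oidc_provider_arn` input breaks every caller of this module at once, and nothing in the repository records that (version.tf sets `_module_version = "unknown"`), so the break is invisible until a consumer's plan fails. The description `"The ARN in the EKS cluster for the OpenID Connect identity provider."` is also slightly misleading, since the value identifies the IAM OIDC provider rather than a cluster-side object, and a caller still passing the old issuer URL would only fail deep inside the IRSA module; a `validation` block that rejects non-ARN values gives a plan-time error with a clear message instead.

```hcl
variable "oidc_provider_arn" {
  description = "ARN of the IAM OpenID Connect provider registered for the EKS cluster (not the issuer URL)."
  type        = string

  validation {
    condition     = can(regex("^arn:", var.oidc_provider_arn))
    error_message = "oidc_provider_arn must be an IAM OIDC provider ARN, not the cluster's issuer URL."
  }
}
```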
+++ b/version.tf
@@ -0,0 +1,4 @@
+locals {
+ _module_name = "tfmod-loki"
+ _module_version = "unknown"
+}
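Review bot: `_module_version = "unknown"` is a placeholder, so the `boc:tf_module_version` tag that main.tf derives from it is stamped onto the IRSA role (and onto anything else that takes `local.base_tags`) without a real version, which defeats the inventory purpose of the tag and is indistinguishable from a resource whose module never set one. Either set it to the released tag when the module is cut, or, if a release pipeline substitutes the value, say so in a comment such as `# _module_version is replaced at release time; "unknown" marks an unreleased checkout` so the next maintainer does not treat it as final.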