diff --git a/CHANGELOG.md b/CHANGELOG.md
index d7b9837..ca17754 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,10 +17,13 @@
* 1.0.3 -- 2024-04-23
- add output directory for certificates
-* 1.1.0 -- 2024-05-16
+* 1.0.4 -- 2024-05-16
- acmpca
- new outputs
- certificate_details
- certificate_subject
- certificate_issuer_details
- certificate_issuer_subject
+
+* 1.1.0 -- 2024-05-17
+ - acmpca-iam-rolesanywhere new submodule
diff --git a/acmpca-eks-cert-manager/README.md b/acmpca-eks-cert-manager/README.md
index 0c5430a..03ee174 100644
--- a/acmpca-eks-cert-manager/README.md
+++ b/acmpca-eks-cert-manager/README.md
@@ -115,6 +115,8 @@ resource "helm_release" "intermediate-certificate-issuer" {
| Name | Description |
|------|-------------|
| [certificate](#output\_certificate) | PEM format for signed certificate |
+| [certificate\_authority\_arn](#output\_certificate\_authority\_arn) | ACM PCA Certificate Authority ARN |
+| [certificate\_authority\_name](#output\_certificate\_authority\_name) | ACM PCA Certificate Authority Name |
| [certificate\_chain](#output\_certificate\_chain) | PEM format for certificate chain (issuer through root) |
| [certificate\_csr](#output\_certificate\_csr) | PEM format Certificate Signing Request |
| [certificate\_key](#output\_certificate\_key) | PEM format RSA Key |
diff --git a/acmpca-eks-cert-manager/output.tf b/acmpca-eks-cert-manager/output.tf
index 8a736c5..a48c583 100644
--- a/acmpca-eks-cert-manager/output.tf
+++ b/acmpca-eks-cert-manager/output.tf
@@ -1,3 +1,13 @@
+output "certificate_authority_arn" {
+ description = "ACM PCA Certificate Authority ARN"
+ value = module.certificate.certificate_authority_arn
+}
+
+output "certificate_authority_name" {
+ description = "ACM PCA Certificate Authority Name"
+ value = module.certificate.certificate_authority_name
+}
+
output "certificate_key" {
description = "PEM format RSA Key"
sensitive = true
diff --git a/acmpca-iam-rolesanywhere/.terraform-docs.yml b/acmpca-iam-rolesanywhere/.terraform-docs.yml
new file mode 120000
index 0000000..f095125
--- /dev/null
+++ b/acmpca-iam-rolesanywhere/.terraform-docs.yml
@@ -0,0 +1 @@
+../.terraform-docs.yml
\ No newline at end of file
diff --git a/acmpca-iam-rolesanywhere/README.md b/acmpca-iam-rolesanywhere/README.md
new file mode 100644
index 0000000..6928055
--- /dev/null
+++ b/acmpca-iam-rolesanywhere/README.md
@@ -0,0 +1,129 @@
+
+# About : aws-certificate/acmpca-iam-rolesanywhere
+
+This module creates an ACM-PCA certificate, using the `acmpca` submodule in this repository. It is for the creation of the
+EKS setup for cert-manager. See the general [documentation](../acmpca) for more low-level details. All the requirements and pre-requisities
+for the for the [acmpca](../acmpca) submodule apply to this submodule.
+
+This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region\_short} {clustername} Issuer**. It does
+not nor will it create any local files, so no longer do you need to add files to `git-secret` or add files to git in `certs/` (as the directory
+is not created).
+
+This module returns:
+- certificate\_tls\_key
+ The base64 PEM formatted key. This is what you need to use in the helm chart for `tls.key`.
+- certificate\_tls\_crt
+ The base64 PEM formatted certificate and chain. This is what you need to use in the helm chart for `tls.crt`.
+- certificate\_key
+ The PEM formatted key. It is here for reference, but should not be needed by `cert-manager`.
+- certificate\_csr
+ The certificate signing requested. It is here for reference, but should not be needed by `cert-manager`.
+- certificate
+ The PEM formatted signed certificate from ACM-PCA. It is here for reference, but should not be needed by `cert-manager`.
+- certificate\_chain
+ The PEM formatted certificate chain (issuer, intermediates, root). It is here for reference, but should not be needed by `cert-manager`.
+
+It takes two arguments, the `cluster_name` and the `contact_email`, which should be a group email address. Currently, and ACM-PCA Certificate
+does not permit the use of Tags, so this email address is intended to be used at a future time through a to-be-established tracking system.
+
+The certificate issued will be good for 365 days. ACM-PCA created for EKS cert-manager does not have an automatic renew capability as it
+is not associated with a supported AWS Service.
+
+# Usage
+## Create Subordinate CA
+
+This shows the module call with how you would use it.
+
+```hcl
+module "subordinate_ca" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+
+ cluster_name = "test-cluster-dev"
+ contact_email = "group-mailing-list@census.gov"
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.account_tags,
+ var.infrastructure_tags,
+ var.application_tags,
+ )
+}
+```
+## Update settings in helm chart
+Update the `tls.crt` and `tls.key` settings to their respective output values from the module.
+
+```hcl
+resource "helm_release" "intermediate-certificate-issuer" {
+ # other code
+ set {
+ name = "tls.crt"
+ value = module.subordinate_ca.certificate_tls_crt
+ }
+ set {
+ name = "tls.key"
+ value = module.subordinate_ca.certificate_tls_key
+ }
+
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.14 |
+| [aws](#requirement\_aws) | >= 5.0 |
+| [local](#requirement\_local) | >= 2.1.0 |
+| [null](#requirement\_null) | >= 3.1.0 |
+| [random](#requirement\_random) | >= 3.6.0 |
+| [tls](#requirement\_tls) | >= 3.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [certificate](#module\_certificate) | ../acmpca | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [certificate\_subject\_ou](#input\_certificate\_subject\_ou) | Specific OU to use in the certificate subject. Default is 'IAM RolesAnywhere {account\_id}' | `string` | `null` | no |
+| [contact\_email](#input\_contact\_email) | Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address. | `string` | n/a | yes |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [role\_name](#input\_role\_name) | IAM RolesAnywhere Role Name (including r- prefix if necessary) | `string` | n/a | yes |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+| [validity\_days](#input\_validity\_days) | Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7 | `number` | `365` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [certificate](#output\_certificate) | PEM format for signed certificate |
+| [certificate\_authority\_arn](#output\_certificate\_authority\_arn) | ACM PCA Certificate Authority ARN |
+| [certificate\_authority\_name](#output\_certificate\_authority\_name) | ACM PCA Certificate Authority Name |
+| [certificate\_chain](#output\_certificate\_chain) | PEM format for certificate chain (issuer through root) |
+| [certificate\_csr](#output\_certificate\_csr) | PEM format Certificate Signing Request |
+| [certificate\_details](#output\_certificate\_details) | Certificate details |
+| [certificate\_filenames](#output\_certificate\_filenames) | Map of certificate file names |
+| [certificate\_issuer\_details](#output\_certificate\_issuer\_details) | Certificate Issuer details |
+| [certificate\_issuer\_subject](#output\_certificate\_issuer\_subject) | Certificate Issuer Subject field map |
+| [certificate\_key](#output\_certificate\_key) | PEM format RSA Key |
+| [certificate\_subject](#output\_certificate\_subject) | Certificate Subject field map |
+
\ No newline at end of file
diff --git a/acmpca-iam-rolesanywhere/data.tf b/acmpca-iam-rolesanywhere/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/acmpca-iam-rolesanywhere/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/acmpca-iam-rolesanywhere/defaults.tf b/acmpca-iam-rolesanywhere/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/acmpca-iam-rolesanywhere/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/acmpca-iam-rolesanywhere/main.tf b/acmpca-iam-rolesanywhere/main.tf
new file mode 100644
index 0000000..a10a273
--- /dev/null
+++ b/acmpca-iam-rolesanywhere/main.tf
@@ -0,0 +1,107 @@
+/*
+* # About : aws-certificate/acmpca-iam-rolesanywhere
+*
+* This module creates an ACM-PCA certificate, using the `acmpca` submodule in this repository. It is for the creation of the
+* EKS setup for cert-manager. See the general [documentation](../acmpca) for more low-level details. All the requirements and pre-requisities
+* for the for the [acmpca](../acmpca) submodule apply to this submodule.
+*
+* This creates a certificate with the subject of **C=US,O=U.S. Census Bureau,OU=PKI-EKS,CN={region_short} {clustername} Issuer**. It does
+* not nor will it create any local files, so no longer do you need to add files to `git-secret` or add files to git in `certs/` (as the directory
+* is not created).
+*
+* This module returns:
+* - certificate_tls_key
+* The base64 PEM formatted key. This is what you need to use in the helm chart for `tls.key`.
+* - certificate_tls_crt
+* The base64 PEM formatted certificate and chain. This is what you need to use in the helm chart for `tls.crt`.
+* - certificate_key
+* The PEM formatted key. It is here for reference, but should not be needed by `cert-manager`.
+* - certificate_csr
+* The certificate signing requested. It is here for reference, but should not be needed by `cert-manager`.
+* - certificate
+* The PEM formatted signed certificate from ACM-PCA. It is here for reference, but should not be needed by `cert-manager`.
+* - certificate_chain
+* The PEM formatted certificate chain (issuer, intermediates, root). It is here for reference, but should not be needed by `cert-manager`.
+*
+* It takes two arguments, the `cluster_name` and the `contact_email`, which should be a group email address. Currently, and ACM-PCA Certificate
+* does not permit the use of Tags, so this email address is intended to be used at a future time through a to-be-established tracking system.
+*
+* The certificate issued will be good for 365 days. ACM-PCA created for EKS cert-manager does not have an automatic renew capability as it
+* is not associated with a supported AWS Service.
+*
+* # Usage
+* ## Create Subordinate CA
+*
+* This shows the module call with how you would use it.
+*
+* ```hcl
+* module "subordinate_ca" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+*
+* cluster_name = "test-cluster-dev"
+* contact_email = "group-mailing-list@census.gov"
+*
+* tags = merge(
+* local.base_tags,
+* local.common_tags,
+* var.account_tags,
+* var.infrastructure_tags,
+* var.application_tags,
+* )
+* }
+* ```
+* ## Update settings in helm chart
+* Update the `tls.crt` and `tls.key` settings to their respective output values from the module.
+*
+* ```hcl
+* resource "helm_release" "intermediate-certificate-issuer" {
+* # other code
+* set {
+* name = "tls.crt"
+* value = module.subordinate_ca.certificate_tls_crt
+* }
+* set {
+* name = "tls.key"
+* value = module.subordinate_ca.certificate_tls_key
+* }
+*
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.name
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+locals {
+ # authority_mode = var.validity_days <= 7 ? "short" : var.certificate_authority_mode
+ certificate_subject_ou = var.certificate_subject_ou == null ? format("IAM RolesAnywhere %v", local.account_id) : var.certificate_subject_ou
+}
+
+module "certificate" {
+ source = "../acmpca"
+
+ certificate_cn = var.role_name
+ contact_email = var.contact_email
+ create_files = var.create_files
+ certificate_filename = format("%v.crt", var.role_name)
+ certificate_chain_filename = format("%v.chain.crt", var.role_name)
+ key_filename = format("%v.key", var.role_name)
+ csr_filename = format("%v.csr", var.role_name)
+ certificate_authority_mode = "general"
+ certificate_type = "end-entity"
+ certificate_subject_overrides = { ou = local.certificate_subject_ou }
+ validity_days = var.validity_days
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ )
+}
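Review bot: `create_files = var.create_files` in the `module "certificate"` call reads a variable that the new variables.tf does not declare and that the generated Inputs table in this submodule's README does not list, so unless the symlinked `../common/variables.common.tf` (not shown in this diff) defines it, `terraform validate` will fail. This submodule issues an end-entity key pair whose CN is an IAM role name, so it acts as a Roles Anywhere credential; I would declare `create_files` in variables.tf as a bool with `default = false` (type assumed from the name, confirm against `../acmpca`) so the private key is not written to disk unless the caller asks for it. Separately, the header comment is copied from acmpca-eks-cert-manager: it describes `cluster_name`, `certificate_tls_key`/`certificate_tls_crt`, an `OU=PKI-EKS` subject and a `source` ending in `//acmpca-eks-cert-manager`, none of which match this module's `role_name` input or its outputs. terraform-docs carries that text into the README, so it should be rewritten for the Roles Anywhere use case.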
diff --git a/acmpca-iam-rolesanywhere/output.tf b/acmpca-iam-rolesanywhere/output.tf
new file mode 100644
index 0000000..c09166f
--- /dev/null
+++ b/acmpca-iam-rolesanywhere/output.tf
@@ -0,0 +1,63 @@
+output "certificate_authority_arn" {
+ description = "ACM PCA Certificate Authority ARN"
+ value = module.certificate.certificate_authority_arn
+}
+
+output "certificate_authority_name" {
+ description = "ACM PCA Certificate Authority Name"
+ value = module.certificate.certificate_authority_name
+}
+
+output "certificate_key" {
+ description = "PEM format RSA Key"
+ sensitive = true
+ value = module.certificate.certificate_key
+}
+
+output "certificate_csr" {
+ description = "PEM format Certificate Signing Request"
+ sensitive = false
+ value = module.certificate.certificate_csr
+}
+
+output "certificate" {
+ description = "PEM format for signed certificate"
+ sensitive = false
+ value = module.certificate.certificate
+}
+
+output "certificate_chain" {
+ description = "PEM format for certificate chain (issuer through root)"
+ sensitive = false
+ value = module.certificate.certificate_chain
+}
+
+output "certificate_filenames" {
+ description = "Map of certificate file names"
+ sensitive = false
+ value = module.certificate.filenames
+}
+
+output "certificate_details" {
+ description = "Certificate details"
+ sensitive = false
+ value = module.certificate.certificate_details
+}
+
+output "certificate_subject" {
+ description = "Certificate Subject field map"
+ sensitive = false
+ value = module.certificate.certificate_subject
+}
+
+output "certificate_issuer_details" {
+ description = "Certificate Issuer details"
+ sensitive = false
+ value = module.certificate.certificate_issuer_details
+}
+
+output "certificate_issuer_subject" {
+ description = "Certificate Issuer Subject field map"
+ sensitive = false
+ value = module.certificate.certificate_issuer_subject
+}
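Review bot: `certificate_key` is marked `sensitive = true`, which only redacts the value from plan and apply output; the private key is still stored unredacted in the Terraform state. Since main.tf sets `certificate_type = "end-entity"` with the role name as CN, that key is an authentication credential, and the description should say so, e.g. `description = "PEM format RSA Key (kept in Terraform state; restrict and encrypt the state backend)"`. As a style point, `certificate_authority_arn` and `certificate_authority_name` omit `sensitive` while the other non-secret outputs spell out `sensitive = false`; pick one convention for the file.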
diff --git a/acmpca-iam-rolesanywhere/prefixes.tf b/acmpca-iam-rolesanywhere/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/acmpca-iam-rolesanywhere/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/acmpca-iam-rolesanywhere/variables.common.tf b/acmpca-iam-rolesanywhere/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/acmpca-iam-rolesanywhere/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/acmpca-iam-rolesanywhere/variables.tf b/acmpca-iam-rolesanywhere/variables.tf
new file mode 100644
index 0000000..7652c8f
--- /dev/null
+++ b/acmpca-iam-rolesanywhere/variables.tf
@@ -0,0 +1,33 @@
+variable "role_name" {
+ description = "IAM RolesAnywhere Role Name (including r- prefix if necessary)"
+ type = string
+}
+
+variable "contact_email" {
+ description = "Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address."
+ type = string
+}
+
+variable "validity_days" {
+ description = "Number of days for which the certificate is valid. For the short lived certificate, this must be <= 7"
+ type = number
+ default = 365
+
+ validation {
+ condition = var.validity_days > 0
+ error_message = "validity_days must be larger than 0."
+ }
+}
+
+# variable "certificate_naming_attributes" {
+# description = "Map of certificate naming attributes"
+# type = map(string)
+# default = {}
+# }
+
+variable "certificate_subject_ou" {
+ description = "Specific OU to use in the certificate subject. Default is 'IAM RolesAnywhere {account_id}'"
+ type = string
+ default = null
+}
+
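Review bot: The `validity_days` description says the value "must be <= 7" for a short-lived certificate, but the validation block only checks `var.validity_days > 0`, and main.tf hard-codes `certificate_authority_mode = "general"` with the `authority_mode` local commented out, so the short-lived path does not appear reachable from this module. The 365-day default is long for a certificate that authenticates to IAM Roles Anywhere; consider a shorter default or an explicit upper bound such as `condition = var.validity_days > 0 && var.validity_days <= 365`, and drop or correct the "<= 7" sentence. `contact_email` is documented as an @census.gov address but is not validated; `condition = can(regex("@census\\.gov$", var.contact_email))` in a validation block would enforce it. The commented-out `certificate_naming_attributes` variable can be removed rather than committed.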
diff --git a/acmpca-iam-rolesanywhere/version.tf b/acmpca-iam-rolesanywhere/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/acmpca-iam-rolesanywhere/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/acmpca-iam-rolesanywhere/versions.tf b/acmpca-iam-rolesanywhere/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/acmpca-iam-rolesanywhere/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/acmpca/README.md b/acmpca/README.md
index c73e1fa..b6141f6 100644
--- a/acmpca/README.md
+++ b/acmpca/README.md
@@ -107,6 +107,8 @@ No modules.
| Name | Description |
|------|-------------|
| [certificate](#output\_certificate) | PEM format for signed certificate |
+| [certificate\_authority\_arn](#output\_certificate\_authority\_arn) | ACM PCA Certificate Authority ARN |
+| [certificate\_authority\_name](#output\_certificate\_authority\_name) | ACM PCA Certificate Authority Name |
| [certificate\_chain](#output\_certificate\_chain) | PEM format for certificate chain (issuer through root) |
| [certificate\_csr](#output\_certificate\_csr) | PEM format Certificate Signing Request |
| [certificate\_details](#output\_certificate\_details) | Certificate details |
diff --git a/acmpca/output.tf b/acmpca/output.tf
index f1f8fc2..6ffd3ad 100644
--- a/acmpca/output.tf
+++ b/acmpca/output.tf
@@ -1,3 +1,13 @@
+output "certificate_authority_arn" {
+ description = "ACM PCA Certificate Authority ARN"
+ value = aws_acmpca_certificate.certificate.certificate_authority_arn
+}
+
+output "certificate_authority_name" {
+ description = "ACM PCA Certificate Authority Name"
+ value = local.ca_settings["ca_name"]
+}
+
output "certificate_key" {
description = "PEM format RSA Key"
sensitive = true