diff --git a/examples/full-cluster-tf-upgrade/1.23.in-progress/aws-auth/tf-run.data b/examples/full-cluster-tf-upgrade/1.23.in-progress/aws-auth/tf-run.data index 049f9df..50f6ccb 100644 --- a/examples/full-cluster-tf-upgrade/1.23.in-progress/aws-auth/tf-run.data +++ b/examples/full-cluster-tf-upgrade/1.23.in-progress/aws-auth/tf-run.data @@ -1,10 +1,11 @@ -VERSION 1.2.2 +VERSION 1.2.3 REMOTE-STATE COMMAND tf-directory-setup.py -l none -f COMMAND setup-new-directory.sh COMMAND tf-init -upgrade COMMAND ln -sf ../versions.tf COMMAND ln -sf ../settings.auto.tfvars +COMMAND ln -sf ../variables.application_tags.auto.tfvars LINKTOP init ALL COMMAND tf-directory-setup.py -l s3 diff --git a/examples/full-cluster-tf-upgrade/1.23.in-progress/cluster-roles/deployer.iam.tf b/examples/full-cluster-tf-upgrade/1.23.in-progress/cluster-roles/deployer.iam.tf index 204b4d1..7d76a89 100644 --- a/examples/full-cluster-tf-upgrade/1.23.in-progress/cluster-roles/deployer.iam.tf +++ b/examples/full-cluster-tf-upgrade/1.23.in-progress/cluster-roles/deployer.iam.tf @@ -32,7 +32,7 @@ module "service_cicd_deployer" { ) } module "role_cicd_deployer" { - source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git" + source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade" role_name = local.role_cicd_k8s_group_name role_description = "Role for EKS cluster ${var.cluster_name} for access by ${var.cicd_k8s_group_name}" diff --git a/examples/full-cluster-tf-upgrade/1.23.in-progress/cluster-roles/tf-run.data b/examples/full-cluster-tf-upgrade/1.23.in-progress/cluster-roles/tf-run.data index 4f92a5c..9179181 100644 --- a/examples/full-cluster-tf-upgrade/1.23.in-progress/cluster-roles/tf-run.data +++ b/examples/full-cluster-tf-upgrade/1.23.in-progress/cluster-roles/tf-run.data @@ -1,4 +1,4 @@ -VERSION 1.2.2 +VERSION 1.2.4 REMOTE-STATE STOP only run this after the cluster roles represented here have been setup in K8S COMMAND tf-directory-setup.py -l none -f 
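Review bot: In cluster-roles/deployer.iam.tf the new `source` for `module "role_cicd_deployer"` pins to `?ref=tf-upgrade`, which reads as a branch name rather than a tag or commit. If so, the ref is mutable: the IAM role that gives the CI/CD group access to the EKS cluster can change whenever that branch moves, with no change in this repository. The `tf-init -upgrade` steps in the tf-run.data files suggest the module is re-fetched on each run. Once the upgrade work lands, pin to an immutable ref such as `source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=<RELEASE_TAG_OR_COMMIT_SHA>"` (placeholder value), and until then add a comment like `# TODO: branch ref, replace with a release tag before use outside the example`. The module block continues past the end of the hunk.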
@@ -6,7 +6,11 @@ COMMAND setup-new-directory.sh
 COMMAND tf-init -upgrade
 COMMAND ln -sf ../versions.tf
 COMMAND ln -sf ../settings.auto.tfvars .
+COMMAND ln -sf ../variables.application_tags.auto.tfvars
 LINKTOP init
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
 POLICY
 ALL
 COMMAND tf-directory-setup.py -l s3
diff --git a/examples/full-cluster-tf-upgrade/1.23.in-progress/common-services/tags.md b/examples/full-cluster-tf-upgrade/1.23.in-progress/common-services/tags.md
new file mode 100644
index 0000000..ab5b05e
--- /dev/null
+++ b/examples/full-cluster-tf-upgrade/1.23.in-progress/common-services/tags.md
@@ -0,0 +1,20 @@
+# Tagging
+
+## Istio
+
+For the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/service/annotations/#load-balancer-attributes), we want
+to enable the following
+
+* S3 Access Logs
+```
+service.beta.kubernetes.io/aws-load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=my-access-log-bucket,access_logs.s3.prefix=my-app
+```
+* Disable IP address persistence (needed for Cumulus, may not be needed for others, will make a variable)
+```
+#service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: stickiness.enabled=true,stickiness.type=source_ip
+service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: stickiness.enabled=false
+```
+* Pass additional tags (from `var.application_tags.auto.tfvars`)
+```
+service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: key=value,key=value
+```
diff --git a/examples/full-cluster-tf-upgrade/1.23.in-progress/common-services/tf-run.data b/examples/full-cluster-tf-upgrade/1.23.in-progress/common-services/tf-run.data
index d233332..47d98a5 100644
--- a/examples/full-cluster-tf-upgrade/1.23.in-progress/common-services/tf-run.data
+++ b/examples/full-cluster-tf-upgrade/1.23.in-progress/common-services/tf-run.data @@ -1,4 +1,4 @@ -VERSION 1.2.2 +VERSION 1.2.3 REMOTE-STATE COMMAND tf-directory-setup.py -l none -f COMMAND setup-new-directory.sh @@ -7,6 +7,7 @@ COMMAND ln -sf ../variables.vpc.auto.tfvars . COMMAND ln -sf ../variables.vpc.tf COMMAND ln -sf ../versions.tf COMMAND ln -sf ../settings.auto.tfvars +COMMAND ln -sf ../variables.application_tags.auto.tfvars LINKTOP init module.cert diff --git a/examples/full-cluster-tf-upgrade/1.23.in-progress/efs/tf-run.data b/examples/full-cluster-tf-upgrade/1.23.in-progress/efs/tf-run.data index ba1d9c5..68a4c31 100644 --- a/examples/full-cluster-tf-upgrade/1.23.in-progress/efs/tf-run.data +++ b/examples/full-cluster-tf-upgrade/1.23.in-progress/efs/tf-run.data @@ -1,11 +1,13 @@ -VERSION 1.2.2 +VERSION 1.1.2 REMOTE-STATE COMMAND tf-directory-setup.py -l none -f COMMAND setup-new-directory.sh COMMAND tf-init -upgrade -COMMAND ln -sf ../versions.tf -COMMAND ln -sf ../settings.auto.tfvars LINKTOP init +LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars +LINKTOP provider_configs.d/provider.ldap_new.tf +LINKTOP provider_configs.d/provider.ldap_new.variables.tf + POLICY ALL COMMAND tf-directory-setup.py -l s3 diff --git a/examples/full-cluster-tf-upgrade/1.23.in-progress/irsa-roles/cluster-autoscaler/tf-run.data b/examples/full-cluster-tf-upgrade/1.23.in-progress/irsa-roles/cluster-autoscaler/tf-run.data index 67ebd3e..a8cdab1 100644 --- a/examples/full-cluster-tf-upgrade/1.23.in-progress/irsa-roles/cluster-autoscaler/tf-run.data +++ b/examples/full-cluster-tf-upgrade/1.23.in-progress/irsa-roles/cluster-autoscaler/tf-run.data @@ -1,4 +1,4 @@ -VERSION 1.2.2 +VERSION 1.2.3 REMOTE-STATE COMMAND tf-directory-setup.py -l none COMMAND setup-new-directory.sh 
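Review bot: In efs/tf-run.data the version moves backwards, from `VERSION 1.2.2` to `VERSION 1.1.2`, while every other tf-run.data in this commit moves forward (to 1.2.3, 1.2.4 or 1.3.3). If that is a typo, the line should probably read `VERSION 1.2.3`. The same hunk removes the `COMMAND ln -sf ../versions.tf` and `COMMAND ln -sf ../settings.auto.tfvars` steps that the sibling directories keep. It also does not add the `../variables.application_tags.auto.tfvars` link that the aws-auth, cluster-roles, common-services and irsa-roles files gain. Assuming versions.tf carries the shared Terraform and provider version constraints, this directory would stop inheriting them, so confirm the removal is intended or restore both lines.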
@@ -6,6 +6,10 @@ COMMAND tf-init -upgrade
 COMMAND ln -sf ../versions.tf
 COMMAND ln -sf ../settings.auto.tfvars
 LINKTOP init
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+
 POLICY
 ALL
 COMMAND tf-directory-setup.py -l s3
diff --git a/examples/full-cluster-tf-upgrade/1.23.in-progress/irsa-roles/tf-run.data b/examples/full-cluster-tf-upgrade/1.23.in-progress/irsa-roles/tf-run.data
index 3e6ef7c..ddd8fff 100644
--- a/examples/full-cluster-tf-upgrade/1.23.in-progress/irsa-roles/tf-run.data
+++ b/examples/full-cluster-tf-upgrade/1.23.in-progress/irsa-roles/tf-run.data
@@ -1,10 +1,11 @@
-VERSION 1.2.2
+VERSION 1.2.3
 REMOTE-STATE
 COMMAND tf-directory-setup.py -l none -f
 COMMAND setup-new-directory.sh
 COMMAND tf-init -upgrade
 COMMAND ln -sf ../versions.tf
 COMMAND ln -sf ../settings.auto.tfvars
+COMMAND ln -sf ../variables.application_tags.auto.tfvars
 LINKTOP init
 ALL
 COMMAND tf-directory-setup.py -l s3
diff --git a/examples/full-cluster-tf-upgrade/1.23.in-progress/tf-run.data b/examples/full-cluster-tf-upgrade/1.23.in-progress/tf-run.data
index 0c88eb9..b8b8fa9 100644
--- a/examples/full-cluster-tf-upgrade/1.23.in-progress/tf-run.data
+++ b/examples/full-cluster-tf-upgrade/1.23.in-progress/tf-run.data
@@ -1,4 +1,4 @@
-VERSION 1.3.1
+VERSION 1.3.3
 REMOTE-STATE
 COMMENT make sure the private-lb subnet and container subnets are tagged properly (see README.md)
 STOP then continue with at step %%NEXT%% (tag:subnets-verified)