diff --git a/CHANGELOG.md b/CHANGELOG.md
index 316c447..c67821e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -43,3 +43,6 @@
   - xray
   - secrets-manager
   - cloudwatch-agent
+
+* 2.2.0 -- 2024-03-25
+  - move cloudwatch agent to an addon
diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/addon_cloudwatch.tf b/examples/full-cluster-tf-upgrade/1.25/addons/addon_cloudwatch.tf
new file mode 100644
index 0000000..f3b483e
--- /dev/null
+++ b/examples/full-cluster-tf-upgrade/1.25/addons/addon_cloudwatch.tf
@@ -0,0 +1,66 @@
+# https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html
+# amazon-cloudwatch-observability
+
+locals {
+  cloudwatch_managed_policies = ["AWSXrayWriteOnlyAccess", "CloudWatchAgentServerPolicy"]
+  cloudwatch_observability_name = "cloudwatch-agent"
+  cloudwatch_observability_namespace = "amazon-cloudwatch"
+}
+
+data "aws_iam_policy" "cloudwatch-observability-policies" {
+  for_each = toset(local.cloudwatch_managed_policies)
+  name = each.key
+}
+
+resource "aws_eks_addon" "amazon-cloudwatch-observability" {
+  count = lookup(local.addon_versions, "amazon-cloudwatch-observability", null) != null ? 1 : 0
+
+  cluster_name = var.cluster_name
+  addon_name = "amazon-cloudwatch-observability"
+  addon_version = lookup(local.addon_versions, "amazon-cloudwatch-observability")
+  service_account_role_arn = module.role_cloudwatch-observability.iam_role_arn
+  configuration_values = null
+  # resolve_conflicts = "OVERWRITE"
+  # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
+
+  depends_on = [aws_cloudwatch_log_group.cloudwatch-observability]
+}
+
+module "role_cloudwatch-observability" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+  role_description = "EKS IAM Role for ${var.cluster_name} for service account ${local.cloudwatch_observability_namespace}:${local.cloudwatch_observability_name}"
+  role_name = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, local.cloudwatch_observability_name)
+  role_policy_arns = { for k, v in data.aws_iam_policy.cloudwatch-observability-policies : k => v.arn }
+
+  oidc_providers = {
+    main = {
+      provider_arn = local.oidc_provider_arn
+      namespace_service_accounts = [format("%v:%v", local.cloudwatch_observability_namespace, local.cloudwatch_observability_name)]
+    }
+  }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    {
+      "eks:namespace" = local.cloudwatch_observability_namespace
+      "eks:user" = local.cloudwatch_observability_name
+    }
+  )
+}
+
+resource "aws_cloudwatch_log_group" "cloudwatch-observability" {
+  for_each = toset(var.cloudwatch-observability_log_names)
+  name = format("/aws/containerinsights/%v/%v", var.cluster_name, each.key)
+  retention_in_days = var.cloudwatch-observability_log_retention_days
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
diff --git a/examples/full-cluster-tf-upgrade/1.25/addons/variables.addons.tf b/examples/full-cluster-tf-upgrade/1.25/addons/variables.addons.tf
index 4853495..8a21dad 100644
--- a/examples/full-cluster-tf-upgrade/1.25/addons/variables.addons.tf
+++ b/examples/full-cluster-tf-upgrade/1.25/addons/variables.addons.tf
@@ -1,3 +1,5 @@
+# aws eks describe-addon-versions --kubernetes-version 1.25 --query 'addons[].{Name:addonName,Version:addonVersions[].addonVersion}' --output text
+
 variable "addon_versions" {
   description = "Map of addon versions by Kubernetes version"
   type = map(map(string))
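Review bot: `module.role_cloudwatch-observability` and `aws_cloudwatch_log_group.cloudwatch-observability` are created unconditionally, while `aws_eks_addon.amazon-cloudwatch-observability` is gated on `lookup(local.addon_versions, "amazon-cloudwatch-observability", null) != null`, so a cluster whose version map has no entry still gets an IRSA role trusting `amazon-cloudwatch:cloudwatch-agent` with `CloudWatchAgentServerPolicy` and `AWSXrayWriteOnlyAccess` attached, plus four empty log groups, with nothing using them. I would derive one local from that condition and gate all three resources on it, with the addon then referencing the role as `module.role_cloudwatch-observability[0].iam_role_arn`. Separately, the fluent-bit role this replaces scoped its `logs:` actions to the ARNs of the log groups it created, whereas the managed `CloudWatchAgentServerPolicy` grants log-write actions on every log group in the account; if that widening is accepted because the role now serves an AWS-managed addon, a comment on `cloudwatch_managed_policies` saying so would save the next reviewer the comparison. `local.addon_versions` is not defined in this file, so I am assuming it is the per-cluster-version slice of `var.addon_versions`.
```hcl
locals {
  # … unchanged: cloudwatch_managed_policies, cloudwatch_observability_name, cloudwatch_observability_namespace …
  cloudwatch_observability_enabled = lookup(local.addon_versions, "amazon-cloudwatch-observability", null) != null
}

resource "aws_eks_addon" "amazon-cloudwatch-observability" {
  count = local.cloudwatch_observability_enabled ? 1 : 0
  # … unchanged: cluster_name, addon_name, addon_version, configuration_values …
  service_account_role_arn = module.role_cloudwatch-observability[0].iam_role_arn
  # … unchanged: resolve_conflicts_on_create, resolve_conflicts_on_update, depends_on …
}

module "role_cloudwatch-observability" {
  count = local.cloudwatch_observability_enabled ? 1 : 0
  # … unchanged: source, role_description, role_name, role_policy_arns, oidc_providers, tags …
}

resource "aws_cloudwatch_log_group" "cloudwatch-observability" {
  for_each = local.cloudwatch_observability_enabled ? toset(var.cloudwatch-observability_log_names) : toset([])
  # … unchanged: name, retention_in_days, tags …
}
```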
@@ -9,12 +11,49 @@ variable "addon_versions" {
       "aws-ebs-csi-driver" = "v1.18.0-eksbuild.1"
     }
     "1.25" = {
-      "coredns" = "v1.9.3-eksbuild.5"
-      "kube-proxy" = "v1.25.11-eksbuild.2"
-      "vpc-cni" = "v1.13.4-eksbuild.1"
-      "aws-ebs-csi-driver" = "v1.21.0-eksbuild.1"
-      "aws-efs-csi-driver" = "v1.5.8-eksbuild.1"
-      "adot" = "v0.78.0-eksbuild.1"
+      ## "coredns" = "v1.9.3-eksbuild.5"
+      "coredns" = "v1.9.3-eksbuild.11"
+      ## "kube-proxy" = "v1.25.11-eksbuild.2"
+      "kube-proxy" = "v1.25.16-eksbuild.3"
+      ## "vpc-cni" = "v1.13.4-eksbuild.1"
+      "vpc-cni" = "v1.17.1-eksbuild.1"
+      ## "aws-ebs-csi-driver" = "v1.21.0-eksbuild.1"
+      "aws-ebs-csi-driver" = "v1.28.0-eksbuild.1"
+      ## "aws-efs-csi-driver" = "v1.5.8-eksbuild.1"
+      "aws-efs-csi-driver" = "v1.7.6-eksbuild.1"
+      ## "adot" = "v0.78.0-eksbuild.1"
+      "adot" = "v0.94.1-eksbuild.1"
+      "amazon-cloudwatch-observability" = "v1.4.0-eksbuild.1"
+    }
+    "1.28" = {
+      "coredns" = "v1.10.1-eksbuild.6"
+      "kube-proxy" = "v1.28.2-eksbuild.2"
+      "vpc-cni" = "v1.15.4-eksbuild.1"
+      "aws-ebs-csi-driver" = "v1.25.0-eksbuild.1"
+      "aws-efs-csi-driver" = "v1.7.1-eksbuild.1"
+      "adot" = "v0.88.0-eksbuild.2"
+    }
+    "1.29" = {
+      "coredns" = "v1.11.1-eksbuild.6"
+      "kube-proxy" = "v1.29.1-eksbuild.2"
+      "vpc-cni" = "v1.17.1-eksbuild.1"
+      "aws-ebs-csi-driver" = "v1.28.0-eksbuild.1"
+      "aws-efs-csi-driver" = "v1.7.6-eksbuild.1"
+      "adot" = "v0.94.1-eksbuild.1"
+      "snapshot-controller" = "v6.3.2-eksbuild.1"
+      "amazon-cloudwatch-observability" = "v1.4.0-eksbuild.1"
     }
   }
 }
+
+variable "cloudwatch-observability_log_names" {
+  description = "Amazon Cloudwatch Observability log group names"
+  type = list(string)
+  default = ["application", "dataplane", "host", "performance"]
+}
+
+variable "cloudwatch-observability_log_retention_days" {
+  description = "Amazon Cloudwatch Observability log group retention in days"
+  type = number
+  default = 90
+}
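Review bot: The new `"1.28"` map has no `amazon-cloudwatch-observability` entry while `"1.25"` and `"1.29"` both pin `v1.4.0-eksbuild.1`, so on a 1.28 cluster the addon's version lookup in `addon_cloudwatch.tf` yields null, its `count` becomes 0 and the addon is skipped, while the IRSA role and log groups defined alongside it are still created. If that is intentional, a one-line comment on the `"1.28"` block should say so; otherwise it needs an entry such as `"amazon-cloudwatch-observability" = "<version from describe-addon-versions>"`. The `## "coredns" = "v1.9.3-eksbuild.5"` style lines keep the superseded 1.25 versions inside the variable default even though git history and the CHANGELOG already record them, and every future bump would double the block again, so I would drop the `##` lines. The two new variables mix a hyphen into the name (`cloudwatch-observability_log_names`) unlike `addon_versions`; Terraform accepts it, but it is inconsistent and awkward to reference. The enclosing `variable "addon_versions"` block starts before this hunk.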
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/.tf-control b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/.tf-control
deleted file mode 100644
index 280f449..0000000
--- a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/.tf-control
+++ /dev/null
@@ -1,20 +0,0 @@
-# .tf-control
-# allows for setting a specific command to be used for tf-* commands under this git repo
-# see tf-control.sh help for more info
-
-TFCONTROL_VERSION="1.0.5"
-
-TFCOMMAND="terraform_latest"
-# TF_CLI_CONFIG_FILE=PATH-TO-FILE/.tf-control.tfrc
-# TFARGS=""
-# TFNOLOG=""
-# TFNOCOLOR=""
-
-# use the following to force a specific version. An upgrade of an existing 0.12.31 to 1.x
-# needs you to cycle through 0.13.17, 0.14.11, and then latest (0.15.5 not needed). Other
-# steps in between. See https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/terraform-upgrade for details
-#
-#TFCOMMAND="terraform_0.12.31"
-#TFCOMMAND="terraform_0.13.7"
-#TFCOMMAND="terraform_0.14.11"
-#TFCOMMAND="terraform_0.15.5"
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/.tf-control.tfrc b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/.tf-control.tfrc
deleted file mode 100644
index 7425488..0000000
--- a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/.tf-control.tfrc
+++ /dev/null
@@ -1,24 +0,0 @@
-TFCONTROL_VERSION="1.0.5"
-
-# https://www.terraform.io/docs/cli/config/config-file.html
-plugin_cache_dir = "/data/terraform/terraform.d/plugin-cache"
-#disable_checkpoint = true
-
-provider_installation {
-# filesystem_mirror {
-# path = "/apps/terraform/terraform.d/providers"
-# include = [ "*/*/*" ]
-# }
-  filesystem_mirror {
-    path = "/data/terraform/terraform.d/providers"
-    include = [ "*/*/*" ]
-  }
-# filesystem_mirror {
-# path = "/apps/terraform/terraform.d/providers"
-# include = [ "external.terraform.census.gov/*/*" ]
-# }
-  direct {
-    include = [ "*/*/*" ]
-  }
-}
-
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/README.md b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/README.md
deleted file mode 100644
index ee7afb6..0000000
--- a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/README.md
+++ /dev/null
@@ -1,127 +0,0 @@ -# Extras :: cloudwatch-agent - -The configuration in this dierectory will deploy cloudwatch-agent and fluentbit, to be used for EKS Container Insights. - -# Links - -* AWS Docs - * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-prerequisites.html - * https://aws.amazon.com/blogs/opensource/centralized-container-logging-fluent-bit/ - * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights-use-kubelet.html - * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html - * https://aws.github.io/eks-charts" -* Cloudwatch Agnet - * https://github.com/aws/eks-charts/tree/master/stable/aws-cloudwatch-metrics -* Fluent Bit - * https://github.com/aws/aws-for-fluent-bit - * https://github.com/aws/eks-charts/tree/master/stable/aws-for-fluent-bit - -# Supported Versions - -This configuration has been tested and validated on EKS versions - -* 1.24 -* 1.25 - -# Configuration - -This uses a helm chart, an IRSA role, and pulls the latest images at the time of creating this module. -Look in the `variables.*.auto.tfvars` files for the version numbers. - -# Installation - -You will need the latest copy of the `aws-eks` module, using the `tf-upgrade` branch. This requires the use of -Terraform 1.x, and as it is deployed in a subdirectory, it should work without issue. - -## Step 1: Get aws-eks repo - -If you do not have the `aws-eks` repo, clone it in the branch `tf-upgrade`. - -```script -# go to your TF repository directory -cd $PATH_TO_TERRAFORM -git clone git@github.e.it.census.gov:terraform-modules/aws-eks.git -b tf-upgrade -cd aws-eks -export EKS_SOURCE=$(pwd) -``` - -If you already have the repo, go into the directory, checkout the branch and refresh it. 
- -```script -# go to your TF repository directory -cd $PATH_TO_TERRAFORM -cd aws-eks -git checkout tf-upgrade -git pull origin tf-upgrade -export EKS_SOURCE=$(pwd) -``` - -## Step 2: Copy code - -Go into the `common-services` directory of the EKS cluster where you wish to deploy this. Make a directory, `cloudwatch-agent`, and then -rsync the code. Please use rsync, not copy. There is a directory, and there may be softlinks. You'll work in a new branch. An example is below: - -```script -cd $PATH_TO_TERRAFORM -cd 107742151971-do2-govcloud/vpc/east/vpc5/apps/eks-ditd-gups-stage/common-services -mkdir cloudwatch-agent -cd cloudwatch-agent -git checkout -b add-cloudwatch-agent -rsync -avRWH $EKS_SOURCE/examples/extra/cloudwatch-agent/./ ./ -``` - -## Step 3: Plan - -There is no configuration needed. All relevant details are pulled from the parent directories. You do need EKS cluster access, -so be sure you are running with a user who has K8S RBAC access. - -```script -tf-run plan -tf-plan summary - -# add to git -git add . -git commit -m 'add cloudwatch, fluentbit' . -git push -# submit PR with plan summary and plan log -``` - -## Step 4: Apply - -Once the PR is merged, apply, and finalize the directory. - -```script -tf-run apply -``` - -Make sure it started up: - -```console -% kubectl --kubeconfig setup/kube.config get pods -n aws-cloudwatch -NAME READY STATUS RESTARTS AGE -aws-cloudwatch-metrics-8jlwh 1/1 Running 0 24h -aws-cloudwatch-metrics-8jxqs 1/1 Running 0 24h -aws-cloudwatch-metrics-k668c 1/1 Running 0 24h -fluent-bit-aws-for-fluent-bit-6bvgk 1/1 Running 0 24h -fluent-bit-aws-for-fluent-bit-b4hk5 1/1 Running 0 24h -fluent-bit-aws-for-fluent-bit-chx46 1/1 Running 0 24h -``` - -All should be running. If any errors, or not running, look at `events` and `logs`. - -Then, check AWS CloudWatch Logs. 
There will be four log as follows: /aws/containerinsights/{clustername}/{name} -where {name} is - - * performance - * host - * applications - * dataplane - -The Container Insight dashboard should also show performance data for the cluster, though it may take some -time to appear. - - -# CHANGELOG - -* 1.0.0 -- 2023-08-24 - - initial diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/cloudwatch-agent.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/cloudwatch-agent.tf deleted file mode 100644 index 8eeacf3..0000000 --- a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/cloudwatch-agent.tf +++ /dev/null 
@@ -1,123 +0,0 @@ -# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-prerequisites.html - -data "aws_iam_policy" "policy_cloudwatch-agent" { - name = "CloudWatchAgentServerPolicy" -} - -module "role_cloudwatch-agent" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - - role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.cloudwatch_agent_namespace}:${var.cloudwatch_agent_name}" - role_name = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.cloudwatch_agent_name) - - role_policy_arns = { - policy = data.aws_iam_policy.policy_cloudwatch-agent.arn - } - - oidc_providers = { - main = { - provider_arn = local.oidc_provider_arn - namespace_service_accounts = [format("%v:%v", var.cloudwatch_agent_namespace, var.cloudwatch_agent_name)] - } - } - - tags = merge( - local.base_tags, - local.common_tags, - var.application_tags, - { - "eks:namespace" = var.cloudwatch_agent_namespace - "eks:user" = var.cloudwatch_agent_name - } - ) -} - -locals { - cloudwatch_agent_images_output = { for k, v in module.images_cloudwatch-agent.images : v.name => v } -} - -module "images_cloudwatch-agent" { - source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade" - - profile = var.profile - application_list = [] - application_name = format("eks/%v", var.cluster_name) - image_config = [for k, v in var.cloudwatch_agent_images : v if v.enabled] - tags = merge( - local.base_tags, - local.common_tags, - var.application_tags, - ) -} - -resource "aws_cloudwatch_log_group" "cloudwatch_agent_logs" { - for_each = toset(var.cloudwatch_agent_log_names) - name = format("/aws/containerinsights/%v/%v", var.cluster_name, each.key) - retention_in_days = var.cloudwatch_agent_log_retention_days - tags = merge( - local.base_tags, - local.common_tags, - var.application_tags, - ) -} - -resource "kubernetes_namespace" "cloudwatch-agent" { - metadata { - 
name = var.cloudwatch_agent_namespace - } -} - -# chart -# https://github.com/aws/eks-charts/tree/master/stable/aws-cloudwatch-metrics -resource "helm_release" "cloudwatch-agent" { - chart = "aws-cloudwatch-metrics" - name = "aws-cloudwatch-metrics" - namespace = var.cloudwatch_agent_namespace - repository = var.cloudwatch_agent_charts["cloudwatch-agent"].use_remote ? var.cloudwatch_agent_charts["cloudwatch-agent"].repository : "${path.module}/charts" - version = var.cloudwatch_agent_charts["cloudwatch-agent"].use_remote ? var.cloudwatch_agent_charts["cloudwatch-agent"].version : null - - depends_on = [kubernetes_namespace.cloudwatch-agent,module.images_cloudwatch-agent] - set { - name = "image.repository" - value = split(":", local.cloudwatch_agent_images_output["cloudwatch-agent"].dest_full_path)[0] - } - - set { - name = "image.tag" - value = local.cloudwatch_agent_images_output["cloudwatch-agent"].tag - } - - set { - name = "clusterName" - value = var.cluster_name - } - set { - name = "serviceAccount.name" - value = var.cloudwatch_agent_name - } - set { - name = "serviceAccount.create" - value = "true" - } - set { - name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" - value = module.role_cloudwatch-agent.iam_role_arn - } - timeout = 300 -} - -data "aws_iam_policy_document" "cloudwatch_agent_policy_extra" { - statement { - sid = "DescribeVolumes" - effect = "Allow" - actions = [ "ec2:DescribeVolumes" ] - resources = [ "*" ] - } -} - -resource "aws_iam_role_policy" "cloudwatch_agent_policy_extra" { - name = "extra" - role = module.role_cloudwatch-agent.iam_role_name - - policy = data.aws_iam_policy_document.cloudwatch_agent_policy_extra.json -} diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/fluentbit.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/fluentbit.tf deleted file mode 100644 index 26e20f1..0000000 
--- a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/fluentbit.tf +++ /dev/null 
@@ -1,186 +0,0 @@ -# https://github.com/aws/aws-for-fluent-bit - -## % tf-aws ssm get-parameters-by-path --path /aws/service/aws-for-fluent-bit/ --query 'Parameters[*].Name'|grep 2.31.12 -## "/aws/service/aws-for-fluent-bit/2.31.12-windowsservercore", -## "/aws/service/aws-for-fluent-bit/init-2.31.12.20230629", -## "/aws/service/aws-for-fluent-bit/2.31.12.20230727", -## "/aws/service/aws-for-fluent-bit/2.31.12.20230629", -## "/aws/service/aws-for-fluent-bit/2.31.12", -## "/aws/service/aws-for-fluent-bit/init-2.31.12", -## "/aws/service/aws-for-fluent-bit/init-2.31.12.20230727" -## -## % tf-aws ssm get-parameter --name /aws/service/aws-for-fluent-bit/2.31.12.20230629 -## { -## "Parameter": { -## "Name": "/aws/service/aws-for-fluent-bit/2.31.12.20230629", -## "Type": "String", -## "Value": "161423150738.dkr.ecr.us-gov-west-1.amazonaws.com/aws-for-fluent-bit:2.31.12.20230629", -## "Version": 1, -## "LastModifiedDate": "2023-06-29T20:54:07.770000-04:00", -## "ARN": "arn:aws-us-gov:ssm:us-gov-west-1::parameter/aws/service/aws-for-fluent-bit/2.31.12.20230629", -## "DataType": "text" -## } -## } - - -data "aws_ssm_parameter" "fluentbit_image" { - name = format("/aws/service/aws-for-fluent-bit/%v", var.fluentbit_tag) - - lifecycle { - precondition { - condition = var.fluentbit_tag != null && var.fluentbit_tag != "" - error_message = "var.fluentbit_tag must be provided and not null or empty." 
- } - } -} - - -module "role_fluentbit" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - - role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.fluentbit_namespace}:${var.fluentbit_name}" - role_name = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.fluentbit_name) - - role_policy_arns = { - policy = aws_iam_policy.policy_fluentbit.arn - } - - oidc_providers = { - main = { - provider_arn = local.oidc_provider_arn - namespace_service_accounts = [format("%v:%v", var.fluentbit_namespace, var.fluentbit_name)] - } - } - - tags = merge( - local.base_tags, - local.common_tags, - var.application_tags, - { - "eks:namespace" = var.fluentbit_namespace - "eks:user" = var.fluentbit_name - } - ) -} - -resource "aws_iam_policy" "policy_fluentbit" { - name = format("%v%v-irsa__%v", local._prefixes["eks-policy"], var.cluster_name, var.fluentbit_name) - description = "EKS IAM Policy for ${var.cluster_name} for service account ${var.fluentbit_namespace}:${var.fluentbit_name}" - path = "/" - policy = data.aws_iam_policy_document.policy_fluentbit.json - - tags = merge( - local.base_tags, - local.common_tags, - var.application_tags, - { - "Name" = format("%v%v-irsa__%v", local._prefixes["eks-policy"], var.cluster_name, var.fluentbit_name) - "eks:namespace" = var.fluentbit_namespace - "eks:user" = var.fluentbit_name - } - ) -} - - -# https://aws.amazon.com/blogs/opensource/centralized-container-logging-fluent-bit/ -data "aws_iam_policy_document" "policy_fluentbit" { - statement { - sid = "AllowFirehose" - effect = "Allow" - actions = [ - "firehose:PutRecordBatch" - ] - resources = ["*"] - } - ## statement { - ## sid = "PutLogEvents" - ## effect = "Allow" - ## actions = [ - ## "logs:PutLogEvents" - ## ] - ## resources = [ format("arn:%v:logs:*:*:log-group:*:*:*",data.aws_arn.current.partition) ] - ## } - statement { - sid = "CreateStreams" - effect = "Allow" - actions = [ - 
"logs:CreateLogStream", - "logs:DescribeLogStreams", - "logs:PutLogEvents" - ] - # resources = [ format("arn:%v:logs:*:*:log-group:*",data.aws_arn.current.partition) ] - resources = [for k, v in aws_cloudwatch_log_group.fluentbit_logs : format("%v:*", v.arn)] - } - ## statement { - ## sid = "CreateLogGroup" - ## effect = "Allow" - ## actions = [ - ## "logs:CreateLogGroup" - ## ] - ## resources = [ "*" ] - ## } -} - -resource "aws_cloudwatch_log_group" "fluentbit_logs" { - for_each = toset(var.fluentbit_log_names) - name = format("/aws/containerinsights/%v/%v", var.cluster_name, each.key) - retention_in_days = var.fluentbit_log_retention_days - tags = merge( - local.base_tags, - local.common_tags, - var.application_tags, - ) -} - -## helm, reference ssm image -# https://github.com/aws/eks-charts/tree/master/stable/aws-for-fluent-bit - -resource "helm_release" "fluentbit" { - chart = "aws-for-fluent-bit" - name = var.fluentbit_name - namespace = var.fluentbit_namespace - repository = var.fluentbit_charts["fluent-bit"].use_remote ? var.fluentbit_charts["fluent-bit"].repository : "${path.module}/charts" - version = var.fluentbit_charts["fluent-bit"].use_remote ? 
var.fluentbit_charts["fluent-bit"].version : null - - values = [ - file("fluentbit.values.yml"), - templatefile("${path.root}/templates/fluentbit.env.yml.tpl",{ - region = local.region - cluster_name = var.cluster_name - }) - ] - - set { - name = "cluster.name" - value = var.cluster_name - } - set { - name = "logs.region" - value = var.region - } - set { - name = "image.repository" - value = split(":", data.aws_ssm_parameter.fluentbit_image.value)[0] - } - set { - name = "image.tag" - value = var.fluentbit_tag - } - set { - name = "cloudWatchLogs.enabled" - value = "false" - } - set { - name = "serviceAccount.name" - value = var.fluentbit_name - } - set { - name = "serviceAccount.create" - value = "true" - } - set { - name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" - value = module.role_fluentbit.iam_role_arn - } - timeout = 300 -} diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/fluentbit.values.yml b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/fluentbit.values.yml deleted file mode 100644 index 029164e..0000000 --- a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/fluentbit.values.yml +++ /dev/null 
@@ -1,229 +0,0 @@ -# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights-use-kubelet.html -# networkign needs to be enablrd for the kubernetes filter. The chart does not enable this and has comments about enabling -hostNetwork: true -dnsPolicy: ClusterFirstWithHostNet -# disable starndard input and filter -input: - enabled: false -filter: - enabled: false -# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html -# https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/cloudwatch-namespace.yaml -# https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/fluent-bit/fluent-bit.yaml -# takes volumes, volumeMounts, and inputs,outputs,filters, and parsers from these sample -# note there seems not to be away to pass the labels and selector.matchLabels to this chart -# -volumeMounts: -# Please don't change below read-only permissions - - name: fluentbitstate - mountPath: /var/fluent-bit/state - - name: varlog - mountPath: /var/log - readOnly: true - - name: varlibdockercontainers - mountPath: /var/lib/docker/containers - readOnly: true - - name: runlogjournal - mountPath: /run/log/journal - readOnly: true - - name: dmesg - mountPath: /var/log/dmesg - readOnly: true -volumes: - - name: fluentbitstate - hostPath: - path: /var/fluent-bit/state - - name: varlog - hostPath: - path: /var/log - - name: varlibdockercontainers - hostPath: - path: /var/lib/docker/containers - - name: runlogjournal - hostPath: - path: /run/log/journal - - name: dmesg - hostPath: - path: /var/log/dmesg -additionalInputs: |- - [INPUT] - Name tail - Tag application.* - Exclude_Path /var/log/containers/cloudwatch-agent*, /var/log/containers/fluent-bit*, 
/var/log/containers/aws-node*, /var/log/containers/kube-proxy* - Path /var/log/containers/*.log - multiline.parser docker, cri - DB /var/fluent-bit/state/flb_container.db - Mem_Buf_Limit 50MB - Skip_Long_Lines On - Refresh_Interval 10 - Rotate_Wait 30 - storage.type filesystem - Read_from_Head ${READ_FROM_HEAD} - [INPUT] - Name tail - Tag application.* - Path /var/log/containers/fluent-bit* - multiline.parser docker, cri - DB /var/fluent-bit/state/flb_log.db - Mem_Buf_Limit 5MB - Skip_Long_Lines On - Refresh_Interval 10 - Read_from_Head ${READ_FROM_HEAD} - [INPUT] - Name tail - Tag application.* - Path /var/log/containers/cloudwatch-agent* - multiline.parser docker, cri - DB /var/fluent-bit/state/flb_cwagent.db - Mem_Buf_Limit 5MB - Skip_Long_Lines On - Refresh_Interval 10 - Read_from_Head ${READ_FROM_HEAD} - [INPUT] - Name systemd - Tag dataplane.systemd.* - Systemd_Filter _SYSTEMD_UNIT=docker.service - Systemd_Filter _SYSTEMD_UNIT=containerd.service - Systemd_Filter _SYSTEMD_UNIT=kubelet.service - DB /var/fluent-bit/state/systemd.db - Path /var/log/journal - Read_From_Tail ${READ_FROM_TAIL} - [INPUT] - Name tail - Tag dataplane.tail.* - Path /var/log/containers/aws-node*, /var/log/containers/kube-proxy* - multiline.parser docker, cri - DB /var/fluent-bit/state/flb_dataplane_tail.db - Mem_Buf_Limit 50MB - Skip_Long_Lines On - Refresh_Interval 10 - Rotate_Wait 30 - storage.type filesystem - Read_from_Head ${READ_FROM_HEAD} - [INPUT] - Name tail - Tag host.dmesg - Path /var/log/dmesg - Key message - DB /var/fluent-bit/state/flb_dmesg.db - Mem_Buf_Limit 5MB - Skip_Long_Lines On - Refresh_Interval 10 - Read_from_Head ${READ_FROM_HEAD} - [INPUT] - Name tail - Tag host.messages - Path /var/log/messages - Parser syslog - DB /var/fluent-bit/state/flb_messages.db - Mem_Buf_Limit 5MB - Skip_Long_Lines On - Refresh_Interval 10 - Read_from_Head ${READ_FROM_HEAD} - [INPUT] - Name tail - Tag host.secure - Path /var/log/secure - Parser syslog - DB 
/var/fluent-bit/state/flb_secure.db - Mem_Buf_Limit 5MB - Skip_Long_Lines On - Refresh_Interval 10 - Read_from_Head ${READ_FROM_HEAD} -additionalOutputs: |- - [OUTPUT] - Name cloudwatch_logs - Match application.* - region ${AWS_REGION} - log_group_name /aws/containerinsights/${CLUSTER_NAME}/application - log_stream_prefix ${HOST_NAME}- - auto_create_group true - extra_user_agent container-insights - [OUTPUT] - Name cloudwatch_logs - Match dataplane.* - region ${AWS_REGION} - log_group_name /aws/containerinsights/${CLUSTER_NAME}/dataplane - log_stream_prefix ${HOST_NAME}- - auto_create_group true - extra_user_agent container-insights - [OUTPUT] - Name cloudwatch_logs - Match host.* - region ${AWS_REGION} - log_group_name /aws/containerinsights/${CLUSTER_NAME}/host - log_stream_prefix ${HOST_NAME}. - auto_create_group true - extra_user_agent container-insights -additionalFilters: |- - [FILTER] - Name kubernetes - Match application.* - Kube_URL https://kubernetes.default.svc:443 - Kube_Tag_Prefix application.var.log.containers. - Merge_Log On - Merge_Log_Key log_processed - K8S-Logging.Parser On - K8S-Logging.Exclude Off - Labels Off - Annotations Off - Use_Kubelet On - Kubelet_Port 10250 - Buffer_Size 0 - Kube_CA_File /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - Kube_Token_File /var/run/secrets/kubernetes.io/serviceaccount/token - [FILTER] - Name modify - Match dataplane.systemd.* - Rename _HOSTNAME hostname - Rename _SYSTEMD_UNIT systemd_unit - Rename MESSAGE message - Remove_regex ^((?!hostname|systemd_unit|message).)*$ - [FILTER] - Name aws - Match dataplane.* - imds_version v1 - [FILTER] - Name aws - Match host.* - imds_version v1 -service: - extraParsers: |- - [PARSER] - Name syslog - Format regex - Regex ^(?