diff --git a/examples/full-cluster-tf-upgrade/1.25/dns-zone.tf b/examples/full-cluster-tf-upgrade/1.25/dns-zone.tf
index a7afc52..a91b668 100644
--- a/examples/full-cluster-tf-upgrade/1.25/dns-zone.tf
+++ b/examples/full-cluster-tf-upgrade/1.25/dns-zone.tf
@@ -31,7 +31,7 @@ provider "aws" {
 # dummy vpc, so we can associate the zone to this account
 #---
 data "aws_vpc" "dummy_vpc" {
-  count = var.shared_vpc_label != null ? 1 : 0
+  count = ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
   filter {
     name = "tag:Name"
     values = ["vpc0-dummy"]
@@ -44,7 +44,7 @@ resource "aws_route53_zone" "cluster_domain" {
   force_destroy = false
 
   vpc {
-    vpc_id = var.shared_vpc_label != null ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
+    vpc_id = ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? try(data.aws_vpc.dummy_vpc[0].id, null) : data.aws_vpc.eks_vpc.id
     vpc_region = local.region
   }
 
@@ -65,7 +65,7 @@ resource "aws_route53_zone" "cluster_domain" {
 # need to also associate with network-prod account and this vpc
 #---
 module "route53_cluster_domain_east" {
-  count = local.region == "us-gov-east-1" && var.shared_vpc_label != null ? 1 : 0
+  count = local.region == "us-gov-east-1" && ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
   providers = {
     aws.self = aws
     aws.peer = aws.route53_main_east
@@ -83,7 +83,7 @@ module "route53_cluster_domain_east" {
 }
 
 module "route53_cluster_domain_west" {
-  count = local.region == "us-gov-west-1" && var.shared_vpc_label != null ? 1 : 0
+  count = local.region == "us-gov-west-1" && ! (var.shared_vpc_label == null || var.shared_vpc_label == "") ? 1 : 0
   providers = {
     aws.self = aws
     aws.peer = aws.route53_main_west
diff --git a/examples/full-cluster-tf-upgrade/1.25/ec2-keypair.tf b/examples/full-cluster-tf-upgrade/1.25/ec2-keypair.tf
index e000d4d..23b31c8 100644
--- a/examples/full-cluster-tf-upgrade/1.25/ec2-keypair.tf
+++ b/examples/full-cluster-tf-upgrade/1.25/ec2-keypair.tf
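Review bot: The same null-or-empty test on var.shared_vpc_label is now written out four times across the dns-zone.tf hunks (data "aws_vpc" "dummy_vpc", the vpc block of aws_route53_zone.cluster_domain, and both route53_cluster_domain modules), so the next change to the rule has to be repeated in four places. Hoisting it into a local keeps one definition, e.g. `shared_vpc_enabled = var.shared_vpc_label != null && var.shared_vpc_label != ""` in the file's locals, after which each count line becomes `count = local.shared_vpc_enabled ? 1 : 0` (and the east/west counts keep their region test in front). That form is the De Morgan equivalent of the added expression, so behaviour is unchanged. Every data, resource and module block touched by these hunks starts or ends outside the hunk.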
@@ -1,36 +1,93 @@
 locals {
   keypair_name = format("ec2-ssh-%v%v", local._prefixes["eks"], var.cluster_name)
+  timestamp = formatdate("YYYYMMDD", time_static.timestamp.rfc3339)
 }
 
-# two-step process to create
-# terraform apply -target=null_resource.generate_keypair
-# terraform apply
-# when done, add to git
-# cd setup
-# echo inf-ec2-keypair >> .gitignore
-# git-secret add inf-ec2-keypair
-# git-secret hide
-# git add inf-ec2-keypair.{pub,secret}
-# git commit -m'add ec2-keypair: inf-ec2-keypair' inf-ec2-keypair.{pub,secret} .gitignore
-
-# inf-keypair
-resource "null_resource" "generate_keypair" {
-  provisioner "local-exec" {
-    command = "test -d setup || mkdir setup"
-  }
-  provisioner "local-exec" {
-    working_dir = "./setup"
-    command = "ssh-keygen -f ${local.keypair_name} -N '' -t rsa -b 2048 -C '${local.keypair_name}@${var.cluster_name}.${local.vpc_domain_name}'"
-  }
-}
+resource "time_static" "timestamp" {}
+
+## # two-step process to create
+## # terraform apply -target=null_resource.generate_keypair
+## # terraform apply
+## # when done, add to git
+## # cd setup
+## # echo inf-ec2-keypair >> .gitignore
+## # git-secret add inf-ec2-keypair
+## # git-secret hide
+## # git add inf-ec2-keypair.{pub,secret}
+## # git commit -m'add ec2-keypair: inf-ec2-keypair' inf-ec2-keypair.{pub,secret} .gitignore
+##
+## # inf-keypair
+## resource "null_resource" "generate_keypair" {
+##   provisioner "local-exec" {
+##     command = "test -d setup || mkdir setup"
+##   }
+##   provisioner "local-exec" {
+##     working_dir = "./setup"
+##     command = "ssh-keygen -f ${local.keypair_name} -N '' -t rsa -b 2048 -C '${local.keypair_name}@${var.cluster_name}.${local.vpc_domain_name}'"
+##   }
+## }
+##
+## resource "aws_key_pair" "cluster_keypair" {
+##   key_name = local.keypair_name
+##   public_key = file("setup/${local.keypair_name}.pub")
+##   depends_on = [null_resource.generate_keypair]
+## }
+##
+## output "cluster_keypair" {
+##   description = "EC2 keypair for EKS Cluster"
+##   value = aws_key_pair.cluster_keypair.key_name
+## }
+
+module "key_pair" {
+  source = "terraform-aws-modules/key-pair/aws"
+
+  key_name = local.keypair_name
+  create_private_key = true
 
-resource "aws_key_pair" "cluster_keypair" {
-  key_name = local.keypair_name
-  public_key = file("setup/${local.keypair_name}.pub")
-  depends_on = [null_resource.generate_keypair]
+  tags = merge(
+    var.tags,
+    {
+      "Name" = local.keypair_name
+      "launch_time" = time_static.timestamp.rfc3339
+      "launch_vpc" = local.vpc_label
+    }
+  )
 }
 
 output "cluster_keypair" {
-  description = "EC2 keypair for EKS Cluster"
-  value = aws_key_pair.cluster_keypair.key_name
+  description = "EC2 Key Pair Name"
+  value = module.key_pair.key_pair_name
 }
+
+resource "local_sensitive_file" "ssh_private_key" {
+  content = format("%v\n", module.key_pair.private_key_openssh)
+  directory_permission = "0700"
+  file_permission = "0600"
+  filename = format("%v/%v", null_resource.setup_directory.triggers.directory, null_resource.setup_directory.triggers.keypair_name)
+}
+
+resource "local_sensitive_file" "ssh_public_key" {
+  content = format("%v\n", module.key_pair.public_key_openssh)
+  directory_permission = "0700"
+  file_permission = "0600"
+  filename = format("%v/%v.pub", null_resource.setup_directory.triggers.directory, null_resource.setup_directory.triggers.keypair_name)
+}
+
+resource "local_file" "gitignore" {
+  content = format("%v\n", basename(local_sensitive_file.ssh_private_key.filename))
+  directory_permission = "0700"
+  file_permission = "0600"
+  filename = format("%v/%v", null_resource.setup_directory.triggers.directory, ".gitignore")
+}
+
+resource "local_sensitive_file" "gitsecret_script" {
+  content = templatefile("${path.module}/templates/manage-git-secret.sh.tpl", {
+    ssh_key_directory = null_resource.setup_directory.triggers.directory
+    ssh_private_key_filename = local_sensitive_file.ssh_private_key[0].filename
+    ssh_public_key_filename = local_sensitive_file.ssh_public_key[0].filename
+  })
+  directory_permission = "0700"
+  file_permission = "0755"
+  filename = format("%v/%v", null_resource.setup_directory.triggers.directory, "manage-git-secret.sh")
+}
+
diff --git a/examples/full-cluster-tf-upgrade/1.25/main.tf b/examples/full-cluster-tf-upgrade/1.25/main.tf
index 6f8c098..286fe40 100644
--- a/examples/full-cluster-tf-upgrade/1.25/main.tf
+++ b/examples/full-cluster-tf-upgrade/1.25/main.tf
@@ -159,7 +159,8 @@ resource "aws_launch_template" "eks-nodegroup" {
   instance_type = var.eks_instance_type
   name = format("%v%v-launch-template", local._prefixes["eks"], var.cluster_name)
   update_default_version = true
-  key_name = aws_key_pair.cluster_keypair.key_name
+  # key_name = aws_key_pair.cluster_keypair.key_name
+  key_name = module.key_pair.key_pair_name
   # vpc_security_group_ids = [aws_security_group.additional_eks_cluster_sg.id]
   vpc_security_group_ids = [aws_security_group.extra_cluster_sg.id]
 
diff --git a/examples/full-cluster-tf-upgrade/1.25/tf-run.data b/examples/full-cluster-tf-upgrade/1.25/tf-run.data
index 260595b..586fd35 100644
--- a/examples/full-cluster-tf-upgrade/1.25/tf-run.data
+++ b/examples/full-cluster-tf-upgrade/1.25/tf-run.data
@@ -1,4 +1,4 @@
-VERSION 1.4.4
+VERSION 1.4.5
 REMOTE-STATE
 COMMENT make sure the private-lb subnet and container subnets are tagged properly (see README.md)
 STOP then continue with at step %%NEXT%% (tag:subnets-verified)
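Review bot: `ssh_private_key_filename = local_sensitive_file.ssh_private_key[0].filename` and the matching `ssh_public_key[0]` line in local_sensitive_file.gitsecret_script index resources that this same hunk declares without count or for_each, which Terraform rejects at plan time; local_file.gitignore a few lines earlier already uses `local_sensitive_file.ssh_private_key.filename` without an index, so drop the `[0]` on both lines. Separately, replacing the ssh-keygen provisioner with module "key_pair" and `create_private_key = true` means the private key is generated inside Terraform and, unless the module does something unusual, stored in the state; with tf-run.data declaring REMOTE-STATE, read access to that state now yields the same secret as the 0600 file written by local_sensitive_file.ssh_private_key, which deserves a one-line comment above the module block so operators scope state access accordingly. null_resource.setup_directory is referenced by every filename but not defined in this diff, so presumably it lives elsewhere in the directory. The thirty-odd `##`-prefixed lines of the old implementation here, and the `# key_name = aws_key_pair.cluster_keypair.key_name` line kept in the main.tf hunk, are dead code that git history already preserves and could be deleted.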
@@ -31,11 +31,12 @@ TAG setup-complete POLICY TAG ec2-key -COMMENT EC2 key pairs -null_resource.generate_keypair -aws_key_pair.cluster_keypair +module.cluster_key_pair time_static.timestamp local_sensitive_file.ssh_private_key local_sensitive_file.ssh_public_key local_file.gitignore local_sensitive_file.gitsecret_script +## null_resource.generate_keypair +## aws_key_pair.cluster_keypair + COMMAND tf-directory-setup.py -l s3 -COMMENT be sure to add the setup/ec2-ssh-eks-{cluster} to git-secret, git-secret hide, add the setup/*secret and setup/*pub got git, and commit the entirety of the change +## COMMENT be sure to add the setup/ec2-ssh-eks-{cluster} to git-secret, git-secret hide, add the setup/*secret and setup/*pub got git, and commit the entirety of the change TAG dns-zone aws_route53_zone.cluster_domain diff --git a/examples/full-cluster-tf-upgrade/1.25/tf-run.destroy.data b/examples/full-cluster-tf-upgrade/1.25/tf-run.destroy.data index 2fbd2f2..cda1525 100644 --- a/examples/full-cluster-tf-upgrade/1.25/tf-run.destroy.data +++ b/examples/full-cluster-tf-upgrade/1.25/tf-run.destroy.data 
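Review bot: `+module.cluster_key_pair` in the ec2-key target list names a module that does not exist: ec2-keypair.tf declares `module "key_pair"` and main.tf references `module.key_pair.key_pair_name`, so this step's targets will not resolve; the same address appears in the tf-run.destroy.data hunk of this commit. Change it to `module.key_pair` in both run files, or rename the module to cluster_key_pair in ec2-keypair.tf, whichever the directory-setup tooling expects. The git-secret COMMENT is only commented out rather than replaced; a one-line COMMENT pointing at the generated manage-git-secret.sh would keep the operator instructions in the run file.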
@@ -1,16 +1,23 @@ -VERSION 1.0.1 +VERSION 1.0.2 BACKUP-STATE COMMAND tf-init COMMAND tf-state list aws_route53_zone.cluster_domain + aws_eks_node_group.eks-nodegroup aws_eks_cluster.eks_cluster aws_iam_openid_connect_provider.oidc aws_launch_template.eks-nodegroup -aws_key_pair.cluster_keypair -null_resource.generate_keypair + +## aws_key_pair.cluster_keypair +## null_resource.generate_keypair + +module.cluster_key_pair time_static.timestamp local_sensitive_file.ssh_private_key local_sensitive_file.ssh_public_key local_file.gitignore local_sensitive_file.gitsecret_script + module.role_cluster-admin module.role_eks-cluster module.role_eks-nodegroup module.group_cluster-admin.aws_iam_group.this + POLICY -aws_security_group.additional_eks_cluster_sg aws_security_group.all_worker_mgmt + +aws_security_group.additional_eks_cluster_sg aws_security_group.all_worker_mgmt aws_security_group.extra_cluster_sg null_resource.cluster_roles["eks-console-full-access"] null_resource.cluster_roles["eks-console-restricted-access"] ALL @@ -23,3 +30,8 @@ ALL ## NO ./aws-auth/tf-run.destroy.data ## ./tf-run.destroy.data + + +TAG ec2-key +## null_resource.generate_keypair +## aws_key_pair.cluster_keypair diff --git a/examples/full-cluster-tf-upgrade/1.25/variables.vpc.auto.tfvars.make-link b/examples/full-cluster-tf-upgrade/1.25/variables.vpc.auto.tfvars.make-link deleted file mode 100644 index 86d88cb..0000000 --- a/examples/full-cluster-tf-upgrade/1.25/variables.vpc.auto.tfvars.make-link +++ /dev/null 
@@ -1,9 +0,0 @@
-# For a submodule/subrepository, copy variables.vpc.auto.tfvars from the appropriate vpc/{region}/vpc{n}/ directory in the main repo.
-# In the apps directory, tf-run.data will create links to it. Any eks-* directories under that will be picked up and created
-# by setup-new-directory.sh
-#
-# For something directly in the main repo for the account this wil be handled by setup-new-directory.sh as the apps
-# directory includes it already.
-#
-# If you fail to do this, you will get errors on missing variables.
-#
diff --git a/examples/full-cluster-tf-upgrade/1.25/variables.vpc.tf.make-link b/examples/full-cluster-tf-upgrade/1.25/variables.vpc.tf.make-link
deleted file mode 100644
index 86d88cb..0000000
--- a/examples/full-cluster-tf-upgrade/1.25/variables.vpc.tf.make-link
+++ /dev/null
@@ -1,9 +0,0 @@
-# For a submodule/subrepository, copy variables.vpc.auto.tfvars from the appropriate vpc/{region}/vpc{n}/ directory in the main repo.
-# In the apps directory, tf-run.data will create links to it. Any eks-* directories under that will be picked up and created
-# by setup-new-directory.sh
-#
-# For something directly in the main repo for the account this wil be handled by setup-new-directory.sh as the apps
-# directory includes it already.
-#
-# If you fail to do this, you will get errors on missing variables.
-#