diff --git a/examples/full-cluster/cluster-roles/deployer-clusterrole.tf b/examples/full-cluster/cluster-roles/deployer-clusterrole.tf index 88361ab..0ca031a 100644 --- a/examples/full-cluster/cluster-roles/deployer-clusterrole.tf +++ b/examples/full-cluster/cluster-roles/deployer-clusterrole.tf @@ -6,23 +6,42 @@ resource "kubernetes_cluster_role" "cicd_deployer_istiosystem_cluster_role" { rule { api_groups = ["acme.cert-manager.io"] resources = ["challenges", "orders", "certificaterequests"] - verbs = ["create","delete","deletecollection","get","list","patch","update","patch"] + + verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"] } rule { api_groups = ["cert-manager.io"] resources = ["certificates"] - verbs = ["create","delete","deletecollection","get","list","patch","update","patch"] + verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"] } rule { - verbs = ["create","delete","deletecollection","get","list","patch","update","patch"] + verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"] + api_groups = ["networking.istio.io"] resources = ["gateways"] } } +resource "kubernetes_cluster_role" "cicd_deployer_istio_cluster_role" { + metadata { + name = var.deployer_application_istio_role_name + } + rule { + api_groups = ["security.istio.io"] + verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"] + resources = ["requestauthentications", "authorizationpolicies", "peerauthentications"] + } + + rule { + verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"] + api_groups = ["networking.istio.io"] + resources = ["virtualservices", "destinationrules", "gateways"] + } +} + resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" { metadata { name = var.deployer_application_role_name 
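Review bot: Every `verbs` list in this hunk, including both rules of the new `cicd_deployer_istio_cluster_role`, still contains `"patch"` twice (`..., "patch", "update", "patch"`); the reformat rewrote these lines without dropping the repeat, and the same lists recur in the second hunk of this file. Removing it, `verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update"]`, leaves the granted verb set easier to audit and is behaviour-neutral. The new role grants create/delete/deletecollection on `authorizationpolicies`, `peerauthentications` and `requestauthentications` in `security.istio.io`, which are the objects that set workload authentication and authorization policy, so a header comment stating the intended binding scope would help, e.g. `# Istio security/networking policy rights for the CI/CD deployer; bind per namespace with a RoleBinding, not cluster-wide.` The empty `+` line added before the first `verbs` attribute looks accidental.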
@@ -38,24 +57,12 @@ resource "kubernetes_cluster_role" "cicd_deployer_application_cluster_role" { rule { api_groups = ["acme.cert-manager.io"] resources = ["challenges", "orders", "certificaterequests"] - verbs = ["create","delete","deletecollection","get","list","patch","update","patch"] + verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"] } rule { api_groups = ["cert-manager.io"] resources = ["certificates"] - verbs = ["create","delete","deletecollection","get","list","patch","update","patch"] - } - - rule { - api_groups = ["security.istio.io"] - verbs = ["create","delete","deletecollection","get","list","patch","update","patch"] - resources = ["requestauthentications","authorizationpolicies","peerauthentications"] - } - - rule { - verbs = ["create","delete","deletecollection","get","list","patch","update","patch"] - api_groups = ["networking.istio.io"] - resources = ["virtualservices", "destinationrules", "gateways"] + verbs = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "patch"] } } diff --git a/examples/full-cluster/cluster-roles/deployer-rolebinding.tf b/examples/full-cluster/cluster-roles/deployer-rolebinding.tf index a763fd7..3b90b7b 100644 --- a/examples/full-cluster/cluster-roles/deployer-rolebinding.tf +++ b/examples/full-cluster/cluster-roles/deployer-rolebinding.tf 
@@ -37,6 +37,33 @@ resource "kubernetes_namespace" "cicd_managed_namespaces" { } } + +resource "kubernetes_role_binding" "deployer_application_istio_rolebinding" { + # for_each = toset(local.cicd_managed_namespaces) + for_each = kubernetes_namespace.cicd_managed_namespaces + + metadata { + name = var.deployer_application_istio_rolebinding_name + namespace = each.key + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = var.deployer_application_istio_role_name + } + subject { + kind = "User" + name = var.cicd_k8s_user_name + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "Group" + name = local.cicd_k8s_iam_username + api_group = "rbac.authorization.k8s.io" + } + # depends_on = [kubernetes_namespace.cicd_managed_namespaces] +} + resource "kubernetes_role_binding" "deployer_application_rolebinding" { # for_each = toset(local.cicd_managed_namespaces) for_each = kubernetes_namespace.cicd_managed_namespaces diff --git a/examples/full-cluster/providers.tf b/examples/full-cluster/providers.tf index 815e4c1..03c6b10 100644 --- a/examples/full-cluster/providers.tf +++ b/examples/full-cluster/providers.tf @@ -2,11 +2,17 @@ terraform { required_version = ">= 0.12.31" } -provider "kubernetes" { - host = local.aws_eks_cluster.endpoint +# to import, you cannot have provider fields which count on data elements (as these locals show). You need to use the config_path. +# see these for more info: +# https://github.com/hashicorp/terraform-provider-kubernetes/issues/793 +# https://www.terraform.io/docs/cli/commands/import.html#provider-configuration +# https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs +provider "kubernetes" { + host = local.aws_eks_cluster.endpoint cluster_ca_certificate = base64decode(local.aws_eks_cluster.certificate_authority[0].data) token = local.aws_eks_cluster_auth.token +# config_path = "${path.root}/setup/kube.config" } provider "helm" {
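Review bot: The `role_ref` of the new `deployer_application_istio_rolebinding` names the ClusterRole through `var.deployer_application_istio_role_name` rather than the resource created in deployer-clusterrole.tf, so Terraform sees no dependency between them and the API server will accept a RoleBinding whose roleRef points at a ClusterRole that does not exist yet, leaving the binding silently ineffective until the role appears or the variable drifts. Referencing the resource fixes both: `name = kubernetes_cluster_role.cicd_deployer_istio_cluster_role.metadata[0].name`. The second `subject` is of kind `Group` but takes its name from `local.cicd_k8s_iam_username`; this appears to be copied from the existing `deployer_application_rolebinding` (whose subject lines are outside the hunk), so it is worth confirming that a username-like local is really the intended group name, since a non-matching group grants nothing and a mis-typed one could grant to the wrong principals. The commented-out `for_each` and `depends_on` lines are carried over as dead code and could be dropped.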