fix: Ensure the correct service CIDR and IP family is used in the rendered user data (#2963)

* fix: Ensuring the correct service CIDR and IP family is used in the rendered user data * chore: Updates from testing and validating * chore: Fix example destroy instructions * fix: Only require `cluster_service_cidr` when `create = true` * chore: Clean up commented out code and add note on check length
2026-01-16 16:47:20 +01:00 · 2024-03-12 10:36:19 -04:00
parent 907f70cffd
commit aeb9f0c990
55 changed files with 384 additions and 148 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.88.1
    hooks:
      - id: terraform_fmt
      - id: terraform_docs
--- a/README.md
+++ b/README.md
@@ -188,7 +188,7 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 3.0 |
@@ -352,12 +352,14 @@ We are grateful to the community for contributing bugfixes and improvements! Ple
 | <a name="output_cluster_iam_role_unique_id"></a> [cluster\_iam\_role\_unique\_id](#output\_cluster\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 | <a name="output_cluster_id"></a> [cluster\_id](#output\_cluster\_id) | The ID of the EKS cluster. Note: currently a value is returned only for local EKS clusters created on Outposts |
 | <a name="output_cluster_identity_providers"></a> [cluster\_identity\_providers](#output\_cluster\_identity\_providers) | Map of attribute maps for all EKS identity providers enabled |
 | <a name="output_cluster_ip_family"></a> [cluster\_ip\_family](#output\_cluster\_ip\_family) | The IP family used by the cluster (e.g. `ipv4` or `ipv6`) |
 | <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | The name of the EKS cluster |
 | <a name="output_cluster_oidc_issuer_url"></a> [cluster\_oidc\_issuer\_url](#output\_cluster\_oidc\_issuer\_url) | The URL on the EKS cluster for the OpenID Connect identity provider |
 | <a name="output_cluster_platform_version"></a> [cluster\_platform\_version](#output\_cluster\_platform\_version) | Platform version for the cluster |
 | <a name="output_cluster_primary_security_group_id"></a> [cluster\_primary\_security\_group\_id](#output\_cluster\_primary\_security\_group\_id) | Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication. Referred to as 'Cluster security group' in the EKS console |
 | <a name="output_cluster_security_group_arn"></a> [cluster\_security\_group\_arn](#output\_cluster\_security\_group\_arn) | Amazon Resource Name (ARN) of the cluster security group |
 | <a name="output_cluster_security_group_id"></a> [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | ID of the cluster security group |
 | <a name="output_cluster_service_cidr"></a> [cluster\_service\_cidr](#output\_cluster\_service\_cidr) | The CIDR block where Kubernetes pod and service IP addresses are assigned from |
 | <a name="output_cluster_status"></a> [cluster\_status](#output\_cluster\_status) | Status of the EKS cluster. One of `CREATING`, `ACTIVE`, `DELETING`, `FAILED` |
 | <a name="output_cluster_tls_certificate_sha1_fingerprint"></a> [cluster\_tls\_certificate\_sha1\_fingerprint](#output\_cluster\_tls\_certificate\_sha1\_fingerprint) | The SHA1 fingerprint of the public key of the cluster's certificate |
 | <a name="output_cluster_version"></a> [cluster\_version](#output\_cluster\_version) | The Kubernetes version for the cluster |
--- a/examples/eks_managed_node_group/README.md
+++ b/examples/eks_managed_node_group/README.md
@@ -29,7 +29,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
 ## Providers
--- a/examples/eks_managed_node_group/main.tf
+++ b/examples/eks_managed_node_group/main.tf
@@ -357,9 +357,10 @@ module "disabled_eks" {
 module "eks_managed_node_group" {
  source = "../../modules/eks-managed-node-group"
-  name            = "separate-eks-mng"
+  name                 = "separate-eks-mng"
-  cluster_name    = module.eks.cluster_name
+  cluster_name         = module.eks.cluster_name
-  cluster_version = module.eks.cluster_version
+  cluster_ip_family    = module.eks.cluster_ip_family
  cluster_service_cidr = module.eks.cluster_service_cidr
  subnet_ids                        = module.vpc.private_subnets
  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
--- a/examples/eks_managed_node_group/versions.tf
+++ b/examples/eks_managed_node_group/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    aws = {
--- a/examples/fargate_profile/README.md
+++ b/examples/fargate_profile/README.md
@@ -19,7 +19,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
 ## Providers
--- a/examples/fargate_profile/versions.tf
+++ b/examples/fargate_profile/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    aws = {
--- a/examples/karpenter/README.md
+++ b/examples/karpenter/README.md
@@ -43,7 +43,9 @@ kubectl delete node -l karpenter.sh/provisioner-name=default
 ```bash
 # Necessary to avoid removing Terraform's permissions too soon before its finished
 # cleaning up the resources it deployed inside the cluster
-terraform state rm 'module.eks.aws_eks_access_entry.this["cluster_creator_admin"]' || true
+terraform state rm 'module.eks.aws_eks_access_entry.this["cluster_creator"]' || true
 terraform state rm 'module.eks.aws_eks_access_policy_association.this["cluster_creator_admin"]' || true
 terraform destroy
 ```
@@ -54,7 +56,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.7 |
 | <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | >= 2.0 |
--- a/examples/karpenter/main.tf
+++ b/examples/karpenter/main.tf
@@ -169,7 +169,7 @@ resource "helm_release" "karpenter" {
  repository_username = data.aws_ecrpublic_authorization_token.token.user_name
  repository_password = data.aws_ecrpublic_authorization_token.token.password
  chart               = "karpenter"
-  version             = "v0.34.0"
+  version             = "0.35.1"
  wait                = false
  values = [
--- a/examples/karpenter/versions.tf
+++ b/examples/karpenter/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    aws = {
--- a/examples/outposts/README.md
+++ b/examples/outposts/README.md
@@ -48,7 +48,7 @@ terraform destroy
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.20 |
--- a/examples/outposts/prerequisites/versions.tf
+++ b/examples/outposts/prerequisites/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    aws = {
--- a/examples/outposts/versions.tf
+++ b/examples/outposts/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    aws = {
--- a/examples/self_managed_node_group/README.md
+++ b/examples/self_managed_node_group/README.md
@@ -25,7 +25,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
 ## Providers
--- a/examples/self_managed_node_group/main.tf
+++ b/examples/self_managed_node_group/main.tf
@@ -309,6 +309,9 @@ module "disabled_self_managed_node_group" {
  source = "../../modules/self-managed-node-group"
  create = false
  # Hard requirement
  cluster_service_cidr = ""
 }
 ################################################################################
--- a/examples/self_managed_node_group/versions.tf
+++ b/examples/self_managed_node_group/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    aws = {
--- a/examples/user_data/README.md
+++ b/examples/user_data/README.md
@@ -17,7 +17,7 @@ $ terraform apply
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.4 |
 ## Providers
@@ -36,7 +36,9 @@ $ terraform apply
 | <a name="module_eks_mng_al2023_no_op"></a> [eks\_mng\_al2023\_no\_op](#module\_eks\_mng\_al2023\_no\_op) | ../../modules/_user_data | n/a |
 | <a name="module_eks_mng_al2_additional"></a> [eks\_mng\_al2\_additional](#module\_eks\_mng\_al2\_additional) | ../../modules/_user_data | n/a |
 | <a name="module_eks_mng_al2_custom_ami"></a> [eks\_mng\_al2\_custom\_ami](#module\_eks\_mng\_al2\_custom\_ami) | ../../modules/_user_data | n/a |
 | <a name="module_eks_mng_al2_custom_ami_ipv6"></a> [eks\_mng\_al2\_custom\_ami\_ipv6](#module\_eks\_mng\_al2\_custom\_ami\_ipv6) | ../../modules/_user_data | n/a |
 | <a name="module_eks_mng_al2_custom_template"></a> [eks\_mng\_al2\_custom\_template](#module\_eks\_mng\_al2\_custom\_template) | ../../modules/_user_data | n/a |
 | <a name="module_eks_mng_al2_disabled"></a> [eks\_mng\_al2\_disabled](#module\_eks\_mng\_al2\_disabled) | ../../modules/_user_data | n/a |
 | <a name="module_eks_mng_al2_no_op"></a> [eks\_mng\_al2\_no\_op](#module\_eks\_mng\_al2\_no\_op) | ../../modules/_user_data | n/a |
 | <a name="module_eks_mng_bottlerocket_additional"></a> [eks\_mng\_bottlerocket\_additional](#module\_eks\_mng\_bottlerocket\_additional) | ../../modules/_user_data | n/a |
 | <a name="module_eks_mng_bottlerocket_custom_ami"></a> [eks\_mng\_bottlerocket\_custom\_ami](#module\_eks\_mng\_bottlerocket\_custom\_ami) | ../../modules/_user_data | n/a |
@@ -50,6 +52,7 @@ $ terraform apply
 | <a name="module_self_mng_al2023_custom_template"></a> [self\_mng\_al2023\_custom\_template](#module\_self\_mng\_al2023\_custom\_template) | ../../modules/_user_data | n/a |
 | <a name="module_self_mng_al2023_no_op"></a> [self\_mng\_al2023\_no\_op](#module\_self\_mng\_al2023\_no\_op) | ../../modules/_user_data | n/a |
 | <a name="module_self_mng_al2_bootstrap"></a> [self\_mng\_al2\_bootstrap](#module\_self\_mng\_al2\_bootstrap) | ../../modules/_user_data | n/a |
 | <a name="module_self_mng_al2_bootstrap_ipv6"></a> [self\_mng\_al2\_bootstrap\_ipv6](#module\_self\_mng\_al2\_bootstrap\_ipv6) | ../../modules/_user_data | n/a |
 | <a name="module_self_mng_al2_custom_template"></a> [self\_mng\_al2\_custom\_template](#module\_self\_mng\_al2\_custom\_template) | ../../modules/_user_data | n/a |
 | <a name="module_self_mng_al2_no_op"></a> [self\_mng\_al2\_no\_op](#module\_self\_mng\_al2\_no\_op) | ../../modules/_user_data | n/a |
 | <a name="module_self_mng_bottlerocket_bootstrap"></a> [self\_mng\_bottlerocket\_bootstrap](#module\_self\_mng\_bottlerocket\_bootstrap) | ../../modules/_user_data | n/a |
@@ -69,6 +72,7 @@ $ terraform apply
 | [local_file.eks_mng_al2023_no_op](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.eks_mng_al2_additional](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.eks_mng_al2_custom_ami](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.eks_mng_al2_custom_ami_ipv6](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.eks_mng_al2_custom_template](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.eks_mng_al2_no_op](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.eks_mng_bottlerocket_additional](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
@@ -83,6 +87,7 @@ $ terraform apply
 | [local_file.self_mng_al2023_custom_template](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.self_mng_al2023_no_op](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.self_mng_al2_bootstrap](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.self_mng_al2_bootstrap_ipv6](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.self_mng_al2_custom_template](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.self_mng_al2_no_op](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.self_mng_bottlerocket_bootstrap](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
--- a/examples/user_data/main.tf
+++ b/examples/user_data/main.tf
@@ -4,6 +4,7 @@ locals {
  cluster_endpoint          = "https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com"
  cluster_auth_base64       = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ=="
  cluster_service_ipv4_cidr = "172.16.0.0/16"
  cluster_service_ipv6_cidr = "fdd3:7636:68bc::/108"
  cluster_service_cidr      = "192.168.0.0/16"
 }
@@ -11,13 +12,25 @@ locals {
 # EKS managed node group - AL2
 ################################################################################
 module "eks_mng_al2_disabled" {
  source = "../../modules/_user_data"
  create = false
 }
 module "eks_mng_al2_no_op" {
  source = "../../modules/_user_data"
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
 }
 module "eks_mng_al2_additional" {
  source = "../../modules/_user_data"
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
  pre_bootstrap_user_data = <<-EOT
    export USE_MAX_PODS=false
  EOT
@@ -26,10 +39,32 @@ module "eks_mng_al2_additional" {
 module "eks_mng_al2_custom_ami" {
  source = "../../modules/_user_data"
-  cluster_name              = local.name
+  cluster_name         = local.name
-  cluster_endpoint          = local.cluster_endpoint
+  cluster_endpoint     = local.cluster_endpoint
-  cluster_auth_base64       = local.cluster_auth_base64
+  cluster_auth_base64  = local.cluster_auth_base64
-  cluster_service_ipv4_cidr = local.cluster_service_ipv4_cidr
+  cluster_service_cidr = local.cluster_service_ipv4_cidr
  enable_bootstrap_user_data = true
  pre_bootstrap_user_data = <<-EOT
    export FOO=bar
  EOT
  bootstrap_extra_args = "--kubelet-extra-args '--instance-type t3a.large'"
  post_bootstrap_user_data = <<-EOT
    echo "All done"
  EOT
 }
 module "eks_mng_al2_custom_ami_ipv6" {
  source = "../../modules/_user_data"
  cluster_name         = local.name
  cluster_endpoint     = local.cluster_endpoint
  cluster_auth_base64  = local.cluster_auth_base64
  cluster_ip_family    = "ipv6"
  cluster_service_cidr = local.cluster_service_ipv6_cidr
  enable_bootstrap_user_data = true
@@ -47,9 +82,10 @@ module "eks_mng_al2_custom_ami" {
 module "eks_mng_al2_custom_template" {
  source = "../../modules/_user_data"
-  cluster_name        = local.name
+  cluster_name         = local.name
-  cluster_endpoint    = local.cluster_endpoint
+  cluster_endpoint     = local.cluster_endpoint
-  cluster_auth_base64 = local.cluster_auth_base64
+  cluster_auth_base64  = local.cluster_auth_base64
  cluster_service_cidr = local.cluster_service_ipv4_cidr
  user_data_template_path = "${path.module}/templates/linux_custom.tpl"
@@ -73,6 +109,9 @@ module "eks_mng_al2023_no_op" {
  source = "../../modules/_user_data"
  platform = "al2023"
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
 }
 module "eks_mng_al2023_additional" {
@@ -80,6 +119,9 @@ module "eks_mng_al2023_additional" {
  platform = "al2023"
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
  cloudinit_pre_nodeadm = [{
    content      = <<-EOT
      ---
@@ -106,9 +148,6 @@ module "eks_mng_al2023_custom_ami" {
  cluster_auth_base64  = local.cluster_auth_base64
  cluster_service_cidr = local.cluster_service_cidr
  # Should do nothing
  cluster_service_ipv4_cidr = local.cluster_service_ipv4_cidr
  enable_bootstrap_user_data = true
  cloudinit_pre_nodeadm = [{
@@ -178,15 +217,16 @@ module "eks_mng_bottlerocket_no_op" {
  source = "../../modules/_user_data"
  platform = "bottlerocket"
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
 }
 module "eks_mng_bottlerocket_additional" {
  source = "../../modules/_user_data"
-  platform = "bottlerocket"
+  platform             = "bottlerocket"
-
+  cluster_service_cidr = local.cluster_service_cidr
  # Should do nothing
  cluster_service_ipv4_cidr = local.cluster_service_ipv4_cidr
  bootstrap_extra_args = <<-EOT
    # extra args added
@@ -200,9 +240,10 @@ module "eks_mng_bottlerocket_custom_ami" {
  platform = "bottlerocket"
-  cluster_name        = local.name
+  cluster_name         = local.name
-  cluster_endpoint    = local.cluster_endpoint
+  cluster_endpoint     = local.cluster_endpoint
-  cluster_auth_base64 = local.cluster_auth_base64
+  cluster_auth_base64  = local.cluster_auth_base64
  cluster_service_cidr = local.cluster_service_cidr
  enable_bootstrap_user_data = true
@@ -221,6 +262,8 @@ module "eks_mng_bottlerocket_custom_template" {
  cluster_name        = local.name
  cluster_endpoint    = local.cluster_endpoint
  cluster_auth_base64 = local.cluster_auth_base64
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
  user_data_template_path = "${path.module}/templates/bottlerocket_custom.tpl"
@@ -239,6 +282,9 @@ module "eks_mng_windows_no_op" {
  source = "../../modules/_user_data"
  platform = "windows"
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
 }
 module "eks_mng_windows_additional" {
@@ -246,8 +292,8 @@ module "eks_mng_windows_additional" {
  platform = "windows"
-  # Should do nothing
+  # Hard requirement
-  cluster_service_ipv4_cidr = local.cluster_service_ipv4_cidr
+  cluster_service_cidr = local.cluster_service_cidr
  pre_bootstrap_user_data = <<-EOT
    [string]$Something = 'IDoNotKnowAnyPowerShell ¯\_(ツ)_/¯'
@@ -262,6 +308,8 @@ module "eks_mng_windows_custom_ami" {
  cluster_name        = local.name
  cluster_endpoint    = local.cluster_endpoint
  cluster_auth_base64 = local.cluster_auth_base64
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
  enable_bootstrap_user_data = true
@@ -285,6 +333,9 @@ module "eks_mng_windows_custom_template" {
  cluster_endpoint    = local.cluster_endpoint
  cluster_auth_base64 = local.cluster_auth_base64
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
  enable_bootstrap_user_data = true
  user_data_template_path = "${path.module}/templates/windows_custom.tpl"
@@ -308,6 +359,9 @@ module "self_mng_al2_no_op" {
  source = "../../modules/_user_data"
  is_eks_managed_node_group = false
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
 }
 module "self_mng_al2_bootstrap" {
@@ -316,9 +370,34 @@ module "self_mng_al2_bootstrap" {
  enable_bootstrap_user_data = true
  is_eks_managed_node_group  = false
-  cluster_name        = local.name
+  cluster_name         = local.name
-  cluster_endpoint    = local.cluster_endpoint
+  cluster_endpoint     = local.cluster_endpoint
-  cluster_auth_base64 = local.cluster_auth_base64
+  cluster_auth_base64  = local.cluster_auth_base64
  cluster_service_cidr = local.cluster_service_ipv4_cidr
  pre_bootstrap_user_data = <<-EOT
    echo "foo"
    export FOO=bar
  EOT
  bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot'"
  post_bootstrap_user_data = <<-EOT
    echo "All done"
  EOT
 }
 module "self_mng_al2_bootstrap_ipv6" {
  source = "../../modules/_user_data"
  enable_bootstrap_user_data = true
  is_eks_managed_node_group  = false
  cluster_name         = local.name
  cluster_endpoint     = local.cluster_endpoint
  cluster_auth_base64  = local.cluster_auth_base64
  cluster_ip_family    = "ipv6"
  cluster_service_cidr = local.cluster_service_ipv6_cidr
  pre_bootstrap_user_data = <<-EOT
    echo "foo"
@@ -338,9 +417,10 @@ module "self_mng_al2_custom_template" {
  enable_bootstrap_user_data = true
  is_eks_managed_node_group  = false
-  cluster_name        = local.name
+  cluster_name         = local.name
-  cluster_endpoint    = local.cluster_endpoint
+  cluster_endpoint     = local.cluster_endpoint
-  cluster_auth_base64 = local.cluster_auth_base64
+  cluster_auth_base64  = local.cluster_auth_base64
  cluster_service_cidr = local.cluster_service_ipv4_cidr
  user_data_template_path = "${path.module}/templates/linux_custom.tpl"
@@ -366,6 +446,9 @@ module "self_mng_al2023_no_op" {
  platform = "al2023"
  is_eks_managed_node_group = false
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
 }
 module "self_mng_al2023_bootstrap" {
@@ -452,6 +535,9 @@ module "self_mng_bottlerocket_no_op" {
  platform = "bottlerocket"
  is_eks_managed_node_group = false
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
 }
 module "self_mng_bottlerocket_bootstrap" {
@@ -466,8 +552,8 @@ module "self_mng_bottlerocket_bootstrap" {
  cluster_endpoint    = local.cluster_endpoint
  cluster_auth_base64 = local.cluster_auth_base64
-  # Should do nothing
+  # Hard requirement
-  cluster_service_ipv4_cidr = local.cluster_service_ipv4_cidr
+  cluster_service_cidr = local.cluster_service_cidr
  bootstrap_extra_args = <<-EOT
    # extra args added
@@ -488,6 +574,9 @@ module "self_mng_bottlerocket_custom_template" {
  cluster_endpoint    = local.cluster_endpoint
  cluster_auth_base64 = local.cluster_auth_base64
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
  user_data_template_path = "${path.module}/templates/bottlerocket_custom.tpl"
  bootstrap_extra_args = <<-EOT
@@ -507,6 +596,9 @@ module "self_mng_windows_no_op" {
  platform = "windows"
  is_eks_managed_node_group = false
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
 }
 module "self_mng_windows_bootstrap" {
@@ -521,8 +613,8 @@ module "self_mng_windows_bootstrap" {
  cluster_endpoint    = local.cluster_endpoint
  cluster_auth_base64 = local.cluster_auth_base64
-  # Should do nothing
+  # Hard requirement
-  cluster_service_ipv4_cidr = local.cluster_service_ipv4_cidr
+  cluster_service_cidr = local.cluster_service_cidr
  pre_bootstrap_user_data = <<-EOT
    [string]$Something = 'IDoNotKnowAnyPowerShell ¯\_(ツ)_/¯'
@@ -547,6 +639,9 @@ module "self_mng_windows_custom_template" {
  cluster_endpoint    = local.cluster_endpoint
  cluster_auth_base64 = local.cluster_auth_base64
  # Hard requirement
  cluster_service_cidr = local.cluster_service_cidr
  user_data_template_path = "${path.module}/templates/windows_custom.tpl"
  pre_bootstrap_user_data = <<-EOT
--- a/examples/user_data/outputs.tf
+++ b/examples/user_data/outputs.tf
@@ -25,6 +25,11 @@ resource "local_file" "eks_mng_al2_custom_ami" {
  filename = "${path.module}/rendered/al2/eks-mng-custom-ami.sh"
 }
 resource "local_file" "eks_mng_al2_custom_ami_ipv6" {
  content  = base64decode(module.eks_mng_al2_custom_ami_ipv6.user_data)
  filename = "${path.module}/rendered/al2/eks-mng-custom-ami-ipv6.sh"
 }
 resource "local_file" "eks_mng_al2_custom_template" {
  content  = base64decode(module.eks_mng_al2_custom_template.user_data)
  filename = "${path.module}/rendered/al2/eks-mng-custom-template.sh"
@@ -116,6 +121,11 @@ resource "local_file" "self_mng_al2_bootstrap" {
  filename = "${path.module}/rendered/al2/self-mng-bootstrap.sh"
 }
 resource "local_file" "self_mng_al2_bootstrap_ipv6" {
  content  = base64decode(module.self_mng_al2_bootstrap_ipv6.user_data)
  filename = "${path.module}/rendered/al2/self-mng-bootstrap-ipv6.sh"
 }
 resource "local_file" "self_mng_al2_custom_template" {
  content  = base64decode(module.self_mng_al2_custom_template.user_data)
  filename = "${path.module}/rendered/al2/self-mng-custom-template.sh"
--- a/examples/user_data/rendered/al2/eks-mng-custom-ami-ipv6.sh
+++ b/examples/user_data/rendered/al2/eks-mng-custom-ami-ipv6.sh
@@ -0,0 +1,8 @@
 #!/bin/bash
 set -e
 export FOO=bar
 B64_CLUSTER_CA=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
 API_SERVER_URL=https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com
 /etc/eks/bootstrap.sh ex-user-data --kubelet-extra-args '--instance-type t3a.large' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL \
  --ip-family ipv6 --service-ipv6-cidr fdd3:7636:68bc::/108
 echo "All done"
--- a/examples/user_data/rendered/al2/eks-mng-custom-ami.sh
+++ b/examples/user_data/rendered/al2/eks-mng-custom-ami.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
 set -e
 export FOO=bar
 export SERVICE_IPV4_CIDR=172.16.0.0/16
 B64_CLUSTER_CA=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
 API_SERVER_URL=https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com
-/etc/eks/bootstrap.sh ex-user-data --kubelet-extra-args '--instance-type t3a.large' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL
+/etc/eks/bootstrap.sh ex-user-data --kubelet-extra-args '--instance-type t3a.large' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL \
  --ip-family ipv4 --service-ipv4-cidr 172.16.0.0/16
 echo "All done"
--- a/examples/user_data/rendered/al2/eks-mng-custom-template.sh
+++ b/examples/user_data/rendered/al2/eks-mng-custom-template.sh
@@ -7,5 +7,6 @@ export FOO=bar
 # Custom user data template provided for rendering
 B64_CLUSTER_CA=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
 API_SERVER_URL=https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com
-/etc/eks/bootstrap.sh ex-user-data --kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL
+/etc/eks/bootstrap.sh ex-user-data --kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL \
    --ip-family ipv4 --service-ipv4-cidr 172.16.0.0/16
 echo "All done"
--- a/examples/user_data/rendered/al2/self-mng-bootstrap-ipv6.sh
+++ b/examples/user_data/rendered/al2/self-mng-bootstrap-ipv6.sh
@@ -0,0 +1,9 @@
 #!/bin/bash
 set -e
 echo "foo"
 export FOO=bar
 B64_CLUSTER_CA=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
 API_SERVER_URL=https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com
 /etc/eks/bootstrap.sh ex-user-data --kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL \
  --ip-family ipv6 --service-ipv6-cidr fdd3:7636:68bc::/108
 echo "All done"
--- a/examples/user_data/rendered/al2/self-mng-bootstrap.sh
+++ b/examples/user_data/rendered/al2/self-mng-bootstrap.sh
@@ -4,5 +4,6 @@ echo "foo"
 export FOO=bar
 B64_CLUSTER_CA=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
 API_SERVER_URL=https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com
-/etc/eks/bootstrap.sh ex-user-data --kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL
+/etc/eks/bootstrap.sh ex-user-data --kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL \
  --ip-family ipv4 --service-ipv4-cidr 172.16.0.0/16
 echo "All done"
--- a/examples/user_data/rendered/al2/self-mng-custom-template.sh
+++ b/examples/user_data/rendered/al2/self-mng-custom-template.sh
@@ -7,5 +7,6 @@ export FOO=bar
 # Custom user data template provided for rendering
 B64_CLUSTER_CA=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
 API_SERVER_URL=https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com
-/etc/eks/bootstrap.sh ex-user-data --kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL
+/etc/eks/bootstrap.sh ex-user-data --kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL \
    --ip-family ipv4 --service-ipv4-cidr 172.16.0.0/16
 echo "All done"
--- a/examples/user_data/rendered/bottlerocket/eks-mng-custom-ami.toml
+++ b/examples/user_data/rendered/bottlerocket/eks-mng-custom-ami.toml
@@ -2,6 +2,7 @@
 "cluster-name" = "ex-user-data"
 "api-server" = "https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com"
 "cluster-certificate" = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ=="
 "cluster-dns-ip" = "192.168.0.10"
 # extra args added
 [settings.kernel]
 lockdown = "integrity"
--- a/examples/user_data/rendered/bottlerocket/self-mng-bootstrap.toml
+++ b/examples/user_data/rendered/bottlerocket/self-mng-bootstrap.toml
@@ -2,6 +2,7 @@
 "cluster-name" = "ex-user-data"
 "api-server" = "https://012345678903AB2BAE5D1E0BFE0E2B50.gr7.us-east-1.eks.amazonaws.com"
 "cluster-certificate" = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKbXFqQ1VqNGdGR2w3ZW5PeWthWnZ2RjROOTVOUEZCM2o0cGhVZUsrWGFtN2ZSQnZya0d6OGxKZmZEZWF2b2plTwpQK2xOZFlqdHZncmxCUEpYdHZIZmFzTzYxVzdIZmdWQ2EvamdRM2w3RmkvL1dpQmxFOG9oWUZkdWpjc0s1SXM2CnNkbk5KTTNYUWN2TysrSitkV09NT2ZlNzlsSWdncmdQLzgvRU9CYkw3eUY1aU1hS3lsb1RHL1V3TlhPUWt3ZUcKblBNcjdiUmdkQ1NCZTlXYXowOGdGRmlxV2FOditsTDhsODBTdFZLcWVNVlUxbjQyejVwOVpQRTd4T2l6L0xTNQpYV2lXWkVkT3pMN0xBWGVCS2gzdkhnczFxMkI2d1BKZnZnS1NzWllQRGFpZTloT1NNOUJkNFNPY3JrZTRYSVBOCkVvcXVhMlYrUDRlTWJEQzhMUkVWRDdCdVZDdWdMTldWOTBoL3VJUy9WU2VOcEdUOGVScE5DakszSjc2aFlsWm8KWjNGRG5QWUY0MWpWTHhiOXF0U1ROdEp6amYwWXBEYnFWci9xZzNmQWlxbVorMzd3YWM1eHlqMDZ4cmlaRUgzZgpUM002d2lCUEVHYVlGeWN5TmNYTk5aYW9DWDJVL0N1d2JsUHAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ=="
 "cluster-dns-ip" = "192.168.0.10"
 # extra args added
 [settings.kernel]
 lockdown = "integrity"
--- a/examples/user_data/templates/linux_custom.tpl
+++ b/examples/user_data/templates/linux_custom.tpl
@@ -6,5 +6,6 @@ ${pre_bootstrap_user_data ~}
 # Custom user data template provided for rendering
 B64_CLUSTER_CA=${cluster_auth_base64}
 API_SERVER_URL=${cluster_endpoint}
-/etc/eks/bootstrap.sh ${cluster_name} ${bootstrap_extra_args} --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL
+/etc/eks/bootstrap.sh ${cluster_name} ${bootstrap_extra_args} --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL \
    --ip-family ${cluster_ip_family} --service-${cluster_ip_family}-cidr ${cluster_service_cidr}
 ${post_bootstrap_user_data ~}
--- a/examples/user_data/versions.tf
+++ b/examples/user_data/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    local = {
--- a/modules/_user_data/README.md
+++ b/modules/_user_data/README.md
@@ -9,14 +9,16 @@ See [`examples/user_data/`](https://github.com/terraform-aws-modules/terraform-a
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | >= 2.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
 ## Providers
 | Name | Version |
 |------|---------|
 | <a name="provider_cloudinit"></a> [cloudinit](#provider\_cloudinit) | >= 2.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 3.0 |
 ## Modules
@@ -26,6 +28,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [null_resource.validate_cluster_service_cidr](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [cloudinit_config.al2023_eks_managed_node_group](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source |
 | [cloudinit_config.linux_eks_managed_node_group](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source |
@@ -38,9 +41,10 @@ No modules.
 | <a name="input_cloudinit_pre_nodeadm"></a> [cloudinit\_pre\_nodeadm](#input\_cloudinit\_pre\_nodeadm) | Array of cloud-init document parts that are created before the nodeadm document part | <pre>list(object({<br>    content      = string<br>    content_type = optional(string)<br>    filename     = optional(string)<br>    merge_type   = optional(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_cluster_auth_base64"></a> [cluster\_auth\_base64](#input\_cluster\_auth\_base64) | Base64 encoded CA of associated EKS cluster | `string` | `""` | no |
 | <a name="input_cluster_endpoint"></a> [cluster\_endpoint](#input\_cluster\_endpoint) | Endpoint of associated EKS cluster | `string` | `""` | no |
 | <a name="input_cluster_ip_family"></a> [cluster\_ip\_family](#input\_cluster\_ip\_family) | The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6` | `string` | `"ipv4"` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `""` | no |
 | <a name="input_cluster_service_cidr"></a> [cluster\_service\_cidr](#input\_cluster\_service\_cidr) | The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself | `string` | `""` | no |
-| <a name="input_cluster_service_ipv4_cidr"></a> [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
+| <a name="input_cluster_service_ipv4_cidr"></a> [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | [Deprecated] The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether to create user-data or not | `bool` | `true` | no |
 | <a name="input_enable_bootstrap_user_data"></a> [enable\_bootstrap\_user\_data](#input\_enable\_bootstrap\_user\_data) | Determines whether the bootstrap configurations are populated within the user data template | `bool` | `false` | no |
 | <a name="input_is_eks_managed_node_group"></a> [is\_eks\_managed\_node\_group](#input\_is\_eks\_managed\_node\_group) | Determines whether the user data is used on nodes in an EKS managed node group. Used to determine if user data will be appended or not | `bool` | `true` | no |
--- a/modules/_user_data/main.tf
+++ b/modules/_user_data/main.tf
@@ -1,3 +1,17 @@
 # The `cluster_service_cidr` is required when `create == true`
 # This is a hacky way to make that logic work, otherwise Terraform always wants a value
 # and supplying any old value like `""` or `null` is not valid and will silently
 # fail to join nodes to the cluster
 resource "null_resource" "validate_cluster_service_cidr" {
  lifecycle {
    precondition {
      # The length 6 is currently arbitrary, but it's a safe bet that the CIDR will be longer than that
      # The main point is that a value needs to be provided when `create = true`
      condition     = var.create ? length(local.cluster_service_cidr) > 6 : true
      error_message = "`cluster_service_cidr` is required when `create = true`."
    }
  }
 }
 locals {
  template_path = {
@@ -7,6 +21,8 @@ locals {
    windows      = "${path.module}/../../templates/windows_user_data.tpl"
  }
  cluster_service_cidr = try(coalesce(var.cluster_service_ipv4_cidr, var.cluster_service_cidr), "")
  user_data = base64encode(templatefile(
    coalesce(var.user_data_template_path, local.template_path[var.platform]),
    {
@@ -18,14 +34,15 @@ locals {
      cluster_endpoint    = var.cluster_endpoint
      cluster_auth_base64 = var.cluster_auth_base64
-      # Required by AL2023
+      cluster_service_cidr = local.cluster_service_cidr
-      cluster_service_cidr = var.cluster_service_cidr
+      cluster_ip_family    = var.cluster_ip_family
      # Bottlerocket
      cluster_dns_ip = try(cidrhost(local.cluster_service_cidr, 10), "")
      # Optional
-      cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr != null ? var.cluster_service_ipv4_cidr : ""
+      bootstrap_extra_args     = var.bootstrap_extra_args
-      bootstrap_extra_args      = var.bootstrap_extra_args
+      pre_bootstrap_user_data  = var.pre_bootstrap_user_data
-      pre_bootstrap_user_data   = var.pre_bootstrap_user_data
+      post_bootstrap_user_data = var.post_bootstrap_user_data
      post_bootstrap_user_data  = var.post_bootstrap_user_data
    }
  ))
--- a/modules/_user_data/variables.tf
+++ b/modules/_user_data/variables.tf
@@ -40,16 +40,21 @@ variable "cluster_auth_base64" {
  default     = ""
 }
 # Currently only used by AL2023 since it can be IPv4 or IPv6
 variable "cluster_service_cidr" {
  description = "The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself"
  type        = string
  default     = ""
 }
-# Not used by AL2023
+variable "cluster_ip_family" {
  description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`"
  type        = string
  default     = "ipv4"
 }
 # TODO - remove at next breaking change
 variable "cluster_service_ipv4_cidr" {
-  description = "The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
+  description = "[Deprecated] The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
  type        = string
  default     = null
 }
--- a/modules/_user_data/versions.tf
+++ b/modules/_user_data/versions.tf
@@ -1,10 +1,14 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    cloudinit = {
      source  = "hashicorp/cloudinit"
      version = ">= 2.0"
    }
    null = {
      source  = "hashicorp/null"
      version = ">= 3.0"
    }
  }
 }
--- a/modules/aws-auth/README.md
+++ b/modules/aws-auth/README.md
@@ -44,7 +44,7 @@ module "eks" {
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.20 |
 ## Providers
--- a/modules/aws-auth/versions.tf
+++ b/modules/aws-auth/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    kubernetes = {
--- a/modules/eks-managed-node-group/README.md
+++ b/modules/eks-managed-node-group/README.md
@@ -63,7 +63,7 @@ module "eks_managed_node_group" {
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
 ## Providers
@@ -114,7 +114,7 @@ module "eks_managed_node_group" {
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of associated EKS cluster | `string` | `null` | no |
 | <a name="input_cluster_primary_security_group_id"></a> [cluster\_primary\_security\_group\_id](#input\_cluster\_primary\_security\_group\_id) | The ID of the EKS cluster primary security group to associate with the instance(s). This is the security group that is automatically created by the EKS service | `string` | `null` | no |
 | <a name="input_cluster_service_cidr"></a> [cluster\_service\_cidr](#input\_cluster\_service\_cidr) | The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself | `string` | `""` | no |
-| <a name="input_cluster_service_ipv4_cidr"></a> [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
+| <a name="input_cluster_service_ipv4_cidr"></a> [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | [Deprecated] The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes version. Defaults to EKS Cluster Kubernetes version | `string` | `null` | no |
 | <a name="input_cpu_options"></a> [cpu\_options](#input\_cpu\_options) | The CPU options for the instance | `map(string)` | `{}` | no |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether to create EKS managed node group or not | `bool` | `true` | no |
--- a/modules/eks-managed-node-group/main.tf
+++ b/modules/eks-managed-node-group/main.tf
@@ -11,12 +11,11 @@ module "user_data" {
  create   = var.create
  platform = var.platform
-  cluster_name        = var.cluster_name
+  cluster_name         = var.cluster_name
-  cluster_endpoint    = var.cluster_endpoint
+  cluster_endpoint     = var.cluster_endpoint
-  cluster_auth_base64 = var.cluster_auth_base64
+  cluster_auth_base64  = var.cluster_auth_base64
-
+  cluster_ip_family    = var.cluster_ip_family
-  cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr
+  cluster_service_cidr = try(coalesce(var.cluster_service_cidr, var.cluster_service_ipv4_cidr), "")
  cluster_service_cidr      = var.cluster_service_cidr
  enable_bootstrap_user_data = var.enable_bootstrap_user_data
  pre_bootstrap_user_data    = var.pre_bootstrap_user_data
@@ -468,13 +467,21 @@ resource "aws_eks_node_group" "this" {
 ################################################################################
 locals {
  create_iam_role = var.create && var.create_iam_role
  iam_role_name          = coalesce(var.iam_role_name, "${var.name}-eks-node-group")
  iam_role_policy_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
-  cni_policy             = var.cluster_ip_family == "ipv6" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
+
  ipv4_cni_policy = { for k, v in {
    AmazonEKS_CNI_Policy = "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
  } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
  ipv6_cni_policy = { for k, v in {
    AmazonEKS_CNI_IPv6_Policy = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
  } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
 }
 data "aws_iam_policy_document" "assume_role_policy" {
-  count = var.create && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0
  statement {
    sid     = "EKSNodeAssumeRole"
@@ -488,7 +495,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
 }
 resource "aws_iam_role" "this" {
-  count = var.create && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0
  name        = var.iam_role_use_name_prefix ? null : local.iam_role_name
  name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
@@ -504,19 +511,21 @@ resource "aws_iam_role" "this" {
 # Policies attached ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
 resource "aws_iam_role_policy_attachment" "this" {
-  for_each = { for k, v in {
+  for_each = { for k, v in merge(
-    AmazonEKSWorkerNodePolicy          = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
+    {
-    AmazonEC2ContainerRegistryReadOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
+      AmazonEKSWorkerNodePolicy          = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
-    AmazonEKS_CNI_IPv6_Policy          = var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" ? local.cni_policy : ""
+      AmazonEC2ContainerRegistryReadOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
-    AmazonEKS_CNI_Policy               = var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" ? local.cni_policy : ""
+    },
-  } : k => v if var.create && var.create_iam_role && v != "" }
+    local.ipv4_cni_policy,
    local.ipv6_cni_policy
  ) : k => v if local.create_iam_role }
  policy_arn = each.value
  role       = aws_iam_role.this[0].name
 }
 resource "aws_iam_role_policy_attachment" "additional" {
-  for_each = { for k, v in var.iam_role_additional_policies : k => v if var.create && var.create_iam_role }
+  for_each = { for k, v in var.iam_role_additional_policies : k => v if local.create_iam_role }
  policy_arn = each.value
  role       = aws_iam_role.this[0].name
--- a/modules/eks-managed-node-group/variables.tf
+++ b/modules/eks-managed-node-group/variables.tf
@@ -44,16 +44,15 @@ variable "cluster_auth_base64" {
  default     = ""
 }
 # Currently only used by AL2023 since it can be IPv4 or IPv6
 variable "cluster_service_cidr" {
  description = "The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself"
  type        = string
  default     = ""
 }
-# Not used by AL2023
+# TODO - remove at next breaking change
 variable "cluster_service_ipv4_cidr" {
-  description = "The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
+  description = "[Deprecated] The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks"
  type        = string
  default     = null
 }
--- a/modules/eks-managed-node-group/versions.tf
+++ b/modules/eks-managed-node-group/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    aws = {
--- a/modules/fargate-profile/README.md
+++ b/modules/fargate-profile/README.md
@@ -28,7 +28,7 @@ module "fargate_profile" {
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
 ## Providers
--- a/modules/fargate-profile/main.tf
+++ b/modules/fargate-profile/main.tf
@@ -2,9 +2,17 @@ data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
 locals {
  create_iam_role = var.create && var.create_iam_role
  iam_role_name          = coalesce(var.iam_role_name, var.name, "fargate-profile")
  iam_role_policy_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
-  cni_policy             = var.cluster_ip_family == "ipv6" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
+
  ipv4_cni_policy = { for k, v in {
    AmazonEKS_CNI_Policy = "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
  } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
  ipv6_cni_policy = { for k, v in {
    AmazonEKS_CNI_IPv6_Policy = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
  } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
 }
 ################################################################################
@@ -12,7 +20,7 @@ locals {
 ################################################################################
 data "aws_iam_policy_document" "assume_role_policy" {
-  count = var.create && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0
  statement {
    effect  = "Allow"
@@ -26,7 +34,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
 }
 resource "aws_iam_role" "this" {
-  count = var.create && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0
  name        = var.iam_role_use_name_prefix ? null : local.iam_role_name
  name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
@@ -41,17 +49,20 @@ resource "aws_iam_role" "this" {
 }
 resource "aws_iam_role_policy_attachment" "this" {
-  for_each = { for k, v in toset(compact([
+  for_each = { for k, v in merge(
-    "${local.iam_role_policy_prefix}/AmazonEKSFargatePodExecutionRolePolicy",
+    {
-    var.iam_role_attach_cni_policy ? local.cni_policy : "",
+      AmazonEKSFargatePodExecutionRolePolicy = "${local.iam_role_policy_prefix}/AmazonEKSFargatePodExecutionRolePolicy"
-  ])) : k => v if var.create && var.create_iam_role }
+    },
    local.ipv4_cni_policy,
    local.ipv6_cni_policy
  ) : k => v if local.create_iam_role }
  policy_arn = each.value
  role       = aws_iam_role.this[0].name
 }
 resource "aws_iam_role_policy_attachment" "additional" {
-  for_each = { for k, v in var.iam_role_additional_policies : k => v if var.create && var.create_iam_role }
+  for_each = { for k, v in var.iam_role_additional_policies : k => v if local.create_iam_role }
  policy_arn = each.value
  role       = aws_iam_role.this[0].name
--- a/modules/fargate-profile/migrations.tf
+++ b/modules/fargate-profile/migrations.tf
@@ -0,0 +1,15 @@
 ################################################################################
 # Migrations: v20.8 -> v20.9
 ################################################################################
 # Node IAM role policy attachment
 # Commercial partition only - `moved` does now allow multiple moves to same target
 moved {
  from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"]
  to   = aws_iam_role_policy_attachment.this["AmazonEKSFargatePodExecutionRolePolicy"]
 }
 moved {
  from = aws_iam_role_policy_attachment.this["arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"]
  to   = aws_iam_role_policy_attachment.this["AmazonEKS_CNI_Policy"]
 }
--- a/modules/fargate-profile/versions.tf
+++ b/modules/fargate-profile/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    aws = {
--- a/modules/karpenter/README.md
+++ b/modules/karpenter/README.md
@@ -84,7 +84,7 @@ module "karpenter" {
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
 ## Providers
--- a/modules/karpenter/main.tf
+++ b/modules/karpenter/main.tf
@@ -530,7 +530,13 @@ locals {
  node_iam_role_name          = coalesce(var.node_iam_role_name, "Karpenter-${var.cluster_name}")
  node_iam_role_policy_prefix = "arn:${local.partition}:iam::aws:policy"
-  cni_policy                  = var.cluster_ip_family == "ipv6" ? "arn:${local.partition}:iam::${local.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.node_iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
+
  ipv4_cni_policy = { for k, v in {
    AmazonEKS_CNI_Policy = "${local.node_iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
  } : k => v if var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
  ipv6_cni_policy = { for k, v in {
    AmazonEKS_CNI_IPv6_Policy = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
  } : k => v if var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
 }
 data "aws_iam_policy_document" "node_assume_role" {
@@ -565,12 +571,14 @@ resource "aws_iam_role" "node" {
 # Policies attached ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
 resource "aws_iam_role_policy_attachment" "node" {
-  for_each = { for k, v in {
+  for_each = { for k, v in merge(
-    AmazonEKSWorkerNodePolicy          = "${local.node_iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
+    {
-    AmazonEC2ContainerRegistryReadOnly = "${local.node_iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
+      AmazonEKSWorkerNodePolicy          = "${local.node_iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
-    AmazonEKS_CNI_IPv6_Policy          = var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" ? local.cni_policy : ""
+      AmazonEC2ContainerRegistryReadOnly = "${local.node_iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
-    AmazonEKS_CNI_Policy               = var.node_iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" ? local.cni_policy : ""
+    },
-  } : k => v if local.create_node_iam_role && v != "" }
+    local.ipv4_cni_policy,
    local.ipv6_cni_policy
  ) : k => v if local.create_node_iam_role }
  policy_arn = each.value
  role       = aws_iam_role.node[0].name
--- a/modules/karpenter/versions.tf
+++ b/modules/karpenter/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    aws = {
--- a/modules/self-managed-node-group/README.md
+++ b/modules/self-managed-node-group/README.md
@@ -42,7 +42,7 @@ module "self_managed_node_group" {
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.2 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.40 |
 ## Providers
--- a/modules/self-managed-node-group/main.tf
+++ b/modules/self-managed-node-group/main.tf
@@ -27,6 +27,7 @@ module "user_data" {
  cluster_name         = var.cluster_name
  cluster_endpoint     = var.cluster_endpoint
  cluster_auth_base64  = var.cluster_auth_base64
  cluster_ip_family    = var.cluster_ip_family
  cluster_service_cidr = var.cluster_service_cidr
  enable_bootstrap_user_data = true
@@ -41,12 +42,14 @@ module "user_data" {
 ################################################################################
 data "aws_ec2_instance_type" "this" {
-  count = var.create && var.enable_efa_support && local.instance_type_provided ? 1 : 0
+  count = local.enable_efa_support ? 1 : 0
  instance_type = var.instance_type
 }
 locals {
  enable_efa_support = var.create && var.enable_efa_support && local.instance_type_provided
  instance_type_provided = var.instance_type != ""
  num_network_cards      = try(data.aws_ec2_instance_type.this[0].maximum_network_cards, 0)
@@ -60,7 +63,7 @@ locals {
    }
  ]
-  network_interfaces = var.enable_efa_support && local.instance_type_provided ? local.efa_network_interfaces : var.network_interfaces
+  network_interfaces = local.enable_efa_support ? local.efa_network_interfaces : var.network_interfaces
 }
 ################################################################################
@@ -71,7 +74,7 @@ locals {
  launch_template_name = coalesce(var.launch_template_name, "${var.name}-node-group")
  security_group_ids   = compact(concat([var.cluster_primary_security_group_id], var.vpc_security_group_ids))
-  placement = var.create && var.enable_efa_support ? { group_name = aws_placement_group.this[0].name } : var.placement
+  placement = local.enable_efa_support ? { group_name = aws_placement_group.this[0].name } : var.placement
 }
 resource "aws_launch_template" "this" {
@@ -695,7 +698,7 @@ resource "aws_autoscaling_group" "this" {
  target_group_arns         = var.target_group_arns
  termination_policies      = var.termination_policies
-  vpc_zone_identifier       = var.enable_efa_support ? data.aws_subnets.efa[0].ids : var.subnet_ids
+  vpc_zone_identifier       = local.enable_efa_support ? data.aws_subnets.efa[0].ids : var.subnet_ids
  wait_for_capacity_timeout = var.wait_for_capacity_timeout
  wait_for_elb_capacity     = var.wait_for_elb_capacity
@@ -734,13 +737,21 @@ resource "aws_autoscaling_group" "this" {
 ################################################################################
 locals {
  create_iam_instance_profile = var.create && var.create_iam_instance_profile
  iam_role_name          = coalesce(var.iam_role_name, "${var.name}-node-group")
  iam_role_policy_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
-  cni_policy             = var.cluster_ip_family == "ipv6" ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy" : "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
+
  ipv4_cni_policy = { for k, v in {
    AmazonEKS_CNI_Policy = "${local.iam_role_policy_prefix}/AmazonEKS_CNI_Policy"
  } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" }
  ipv6_cni_policy = { for k, v in {
    AmazonEKS_CNI_IPv6_Policy = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/AmazonEKS_CNI_IPv6_Policy"
  } : k => v if var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" }
 }
 data "aws_iam_policy_document" "assume_role_policy" {
-  count = var.create && var.create_iam_instance_profile ? 1 : 0
+  count = local.create_iam_instance_profile ? 1 : 0
  statement {
    sid     = "EKSNodeAssumeRole"
@@ -754,7 +765,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
 }
 resource "aws_iam_role" "this" {
-  count = var.create && var.create_iam_instance_profile ? 1 : 0
+  count = local.create_iam_instance_profile ? 1 : 0
  name        = var.iam_role_use_name_prefix ? null : local.iam_role_name
  name_prefix = var.iam_role_use_name_prefix ? "${local.iam_role_name}-" : null
@@ -770,26 +781,28 @@ resource "aws_iam_role" "this" {
 # Policies attached ref https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
 resource "aws_iam_role_policy_attachment" "this" {
-  for_each = { for k, v in {
+  for_each = { for k, v in merge(
-    AmazonEKSWorkerNodePolicy          = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
+    {
-    AmazonEC2ContainerRegistryReadOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
+      AmazonEKSWorkerNodePolicy          = "${local.iam_role_policy_prefix}/AmazonEKSWorkerNodePolicy"
-    AmazonEKS_CNI_IPv6_Policy          = var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv6" ? local.cni_policy : ""
+      AmazonEC2ContainerRegistryReadOnly = "${local.iam_role_policy_prefix}/AmazonEC2ContainerRegistryReadOnly"
-    AmazonEKS_CNI_Policy               = var.iam_role_attach_cni_policy && var.cluster_ip_family == "ipv4" ? local.cni_policy : ""
+    },
-  } : k => v if var.create && var.create_iam_instance_profile && v != "" }
+    local.ipv4_cni_policy,
    local.ipv6_cni_policy
  ) : k => v if local.create_iam_instance_profile }
  policy_arn = each.value
  role       = aws_iam_role.this[0].name
 }
 resource "aws_iam_role_policy_attachment" "additional" {
-  for_each = { for k, v in var.iam_role_additional_policies : k => v if var.create && var.create_iam_instance_profile }
+  for_each = { for k, v in var.iam_role_additional_policies : k => v if local.create_iam_instance_profile }
  policy_arn = each.value
  role       = aws_iam_role.this[0].name
 }
 resource "aws_iam_instance_profile" "this" {
-  count = var.create && var.create_iam_instance_profile ? 1 : 0
+  count = local.create_iam_instance_profile ? 1 : 0
  role = aws_iam_role.this[0].name
@@ -809,7 +822,7 @@ resource "aws_iam_instance_profile" "this" {
 ################################################################################
 resource "aws_placement_group" "this" {
-  count = var.create && var.enable_efa_support ? 1 : 0
+  count = local.enable_efa_support ? 1 : 0
  name     = "${var.cluster_name}-${var.name}"
  strategy = "cluster"
@@ -828,7 +841,7 @@ resource "aws_placement_group" "this" {
 # Find the availability zones supported by the instance type
 data "aws_ec2_instance_type_offerings" "this" {
-  count = var.create && var.enable_efa_support ? 1 : 0
+  count = local.enable_efa_support ? 1 : 0
  filter {
    name   = "instance-type"
@@ -841,7 +854,7 @@ data "aws_ec2_instance_type_offerings" "this" {
 # Reverse the lookup to find one of the subnets provided based on the availability
 # availability zone ID of the queried instance type (supported)
 data "aws_subnets" "efa" {
-  count = var.create && var.enable_efa_support ? 1 : 0
+  count = local.enable_efa_support ? 1 : 0
  filter {
    name   = "subnet-id"
--- a/modules/self-managed-node-group/variables.tf
+++ b/modules/self-managed-node-group/variables.tf
@@ -38,13 +38,18 @@ variable "cluster_auth_base64" {
  default     = ""
 }
 # Currently only used by AL2023 since it can be IPv4 or IPv6
 variable "cluster_service_cidr" {
  description = "The CIDR block (IPv4 or IPv6) used by the cluster to assign Kubernetes service IP addresses. This is derived from the cluster itself"
  type        = string
  default     = ""
 }
 variable "cluster_ip_family" {
  description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`"
  type        = string
  default     = "ipv4"
 }
 variable "pre_bootstrap_user_data" {
  description = "User data that is injected into the user data script ahead of the EKS bootstrap script. Not used when `platform` = `bottlerocket`"
  type        = string
@@ -546,12 +551,6 @@ variable "create_iam_instance_profile" {
  default     = true
 }
 variable "cluster_ip_family" {
  description = "The IP family used to assign Kubernetes pod and service addresses. Valid values are `ipv4` (default) and `ipv6`"
  type        = string
  default     = "ipv4"
 }
 variable "iam_instance_profile_arn" {
  description = "Amazon Resource Name (ARN) of an existing IAM instance profile that provides permissions for the node group. Required if `create_iam_instance_profile` = `false`"
  type        = string
--- a/modules/self-managed-node-group/versions.tf
+++ b/modules/self-managed-node-group/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    aws = {
--- a/node_groups.tf
+++ b/node_groups.tf
@@ -17,6 +17,8 @@ locals {
      min_healthy_percentage = 66
    }
  }
  kubernetes_network_config = try(aws_eks_cluster.this[0].kubernetes_network_config[0], {})
 }
 # This sleep resource is used to provide a timed gap between the cluster creation and the downstream dependencies
@@ -33,7 +35,7 @@ resource "time_sleep" "this" {
    cluster_name         = aws_eks_cluster.this[0].name
    cluster_endpoint     = aws_eks_cluster.this[0].endpoint
    cluster_version      = aws_eks_cluster.this[0].version
-    cluster_service_cidr = var.cluster_ip_family == "ipv6" ? aws_eks_cluster.this[0].kubernetes_network_config[0].service_ipv6_cidr : aws_eks_cluster.this[0].kubernetes_network_config[0].service_ipv4_cidr
+    cluster_service_cidr = var.cluster_ip_family == "ipv6" ? try(local.kubernetes_network_config.service_ipv6_cidr, "") : try(local.kubernetes_network_config.service_ipv4_cidr, "")
    cluster_certificate_authority_data = aws_eks_cluster.this[0].certificate_authority[0].data
  }
@@ -296,9 +298,8 @@ module "eks_managed_node_group" {
  create = try(each.value.create, true)
-  cluster_name      = time_sleep.this[0].triggers["cluster_name"]
+  cluster_name    = time_sleep.this[0].triggers["cluster_name"]
-  cluster_version   = try(each.value.cluster_version, var.eks_managed_node_group_defaults.cluster_version, time_sleep.this[0].triggers["cluster_version"])
+  cluster_version = try(each.value.cluster_version, var.eks_managed_node_group_defaults.cluster_version, time_sleep.this[0].triggers["cluster_version"])
  cluster_ip_family = var.cluster_ip_family
  # EKS Managed Node Group
  name            = try(each.value.name, each.key)
@@ -331,6 +332,7 @@ module "eks_managed_node_group" {
  cluster_endpoint           = try(time_sleep.this[0].triggers["cluster_endpoint"], "")
  cluster_auth_base64        = try(time_sleep.this[0].triggers["cluster_certificate_authority_data"], "")
  cluster_service_ipv4_cidr  = var.cluster_service_ipv4_cidr
  cluster_ip_family          = var.cluster_ip_family
  cluster_service_cidr       = try(time_sleep.this[0].triggers["cluster_service_cidr"], "")
  enable_bootstrap_user_data = try(each.value.enable_bootstrap_user_data, var.eks_managed_node_group_defaults.enable_bootstrap_user_data, false)
  pre_bootstrap_user_data    = try(each.value.pre_bootstrap_user_data, var.eks_managed_node_group_defaults.pre_bootstrap_user_data, "")
@@ -412,8 +414,7 @@ module "self_managed_node_group" {
  create = try(each.value.create, true)
-  cluster_name      = time_sleep.this[0].triggers["cluster_name"]
+  cluster_name = time_sleep.this[0].triggers["cluster_name"]
  cluster_ip_family = var.cluster_ip_family
  # Autoscaling Group
  create_autoscaling_group = try(each.value.create_autoscaling_group, var.self_managed_node_group_defaults.create_autoscaling_group, true)
@@ -466,6 +467,7 @@ module "self_managed_node_group" {
  cluster_endpoint         = try(time_sleep.this[0].triggers["cluster_endpoint"], "")
  cluster_auth_base64      = try(time_sleep.this[0].triggers["cluster_certificate_authority_data"], "")
  cluster_service_cidr     = try(time_sleep.this[0].triggers["cluster_service_cidr"], "")
  cluster_ip_family        = var.cluster_ip_family
  pre_bootstrap_user_data  = try(each.value.pre_bootstrap_user_data, var.self_managed_node_group_defaults.pre_bootstrap_user_data, "")
  post_bootstrap_user_data = try(each.value.post_bootstrap_user_data, var.self_managed_node_group_defaults.post_bootstrap_user_data, "")
  bootstrap_extra_args     = try(each.value.bootstrap_extra_args, var.self_managed_node_group_defaults.bootstrap_extra_args, "")
--- a/outputs.tf
+++ b/outputs.tf
@@ -52,6 +52,16 @@ output "cluster_primary_security_group_id" {
  value       = try(aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id, null)
 }
 output "cluster_service_cidr" {
  description = "The CIDR block where Kubernetes pod and service IP addresses are assigned from"
  value       = try(aws_eks_cluster.this[0].kubernetes_network_config[0].service_ipv4_cidr, aws_eks_cluster.this[0].kubernetes_network_config[0].service_ipv6_cidr, null)
 }
 output "cluster_ip_family" {
  description = "The IP family used by the cluster (e.g. `ipv4` or `ipv6`)"
  value       = try(aws_eks_cluster.this[0].kubernetes_network_config[0].ip_family, null)
 }
 ################################################################################
 # Access Entry
 ################################################################################
--- a/templates/bottlerocket_user_data.tpl
+++ b/templates/bottlerocket_user_data.tpl
@@ -3,5 +3,6 @@
 "cluster-name" = "${cluster_name}"
 "api-server" = "${cluster_endpoint}"
 "cluster-certificate" = "${cluster_auth_base64}"
 "cluster-dns-ip" = "${cluster_dns_ip}"
 %{ endif ~}
 ${bootstrap_extra_args ~}
--- a/templates/linux_user_data.tpl
+++ b/templates/linux_user_data.tpl
@@ -3,12 +3,10 @@
 set -e
 %{ endif ~}
 ${pre_bootstrap_user_data ~}
 %{ if length(cluster_service_ipv4_cidr) > 0 ~}
 export SERVICE_IPV4_CIDR=${cluster_service_ipv4_cidr}
 %{ endif ~}
 %{ if enable_bootstrap_user_data ~}
 B64_CLUSTER_CA=${cluster_auth_base64}
 API_SERVER_URL=${cluster_endpoint}
-/etc/eks/bootstrap.sh ${cluster_name} ${bootstrap_extra_args} --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL
+/etc/eks/bootstrap.sh ${cluster_name} ${bootstrap_extra_args} --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL \
  --ip-family ${cluster_ip_family} --service-${cluster_ip_family}-cidr ${cluster_service_cidr}
 ${post_bootstrap_user_data ~}
 %{ endif ~}
--- a/versions.tf
+++ b/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.3"
+  required_version = ">= 1.3.2"
  required_providers {
    aws = {