From 373fa6bcb0cdfba35a0bb903ff11e0f83cfec462 Mon Sep 17 00:00:00 2001
From: smalltown <smalltown20110306@gmail.com>
Date: Thu, 5 Sep 2019 16:16:26 +0800
Subject: [PATCH 01/11] eks related module upgrade to terraform 0.12

---
 examples/eks-cluster/main.tf                  |  67 +++++-----
 examples/eks-cluster/outputs.tf               |   4 +-
 examples/eks-cluster/providers.tf             |  28 +++++
 examples/eks-cluster/variables.tf             |  23 ++--
 modules/aws/container_linux/main.tf           |   3 -
 modules/aws/container_linux/outputs.tf        |   2 +-
 modules/aws/container_linux/variables.tf      |   4 +-
 modules/aws/eks-worker/ami.tf                 |   8 +-
 modules/aws/eks-worker/data.tf                |   4 +
 modules/aws/eks-worker/main.tf                |  21 ----
 modules/aws/eks-worker/role.tf                |  10 +-
 modules/aws/eks-worker/variables.tf           |  68 +++++-----
 modules/aws/eks-worker/worker.tf              |  84 ++++++-------
 modules/aws/eks/aws-iam-auth.tf               |  97 ++++++--------
 modules/aws/eks/eks.tf                        |  13 +-
 modules/aws/eks/kubeconfig.tf                 |  92 +++++++++-----
 modules/aws/eks/main.tf                       |  20 ---
 modules/aws/eks/outputs.tf                    |  14 +--
 .../config-map-aws-auth-map_accounts.yaml.tpl |   1 -
 .../config-map-aws-auth-map_roles.yaml.tpl    |   4 -
 .../config-map-aws-auth-map_users.yaml.tpl    |   4 -
 .../resources/config-map-aws-auth.yaml.tpl    |  12 +-
 .../eks/resources/kubeconfig.tpl}             |   6 +-
 modules/aws/eks/role-eks.tf                   |   6 +-
 modules/aws/eks/role-workers.tf               |  42 +++----
 modules/aws/eks/sg-eks.tf                     |  20 +--
 modules/aws/eks/sg-worker.tf                  |  26 ++--
 modules/aws/eks/variables.tf                  | 119 +++++++++---------
 modules/aws/network/bastion.tf                |  40 +++---
 modules/aws/network/data.tf                   |   4 +
 modules/aws/network/main.tf                   |  16 ---
 modules/aws/network/outputs.tf                |  10 +-
 modules/aws/network/variables.tf              |  22 ++--
 modules/aws/network/vpc-private.tf            |  40 +++---
 modules/aws/network/vpc-public.tf             |  58 ++++-----
 modules/aws/network/vpc.tf                    |  12 +-
 modules/aws/network/zone.tf                   |  12 +-
 .../ignitions/eks-kube-config/kubeconfig.tf   |  43 -------
 modules/ignitions/eks-kube-config/outputs.tf  |  14 ---
 .../ignitions/eks-kube-config/variables.tf    |  44 -------
 40 files changed, 490 insertions(+), 627 deletions(-)
 create mode 100644 examples/eks-cluster/providers.tf
 create mode 100644 modules/aws/eks-worker/data.tf
 delete mode 100644 modules/aws/eks-worker/main.tf
 delete mode 100644 modules/aws/eks/main.tf
 delete mode 100644 modules/aws/eks/resources/config-map-aws-auth-map_accounts.yaml.tpl
 delete mode 100644 modules/aws/eks/resources/config-map-aws-auth-map_roles.yaml.tpl
 delete mode 100644 modules/aws/eks/resources/config-map-aws-auth-map_users.yaml.tpl
 rename modules/{ignitions/eks-kube-config/resources/kubernetes/kubeconfig => aws/eks/resources/kubeconfig.tpl} (85%)
 create mode 100644 modules/aws/network/data.tf
 delete mode 100644 modules/aws/network/main.tf
 delete mode 100644 modules/ignitions/eks-kube-config/kubeconfig.tf
 delete mode 100644 modules/ignitions/eks-kube-config/outputs.tf
 delete mode 100644 modules/ignitions/eks-kube-config/variables.tf

diff --git a/examples/eks-cluster/main.tf b/examples/eks-cluster/main.tf
index 2fb017e1..915fca5d 100644
--- a/examples/eks-cluster/main.tf
+++ b/examples/eks-cluster/main.tf
@@ -2,22 +2,16 @@ locals {
   cluster_name = "${var.phase}-${var.project}"
 }
 
-provider "aws" {
-  version = "2.3.0"
-  region  = "${var.aws_region}"
-}
-
 # ---------------------------------------------------------------------------------------------------------------------
 # Network
 # ---------------------------------------------------------------------------------------------------------------------
 
 module "network" {
   source           = "../../modules/aws/network"
-  aws_region       = "${var.aws_region}"
-  bastion_key_name = "${var.key_pair_name}"
-  project          = "${var.project}"
-  phase            = "${var.phase}"
-  extra_tags       = "${var.extra_tags}"
+  bastion_key_name = var.key_pair_name
+  project          = var.project
+  phase            = var.phase
+  extra_tags       = var.extra_tags
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -25,14 +19,13 @@ module "network" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "eks" {
   source                 = "../../modules/aws/eks"
-  aws_region             = "${var.aws_region}"
-  kubernetes_version     = "${var.kubernetes_version}"
-  project                = "${var.project}"
-  phase                  = "${var.phase}"
-  exist_subnet_ids       = "${module.network.private_subnet_ids}"
-  endpoint_public_access = "${var.endpoint_public_access}"
-  worker_groups          = "${var.worker_groups}"
-  extra_tags             = "${var.extra_tags}"
+  kubernetes_version     = var.kubernetes_version
+  project                = var.project
+  phase                  = var.phase
+  exist_subnet_ids       = module.network.private_subnet_ids
+  endpoint_public_access = var.endpoint_public_access
+  worker_groups          = var.worker_groups
+  extra_tags             = var.extra_tags
 }
 
 
@@ -43,11 +36,10 @@ module "eks" {
 module "worker_on_demand" {
   source = "../../modules/aws/eks-worker"
 
-  cluster_name       = "${local.cluster_name}"
-  aws_region         = "${var.aws_region}"
-
-  security_group_ids = ["${module.eks.worker_sg_id}"]
-  subnet_ids         = ["${module.network.private_subnet_ids}"]
+  cluster_name       = local.cluster_name
+  kubernetes_version = var.kubernetes_version
+  security_group_ids = [module.eks.worker_sg_id]
+  subnet_ids         = module.network.private_subnet_ids
 
   worker_config = {
     name             = "on-demand"
@@ -63,12 +55,12 @@ module "worker_on_demand" {
     spot_instance_pools                      = 1
   }
 
-  ssh_key   = "${var.key_pair_name}"
+  ssh_key   = var.key_pair_name
 
-  extra_tags = "${merge(map(
-      "Phase", "${var.phase}",
-      "Project", "${var.project}",
-    ), var.extra_tags)}"
+  extra_tags = merge(map(
+      "Phase", var.phase,
+      "Project", var.project,
+    ), var.extra_tags)
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -78,11 +70,10 @@ module "worker_on_demand" {
 module "worker_spot" {
   source = "../../modules/aws/eks-worker"
 
-  cluster_name       = "${local.cluster_name}"
-  aws_region         = "${var.aws_region}"
-
-  security_group_ids = ["${module.eks.worker_sg_id}"]
-  subnet_ids         = ["${module.network.private_subnet_ids}"]
+  cluster_name       = local.cluster_name
+  kubernetes_version = var.kubernetes_version
+  security_group_ids = [module.eks.worker_sg_id]
+  subnet_ids         = module.network.private_subnet_ids
 
   worker_config = {
     name             = "spot"
@@ -98,10 +89,10 @@ module "worker_spot" {
     spot_instance_pools                      = 1
   }
 
-  ssh_key   = "${var.key_pair_name}"
+  ssh_key   = var.key_pair_name
 
-  extra_tags = "${merge(map(
-      "Phase", "${var.phase}",
-      "Project", "${var.project}",
-    ), var.extra_tags)}"
+  extra_tags = merge(map(
+      "Phase", var.phase,
+      "Project", var.project,
+    ), var.extra_tags)
 }
\ No newline at end of file
diff --git a/examples/eks-cluster/outputs.tf b/examples/eks-cluster/outputs.tf
index 9ee05f47..f4719f06 100644
--- a/examples/eks-cluster/outputs.tf
+++ b/examples/eks-cluster/outputs.tf
@@ -1,7 +1,7 @@
 output "bastion_public_ip" {
-  value = "${module.network.bastion_public_ip}"
+  value = module.network.bastion_public_ip
 }
 
 output "ignition_s3_bucket" {
-  value = "${module.eks.s3_bucket}"
+  value = module.eks.s3_bucket
 }
\ No newline at end of file
diff --git a/examples/eks-cluster/providers.tf b/examples/eks-cluster/providers.tf
new file mode 100644
index 00000000..de11cced
--- /dev/null
+++ b/examples/eks-cluster/providers.tf
@@ -0,0 +1,28 @@
+terraform {
+  required_version = ">= 0.12.0"
+}
+
+provider "aws" {
+  region  = var.aws_region
+  version = "2.26.0"
+}
+
+provider "external" {
+  version = "1.2.0"
+}
+
+provider "local" {
+  version = "1.3.0"
+}
+
+provider "null" {
+  version = "2.1.2"
+}
+
+provider "random" {
+  version = "2.2.0"
+}
+
+provider "template" {
+  version = "2.1.2"
+}
\ No newline at end of file
diff --git a/examples/eks-cluster/variables.tf b/examples/eks-cluster/variables.tf
index 91c9262f..58ac6483 100644
--- a/examples/eks-cluster/variables.tf
+++ b/examples/eks-cluster/variables.tf
@@ -1,45 +1,46 @@
 variable "aws_region" {
   description = "The AWS region to build network infrastructure"
-  type        = "string"
+  type        = string
   default     = "us-west-2"
 }
 
 variable "key_pair_name" {
   description = "The key pair name for access bastion ec2"
-  type        = "string"
+  type        = string
 }
 
 variable "project" {
-  type = "string"
-  default = "vishwakarma"
   description = "(Optional) project name, used to compose the resource name"  
+  type        = string
+  default     = "vishwakarma"
 }
 
 variable "phase" {
-  type = "string"
-  default = "test"
   description = "(Optional) phase name, used to compose the resource name"
+  type        = string
+  default     = "test"
 }
 
 variable "kubernetes_version" {
-  type        = "string"
-  default     = "1.12.7"
   description = "(Optional) Desired Kubernetes master version. If you do not specify a value, the latest available version is used."
+  type        = string
+  default     = "1.13"
 }
 
 variable "endpoint_public_access" {
-  default = true
   description = "(Optional) kubernetes apiserver endpoint"
+  type        = bool
+  default     = true
 }
 
 variable "worker_groups" {
   description = "The worker groups's name for generating role"
-  type        = "list"
+  type        = list(string)
   default     = ["on-demand", "spot"]
 }
 
 variable "extra_tags" {
   description = "Extra AWS tags to be applied to created resources."
-  type        = "map"
+  type        = map(string)
   default     = {}
 }
diff --git a/modules/aws/container_linux/main.tf b/modules/aws/container_linux/main.tf
index 40454910..e15beb31 100644
--- a/modules/aws/container_linux/main.tf
+++ b/modules/aws/container_linux/main.tf
@@ -1,6 +1,3 @@
-provider "external" {
-  version = "1.0.0"
-}
 
 data "external" "version" {
   program = ["sh", "-c", "curl https://${var.release_channel}.release.core-os.net/amd64-usr/current/version.txt | sed -n 's/COREOS_VERSION=\\(.*\\)$/{\"version\": \"\\1\"}/p'"]
diff --git a/modules/aws/container_linux/outputs.tf b/modules/aws/container_linux/outputs.tf
index 7805bef8..b4e76cdb 100644
--- a/modules/aws/container_linux/outputs.tf
+++ b/modules/aws/container_linux/outputs.tf
@@ -1,3 +1,3 @@
 output "version" {
-  value = "${var.release_version == "latest" ? data.external.version.result["version"] : var.release_version}"
+  value = var.release_version == "latest" ? data.external.version.result["version"] : var.release_version
 }
diff --git a/modules/aws/container_linux/variables.tf b/modules/aws/container_linux/variables.tf
index 48a2493e..dc3ca4be 100644
--- a/modules/aws/container_linux/variables.tf
+++ b/modules/aws/container_linux/variables.tf
@@ -1,5 +1,5 @@
 variable "release_channel" {
-  type = "string"
+  type = string
 
   description = <<EOF
 The Container Linux update channel.
@@ -9,7 +9,7 @@ EOF
 }
 
 variable "release_version" {
-  type = "string"
+  type = string
 
   description = <<EOF
 The Container Linux version to use. Set to `latest` to select the latest available version for the selected update channel.
diff --git a/modules/aws/eks-worker/ami.tf b/modules/aws/eks-worker/ami.tf
index 7134d6de..ef37bc31 100644
--- a/modules/aws/eks-worker/ami.tf
+++ b/modules/aws/eks-worker/ami.tf
@@ -1,16 +1,16 @@
 locals {
-  eks_account_id       = "602401143452"
-  arn                     = "aws"
+  eks_account_id = "602401143452"
+  arn            = "aws"
 }
 
 data "aws_ami" "eks_worker_ami" {
 
-  owners = ["${local.eks_account_id}"]
+  owners      = [local.eks_account_id]
   most_recent = true
 
   filter {
     name   = "name"
-    values = ["amazon-eks-node-1.12-*"]
+    values = ["amazon-eks-node-${var.kubernetes_version}-*"]
   }
 
   filter {
diff --git a/modules/aws/eks-worker/data.tf b/modules/aws/eks-worker/data.tf
new file mode 100644
index 00000000..6baf12bf
--- /dev/null
+++ b/modules/aws/eks-worker/data.tf
@@ -0,0 +1,4 @@
+
+data "aws_eks_cluster" "vishwakarma" {
+  name = var.cluster_name
+}
\ No newline at end of file
diff --git a/modules/aws/eks-worker/main.tf b/modules/aws/eks-worker/main.tf
deleted file mode 100644
index 015e2632..00000000
--- a/modules/aws/eks-worker/main.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# Configuration
-# ---------------------------------------------------------------------------------------------------------------------
-
-provider "aws" {
-  version = "2.3.0"
-  region  = "${var.aws_region}"
-}
-
-provider "template" {
-  version = "1.0.0"
-}
-
-provider "null" {
-  version = "1.0.0"
-}
-
-
-data "aws_eks_cluster" "vishwakarma" {
-  name = "${var.cluster_name}"
-}
\ No newline at end of file
diff --git a/modules/aws/eks-worker/role.tf b/modules/aws/eks-worker/role.tf
index 67dee40a..cdcd6b3a 100644
--- a/modules/aws/eks-worker/role.tf
+++ b/modules/aws/eks-worker/role.tf
@@ -3,15 +3,15 @@ locals {
 }
 
 data "aws_iam_instance_profile" "worker" {
-  name = "${local.worker_role_name}"
+  name = local.worker_role_name
 }
 
 data "aws_iam_role" "worker" {
-  name = "${local.worker_role_name}"
+  name = local.worker_role_name
 }
 
 resource "aws_iam_role_policy_attachment" "worker" {
-  count      = "${length(var.extra_worker_policy_arns)}"
-  policy_arn = "${var.extra_worker_policy_arns[count.index]}"
-  role       = "${local.worker_role_name}"
+  count      = length(var.extra_worker_policy_arns)
+  policy_arn = var.extra_worker_policy_arns[count.index]
+  role       = local.worker_role_name
 }
\ No newline at end of file
diff --git a/modules/aws/eks-worker/variables.tf b/modules/aws/eks-worker/variables.tf
index 6dba4684..4e25d2bf 100644
--- a/modules/aws/eks-worker/variables.tf
+++ b/modules/aws/eks-worker/variables.tf
@@ -1,89 +1,89 @@
-variable "aws_region" {
-  type        = "string"
-  default     = "us-west-2"
-  description = "The AWS region"
-}
-
 variable "aws_az_number" {
   description = "How many AZs want to use"
-  type    = "string"
-  default = "3"
+  type        = string
+  default     = "3"
 }
 
 variable "cluster_name" {
-  type        = "string"
   description = "the eks cluster name"
+  type        = string
 }
 
 variable "enable_autoscaler" {
-  default     = false
   description = "enable autoscaler or not"
+  type        = bool
+  default     = false
 }
 
 variable "kube_node_labels" {
-  type        = "list"
-  default     = []
   description = "Labels to add when registering the node in the cluster. Labels must be key=value pairs."
+  type        = list(string)
+  default     = []
 }
 
 variable "kube_node_taints" {
-  type    = "list"
-  default = []
-
   description = <<EOF
 Register the node with the given list of taints ("<key>=<value>:<effect>").
 EOF
+  type        = list(string)
+  default     = []
+}
+
+variable "kubernetes_version" {
+  type        = string
+  default     = "1.13"
+  description = "Desired Kubernetes master version. If you do not specify a value, the latest available version is used."
 }
 
 variable "load_balancer_ids" {
-  type        = "list"
-  default     = []
   description = "A list of elastic load balancer names to add to the autoscaling group names. Only valid for classic load balancers. For ALBs, use target_group_arns instead."
+  type        = list(string)
+  default     = []
 }
 
 variable "security_group_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     List of security group IDs for the cross-account elastic network interfaces
     to use to allow communication between your worker nodes and the Kubernetes control plane.
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "subnet_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     List of subnet IDs. Must be in at least two different availability zones.
     Cross-account elastic network interfaces will be created in these subnets to allow
     communication between your worker nodes and the Kubernetes control plane.
 EOF
+
+  type        = list(string)
+  default     = []
 }
 
 variable "ssh_key" {
-  type        = "string"
-  default     = ""
   description = "The key name that should be used for the instance."
+  type        = string
+  default     = ""
 }
 
 variable "target_group_arns" {
-  type        = "list"
-  default     = []
   description = "A list of aws_alb_target_group ARNs, for use with Application Load Balancing."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_worker_policy_arns" {
-  type        = "list"
-  default     = []
   description = "The extra policy need to be attached to worker"
+  type        = list(string)
+  default     = []
 }
 
 variable "worker_config" {
-  type = "map"
+  description = "Desired worker nodes configuration."
+  type        = map(string)
 
-  default = {
+  default     = {
     instance_count   = "1"
     ec2_type_1       = "t3.medium"
     ec2_type_2       = "t2.medium"
@@ -96,12 +96,10 @@ variable "worker_config" {
     on_demand_percentage_above_base_capacity = 100
     spot_instance_pools                      = 1
   }
-
-  description = "Desired worker nodes configuration."
 }
 
 variable "extra_tags" {
-  type        = "map"
-  default     = {}
   description = "Extra AWS tags to be applied to created resources."
+  type        = map(string)
+  default     = {}
 }
\ No newline at end of file
diff --git a/modules/aws/eks-worker/worker.tf b/modules/aws/eks-worker/worker.tf
index 1b702fda..75cf2023 100644
--- a/modules/aws/eks-worker/worker.tf
+++ b/modules/aws/eks-worker/worker.tf
@@ -1,57 +1,57 @@
 data "aws_subnet" "subnet" {
-  id = "${var.subnet_ids[0]}"
+  id = var.subnet_ids[0]
 }
 
 locals {
-  vpc_id = "${data.aws_subnet.subnet.vpc_id}"
+  vpc_id = data.aws_subnet.subnet.vpc_id
 
-  extra_tags_keys   = "${keys(var.extra_tags)}"
-  extra_tags_values = "${values(var.extra_tags)}"
+  extra_tags_keys   = keys(var.extra_tags)
+  extra_tags_values = values(var.extra_tags)
 }
 
 data "null_data_source" "tags" {
-  count = "${length(keys(var.extra_tags))}"
+  count = length(keys(var.extra_tags))
 
   inputs = {
-    key                 = "${local.extra_tags_keys[count.index]}"
-    value               = "${local.extra_tags_values[count.index]}"
+    key                 = local.extra_tags_keys[count.index]
+    value               = local.extra_tags_values[count.index]
     propagate_at_launch = true
   }
 }
 
 resource "aws_autoscaling_group" "worker" {
   name_prefix          = "${var.cluster_name}-worker-${var.worker_config["name"]}-"
-  desired_capacity     = "${var.worker_config["instance_count"]}"
-  max_size             = "${var.worker_config["instance_count"] * 3}"
-  min_size             = "${var.worker_config["instance_count"]}"
-  vpc_zone_identifier  = ["${var.subnet_ids}"]
-  load_balancers       = ["${var.load_balancer_ids}"]
-  target_group_arns    = ["${var.target_group_arns}"]
+  desired_capacity     = var.worker_config["instance_count"]
+  max_size             = var.worker_config["instance_count"] * 3
+  min_size             = var.worker_config["instance_count"]
+  vpc_zone_identifier  = var.subnet_ids
+  load_balancers       = var.load_balancer_ids
+  target_group_arns    = var.target_group_arns
 
   mixed_instances_policy {
     launch_template {
       launch_template_specification {
-        launch_template_id = "${aws_launch_template.worker.id}"
-        version = "$$Latest"
+        launch_template_id = aws_launch_template.worker.id
+        version = "$Latest"
       }
 
       override {
-        instance_type = "${var.worker_config["ec2_type_1"]}"
+        instance_type = var.worker_config["ec2_type_1"]
       }
 
       override {
-        instance_type = "${var.worker_config["ec2_type_2"]}"
+        instance_type = var.worker_config["ec2_type_2"]
       }
     }
 
     instances_distribution {
-      on_demand_base_capacity                  = "${var.worker_config["on_demand_base_capacity"]}"
-      on_demand_percentage_above_base_capacity = "${var.worker_config["on_demand_percentage_above_base_capacity"]}"
-      spot_instance_pools                      = "${var.worker_config["spot_instance_pools"]}"
+      on_demand_base_capacity                  = var.worker_config["on_demand_base_capacity"]
+      on_demand_percentage_above_base_capacity = var.worker_config["on_demand_percentage_above_base_capacity"]
+      spot_instance_pools                      = var.worker_config["spot_instance_pools"]
     }
   }
 
-  tags = [
+  tags = concat([
     {
       key                 = "Name"
       value               = "${var.cluster_name}-worker-${var.worker_config["name"]}"
@@ -64,51 +64,47 @@ resource "aws_autoscaling_group" "worker" {
     },
     {
       key                 = "kubernetes.io/cluster-autoscaler/enabled"
-      value               = "${var.enable_autoscaler}"
-      propagate_at_launch = "${var.enable_autoscaler}"
+      value               = var.enable_autoscaler
+      propagate_at_launch = var.enable_autoscaler
     },
-  ]
-
-  tags = ["${data.null_data_source.tags.*.outputs}"]
+  ], data.null_data_source.tags.*.outputs)
 }
 
 data "template_file" "userdata" {
-  template = "${file("${path.module}/resources/userdata.sh")}"
+  template = file("${path.module}/resources/userdata.sh")
 
-  vars {
-    cluster_name         = "${data.aws_eks_cluster.vishwakarma.id}"
-    endpoint             = "${data.aws_eks_cluster.vishwakarma.endpoint}"
-    cluster_auth_base64  = "${data.aws_eks_cluster.vishwakarma.certificate_authority.0.data}"
-    kubelet_extra_args = "${join(",", compact(concat(
+  vars = {
+    cluster_name         = data.aws_eks_cluster.vishwakarma.id
+    endpoint             = data.aws_eks_cluster.vishwakarma.endpoint
+    cluster_auth_base64  = data.aws_eks_cluster.vishwakarma.certificate_authority.0.data
+    kubelet_extra_args = join(",", compact(concat(
     list("--node-labels=node-role.kubernetes.io/${var.worker_config["name"]}="),
     var.kube_node_labels,
-  )))}"
+  )))
   }
 }
 
 resource "aws_launch_template" "worker" {
-  instance_type = "${var.worker_config["ec2_type_1"]}"
-  image_id      = "${data.aws_ami.eks_worker_ami.image_id}"
-  name_prefix   = "${var.cluster_name}-worker-${var.worker_config["name"]}-"  
+  instance_type = var.worker_config["ec2_type_1"]
+  image_id      = data.aws_ami.eks_worker_ami.image_id
+  name_prefix   = "${var.cluster_name}-worker-${var.worker_config["name"]}-"
 
-  vpc_security_group_ids = [
-    "${var.security_group_ids}",
-  ]
+  vpc_security_group_ids = var.security_group_ids
 
   iam_instance_profile {
-    arn = "${data.aws_iam_instance_profile.worker.arn}"
+    arn = data.aws_iam_instance_profile.worker.arn
   }
 
   key_name  = "${var.ssh_key}"
-  user_data = "${base64encode(data.template_file.userdata.rendered)}"
+  user_data = base64encode(data.template_file.userdata.rendered)
 
   block_device_mappings {
     device_name = "/dev/xvda"
 
     ebs {
-      volume_type = "${var.worker_config["root_volume_type"]}"
-      volume_size = "${var.worker_config["root_volume_size"]}"
-      iops        = "${var.worker_config["root_volume_type"] == "io1" ? var.worker_config["root_volume_iops"] : var.worker_config["root_volume_type"] == "gp2" ? 0 : min(10000, max(100, 3 * var.worker_config["root_volume_size"]))}"
+      volume_type = var.worker_config["root_volume_type"]
+      volume_size = var.worker_config["root_volume_size"]
+      iops        = var.worker_config["root_volume_type"] == "io1" ? var.worker_config["root_volume_iops"] : var.worker_config["root_volume_type"] == "gp2" ? 0 : min(10000, max(100, 3 * var.worker_config["root_volume_size"]))
     }
   }
 
diff --git a/modules/aws/eks/aws-iam-auth.tf b/modules/aws/eks/aws-iam-auth.tf
index 67177e76..162c5744 100644
--- a/modules/aws/eks/aws-iam-auth.tf
+++ b/modules/aws/eks/aws-iam-auth.tf
@@ -1,86 +1,59 @@
 data "aws_caller_identity" "current" {}
 
-data "template_file" "worker_role_arns" {
-  count    = "${length(var.worker_groups)}"
-  template = "${file("${path.module}/resources/worker-role.tpl")}"
-
-  vars {
-    worker_role_arn = "${aws_iam_role.workers.*.arn[count.index]}"
-  }
-}
-
-data "template_file" "map_users" {
-  count    = "${var.map_users_count}"
-  template = "${file("${path.module}/resources/config-map-aws-auth-map_users.yaml.tpl")}"
-
-  vars {
-    user_arn = "${lookup(var.map_users[count.index], "user_arn")}"
-    username = "${lookup(var.map_users[count.index], "username")}"
-    group    = "${lookup(var.map_users[count.index], "group")}"
-  }
-}
-
-data "template_file" "map_roles" {
-  count    = "${var.map_roles_count}"
-  template = "${file("${path.module}/resources/config-map-aws-auth-map_roles.yaml.tpl")}"
-
-  vars {
-    role_arn = "${lookup(var.map_roles[count.index], "role_arn")}"
-    username = "${lookup(var.map_roles[count.index], "username")}"
-    group    = "${lookup(var.map_roles[count.index], "group")}"
-  }
-}
-
-data "template_file" "map_accounts" {
-  count    = "${var.map_accounts_count}"
-  template = "${file("${path.module}/resources/config-map-aws-auth-map_accounts.yaml.tpl")}"
-
-  vars {
-    account_number = "${element(var.map_accounts, count.index)}"
-  }
-}
-
-data "template_file" "config_map_aws_auth" {
-  template = "${file("${path.module}/resources/config-map-aws-auth.yaml.tpl")}"
-
-  vars {
-    worker_role_arn = "${join("", distinct( data.template_file.worker_role_arns.*.rendered))}"
-    map_users       = "${join("", data.template_file.map_users.*.rendered)}"
-    map_roles       = "${join("", data.template_file.map_roles.*.rendered)}"
-    map_accounts    = "${join("", data.template_file.map_accounts.*.rendered)}"
-  }
-}
-
 resource "local_file" "config_map_aws_auth" {
-  content  = "${data.template_file.config_map_aws_auth.rendered}"
+  count    = var.aws_auth_config_output_flag ? 1 : 0
+  content  = data.template_file.config_map_aws_auth.rendered
   filename = "${var.config_output_path}/config-map-aws-auth_${local.cluster_name}.yaml"
-  count    = "${var.aws_auth_config_output_flag ? 1 : 0}"
 }
 
 resource "null_resource" "update_config_map_aws_auth" {
+  count      = var.manage_aws_auth ? 1 : 0
   depends_on = ["aws_eks_cluster.vishwakarma"]
 
   provisioner "local-exec" {
-    working_dir = "${path.module}"
+    working_dir = path.module
 
     command = <<EOS
 for i in `seq 1 10`; do \
-echo "${null_resource.update_config_map_aws_auth.triggers.kube_config_map_rendered}" > kube_config.yaml & \
-echo "${null_resource.update_config_map_aws_auth.triggers.config_map_rendered}" > aws_auth_configmap.yaml & \
+echo "${null_resource.update_config_map_aws_auth[0].triggers.kube_config_map_rendered}" > kube_config.yaml & \
+echo "${null_resource.update_config_map_aws_auth[0].triggers.config_map_rendered}" > aws_auth_configmap.yaml & \
 kubectl apply -f aws_auth_configmap.yaml --kubeconfig kube_config.yaml && break || \
 sleep 10; \
 done; \
 rm aws_auth_configmap.yaml kube_config.yaml;
 EOS
 
-    interpreter = ["${var.local_exec_interpreter}"]
+    interpreter = var.local_exec_interpreter
   }
 
-  triggers {
-    kube_config_map_rendered = "${module.ignition_kubeconfig.rendered}"
-    config_map_rendered      = "${data.template_file.config_map_aws_auth.rendered}"
-    endpoint                 = "${aws_eks_cluster.vishwakarma.endpoint}"
+  triggers = {
+    kube_config_map_rendered = data.template_file.kubeconfig.rendered
+    config_map_rendered      = data.template_file.config_map_aws_auth.rendered
+    endpoint                 = aws_eks_cluster.vishwakarma.endpoint
   }
+}
 
-  count = "${var.manage_aws_auth ? 1 : 0}"
+data "template_file" "worker_role_arns" {
+  count    = length(var.worker_groups)
+  template = file("${path.module}/resources/worker-role.tpl")
+
+  vars = {
+    worker_role_arn = aws_iam_role.workers.*.arn[count.index]
+  }
+}
+
+data "template_file" "config_map_aws_auth" {
+  template = file("${path.module}/resources/config-map-aws-auth.yaml.tpl")
+
+  vars = {
+    worker_role_arn = join(
+      "",
+      distinct(
+        data.template_file.worker_role_arns.*.rendered
+      ),
+    )
+    map_users    = yamlencode(var.map_users),
+    map_roles    = yamlencode(var.map_roles),
+    map_accounts = yamlencode(var.map_accounts)
+  }
 }
\ No newline at end of file
diff --git a/modules/aws/eks/eks.tf b/modules/aws/eks/eks.tf
index f4580ca5..776ea23d 100644
--- a/modules/aws/eks/eks.tf
+++ b/modules/aws/eks/eks.tf
@@ -5,17 +5,18 @@ locals {
 
 resource "aws_eks_cluster" "vishwakarma" {
   name     = "${var.phase}-${var.project}"
-  role_arn = "${aws_iam_role.eks.arn}"
+  version  = var.kubernetes_version
+  role_arn = aws_iam_role.eks.arn
 
   vpc_config {
-    endpoint_private_access = "${var.endpoint_private_access}"
-    endpoint_public_access  =  "${var.endpoint_public_access}"
-    subnet_ids              = ["${var.exist_subnet_ids}"]
-    security_group_ids      = ["${aws_security_group.eks.id}"]
+    endpoint_private_access = var.endpoint_private_access
+    endpoint_public_access  = var.endpoint_public_access
+    subnet_ids              = var.exist_subnet_ids
+    security_group_ids      = [aws_security_group.eks.id]
   }
 
   depends_on = [
     "aws_iam_role_policy_attachment.eks_cluster",
     "aws_iam_role_policy_attachment.eks_service",
   ]
-}
+}
\ No newline at end of file
diff --git a/modules/aws/eks/kubeconfig.tf b/modules/aws/eks/kubeconfig.tf
index 7996f32c..eda0dc7e 100644
--- a/modules/aws/eks/kubeconfig.tf
+++ b/modules/aws/eks/kubeconfig.tf
@@ -1,22 +1,71 @@
+data "aws_region" "current" {}
+
+resource "local_file" "kubeconfig" {
+    count    = var.kubeconfig_output_flag ? 1 : 0
+    content  = data.template_file.kubeconfig.rendered
+    filename = "${var.config_output_path}/kubeconfig"
+}
+
+data "template_file" "kubeconfig" {
+  template = file("${path.module}/resources/kubeconfig.tpl")
+
+  vars = {
+    kubeconfig_name           = aws_eks_cluster.vishwakarma.id
+    endpoint                  = aws_eks_cluster.vishwakarma.endpoint
+    region                    = data.aws_region.current.name
+    cluster_auth_base64       = aws_eks_cluster.vishwakarma.certificate_authority.0.data
+    aws_authenticator_command = var.kubeconfig_aws_authenticator_command
+    aws_authenticator_command_args = length(var.kubeconfig_aws_authenticator_command_args) > 0 ? "        - ${join(
+      "\n        - ",
+      var.kubeconfig_aws_authenticator_command_args,
+      )}" : "        - ${join(
+      "\n        - ",
+      formatlist("\"%s\"", ["token", "-i", aws_eks_cluster.vishwakarma.id]),
+    )}"
+    aws_authenticator_additional_args = length(var.kubeconfig_aws_authenticator_additional_args) > 0 ? "        - ${join(
+      "\n        - ",
+      var.kubeconfig_aws_authenticator_additional_args,
+    )}" : ""
+    aws_authenticator_env_variables = length(var.kubeconfig_aws_authenticator_env_variables) > 0 ? "      env:\n${join(
+      "\n",
+      data.template_file.aws_authenticator_env_variables.*.rendered,
+    )}" : ""
+  }
+}
+
+data "template_file" "aws_authenticator_env_variables" {
+  count = length(var.kubeconfig_aws_authenticator_env_variables)
+
+  template = <<EOF
+        - name: $${key}
+          value: $${value}
+EOF
+
+  vars = {
+    value = values(var.kubeconfig_aws_authenticator_env_variables)[count.index]
+    key   = keys(var.kubeconfig_aws_authenticator_env_variables)[count.index]
+  }
+}
+
 resource "aws_s3_bucket" "eks" {
   # Buckets must start with a lower case name and are limited to 63 characters,
   # so we prepend the letter 'a' and use the md5 hex digest for the case of a long domain
   # leaving 29 chars for the cluster name.
-  bucket = "${ format("%s%s-%s", "a", aws_eks_cluster.vishwakarma.id, md5(format("%s-%s", var.aws_region , aws_eks_cluster.vishwakarma.endpoint))) }"
+  bucket = format("%s%s-%s", "a", aws_eks_cluster.vishwakarma.id, md5(format("%s-%s", data.aws_region.current.name , aws_eks_cluster.vishwakarma.endpoint)))
 
 
   acl = "private"
 
-  tags = "${merge(map(
-      "Name", "${ format("%s%s-%s", "a", aws_eks_cluster.vishwakarma.id, md5(format("%s-%s", var.aws_region , aws_eks_cluster.vishwakarma.endpoint))) }",
-      "KubernetesCluster", "${aws_eks_cluster.vishwakarma.id}",
-      "Phase", "${var.phase}",
-      "Project", "${var.project}"
-    ), var.extra_tags)}"
+  tags = merge(map(
+      "Name", format("%s%s-%s", "a", aws_eks_cluster.vishwakarma.id, md5(format("%s-%s", var.aws_region , aws_eks_cluster.vishwakarma.endpoint))),
+      "KubernetesCluster", aws_eks_cluster.vishwakarma.id,
+      "Phase", var.phase,
+      "Project", var.project
+    ), var.extra_tags)
 }
 
 resource "aws_s3_bucket_public_access_block" "eks" {
-  bucket = "${aws_s3_bucket.eks.id}"
+  bucket = aws_s3_bucket.eks.id
 
   block_public_acls       = true
   block_public_policy     = true
@@ -24,17 +73,10 @@ resource "aws_s3_bucket_public_access_block" "eks" {
   restrict_public_buckets = true
 }
 
-module "ignition_kubeconfig" {
-  source                     = "../../ignitions/eks-kube-config"
-  cluster_name               = "${aws_eks_cluster.vishwakarma.id}" 
-  cluster_endpoint           = "${aws_eks_cluster.vishwakarma.endpoint}"
-  certificate_authority_data = "${aws_eks_cluster.vishwakarma.certificate_authority.0.data}"
-}
-
 resource "aws_s3_bucket_object" "kubeconfig" {
-  bucket  = "${aws_s3_bucket.eks.bucket}"
+  bucket  = aws_s3_bucket.eks.bucket
   key     = "kubeconfig"
-  content = "${module.ignition_kubeconfig.rendered}"
+  content = data.template_file.kubeconfig.rendered
   acl     = "private"
 
   # The current Vishwakarma installer stores bits of the kubeconfig in KMS. As we
@@ -44,16 +86,10 @@ resource "aws_s3_bucket_object" "kubeconfig" {
   server_side_encryption = "AES256"
   content_type = "text/plain"
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "kubeconfig",
-      "KubernetesCluster", "${aws_eks_cluster.vishwakarma.id}",
-      "Phase", "${var.phase}",
-      "Project", "${var.project}"
-    ), var.extra_tags)}"
-}
-
-resource "local_file" "kubeconfig" {
-    count    = "${var.kubeconfig_output_flag ? 1 : 0}"
-    content  = "${module.ignition_kubeconfig.rendered}"
-    filename = "${var.config_output_path}/kubeconfig"
+      "KubernetesCluster", aws_eks_cluster.vishwakarma.id,
+      "Phase", var.phase,
+      "Project", var.project
+    ), var.extra_tags)
 }
diff --git a/modules/aws/eks/main.tf b/modules/aws/eks/main.tf
deleted file mode 100644
index 358af5f5..00000000
--- a/modules/aws/eks/main.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# Configuration
-# ---------------------------------------------------------------------------------------------------------------------
-
-provider "aws" {
-  region  = "${var.aws_region}"
-  version = "2.3.0"
-}
-
-provider "local" {
-  version = "1.1.0"
-}
-
-provider "null" {
-  version = "1.0.0"
-}
-
-provider "template" {
-  version = "1.0.0"
-}
diff --git a/modules/aws/eks/outputs.tf b/modules/aws/eks/outputs.tf
index 98cbf48c..0b8c4873 100644
--- a/modules/aws/eks/outputs.tf
+++ b/modules/aws/eks/outputs.tf
@@ -1,35 +1,35 @@
 output "id" {
-  value       = "${aws_eks_cluster.vishwakarma.id}"
+  value       = aws_eks_cluster.vishwakarma.id
   description = "the eks cluster name"
 }
 
 output "endpoint" {
-  value = "${aws_eks_cluster.vishwakarma.endpoint}"
+  value       = aws_eks_cluster.vishwakarma.endpoint
   description = "the eks cluster endpoint"
 }
 
 output "kubernetes_version" {
-  value       = "${aws_eks_cluster.vishwakarma.version}"
+  value       = aws_eks_cluster.vishwakarma.version
   description = "the eks cluster version"
 }
 
 output "worker_sg_id" {
-  value       = "${aws_security_group.worker.id}"
+  value       = aws_security_group.worker.id
   description = "the security group id for worker group"
 }
 
 output "s3_bucket" {
-  value       = "${aws_s3_bucket.eks.bucket}"
+  value       = aws_s3_bucket.eks.bucket
   description = "the s3 bucket where put kubeconfig"
 }
 
 output "worker_role_arns" {
-  value       = "${aws_iam_role.workers.*.name}"
+  value       = aws_iam_role.workers.*.name
   description = "the role arns for worker groups"
 }
 
 output "worker_instance_profiles" {
-  value = "${aws_iam_instance_profile.workers.*.name}"
+  value       = aws_iam_instance_profile.workers.*.name
   description = "the instance profiles name for worker groups"
 }
 
diff --git a/modules/aws/eks/resources/config-map-aws-auth-map_accounts.yaml.tpl b/modules/aws/eks/resources/config-map-aws-auth-map_accounts.yaml.tpl
deleted file mode 100644
index 26dc5078..00000000
--- a/modules/aws/eks/resources/config-map-aws-auth-map_accounts.yaml.tpl
+++ /dev/null
@@ -1 +0,0 @@
-    - "${account_number}"
diff --git a/modules/aws/eks/resources/config-map-aws-auth-map_roles.yaml.tpl b/modules/aws/eks/resources/config-map-aws-auth-map_roles.yaml.tpl
deleted file mode 100644
index 9f321b7b..00000000
--- a/modules/aws/eks/resources/config-map-aws-auth-map_roles.yaml.tpl
+++ /dev/null
@@ -1,4 +0,0 @@
-    - rolearn: ${role_arn}
-      username: ${username}
-      groups:
-        - ${group}
diff --git a/modules/aws/eks/resources/config-map-aws-auth-map_users.yaml.tpl b/modules/aws/eks/resources/config-map-aws-auth-map_users.yaml.tpl
deleted file mode 100644
index 92499de4..00000000
--- a/modules/aws/eks/resources/config-map-aws-auth-map_users.yaml.tpl
+++ /dev/null
@@ -1,4 +0,0 @@
-    - userarn: ${user_arn}
-      username: ${username}
-      groups:
-        - ${group}
diff --git a/modules/aws/eks/resources/config-map-aws-auth.yaml.tpl b/modules/aws/eks/resources/config-map-aws-auth.yaml.tpl
index 86f4f5f9..bcff17c4 100644
--- a/modules/aws/eks/resources/config-map-aws-auth.yaml.tpl
+++ b/modules/aws/eks/resources/config-map-aws-auth.yaml.tpl
@@ -6,8 +6,14 @@ metadata:
 data:
   mapRoles: |
 ${worker_role_arn}
-${map_roles}
+  %{if chomp(map_roles) != "[]" }
+    ${indent(4, map_roles)}
+  %{ endif }
+  %{if chomp(map_users) != "[]" }
   mapUsers: |
-${map_users}
+    ${indent(4, map_users)}
+  %{ endif }
+  %{if chomp(map_accounts) != "[]" }
   mapAccounts: |
-${map_accounts}
+    ${indent(4, map_accounts)}
+  %{ endif }
\ No newline at end of file
diff --git a/modules/ignitions/eks-kube-config/resources/kubernetes/kubeconfig b/modules/aws/eks/resources/kubeconfig.tpl
similarity index 85%
rename from modules/ignitions/eks-kube-config/resources/kubernetes/kubeconfig
rename to modules/aws/eks/resources/kubeconfig.tpl
index 8396bee1..4efbf97f 100644
--- a/modules/ignitions/eks-kube-config/resources/kubernetes/kubeconfig
+++ b/modules/aws/eks/resources/kubeconfig.tpl
@@ -4,7 +4,7 @@ kind: Config
 
 clusters:
 - cluster:
-    server: ${cluster_endpoint}
+    server: ${endpoint}
     certificate-authority-data: ${cluster_auth_base64}
   name: ${kubeconfig_name}
 
@@ -12,9 +12,9 @@ contexts:
 - context:
     cluster: ${kubeconfig_name}
     user: ${kubeconfig_name}
-  name: default
+  name: ${kubeconfig_name}
 
-current-context: default
+current-context: ${kubeconfig_name}
 
 users:
 - name: ${kubeconfig_name}
diff --git a/modules/aws/eks/role-eks.tf b/modules/aws/eks/role-eks.tf
index d1d412a2..a64f4f9a 100644
--- a/modules/aws/eks/role-eks.tf
+++ b/modules/aws/eks/role-eks.tf
@@ -16,15 +16,15 @@ data "aws_iam_policy_document" "cluster_assume_role_policy" {
 
 resource "aws_iam_role" "eks" {
   name_prefix        = "${var.phase}-${var.project}-eks-"
-  assume_role_policy = "${data.aws_iam_policy_document.cluster_assume_role_policy.json}"
+  assume_role_policy = data.aws_iam_policy_document.cluster_assume_role_policy.json
 }
 
 resource "aws_iam_role_policy_attachment" "eks_cluster" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
-  role       = "${aws_iam_role.eks.name}"
+  role       = aws_iam_role.eks.name
 }
 
 resource "aws_iam_role_policy_attachment" "eks_service" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
-  role       = "${aws_iam_role.eks.name}"
+  role       = aws_iam_role.eks.name
 }
diff --git a/modules/aws/eks/role-workers.tf b/modules/aws/eks/role-workers.tf
index 4f231bf0..74c51365 100644
--- a/modules/aws/eks/role-workers.tf
+++ b/modules/aws/eks/role-workers.tf
@@ -1,55 +1,55 @@
 resource "aws_iam_role" "workers" {
-  count       = "${length(var.worker_groups)}"
+  count                 = length(var.worker_groups)
   name                  = "${var.phase}-${var.project}-worker-${var.worker_groups[count.index]}"
-  assume_role_policy    = "${data.aws_iam_policy_document.workers_assume_role.json}"
-  permissions_boundary  = "${var.permissions_boundary}"
-  path                  = "${var.iam_path}"
+  assume_role_policy    = data.aws_iam_policy_document.workers_assume_role.json
+  permissions_boundary  = var.permissions_boundary
+  path                  = var.iam_path
   force_detach_policies = true
 }
 
 resource "aws_iam_instance_profile" "workers" {
-  count       = "${length(var.worker_groups)}"
+  count       = length(var.worker_groups)
   name        = "${var.phase}-${var.project}-worker-${var.worker_groups[count.index]}"
-  role        = "${aws_iam_role.workers.*.name[count.index]}"
-  path        = "${var.iam_path}"
+  role        = aws_iam_role.workers.*.name[count.index]
+  path        = var.iam_path
 }
 
 resource "aws_iam_role_policy_attachment" "workers_AmazonEKS_CNI_Policy" {
-  count      = "${length(var.worker_groups)}"
+  count      = length(var.worker_groups)
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
-  role       = "${aws_iam_role.workers.*.name[count.index]}"
+  role       = aws_iam_role.workers.*.name[count.index]
 }
 
 resource "aws_iam_role_policy_attachment" "workers_AmazonEC2ContainerRegistryReadOnly" {
-  count      = "${length(var.worker_groups)}"
+  count      = length(var.worker_groups)
   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
-  role       = "${aws_iam_role.workers.*.name[count.index]}"
+  role       = aws_iam_role.workers.*.name[count.index]
 }
 
 resource "aws_iam_policy" "worker_autoscaling" {
   name_prefix = "${var.phase}-${var.project}-worker-autoscaling-"
   description = "EKS worker node autoscaling policy for cluster ${aws_eks_cluster.vishwakarma.id}"
-  policy      = "${data.aws_iam_policy_document.worker_autoscaling.json}"
-  path        = "${var.iam_path}"
+  policy      = data.aws_iam_policy_document.worker_autoscaling.json
+  path        = var.iam_path
 }
 
 resource "aws_iam_role_policy_attachment" "workers_autoscaling" {
-  count      = "${length(var.worker_groups)}"
-  policy_arn = "${aws_iam_policy.worker_autoscaling.arn}"
-  role       = "${aws_iam_role.workers.*.name[count.index]}"
+  count      = length(var.worker_groups)
+  policy_arn = aws_iam_policy.worker_autoscaling.arn
+  role       = aws_iam_role.workers.*.name[count.index]
 }
 
 resource "aws_iam_policy" "worker_ignition" {
   name_prefix = "${var.phase}-${var.project}-worker-ignition-"
   description = "EKS worker node to get the ignition file from s3"
-  policy      = "${data.aws_iam_policy_document.worker_ignition.json}"
-  path        = "${var.iam_path}"
+  policy      = data.aws_iam_policy_document.worker_ignition.json
+  path        = var.iam_path
 }
 
 resource "aws_iam_role_policy_attachment" "worker_ignition" {
-  count      = "${length(var.worker_groups)}"
-  policy_arn = "${aws_iam_policy.worker_ignition.arn}"
-  role       = "${aws_iam_role.workers.*.name[count.index]}"
+  count      = length(var.worker_groups)
+  policy_arn = aws_iam_policy.worker_ignition.arn
+  role       = aws_iam_role.workers.*.name[count.index]
 }
 
 data "aws_iam_policy_document" "workers_assume_role" {
diff --git a/modules/aws/eks/sg-eks.tf b/modules/aws/eks/sg-eks.tf
index 7729c238..99b80a3c 100644
--- a/modules/aws/eks/sg-eks.tf
+++ b/modules/aws/eks/sg-eks.tf
@@ -1,25 +1,25 @@
 data "aws_subnet" "exist" {
-  id = "${var.exist_subnet_ids[0]}"
+  id = var.exist_subnet_ids[0]
 }
 
 data "aws_vpc" "exist" {
-  id = "${data.aws_subnet.exist.vpc_id}"
+  id = data.aws_subnet.exist.vpc_id
 }
 
 resource "aws_security_group" "eks" {
   name_prefix = "${var.phase}-${var.project}-eks-"
-  vpc_id      = "${data.aws_vpc.exist.id}"
+  vpc_id      = data.aws_vpc.exist.id
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.phase}-${var.project}-eks",
-      "Phase", "${var.phase}",
-      "Project", "${var.project}"
-    ), var.extra_tags)}"
+      "Phase", var.phase,
+      "Project", var.project
+    ), var.extra_tags)
 }
 
 resource "aws_security_group_rule" "eks_egress" {
   type              = "egress"
-  security_group_id = "${aws_security_group.eks.id}"
+  security_group_id = aws_security_group.eks.id
 
   from_port   = 0
   to_port     = 0
@@ -29,10 +29,10 @@ resource "aws_security_group_rule" "eks_egress" {
 
 resource "aws_security_group_rule" "eks_ingress_https_from_vpc" {
   type              = "ingress"
-  security_group_id = "${aws_security_group.eks.id}"
+  security_group_id = aws_security_group.eks.id
 
   protocol    = "tcp"
-  cidr_blocks = "${var.cidr_access_eks_https}"
+  cidr_blocks = var.cidr_access_eks_https
   from_port   = 443
   to_port     = 443
 }
diff --git a/modules/aws/eks/sg-worker.tf b/modules/aws/eks/sg-worker.tf
index 7fa9ed92..38c8b470 100644
--- a/modules/aws/eks/sg-worker.tf
+++ b/modules/aws/eks/sg-worker.tf
@@ -1,20 +1,20 @@
 resource "aws_security_group" "worker" {
   name_prefix = "${var.phase}-${var.project}-worker-"
   description = "Security group for all nodes in the cluster."
-  vpc_id      = "${data.aws_subnet.exist.vpc_id}"
+  vpc_id      = data.aws_subnet.exist.vpc_id
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.phase}-${var.project}-worker",
       "kubernetes.io/cluster/${var.phase}-${var.project}", "owned",
-      "Phase", "${var.phase}",
-      "Project", "${var.project}"
-    ), var.extra_tags)}"
+      "Phase", var.phase,
+      "Project", var.project
+    ), var.extra_tags)
 }
 
 resource "aws_security_group_rule" "worker_egress" {
   description       = "Allow nodes all egress to the Internet."
   protocol          = "-1"
-  security_group_id = "${aws_security_group.worker.id}"
+  security_group_id = aws_security_group.worker.id
   cidr_blocks       = ["0.0.0.0/0"]
   from_port         = 0
   to_port           = 0
@@ -34,8 +34,8 @@ resource "aws_security_group_rule" "worker_ingress_self" {
 resource "aws_security_group_rule" "worker_ingress_from_eks" {
   description              = "Allow workers kubelet and pod to be accessed from the cluster control plane."
   protocol                 = "tcp"
-  security_group_id        = "${aws_security_group.worker.id}"
-  source_security_group_id = "${aws_security_group.eks.id}"
+  security_group_id        = aws_security_group.worker.id
+  source_security_group_id = aws_security_group.eks.id
   from_port                = 1025
   to_port                  = 65535
   type                     = "ingress"
@@ -44,8 +44,8 @@ resource "aws_security_group_rule" "worker_ingress_from_eks" {
 resource "aws_security_group_rule" "worker_ingress_from_ssh" {
   description              = "Allow access from ssh."
   protocol                 = "tcp"
-  security_group_id        = "${aws_security_group.worker.id}"
-  cidr_blocks              = "${var.cidr_access_worker_ssh}"
+  security_group_id        = aws_security_group.worker.id
+  cidr_blocks              = var.cidr_access_worker_ssh
   from_port                = 22
   to_port                  = 22
   type                     = "ingress"
@@ -53,11 +53,11 @@ resource "aws_security_group_rule" "worker_ingress_from_ssh" {
 
 resource "aws_security_group_rule" "worker_ingress_lb" {
 
-  count = "${length(var.lb_sg_ids)}"
+  count = length(var.lb_sg_ids)
 
   type                     = "ingress"
-  security_group_id        = "${aws_security_group.worker.id}"
-  source_security_group_id = "${var.lb_sg_ids[count.index]}"
+  security_group_id        = aws_security_group.worker.id
+  source_security_group_id = var.lb_sg_ids[count.index]
 
   protocol  = "tcp"
   from_port = 30000
diff --git a/modules/aws/eks/variables.tf b/modules/aws/eks/variables.tf
index c3a0e171..213e4a2a 100644
--- a/modules/aws/eks/variables.tf
+++ b/modules/aws/eks/variables.tf
@@ -1,169 +1,168 @@
 variable "aws_region" {
   description = "The AWS region to build eks cluster"
-  type        = "string"
+  type        = string
   default     = ""
 }
 
 variable "cidr_access_eks_https" {
   description = "The CIDR block of AWS VPC for eks cluster"
-  type        = "list"
+  type        = list(string)
   default     = ["0.0.0.0/0"]
 }
 
 variable "cidr_access_worker_ssh" {
   description = "The CIDR block of AWS VPC for eks cluster"
-  type        = "list"
+  type        = list(string)
   default     = ["0.0.0.0/0"]
 }
 
 variable "exist_subnet_ids" {
   description = "The exist AWS subnet ids for EKS cluster"
-  type        = "list"
+  type        = list(string)
 }
 
 variable "phase" {
   description = "Specific which phase is used for this eks cluster, and phase + project become cluster name"
-  type        = "string"
+  type        = string
   default     = "test"
 }
 
 variable "project" {
   description = "Specific which project is used by eks cluster, and phase + project become cluster name"
-  type        = "string"
+  type        = string
   default     = "vishwakarma"
 }
 
 variable "kubernetes_version" {
-  type        = "string"
-  default     = "1.12.7"
+  type        = string
+  default     = "1.13"
   description = "Desired Kubernetes master version. If you do not specify a value, the latest available version is used."
 }
 
 variable "config_output_path" {
   description = "The path to store config, e.g. kubeconfig"
-  type        = "string"
-  default     = "./terraform"
-}
-
-variable "kubeconfig_output_flag" {
-  description = "Whether to write a Kubectl config file containing the cluster configuration. Saved to `config_output_path`."
-  default     = true
-}
-
-variable "manage_aws_auth" {
-  description = "Whether to apply the aws-auth configmap file."
-  default     = true
-}
-
-variable "aws_auth_config_output_flag" {
-  description = "Whether to write the aws-auth configmap file."
-  default     = true
-}
-
-variable "kubeconfig_name" {
-  description = "Override the default name used for items kubeconfig."
-  default     = ""
+  type        = string
+  default     = "./.terraform"
 }
 
 variable "kubeconfig_aws_authenticator_command" {
   description = "Command to use to fetch AWS EKS credentials."
+  type        = string
   default     = "aws-iam-authenticator"
 }
 
 variable "kubeconfig_aws_authenticator_command_args" {
   description = "Default arguments passed to the authenticator command. Defaults to [token -i $cluster_name]."
-  type        = "list"
+  type        = list(string)
   default     = []
 }
 
 variable "kubeconfig_aws_authenticator_additional_args" {
   description = "Any additional arguments to pass to the authenticator such as the role to assume. e.g. [\"-r\", \"MyEksRole\"]."
-  type        = "list"
+  type        = list(string)
   default     = []
 }
 
 variable "kubeconfig_aws_authenticator_env_variables" {
   description = "Environment variables that should be used when executing the authenticator. e.g. { AWS_PROFILE = \"eks\"}."
-  type        = "map"
+  type        = map(string)
   default     = {}
 }
 
+variable "kubeconfig_output_flag" {
+  description = "Whether to write a Kubectl config file containing the cluster configuration. Saved to `config_output_path`."
+  type        = bool
+  default     = true
+}
+
+variable "manage_aws_auth" {
+  description = "Whether to apply the aws-auth configmap file."
+  type        = bool
+  default     = true
+}
+
+variable "aws_auth_config_output_flag" {
+  description = "Whether to write the aws-auth configmap file."
+  type        = bool
+  default     = true
+}
+
+variable "kubeconfig_name" {
+  description = "Override the default name used for items kubeconfig."
+  type        = string
+  default     = ""
+}
+
 variable "worker_groups" {
   description = "The worker groups's name for generating role"
-  type        = "list"
+  type        = list(string)
   default     = []
 }
 
 variable "permissions_boundary" {
   description = "If provided, all IAM roles will be created with this permissions boundary attached."
+  type        = string
   default     = ""
 }
 
 variable "iam_path" {
   description = "If provided, all IAM roles will be created on this path."
+  type        = string
   default     = "/"
 }
 
 variable "map_accounts" {
   description = "Additional AWS account numbers to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format."
-  type        = "list"
+  type        = list(string)
   default     = []
 }
 
-variable "map_accounts_count" {
-  description = "The count of accounts in the map_accounts list."
-  type        = "string"
-  default     = 0
-}
-
 variable "map_roles" {
   description = "Additional IAM roles to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format."
-  type        = "list"
+  type = list(object({
+    rolearn  = string
+    username = string
+    groups   = list(string)
+  }))
   default     = []
 }
 
-variable "map_roles_count" {
-  description = "The count of roles in the map_roles list."
-  type        = "string"
-  default     = 0
-}
-
 variable "map_users" {
   description = "Additional IAM users to add to the aws-auth configmap. See examples/eks_test_fixture/variables.tf for example format."
-  type        = "list"
+  type = list(object({
+    userarn  = string
+    username = string
+    groups   = list(string)
+  }))
   default     = []
 }
 
-variable "map_users_count" {
-  description = "The count of roles in the map_users list."
-  type        = "string"
-  default     = 0
-}
-
 variable "lb_sg_ids" {
   description = "The security group id which used by load balancer"
-  type        = "list"
+  type        = list(string)
   default     = []
 }
 
 variable "endpoint_private_access" {
-  default = true
   description = "Kubernetes apiserver endpoint"
+  type        = bool
+  default     = true
 }
 
 variable "endpoint_public_access" {
-  default = false
   description = "Kubernetes apiserver endpoint"
+  type        = bool
+  default     = false
 }
 
 variable "local_exec_interpreter" {
   description = "Command to run for local-exec resources. Must be a shell-style interpreter. If you are on Windows Git Bash is a good choice."
-  type        = "list"
+  type        = list(string)
   default     = ["/bin/sh", "-c"]
 }
 
 variable "extra_tags" {
   description = "Extra AWS tags to be applied to created resources."
-  type        = "map"
+  type        = map(string)
   default     = {}
 }
diff --git a/modules/aws/network/bastion.tf b/modules/aws/network/bastion.tf
index 55cc9b8b..5be53ac5 100644
--- a/modules/aws/network/bastion.tf
+++ b/modules/aws/network/bastion.tf
@@ -1,16 +1,16 @@
 resource "aws_security_group" "bastion" {
-  vpc_id = "${aws_vpc.new_vpc.id}"
+  vpc_id = aws_vpc.new_vpc.id
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.phase}-${var.project}-bastion",
-      "Phase", "${var.phase}",
-      "Project", "${var.project}"
-    ), var.extra_tags)}"
+      "Phase", var.phase,
+      "Project", var.project
+    ), var.extra_tags)
 }
 
 resource "aws_security_group_rule" "bastion_egress" {
   type              = "egress"
-  security_group_id = "${aws_security_group.bastion.id}"
+  security_group_id = aws_security_group.bastion.id
 
   from_port   = 0
   to_port     = 0
@@ -20,7 +20,7 @@ resource "aws_security_group_rule" "bastion_egress" {
 
 resource "aws_security_group_rule" "bastion_ingress_ssh" {
   type              = "ingress"
-  security_group_id = "${aws_security_group.bastion.id}"
+  security_group_id = aws_security_group.bastion.id
 
   protocol    = "tcp"
   cidr_blocks = ["0.0.0.0/0"]
@@ -48,25 +48,25 @@ data "aws_ami" "latest_ubuntu" {
 
 resource "random_integer" "subnet_id_index" {
   min     = 0
-  max     = "${var.aws_az_number - 1}"
+  max     = var.aws_az_number - 1
 
   keepers = {
-    vpc_id = "${aws_vpc.new_vpc.id}"
+    vpc_id = aws_vpc.new_vpc.id
   }
 }
 
 data "template_file" "user_data" {
-  template = "${file("${path.module}/resources/user_data")}"
+  template = file("${path.module}/resources/user_data")
 }
 
 resource "aws_instance" "bastion" {
-  ami                         = "${var.bastion_ami_id == "" ? data.aws_ami.latest_ubuntu.image_id : var.bastion_ami_id}"
+  ami                         = var.bastion_ami_id == "" ? data.aws_ami.latest_ubuntu.image_id : var.bastion_ami_id
   associate_public_ip_address = true
-  instance_type               = "${var.bastion_instance_type}"
-  key_name                    = "${var.bastion_key_name}"
+  instance_type               = var.bastion_instance_type
+  key_name                    = var.bastion_key_name
   source_dest_check           = true
-  subnet_id                   = "${aws_subnet.public_subnet.*.id[random_integer.subnet_id_index.result]}"
-  user_data                   = "${data.template_file.user_data.rendered}" 
+  subnet_id                   = aws_subnet.public_subnet.*.id[random_integer.subnet_id_index.result]
+  user_data                   = data.template_file.user_data.rendered
 
   root_block_device {
     volume_type = "standard"
@@ -74,12 +74,12 @@ resource "aws_instance" "bastion" {
   }
 
   vpc_security_group_ids = [
-    "${ aws_security_group.bastion.id }",
+    aws_security_group.bastion.id,
   ]
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.phase}-${var.project}-bastion",
-      "Phase", "${var.phase}",
-      "Project", "${var.project}"
-    ), var.extra_tags)}"
+      "Phase", var.phase,
+      "Project", var.project
+    ), var.extra_tags)
 }
diff --git a/modules/aws/network/data.tf b/modules/aws/network/data.tf
new file mode 100644
index 00000000..97e654b9
--- /dev/null
+++ b/modules/aws/network/data.tf
@@ -0,0 +1,4 @@
+
+locals {
+  cluster_name      = "${var.phase}-${var.project}"
+}
diff --git a/modules/aws/network/main.tf b/modules/aws/network/main.tf
deleted file mode 100644
index b375ffdf..00000000
--- a/modules/aws/network/main.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# Configuration
-# ---------------------------------------------------------------------------------------------------------------------
-
-provider "aws" {
-  region  = "${var.aws_region}"
-  version = "2.3.0"
-}
-
-provider "random" {
-  version = "1.3.1"
-}
-
-locals {
-  cluster_name      = "${var.phase}-${var.project}"
-}
diff --git a/modules/aws/network/outputs.tf b/modules/aws/network/outputs.tf
index 50418509..8e89959f 100644
--- a/modules/aws/network/outputs.tf
+++ b/modules/aws/network/outputs.tf
@@ -1,24 +1,24 @@
 output "vpc_id" {
-  value       = "${aws_vpc.new_vpc.id}"
   description = "vpc id created by this module"
+  value       = aws_vpc.new_vpc.id
 }
 
 output "public_subnet_ids" {
-  value       = ["${aws_subnet.public_subnet.*.id}"]
   description = "resource can be accessed publicly when use it"
+  value       = aws_subnet.public_subnet.*.id
 }
 
 output "private_subnet_ids" {
-  value       = ["${aws_subnet.private_subnet.*.id}"]
   description = "resource can not be accessed publicly when use it"
+  value       = aws_subnet.private_subnet.*.id
 }
 
 output "bastion_public_ip" {
-  value       = "${aws_instance.bastion.public_ip}"
   description = "the public ip address for ssh"
+  value       = aws_instance.bastion.public_ip
 }
 
 output "zone_id" {
-  value = "${var.private_zone ? join("", aws_route53_zone.zone.*.zone_id) : ""}"
   description = "private zone id for k8s"
+  value       = var.private_zone ? join("", aws_route53_zone.zone.*.zone_id) : ""
 }
diff --git a/modules/aws/network/variables.tf b/modules/aws/network/variables.tf
index ee1b7099..4274d19f 100644
--- a/modules/aws/network/variables.tf
+++ b/modules/aws/network/variables.tf
@@ -1,56 +1,52 @@
-variable "aws_region" {
-  description = "The AWS region to build network infrastructure"
-  type        = "string"
-}
-
 variable "aws_az_number" {
   description = "How many AZs want to be used"
-  type        = "string"
+  type        = string
   default     = "3"
 }
 
 variable "cidr_block" {
   description = "The CIDR block for AWS VPC"
-  type        = "string"
+  type        = string
   default     = "10.0.0.0/16"
 }
 
 variable "phase" {
   description = "Specific which phase service will be hosted"
-  type        = "string"
+  type        = string
   default     = "test"
 }
 
 variable "project" {
   description = "Specific which project service will host"
-  type        = "string"
+  type        = string
   default     = "vishwakarma"
 }
 
 variable "bastion_ami_id" {
   description = "The AWS AMI id for bastion"
-  type        = "string"
+  type        = string
   default     = ""
 }
 
 variable "bastion_instance_type" {
   description = "The AWS instance type for bastion"
-  type        = "string"
+  type        = string
   default     = "t3.micro"
 }
 
 variable "bastion_key_name" {
   description = "The AWS EC2 key name for bastion"
-  type        = "string"
+  type        = string
 }
 
 variable "private_zone" {
   description = "Create a private Route53 host zone"
+  type        = bool
   default     = false
 }
 
 variable "extra_tags" {
   description = "Extra AWS tags to be applied to created resources"
-  type        = "map"
+  type        = map(string)
   default     = {}
 }
diff --git a/modules/aws/network/vpc-private.tf b/modules/aws/network/vpc-private.tf
index b139e773..37e40fd0 100644
--- a/modules/aws/network/vpc-private.tf
+++ b/modules/aws/network/vpc-private.tf
@@ -1,39 +1,39 @@
 resource "aws_route_table" "private_routes" {
-  count  = "${length(local.aws_azs)}"
-  vpc_id = "${aws_vpc.new_vpc.id}"
+  count  = length(local.aws_azs)
+  vpc_id = aws_vpc.new_vpc.id
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.phase}-${var.project}-private-${local.aws_azs[count.index]}",
-      "Phase", "${var.phase}",
-      "Project", "${var.project}",
+      "Phase", var.phase,
+      "Project", var.project,
       "kubernetes.io/cluster/${var.phase}-${var.project}", "shared"
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 resource "aws_route" "to_nat_gw" {
-  count                  = "${length(local.aws_azs)}"
-  route_table_id         = "${aws_route_table.private_routes.*.id[count.index]}"
+  count                  = length(local.aws_azs)
+  route_table_id         = aws_route_table.private_routes.*.id[count.index]
   destination_cidr_block = "0.0.0.0/0"
-  nat_gateway_id         = "${element(aws_nat_gateway.nat_gw.*.id, count.index)}"
+  nat_gateway_id         = element(aws_nat_gateway.nat_gw.*.id, count.index)
   depends_on             = ["aws_route_table.private_routes"]
 }
 
 resource "aws_subnet" "private_subnet" {
-  count             = "${length(local.aws_azs)}"
-  vpc_id            = "${aws_vpc.new_vpc.id}"
-  cidr_block        = "${cidrsubnet(aws_vpc.new_vpc.cidr_block, 4, count.index + length(local.aws_azs))}"
-  availability_zone = "${local.aws_azs[count.index]}"
+  count             = length(local.aws_azs)
+  vpc_id            = aws_vpc.new_vpc.id
+  cidr_block        = cidrsubnet(aws_vpc.new_vpc.cidr_block, 4, count.index + length(local.aws_azs))
+  availability_zone = local.aws_azs[count.index]
 
-  tags = "${merge(map(
+  tags = merge(map(
     "Name", "${var.phase}-${var.project}-private-${local.aws_azs[count.index]}",
-    "Phase", "${var.phase}",
-    "Project", "${var.project}",
+    "Phase", var.phase,
+    "Project", var.project,
     "kubernetes.io/cluster/${var.phase}-${var.project}", "shared"
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 resource "aws_route_table_association" "private_routing" {
-  count          = "${length(local.aws_azs)}"
-  route_table_id = "${aws_route_table.private_routes.*.id[count.index]}"
-  subnet_id      = "${aws_subnet.private_subnet.*.id[count.index]}"
+  count          = length(local.aws_azs)
+  route_table_id = aws_route_table.private_routes.*.id[count.index]
+  subnet_id      = aws_subnet.private_subnet.*.id[count.index]
 }
diff --git a/modules/aws/network/vpc-public.tf b/modules/aws/network/vpc-public.tf
index 40384c79..35a6379c 100644
--- a/modules/aws/network/vpc-public.tf
+++ b/modules/aws/network/vpc-public.tf
@@ -1,57 +1,57 @@
 resource "aws_internet_gateway" "igw" {
-  vpc_id = "${aws_vpc.new_vpc.id}"
+  vpc_id = aws_vpc.new_vpc.id
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.phase}-${var.project}-igw",
-      "Phase", "${var.phase}",
-      "Project", "${var.project}",
+      "Phase", var.phase,
+      "Project", var.project,
       "kubernetes.io/cluster/${var.phase}-${var.project}", "shared"
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 resource "aws_route_table" "default" {
-  vpc_id = "${aws_vpc.new_vpc.id}"
+  vpc_id = aws_vpc.new_vpc.id
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.phase}-${var.project}-public",
-      "Phase", "${var.phase}",
-      "Project", "${var.project}"
-    ), var.extra_tags)}"
+      "Phase", var.phase,
+      "Project", var.project
+    ), var.extra_tags)
 }
 
 resource "aws_main_route_table_association" "main_vpc_routes" {
-  vpc_id         = "${aws_vpc.new_vpc.id}"
-  route_table_id = "${aws_route_table.default.id}"
+  vpc_id         = aws_vpc.new_vpc.id
+  route_table_id = aws_route_table.default.id
 }
 
 resource "aws_route" "igw_route" {
   destination_cidr_block = "0.0.0.0/0"
-  route_table_id         = "${aws_route_table.default.id}"
-  gateway_id             = "${aws_internet_gateway.igw.id}"
+  route_table_id         = aws_route_table.default.id
+  gateway_id             = aws_internet_gateway.igw.id
 }
 
 resource "aws_subnet" "public_subnet" {
-  count             = "${length(local.aws_azs)}"
-  vpc_id            = "${aws_vpc.new_vpc.id}"
-  cidr_block        = "${cidrsubnet(aws_vpc.new_vpc.cidr_block, 4, count.index)}"
-  availability_zone = "${local.aws_azs[count.index]}"
+  count             = length(local.aws_azs)
+  vpc_id            = aws_vpc.new_vpc.id
+  cidr_block        = cidrsubnet(aws_vpc.new_vpc.cidr_block, 4, count.index)
+  availability_zone = local.aws_azs[count.index]
 
-  tags = "${merge(map(
+  tags = merge(map(
      "Name", "${var.phase}-${var.project}-public-${local.aws_azs[count.index]}",
-     "Phase", "${var.phase}",
-     "Project", "${var.project}",
+     "Phase", var.phase,
+     "Project", var.project,
      "kubernetes.io/cluster/${var.phase}-${var.project}", "shared"
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 resource "aws_route_table_association" "route_net" {
-  count          = "${length(local.aws_azs)}"
-  route_table_id = "${aws_route_table.default.id}"
-  subnet_id      = "${aws_subnet.public_subnet.*.id[count.index]}"
+  count          = length(local.aws_azs)
+  route_table_id = aws_route_table.default.id
+  subnet_id      = aws_subnet.public_subnet.*.id[count.index]
 }
 
 resource "aws_eip" "nat_eip" {
-  count = "${length(local.aws_azs)}"
+  count = length(local.aws_azs)
   vpc   = true
 
   # Terraform does not declare an explicit dependency towards the internet gateway.
@@ -61,7 +61,7 @@ resource "aws_eip" "nat_eip" {
 }
 
 resource "aws_nat_gateway" "nat_gw" {
-  count         = "${length(local.aws_azs)}"
-  allocation_id = "${aws_eip.nat_eip.*.id[count.index]}"
-  subnet_id     = "${aws_subnet.public_subnet.*.id[count.index]}"
+  count         = length(local.aws_azs)
+  allocation_id = aws_eip.nat_eip.*.id[count.index]
+  subnet_id     = aws_subnet.public_subnet.*.id[count.index]
 }
diff --git a/modules/aws/network/vpc.tf b/modules/aws/network/vpc.tf
index b7e00960..42fc199c 100644
--- a/modules/aws/network/vpc.tf
+++ b/modules/aws/network/vpc.tf
@@ -1,18 +1,18 @@
 resource "aws_vpc" "new_vpc" {
-  cidr_block           = "${var.cidr_block}"
+  cidr_block           = var.cidr_block
   enable_dns_hostnames = true
   enable_dns_support   = true
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.phase}-${var.project}",
-      "Phase", "${var.phase}",
-      "Project", "${var.project}",
+      "Phase", var.phase,
+      "Project", var.project,
       "kubernetes.io/cluster/${var.phase}-${var.project}", "shared"
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 data "aws_availability_zones" "azs" {}
 
 locals {
-  aws_azs = "${slice(data.aws_availability_zones.azs.names, 0, var.aws_az_number)}"
+  aws_azs = slice(data.aws_availability_zones.azs.names, 0, var.aws_az_number)
 }
diff --git a/modules/aws/network/zone.tf b/modules/aws/network/zone.tf
index 84dc375f..f2cfb199 100644
--- a/modules/aws/network/zone.tf
+++ b/modules/aws/network/zone.tf
@@ -1,13 +1,13 @@
 resource "aws_route53_zone" "zone" {
-  count = "${var.private_zone ? 1 : 0}"
+  count = var.private_zone ? 1 : 0
   name  = "${var.phase}-${var.project}.com"
 
-  vpc_id = "${aws_vpc.new_vpc.id}"
+  vpc_id = aws_vpc.new_vpc.id
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.phase}-${var.project}.com",
-      "Phase", "${var.phase}",
-      "Project", "${var.project}",
+      "Phase", var.phase,
+      "Project", var.project,
       "kubernetes.io/cluster/${var.phase}-${var.project}", "shared"
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
diff --git a/modules/ignitions/eks-kube-config/kubeconfig.tf b/modules/ignitions/eks-kube-config/kubeconfig.tf
deleted file mode 100644
index 74db9496..00000000
--- a/modules/ignitions/eks-kube-config/kubeconfig.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-locals {
-  kubeconfig_name = "${var.kubeconfig_name == "" ? "${var.cluster_name}" : var.kubeconfig_name}"
-}
-
-
-data "template_file" "aws_authenticator_env_variables" {
-  template = <<EOF
-        - name: $${key}
-          value: $${value}
-EOF
-
-  count = "${length(var.kubeconfig_aws_authenticator_env_variables)}"
-
-  vars {
-    value = "${element(values(var.kubeconfig_aws_authenticator_env_variables), count.index)}"
-    key   = "${element(keys(var.kubeconfig_aws_authenticator_env_variables), count.index)}"
-  }
-}
-
-# kubeconfig
-data "template_file" "kubeconfig" {
-  template = "${file("${path.module}/resources/kubernetes/kubeconfig")}"
-
-  vars {
-    kubeconfig_name                   = "${local.kubeconfig_name}"
-    cluster_endpoint                  = "${var.cluster_endpoint}"
-    cluster_auth_base64               = "${var.certificate_authority_data}"
-    aws_authenticator_command         = "${var.kubeconfig_aws_authenticator_command}"
-    aws_authenticator_command_args    = "${length(var.kubeconfig_aws_authenticator_command_args) > 0 ? "        - ${join("\n        - ", var.kubeconfig_aws_authenticator_command_args)}" : "        - ${join("\n        - ", formatlist("\"%s\"", list("token", "-i", var.cluster_name)))}"}"
-    aws_authenticator_additional_args = "${length(var.kubeconfig_aws_authenticator_additional_args) > 0 ? "        - ${join("\n        - ", var.kubeconfig_aws_authenticator_additional_args)}" : ""}"
-    aws_authenticator_env_variables   = "${length(var.kubeconfig_aws_authenticator_env_variables) > 0 ? "      env:\n${join("\n", data.template_file.aws_authenticator_env_variables.*.rendered)}" : ""}"
-  }
-}
-
-data "ignition_file" "kubeconfig" {
-  path       = "${var.kubeconfig_path}/kubeconfig"
-  filesystem = "root"
-  mode       = 0644
-
-  content {
-    content = "${data.template_file.kubeconfig.rendered}"
-  }
-}
\ No newline at end of file
diff --git a/modules/ignitions/eks-kube-config/outputs.tf b/modules/ignitions/eks-kube-config/outputs.tf
deleted file mode 100644
index e5b2e5f8..00000000
--- a/modules/ignitions/eks-kube-config/outputs.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-output "systemd_units" {
-  value = []
-}
-
-
-output "files" {
-  value = [
-    "${data.ignition_file.kubeconfig.id}",
-  ]
-}
-
-output "rendered" {
-  value = "${data.template_file.kubeconfig.rendered}"
-}
\ No newline at end of file
diff --git a/modules/ignitions/eks-kube-config/variables.tf b/modules/ignitions/eks-kube-config/variables.tf
deleted file mode 100644
index 195eee5e..00000000
--- a/modules/ignitions/eks-kube-config/variables.tf
+++ /dev/null
@@ -1,44 +0,0 @@
-variable "cluster_name" {
-  type    = "string"
-}
-
-variable "cluster_endpoint" {
-  type    = "string"
-}
-
-variable "certificate_authority_data" {
-  type        = "string"
-}
-
-variable "kubeconfig_name" {
-  description = "Override the default name used for items kubeconfig."
-  default     = ""
-}
-
-variable "kubeconfig_path" {
-  description = "The kubeconfig path in the worker instance"
-  default     = "/var/lib/kubelet"
-}
-
-variable "kubeconfig_aws_authenticator_env_variables" {
-  description = "Environment variables that should be used when executing the authenticator. e.g. { AWS_PROFILE = \"eks\"}."
-  type        = "map"
-  default     = {}
-}
-
-variable "kubeconfig_aws_authenticator_command" {
-  description = "Command to use to fetch AWS EKS credentials."
-  default     = "aws-iam-authenticator"
-}
-
-variable "kubeconfig_aws_authenticator_command_args" {
-  description = "Default arguments passed to the authenticator command. Defaults to [token -i $cluster_name]."
-  type        = "list"
-  default     = []
-}
-
-variable "kubeconfig_aws_authenticator_additional_args" {
-  description = "Any additional arguments to pass to the authenticator such as the role to assume. e.g. [\"-r\", \"MyEksRole\"]."
-  type        = "list"
-  default     = []
-}
\ No newline at end of file

From fc488ef47be926b064b3fb26d3d7860a8b4d37e4 Mon Sep 17 00:00:00 2001
From: smalltown <smalltown20110306@gmail.com>
Date: Fri, 6 Sep 2019 23:04:50 +0800
Subject: [PATCH 02/11] upgrade elastikube: tf to 0.12, coredns to 1.6.2 ,
 flannel to 0.11.0

---
 examples/eks-cluster/variables.tf             |   2 +-
 examples/elastikube-cluster/main.tf           |  89 ++++----
 examples/elastikube-cluster/outputs.tf        |   4 +-
 examples/elastikube-cluster/providers.tf      |  32 +++
 examples/elastikube-cluster/variables.tf      |  34 +--
 examples/self-signed-etcd-certs/main.tf       |  34 +--
 examples/self-signed-etcd-certs/providers.tf  |  15 ++
 examples/self-signed-etcd-certs/variables.tf  |   7 +-
 modules/aws/container_linux/variables.tf      |   6 +-
 modules/aws/eks-worker/variables.tf           |   2 +-
 modules/aws/eks/variables.tf                  |   2 +-
 modules/aws/elastikube/etcd.tf                |  25 ++-
 modules/aws/elastikube/ign-essential.tf       |  22 +-
 modules/aws/elastikube/main.tf                |  16 --
 modules/aws/elastikube/master.tf              |  96 ++++-----
 modules/aws/elastikube/outputs.tf             |  16 +-
 modules/aws/elastikube/s3.tf                  |   6 +-
 modules/aws/elastikube/variables.tf           | 140 ++++++------
 modules/aws/elastikube/worker-sg.tf           |  24 +--
 modules/aws/elastikube/zone.tf                |  16 +-
 modules/aws/kube-etcd/ami.tf                  |  11 +-
 modules/aws/kube-etcd/certs.tf                |  67 +++---
 modules/aws/kube-etcd/dns.tf                  |  32 +--
 modules/aws/kube-etcd/etcd.tf                 |  40 ++--
 modules/aws/kube-etcd/ign-node-exporter.tf    |   8 +-
 modules/aws/kube-etcd/ignition.tf             |  42 ++--
 modules/aws/kube-etcd/main.tf                 |  12 --
 modules/aws/kube-etcd/outputs.tf              |   8 +-
 modules/aws/kube-etcd/role.tf                 |   8 +-
 modules/aws/kube-etcd/sg.tf                   |  28 +--
 modules/aws/kube-etcd/variables.tf            |  74 +++----
 modules/aws/kube-master/ami.tf                |  11 +-
 modules/aws/kube-master/certs.tf              |  26 +--
 modules/aws/kube-master/ign-control-plane.tf  |  30 +--
 modules/aws/kube-master/ign-kubelet.tf        |  16 +-
 modules/aws/kube-master/ignition.tf           |  30 +--
 modules/aws/kube-master/lb.tf                 |  28 +--
 modules/aws/kube-master/main.tf               |  20 --
 modules/aws/kube-master/master.tf             |  69 +++---
 modules/aws/kube-master/outputs.tf            |   4 +-
 modules/aws/kube-master/role.tf               |  13 +-
 modules/aws/kube-master/s3.tf                 |   4 +-
 modules/aws/kube-master/sg.tf                 |  30 +--
 modules/aws/kube-master/variables.tf          | 127 +++++------
 modules/aws/kube-worker/ami.tf                |  11 +-
 modules/aws/kube-worker/ignition.tf           |  38 ++--
 modules/aws/kube-worker/main.tf               |  20 --
 modules/aws/kube-worker/role.tf               |  12 +-
 modules/aws/kube-worker/variables.tf          |  88 ++++----
 modules/aws/kube-worker/worker.tf             |  68 +++---
 .../aws-iam-auth-master/manifests.tf          |   2 +-
 .../ignitions/aws-iam-auth-master/outputs.tf  |   6 +-
 .../aws-iam-auth-master/provision.tf          |  10 +-
 .../aws-iam-auth-master/variables.tf          |  15 +-
 .../aws-iam-auth-master/webhook-kubeconfig.tf |  14 +-
 modules/ignitions/docker/assets.tf            |  14 +-
 modules/ignitions/docker/outputs.tf           |   2 +-
 modules/ignitions/docker/variables.tf         |   5 +-
 modules/ignitions/etcd/assets.tf              |  24 +--
 modules/ignitions/etcd/certs.tf               |  36 ++--
 modules/ignitions/etcd/outputs.tf             |  16 +-
 .../resources/dropins/40-etcd-cluster.conf    |   7 +-
 modules/ignitions/etcd/variables.tf           |  12 +-
 modules/ignitions/iscsi/assets.tf             |   2 +-
 modules/ignitions/iscsi/outputs.tf            |   2 +-
 modules/ignitions/iscsi/variables.tf          |   3 +-
 .../ignitions/kube-addon-dns/coredns-yaml.tf  |  24 +--
 modules/ignitions/kube-addon-dns/manifests.tf |   2 +-
 modules/ignitions/kube-addon-dns/outputs.tf   |   2 +-
 .../kubernetes/manifests/coredns.yaml         |  67 +++---
 modules/ignitions/kube-addon-dns/variables.tf |  28 +--
 .../kube-flannel-yaml.tf                      |  15 +-
 .../kube-addon-flannel-vxlan/manifests.tf     |   2 +-
 .../kube-addon-flannel-vxlan/outputs.tf       |   2 +-
 .../resources/addon/kube-flannel.yaml         | 202 ++++++++++++++----
 .../kube-addon-flannel-vxlan/variables.tf     |  18 +-
 .../kube-addon-manager/kube-addon.tf          |   8 +-
 .../ignitions/kube-addon-manager/outputs.tf   |   2 +-
 .../ignitions/kube-addon-manager/variables.tf |  14 +-
 .../kube-addon-proxy/kube-proxy-yaml.tf       |  10 +-
 modules/ignitions/kube-addon-proxy/outputs.tf |   2 +-
 .../ignitions/kube-addon-proxy/variables.tf   |  20 +-
 modules/ignitions/kube-audit/manifests.tf     |   2 +-
 modules/ignitions/kube-audit/outputs.tf       |   2 +-
 modules/ignitions/kube-audit/policy-yaml.tf   |  10 +-
 modules/ignitions/kube-audit/variables.tf     |  12 +-
 modules/ignitions/kube-config/kubeconfig.tf   |  24 +--
 modules/ignitions/kube-config/outputs.tf      |   4 +-
 modules/ignitions/kube-config/variables.tf    |  19 +-
 .../kube-control-plane/kube-apiserver-yaml.tf |  55 +++--
 .../kube-controller-manager-yaml.tf           |  24 +--
 .../kube-control-plane/kube-scheduler-yaml.tf |  12 +-
 .../kube-system-rbac-role-binding.tf          |   8 +-
 .../ignitions/kube-control-plane/manifests.tf |   2 +-
 .../ignitions/kube-control-plane/outputs.tf   |  24 +--
 .../ignitions/kube-control-plane/secrets.tf   |  48 ++---
 .../ignitions/kube-control-plane/variables.tf |  67 +++---
 modules/ignitions/kubelet/kubelet-env.tf      |  12 +-
 modules/ignitions/kubelet/kubelet.tf          |  22 +-
 modules/ignitions/kubelet/outputs.tf          |   4 +-
 modules/ignitions/kubelet/variables.tf        |  41 ++--
 modules/ignitions/locksmithd/assets.tf        |   4 +-
 modules/ignitions/locksmithd/outputs.tf       |   2 +-
 modules/ignitions/locksmithd/variables.tf     |   2 +-
 modules/ignitions/max-user-watches/assets.tf  |  10 +-
 modules/ignitions/max-user-watches/outputs.tf |   2 +-
 .../ignitions/max-user-watches/variables.tf   |   4 +-
 .../node-exporter/node-exporter-fetcher.tf    |   8 +-
 .../ignitions/node-exporter/node-exporter.tf  |   6 +-
 modules/ignitions/node-exporter/outputs.tf    |   4 +-
 modules/ignitions/node-exporter/variables.tf  |   7 +-
 modules/ignitions/ntp/assets.tf               |   8 +-
 modules/ignitions/ntp/outputs.tf              |   2 +-
 modules/ignitions/ntp/variables.tf            |   2 +-
 .../ignitions/pod-checkpointer/manifests.tf   |   2 +-
 modules/ignitions/pod-checkpointer/outputs.tf |   2 +-
 .../pod-checkpointer/pod-checkpointer-yaml.tf |  12 +-
 .../ignitions/pod-checkpointer/variables.tf   |  10 +-
 modules/ignitions/tx-off/assets.tf            |   4 +-
 modules/ignitions/tx-off/outputs.tf           |   2 +-
 .../update-ca-certificates/assets.tf          |  10 +-
 .../update-ca-certificates/outputs.tf         |   2 +-
 modules/tls/certificate-authority/ca.tf       |  24 +--
 modules/tls/certificate-authority/main.tf     |  11 -
 modules/tls/certificate-authority/outputs.tf  |   8 +-
 .../tls/certificate-authority/variables.tf    |  17 +-
 modules/tls/certificate/cert.tf               |  36 ++--
 modules/tls/certificate/main.tf               |  11 -
 modules/tls/certificate/outputs.tf            |   4 +-
 modules/tls/certificate/variables.tf          |  18 +-
 modules/tls/private-key/main.tf               |   3 -
 modules/tls/private-key/outputs.tf            |   6 +-
 132 files changed, 1391 insertions(+), 1395 deletions(-)
 create mode 100644 examples/elastikube-cluster/providers.tf
 create mode 100644 examples/self-signed-etcd-certs/providers.tf
 delete mode 100644 modules/aws/elastikube/main.tf
 delete mode 100644 modules/aws/kube-etcd/main.tf
 delete mode 100644 modules/aws/kube-master/main.tf
 delete mode 100644 modules/aws/kube-worker/main.tf
 delete mode 100644 modules/tls/certificate-authority/main.tf
 delete mode 100644 modules/tls/certificate/main.tf
 delete mode 100644 modules/tls/private-key/main.tf

diff --git a/examples/eks-cluster/variables.tf b/examples/eks-cluster/variables.tf
index 58ac6483..366380ed 100644
--- a/examples/eks-cluster/variables.tf
+++ b/examples/eks-cluster/variables.tf
@@ -24,7 +24,7 @@ variable "phase" {
 variable "kubernetes_version" {
   description = "(Optional) Desired Kubernetes master version. If you do not specify a value, the latest available version is used."
   type        = string
-  default     = "1.13"
+  default     = "1.14"
 }
 
 variable "endpoint_public_access" {
diff --git a/examples/elastikube-cluster/main.tf b/examples/elastikube-cluster/main.tf
index da7fdbf9..06555ae1 100644
--- a/examples/elastikube-cluster/main.tf
+++ b/examples/elastikube-cluster/main.tf
@@ -1,12 +1,5 @@
 locals {
   cluster_name = "${var.phase}-${var.project}"
-
-  kubernetes_version = "v1.13.4"
-}
-
-provider "aws" {
-  version = "2.3.0"
-  region  = "${var.aws_region}"
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -15,11 +8,10 @@ provider "aws" {
 
 module "network" {
   source           = "../../modules/aws/network"
-  aws_region       = "${var.aws_region}"
-  bastion_key_name = "${var.key_pair_name}"
-  project          = "${var.project}"
-  phase            = "${var.phase}"
-  extra_tags       = "${var.extra_tags}"
+  bastion_key_name = var.key_pair_name
+  project          = var.project
+  phase            = var.phase
+  extra_tags       = var.extra_tags
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -29,11 +21,10 @@ module "network" {
 module "kubernetes" {
   source = "../../modules/aws/elastikube"
 
-  name               = "${local.cluster_name}"
-  aws_region         = "${var.aws_region}"
-  kubernetes_version = "${local.kubernetes_version}"
-  service_cidr       = "${var.service_cidr}"
-  cluster_cidr       = "${var.cluster_cidr}"
+  name               = local.cluster_name
+  kubernetes_version = var.kubernetes_version
+  service_cidr       = var.service_cidr
+  cluster_cidr       = var.cluster_cidr
 
   etcd_config = {
     instance_count   = "3"
@@ -57,16 +48,16 @@ module "kubernetes" {
   }
 
   hostzone               = "${var.project}.cluster"
-  endpoint_public_access = "${var.endpoint_public_access}"
-  private_subnet_ids     = ["${module.network.private_subnet_ids}"]
-  public_subnet_ids      = ["${module.network.public_subnet_ids}"]
-  ssh_key                = "${var.key_pair_name}"
+  endpoint_public_access = var.endpoint_public_access
+  private_subnet_ids     = module.network.private_subnet_ids
+  public_subnet_ids      = module.network.public_subnet_ids
+  ssh_key                = var.key_pair_name
   reboot_strategy    = "off"
 
-  extra_tags = "${merge(map(
-      "Phase", "${var.phase}",
-      "Project", "${var.project}",
-    ), var.extra_tags)}"
+  extra_tags = merge(map(
+      "Phase", var.phase,
+      "Project", var.project,
+    ), var.extra_tags)
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -76,13 +67,12 @@ module "kubernetes" {
 module "worker_on_demand" {
   source = "../../modules/aws/kube-worker"
 
-  cluster_name       = "${local.cluster_name}"
-  aws_region         = "${var.aws_region}"
-  kubernetes_version = "${local.kubernetes_version}"
-  kube_service_cidr  = "${var.service_cidr}"
+  cluster_name       = local.cluster_name
+  kubernetes_version = var.kubernetes_version
+  kube_service_cidr  = var.service_cidr
 
-  security_group_ids = ["${module.kubernetes.worker_sg_ids}"]
-  subnet_ids         = ["${module.network.private_subnet_ids}"]
+  security_group_ids = module.kubernetes.worker_sg_ids
+  subnet_ids         = module.network.private_subnet_ids
 
   worker_config = {
     name             = "on-demand"
@@ -98,14 +88,14 @@ module "worker_on_demand" {
     spot_instance_pools                      = 1
   }
 
-  s3_bucket = "${module.kubernetes.s3_bucket}"
-  ssh_key   = "${var.key_pair_name}"
+  s3_bucket = module.kubernetes.s3_bucket
+  ssh_key   = var.key_pair_name
 
-  extra_tags = "${merge(map(
-      "Phase", "${var.phase}",
-      "Project", "${var.project}",
-    ), var.extra_tags)}"
-}
+  extra_tags = merge(map(
+      "Phase", var.phase,
+      "Project", var.project,
+    ), var.extra_tags)
+} 
 
 # ---------------------------------------------------------------------------------------------------------------------
 # Worker Node (On Spot Instance)
@@ -114,13 +104,12 @@ module "worker_on_demand" {
 module "worker_spot" {
   source = "../../modules/aws/kube-worker"
 
-  cluster_name       = "${local.cluster_name}"
-  aws_region         = "${var.aws_region}"
-  kubernetes_version = "${local.kubernetes_version}"
-  kube_service_cidr  = "${var.service_cidr}"
+  cluster_name       = local.cluster_name
+  kubernetes_version = var.kubernetes_version
+  kube_service_cidr  = var.service_cidr
 
-  security_group_ids = ["${module.kubernetes.worker_sg_ids}"]
-  subnet_ids         = ["${module.network.private_subnet_ids}"]
+  security_group_ids = module.kubernetes.worker_sg_ids
+  subnet_ids         = module.network.private_subnet_ids
 
   worker_config = {
     name             = "spot"
@@ -136,11 +125,11 @@ module "worker_spot" {
     spot_instance_pools                      = 1
   }
 
-  s3_bucket = "${module.kubernetes.s3_bucket}"
-  ssh_key   = "${var.key_pair_name}"
+  s3_bucket = module.kubernetes.s3_bucket
+  ssh_key   = var.key_pair_name
 
-  extra_tags = "${merge(map(
-      "Phase", "${var.phase}",
-      "Project", "${var.project}",
-    ), var.extra_tags)}"
+  extra_tags = merge(map(
+      "Phase", var.phase,
+      "Project", var.project,
+    ), var.extra_tags)
 }
diff --git a/examples/elastikube-cluster/outputs.tf b/examples/elastikube-cluster/outputs.tf
index a4fa922e..02a8dff9 100644
--- a/examples/elastikube-cluster/outputs.tf
+++ b/examples/elastikube-cluster/outputs.tf
@@ -1,7 +1,7 @@
 output "bastion_public_ip" {
-  value = "${module.network.bastion_public_ip}"
+  value = module.network.bastion_public_ip
 }
 
 output "ignition_s3_bucket" {
-  value = "${module.kubernetes.s3_bucket}"
+  value = module.kubernetes.s3_bucket
 }
diff --git a/examples/elastikube-cluster/providers.tf b/examples/elastikube-cluster/providers.tf
new file mode 100644
index 00000000..e5d8b8dc
--- /dev/null
+++ b/examples/elastikube-cluster/providers.tf
@@ -0,0 +1,32 @@
+terraform {
+  required_version = ">= 0.12.0"
+}
+
+provider "aws" {
+  region  = var.aws_region
+  version = "2.26.0"
+}
+
+provider "external" {
+  version = "1.2.0"
+}
+
+provider "ignition" {
+  version = "1.1.0"
+}
+
+provider "null" {
+  version = "2.1.2"
+}
+
+provider "random" {
+  version = "2.2.0"
+}
+
+provider "template" {
+  version = "2.1.2"
+}
+
+provider "tls" {
+  version = "2.1.0"
+}
\ No newline at end of file
diff --git a/examples/elastikube-cluster/variables.tf b/examples/elastikube-cluster/variables.tf
index 15cc0420..adc93fe1 100644
--- a/examples/elastikube-cluster/variables.tf
+++ b/examples/elastikube-cluster/variables.tf
@@ -1,45 +1,51 @@
 variable "aws_region" {
-  type        = "string"
-  default     = "us-west-2"
   description = "(Optional) The AWS region"
+  type        = string
+  default     = "us-west-2"
 }
 
 variable "service_cidr" {
-  type        = "string"
-  default     = "172.16.0.0/13"
   description = "(Optional) The Kubernetes service CIDR."
+  type        = string
+  default     = "172.16.0.0/13"
 }
 
 variable "cluster_cidr" {
-  type        = "string"
-  default     = "172.24.0.0/13"
   description = "(Optional) The Kubernetes cluster CIDR."
+  type        = string
+  default     = "172.24.0.0/13"
 }
 
 variable "key_pair_name" {
-  type        = "string"
   description = "The ssh key name for all instance, e.g. bastion, master, etcd, worker"
+  type        = string
+}
+
+variable "kubernetes_version" {
+  description = "(Optional) Desired Kubernetes master version. If you do not specify a value, the latest available version is used."
+  type        = string
+  default     = "v1.14.6"
 }
 
 variable "project" {
-  type = "string"
-  default = "elastikube"
   description = "(Optional) project name, used to compose the resource name"  
+  type = string
+  default = "elastikube"
 }
 
 variable "phase" {
-  type = "string"
-  default = "test"
   description = "(Optional) phase name, used to compose the resource name"
+  type        = string
+  default     = "test"
 }
 
 variable "endpoint_public_access" {
-  default = false
   description = "(Optional) kubernetes apiserver endpoint"
+  default     = false
 }
 
 variable "extra_tags" {
-  type        = "map"
-  default     = {}
   description = "Extra AWS tags to be applied to created resources."
+  type        = map(string)
+  default     = {}
 }
diff --git a/examples/self-signed-etcd-certs/main.tf b/examples/self-signed-etcd-certs/main.tf
index e7d6bc4b..4af1815c 100644
--- a/examples/self-signed-etcd-certs/main.tf
+++ b/examples/self-signed-etcd-certs/main.tf
@@ -4,7 +4,7 @@ module "etcd_ca" {
   cert_config = {
     common_name           = "etcd"
     organization          = "etcd"
-    validity_period_hours = "${var.validity_period_hours}"
+    validity_period_hours = var.validity_period_hours
   }
 
   rsa_bits    = 2048
@@ -15,15 +15,15 @@ module "etcd_server_cert" {
   source = "../../modules/tls/certificate"
 
   ca_config = {
-    algorithm = "${module.etcd_ca.algorithm}"
-    key_pem   = "${module.etcd_ca.private_key_pem}"
-    cert_pem  = "${module.etcd_ca.cert_pem}"
+    algorithm = module.etcd_ca.algorithm
+    key_pem   = module.etcd_ca.private_key_pem
+    cert_pem  = module.etcd_ca.cert_pem
   }
 
   cert_config = {
     common_name           = "etcd"
     organization          = "etcd"
-    validity_period_hours = "${var.validity_period_hours}"
+    validity_period_hours = var.validity_period_hours
   }
 
   cert_hostnames = [
@@ -34,8 +34,8 @@ module "etcd_server_cert" {
 
   cert_ip_addresses = [
     "127.0.0.1",
-    "${cidrhost(var.service_cidr, 15)}",
-    "${cidrhost(var.service_cidr, 20)}",
+    cidrhost(var.service_cidr, 15),
+    cidrhost(var.service_cidr, 20),
   ]
 
   cert_uses = ["server_auth"]
@@ -47,15 +47,15 @@ module "etcd_client_cert" {
   source = "../../modules/tls/certificate"
 
   ca_config = {
-    algorithm = "${module.etcd_ca.algorithm}"
-    key_pem   = "${module.etcd_ca.private_key_pem}"
-    cert_pem  = "${module.etcd_ca.cert_pem}"
+    algorithm = module.etcd_ca.algorithm
+    key_pem   = module.etcd_ca.private_key_pem
+    cert_pem  = module.etcd_ca.cert_pem
   }
 
   cert_config = {
     common_name           = "etcd"
     organization          = "etcd"
-    validity_period_hours = "${var.validity_period_hours}"
+    validity_period_hours = var.validity_period_hours
   }
 
   cert_uses = ["client_auth"]
@@ -67,15 +67,15 @@ module "etcd_peer_cert" {
   source = "../../modules/tls/certificate"
 
   ca_config = {
-    algorithm = "${module.etcd_ca.algorithm}"
-    key_pem   = "${module.etcd_ca.private_key_pem}"
-    cert_pem  = "${module.etcd_ca.cert_pem}"
+    algorithm = module.etcd_ca.algorithm
+    key_pem   = module.etcd_ca.private_key_pem
+    cert_pem  = module.etcd_ca.cert_pem
   }
 
   cert_config = {
     common_name           = "etcd"
     organization          = "etcd"
-    validity_period_hours = "${var.validity_period_hours}"
+    validity_period_hours = var.validity_period_hours
   }
 
   cert_hostnames = [
@@ -85,8 +85,8 @@ module "etcd_peer_cert" {
 
   cert_ip_addresses = [
     "127.0.0.1",
-    "${cidrhost(var.service_cidr, 15)}",
-    "${cidrhost(var.service_cidr, 20)}",
+    cidrhost(var.service_cidr, 15),
+    cidrhost(var.service_cidr, 20),
   ]
 
   cert_uses = ["server_auth", "client_auth"]
diff --git a/examples/self-signed-etcd-certs/providers.tf b/examples/self-signed-etcd-certs/providers.tf
new file mode 100644
index 00000000..141b795f
--- /dev/null
+++ b/examples/self-signed-etcd-certs/providers.tf
@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">= 0.12.0"
+}
+
+provider "local" {
+  version = "1.3.0"
+}
+
+provider "template" {
+  version = "2.1.2"
+}
+
+provider "tls" {
+  version = "2.1.0"
+}
\ No newline at end of file
diff --git a/examples/self-signed-etcd-certs/variables.tf b/examples/self-signed-etcd-certs/variables.tf
index 67eb2a35..02c9fbab 100644
--- a/examples/self-signed-etcd-certs/variables.tf
+++ b/examples/self-signed-etcd-certs/variables.tf
@@ -3,17 +3,16 @@ variable "validity_period_hours" {
 Validity period of the self-signed certificates (in hours).
 Default is 3 years.
 EOF
-
-  type = "string"
+  type        = string
 
   // Default is provided only in this case
   // bacause *some* of etcd internal certs are still self-generated and need
   // this variable set
-  default = 26280
+  default     = 26280
 }
 
 variable "service_cidr" {
-  type    = "string"
+  type    = string
   default = "172.16.0.0/16"
 
   description = <<EOF
diff --git a/modules/aws/container_linux/variables.tf b/modules/aws/container_linux/variables.tf
index dc3ca4be..024cffc6 100644
--- a/modules/aws/container_linux/variables.tf
+++ b/modules/aws/container_linux/variables.tf
@@ -1,19 +1,17 @@
 variable "release_channel" {
-  type = string
-
   description = <<EOF
 The Container Linux update channel.
 
 Examples: `stable`, `beta`, `alpha`
 EOF
+  type        = string
 }
 
 variable "release_version" {
-  type = string
-
   description = <<EOF
 The Container Linux version to use. Set to `latest` to select the latest available version for the selected update channel.
 
 Examples: `latest`, `1465.6.0`
 EOF
+  type        = string
 }
diff --git a/modules/aws/eks-worker/variables.tf b/modules/aws/eks-worker/variables.tf
index 4e25d2bf..d453ebc0 100644
--- a/modules/aws/eks-worker/variables.tf
+++ b/modules/aws/eks-worker/variables.tf
@@ -31,7 +31,7 @@ EOF
 
 variable "kubernetes_version" {
   type        = string
-  default     = "1.13"
+  default     = "1.14"
   description = "Desired Kubernetes master version. If you do not specify a value, the latest available version is used."
 }
 
diff --git a/modules/aws/eks/variables.tf b/modules/aws/eks/variables.tf
index 213e4a2a..3523ad64 100644
--- a/modules/aws/eks/variables.tf
+++ b/modules/aws/eks/variables.tf
@@ -35,7 +35,7 @@ variable "project" {
 
 variable "kubernetes_version" {
   type        = string
-  default     = "1.13"
+  default     = "1.14"
   description = "Desired Kubernetes master version. If you do not specify a value, the latest available version is used."
 }
 
diff --git a/modules/aws/elastikube/etcd.tf b/modules/aws/elastikube/etcd.tf
index 74f18da9..2932b69e 100644
--- a/modules/aws/elastikube/etcd.tf
+++ b/modules/aws/elastikube/etcd.tf
@@ -1,21 +1,20 @@
 module "etcd" {
   source = "../../aws/kube-etcd"
 
-  name       = "${var.name}"
-  aws_region = "${var.aws_region}"
+  name        = var.name
+  ssh_key     = var.ssh_key
+  etcd_config = var.etcd_config
 
-  ssh_key     = "${var.ssh_key}"
-  etcd_config = "${var.etcd_config}"
+  subnet_ids                  = var.private_subnet_ids
+  master_security_group_id    = module.master.master_sg_id
+  zone_id                     = aws_route53_zone.private.zone_id
+  s3_bucket                   = aws_s3_bucket.ignition.id
+  reboot_strategy             = var.reboot_strategy
+  certs_validity_period_hours = var.certs_validity_period_hours
 
-  subnet_ids               = ["${var.private_subnet_ids}"]
-  master_security_group_id = "${module.master.master_sg_id}"
-  zone_id                  = "${aws_route53_zone.private.zone_id}"
-  s3_bucket                = "${aws_s3_bucket.ignition.id}"
-  reboot_strategy          = "${var.reboot_strategy}"
+  extra_ignition_file_ids = var.extra_etcd_ignition_file_ids
 
-  extra_ignition_file_ids = "${var.extra_etcd_ignition_file_ids}"
+  extra_ignition_systemd_unit_ids = var.extra_etcd_ignition_systemd_unit_ids
 
-  extra_ignition_systemd_unit_ids = "${var.extra_etcd_ignition_systemd_unit_ids}"
-
-  extra_tags = "${var.extra_tags}"
+  extra_tags = var.extra_tags
 }
diff --git a/modules/aws/elastikube/ign-essential.tf b/modules/aws/elastikube/ign-essential.tf
index 35935ba3..6baa5c00 100644
--- a/modules/aws/elastikube/ign-essential.tf
+++ b/modules/aws/elastikube/ign-essential.tf
@@ -1,3 +1,7 @@
+locals {
+  cluster_dns_ip = cidrhost(var.service_cidr, 10)
+}
+
 # Essential components can be replaced.
 # E.g., You could use your other DNS solution instead of KubeDNS.
 
@@ -10,7 +14,7 @@ module "ignition_kube_addon_manager" {
 
   hyperkube = {
     image_path = "gcr.io/google-containers/hyperkube-amd64"
-    image_tag  = "${var.kubernetes_version}"
+    image_tag  = var.kubernetes_version
   }
 }
 
@@ -21,8 +25,8 @@ module "ignition_kube_addon_manager" {
 module "ignition_kube_addon_dns" {
   source = "../../ignitions/kube-addon-dns"
 
-  reverse_cidrs  = "${var.service_cidr}"
-  cluster_dns_ip = "${local.cluster_dns_ip}"
+  reverse_cidrs  = var.service_cidr
+  cluster_dns_ip = local.cluster_dns_ip
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -32,11 +36,11 @@ module "ignition_kube_addon_dns" {
 module "ignition_kube_addon_proxy" {
   source = "../../ignitions/kube-addon-proxy"
 
-  cluster_cidr = "${var.cluster_cidr}"
+  cluster_cidr = var.cluster_cidr
 
   hyperkube = {
     image_path = "gcr.io/google-containers/hyperkube-amd64"
-    image_tag  = "${var.kubernetes_version}"
+    image_tag  = var.kubernetes_version
   }
 }
 
@@ -46,7 +50,7 @@ module "ignition_kube_addon_proxy" {
 
 resource "aws_security_group_rule" "master_ingress_flannel" {
   type              = "ingress"
-  security_group_id = "${module.master.master_sg_id}"
+  security_group_id = module.master.master_sg_id
 
   protocol  = "udp"
   from_port = 4789
@@ -56,8 +60,8 @@ resource "aws_security_group_rule" "master_ingress_flannel" {
 
 resource "aws_security_group_rule" "master_ingress_flannel_from_worker" {
   type                     = "ingress"
-  security_group_id        = "${module.master.master_sg_id}"
-  source_security_group_id = "${aws_security_group.workers.id}"
+  security_group_id        = module.master.master_sg_id
+  source_security_group_id = aws_security_group.workers.id
 
   protocol  = "udp"
   from_port = 4789
@@ -67,5 +71,5 @@ resource "aws_security_group_rule" "master_ingress_flannel_from_worker" {
 module "ignition_kube_addon_flannel_vxlan" {
   source = "../../ignitions/kube-addon-flannel-vxlan"
 
-  cluster_cidr = "${var.cluster_cidr}"
+  cluster_cidr = var.cluster_cidr
 }
diff --git a/modules/aws/elastikube/main.tf b/modules/aws/elastikube/main.tf
deleted file mode 100644
index 67552d3f..00000000
--- a/modules/aws/elastikube/main.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-provider "aws" {
-  version = "2.3.0"
-  region  = "${var.aws_region}"
-}
-
-provider "template" {
-  version = "1.0.0"
-}
-
-provider "ignition" {
-  version = "~>1.0"
-}
-
-locals {
-  cluster_dns_ip = "${cidrhost(var.service_cidr, 10)}"
-}
diff --git a/modules/aws/elastikube/master.tf b/modules/aws/elastikube/master.tf
index a327d2a1..1a12e11b 100644
--- a/modules/aws/elastikube/master.tf
+++ b/modules/aws/elastikube/master.tf
@@ -1,72 +1,66 @@
 module "master" {
   source = "../../aws/kube-master"
 
-  name       = "${var.name}"
-  aws_region = "${var.aws_region}"
+  name               = var.name
+  ssh_key            = var.ssh_key
+  master_config      = var.master_config
+  role_name          = var.role_name
+  kubernetes_version = var.kubernetes_version
 
-  ssh_key       = "${var.ssh_key}"
-  master_config = "${var.master_config}"
-  role_name     = "${var.role_name}"
-  version       = "${var.kubernetes_version}"
+  security_group_ids = var.security_group_ids
 
-  security_group_ids = [
-    "${var.security_group_ids}"
-  ]
+  lb_security_group_ids       = var.lb_security_group_ids
+  public_subnet_ids           = var.public_subnet_ids
+  private_subnet_ids          = var.private_subnet_ids
+  endpoint_public_access      = var.endpoint_public_access
+  certs_validity_period_hours = var.certs_validity_period_hours
 
-  lb_security_group_ids  = ["${var.lb_security_group_ids}"]
-  public_subnet_ids      = ["${var.public_subnet_ids}"]
-  private_subnet_ids     = ["${var.private_subnet_ids}"]
-  endpoint_public_access = "${var.endpoint_public_access}"
-
-  etcd_endpoints = ["${module.etcd.endpoints}"]
+  etcd_endpoints = module.etcd.endpoints
 
   etcd_certs_config = {
-    ca_cert_pem     = "${module.etcd.ca_cert_pem}"
-    client_key_pem  = "${module.etcd.client_key_pem}"
-    client_cert_pem = "${module.etcd.client_cert_pem}"
+    ca_cert_pem     = module.etcd.ca_cert_pem
+    client_key_pem  = module.etcd.client_key_pem
+    client_cert_pem = module.etcd.client_cert_pem
   }
 
-  kube_service_cidr = "${var.service_cidr}"
-  kube_cluster_cidr = "${var.cluster_cidr}"
+  kube_service_cidr = var.service_cidr
+  kube_cluster_cidr = var.cluster_cidr
 
-  kube_node_labels = [
-    "${compact(concat(
+  kube_node_labels = compact(concat(
         list("node-role.kubernetes.io/master"),
-        var.extra_master_node_labels,
-      ))}",
-  ]
+        var.extra_master_node_labels
+  ))
 
-  kube_node_taints = [
-    "${compact(concat(
+  kube_node_taints = compact(concat(
         list("node-role.kubernetes.io/master=:NoSchedule"),
-        var.extra_master_node_taints,
-      ))}",
-  ]
+        var.extra_master_node_taints
+  ))
+  
 
-  s3_bucket       = "${aws_s3_bucket.ignition.id}"
-  reboot_strategy = "${var.reboot_strategy}"
+  s3_bucket       = aws_s3_bucket.ignition.id
+  reboot_strategy = var.reboot_strategy
 
-  extra_ignition_file_ids = [
-    "${module.ignition_kube_addon_manager.files}",
-    "${module.ignition_kube_addon_dns.files}",
-    "${module.ignition_kube_addon_proxy.files}",
-    "${module.ignition_kube_addon_flannel_vxlan.files}",
-    "${var.extra_ignition_file_ids}"
-  ]
+  extra_ignition_file_ids = compact(concat(
+    module.ignition_kube_addon_manager.files,
+    module.ignition_kube_addon_dns.files,
+    module.ignition_kube_addon_proxy.files,
+    module.ignition_kube_addon_flannel_vxlan.files,
+    var.extra_ignition_file_ids
+  ))
 
-  extra_ignition_systemd_unit_ids = [
-    "${module.ignition_kube_addon_manager.systemd_units}",
-    "${module.ignition_kube_addon_dns.systemd_units}",
-    "${module.ignition_kube_addon_proxy.systemd_units}",
-    "${module.ignition_kube_addon_flannel_vxlan.systemd_units}",
-    "${var.extra_ignition_systemd_unit_ids}"
-  ]
+  extra_ignition_systemd_unit_ids = compact(concat(
+    module.ignition_kube_addon_manager.systemd_units,
+    module.ignition_kube_addon_dns.systemd_units,
+    module.ignition_kube_addon_proxy.systemd_units,
+    module.ignition_kube_addon_flannel_vxlan.systemd_units,
+    var.extra_ignition_systemd_unit_ids
+  ))
 
-  kubelet_flag_extra_flags = "${var.kubelet_flag_extra_flags}"
+  kubelet_flag_extra_flags = var.kubelet_flag_extra_flags
 
-  extra_tags = "${var.extra_tags}"
+  extra_tags = var.extra_tags
 
-  auth_webhook_path = "${var.auth_webhook_path}"
-  audit_policy_path = "${var.audit_policy_path}"
-  audit_log_backend = "${var.audit_log_backend}"
+  auth_webhook_path = var.auth_webhook_path
+  audit_policy_path = var.audit_policy_path
+  audit_log_backend = var.audit_log_backend
 }
diff --git a/modules/aws/elastikube/outputs.tf b/modules/aws/elastikube/outputs.tf
index 282c36f5..3aefac5b 100644
--- a/modules/aws/elastikube/outputs.tf
+++ b/modules/aws/elastikube/outputs.tf
@@ -1,39 +1,39 @@
 output "id" {
-  value       = "${var.name}"
+  value       = var.name
   description = "K8S cluster name"
 }
 
 output "certificate_authority" {
-  value       = "${module.master.certificate_authority}"
+  value       = module.master.certificate_authority
   description = "K8S root CA Cert"
 }
 
 output "endpoint" {
-  value       = "${module.master.endpoint}"
+  value       = module.master.endpoint
   description = "K8S cluster endpoint"
 }
 
 output "version" {
-  value = "${var.kubernetes_version}"
+  value = var.kubernetes_version
   description = "K8S cluster version"
 }
 
 output "vpc_id" {
-  value       = "${local.vpc_id}"
+  value       = local.vpc_id
   description = "The VPC id used by K8S"
 }
 
 output "s3_bucket" {
-  value       = "${aws_s3_bucket.ignition.id}"
+  value       = aws_s3_bucket.ignition.id
   description = "The S3 bucket for storing provision ignition file"
 }
 
 output "master_sg_ids" {
-  value       = ["${module.master.master_sg_id}"]
+  value       = [module.master.master_sg_id]
   description = "The security group which used by K8S master"
 }
 
 output "worker_sg_ids" {
-  value       = ["${aws_security_group.workers.id}"]
+  value       = [aws_security_group.workers.id]
   description = "The security gruop for worker group"
 }
diff --git a/modules/aws/elastikube/s3.tf b/modules/aws/elastikube/s3.tf
index 18b593a2..b1231eaa 100644
--- a/modules/aws/elastikube/s3.tf
+++ b/modules/aws/elastikube/s3.tf
@@ -2,14 +2,14 @@ resource "aws_s3_bucket" "ignition" {
   bucket = "${var.name}-${md5(aws_route53_zone.private.zone_id)}"
   acl    = "private"
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.name}-${md5(aws_route53_zone.private.zone_id)}",
       "kubernetes.io/cluster/${var.name}", "owned",
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 resource "aws_s3_bucket_public_access_block" "ignition" {
-  bucket = "${aws_s3_bucket.ignition.id}"
+  bucket = aws_s3_bucket.ignition.id
 
   block_public_acls       = true
   block_public_policy     = true
diff --git a/modules/aws/elastikube/variables.tf b/modules/aws/elastikube/variables.tf
index 45e9175a..5e5c8e06 100644
--- a/modules/aws/elastikube/variables.tf
+++ b/modules/aws/elastikube/variables.tf
@@ -3,83 +3,73 @@
 // -----------------------------------------
 
 variable "name" {
-  type        = "string"
   description = " (Required) Name of the cluster."
+  type        = string
 }
 
 variable "role_name" {
-  type        = "string"
-  default     = ""
   description = "(Optional) The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf."
+  type        = string
+  default     = ""
 }
 
 variable "security_group_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     (Optional) List of security group IDs for the cross-account elastic network interfaces
     to use to allow communication between your worker nodes and the Kubernetes control plane.
 EOF
+  type       = list(string)
+  default    = []
 }
 
 variable "lb_security_group_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     (Optional) List of security group IDs for the cross-account elastic network interfaces
     to use to allow communication to the kubernetes api server load balancer.
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "public_subnet_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     (Required) List of public subnet IDs. Must be in at least two different availability zones.
     Cross-account elastic network interfaces will be created in these subnets to allow
     communication between your worker nodes and the Kubernetes control plane.
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "private_subnet_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     (Required) List of private subnet IDs. Must be in at least two different availability zones.
     Cross-account elastic network interfaces will be created in these subnets to allow
     communication between your worker nodes and the Kubernetes control plane.
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "endpoint_public_access" {
-  default = false
   description = "(Optional) kubernetes apiserver endpoint"
+  type        = bool
+  default     = false
 }
 
 variable "kubernetes_version" {
-  type        = "string"
-  default     = "v1.13.4"
   description = "(Optional) Desired Kubernetes master version. If you do not specify a value, the latest available version is used."
+  type        = string
+  default     = "v1.14.6"
 }
 
 // -----------------------------------------
 // Extra Arguments
 // -----------------------------------------
-
-variable "aws_region" {
-  type        = "string"
-  default     = "us-east-1"
-  description = "(Optional) The AWS region"
-}
-
 variable "master_config" {
-  type = "map"
-
-  default = {
+  description = "(Optional) Desired master nodes configuration."
+  type        = map(string)
+  default     = {
     instance_count   = "1"
     ec2_type_1       = "t3.medium"
     ec2_type_2       = "t2.medium"
@@ -91,132 +81,140 @@ variable "master_config" {
     on_demand_percentage_above_base_capacity = 100
     spot_instance_pools                      = 1
   }
+}
 
-  description = "(Optional) Desired master nodes configuration."
+variable "certs_validity_period_hours" {
+  description = <<EOF
+    Validity period of the self-signed certificates (in hours). Default is 3 years.
+EOF
+  type        = string
+
+  // Default is provided only in this case
+  // bacause *some* of etcd internal certs are still self-generated and need
+  // this variable set
+  default     = 26280
 }
-variable "etcd_config" {
-  type = "map"
 
-  default = {
+variable "etcd_config" {
+  description = "(Optional) Desired etcd nodes configuration."
+  type        = map(string)
+  default     = {
     instance_count   = "1"
     ec2_type         = "t2.medium"
     root_volume_iops = "100"
     root_volume_size = "256"
     root_volume_type = "gp2"
   }
-
-  description = "(Optional) Desired etcd nodes configuration."
 }
 
 variable "ssh_key" {
-  type        = "string"
-  default     = ""
   description = "The key name that should be used for the instances."
+  type        = string
+  default     = ""
 }
 
 variable "allowed_ssh_cidr" {
-  type        = "list"
-  default     = ["0.0.0.0/0"]
   description = "(Optional) A list of CIDR networks to allow ssh access to. Defaults to \"0.0.0.0/0\""
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
 }
 
 variable "service_cidr" {
-  type        = "string"
-  default     = "172.16.0.0/13"
   description = "(Optional) The Kubernetes service CIDR."
+  type        = string
+  default     = "172.16.0.0/13"
 }
 
 variable "cluster_cidr" {
-  type        = "string"
-  default     = "172.24.0.0/13"
   description = "(Optional) The Kubernetes cluster CIDR."
+  type        = string
+  default     = "172.24.0.0/13"
 }
 
 variable "hostzone" {
-  type        = "string"
-  default     = ""
   description = "(Optional) The cluster private hostname. If not specified, <cluster name>.com will be used."
+  type        = string
+  default     = ""
 }
 
 variable "reboot_strategy" {
-  type    = "string"
-  default = "off"
   description = "(Optional) CoreOS reboot strategies on updates, two option here: etcd-lock or off"
+  type    = string
+  default = "off"
 }
 
 variable "extra_master_node_labels" {
-  type        = "list"
-  default     = []
   description = "(Optional) Labels to add when registering the node in the cluster. Labels must be key=value pairs."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_master_node_taints" {
-  type    = "list"
-  default = []
-
   description = <<EOF
 (Optional) Register the node with the given list of taints ("<key>=<value>:<effect>").
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_etcd_ignition_file_ids" {
-  type        = "list"
-  default     = []
   description = "(Optional) Additional ignition file IDs for etcds. See https://www.terraform.io/docs/providers/ignition/d/file.html for more details."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_etcd_ignition_systemd_unit_ids" {
-  type        = "list"
-  default     = []
   description = "(Optional) Additional ignition systemd unit IDs for etcds. See https://www.terraform.io/docs/providers/ignition/d/systemd_unit.html for more details."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_ignition_file_ids" {
-  type        = "list"
-  default     = []
   description = "(Optional) Additional ignition file IDs for masters. See https://www.terraform.io/docs/providers/ignition/d/file.html for more details."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_ignition_systemd_unit_ids" {
-  type        = "list"
-  default     = []
   description = "(Optional) Additional ignition systemd unit IDs for masters. See https://www.terraform.io/docs/providers/ignition/d/systemd_unit.html for more details."
+  type        = list(string)
+  default     = []
 }
 
 variable "kubelet_flag_extra_flags" {
-  type        = "list"
-  default     = []
   description = "Extra user-provided flags to kubelet."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_tags" {
   description = "(Optional) Extra AWS tags to be applied to the resources."
-  type        = "map"
+  type        = map(string)
   default     = {}
 }
 
 variable "auth_webhook_path" {
-  type        = "string"
-  default     = ""
   description = "(Optional) A path for using customize machine to authenticate to a Kubernetes cluster."
+  type        = string
+  default     = ""
 }
 
 variable "audit_policy_path" {
-  type        = "string"
-  default     = ""
   description = "(Optional) A policy path for Kubernetes apiserver to enable auditing log."
+  type        = string
+  default     = ""
 }
 
 variable "audit_log_backend" {
-  type        = "map"
+  description = <<EOF
+    (Optional) Kubernetes apiserver auditing log backend configuration,
+    there are four parameters: path, maxage, maxbackup, maxsize.
+EOF
+  type        = map(string)
   default     = {
     path      = ""
     maxage    = ""
     maxbackup = ""
     maxsize   = ""
   }
-  description = <<EOF
-    (Optional) Kubernetes apiserver auditing log backend configuration,
-    there are four parameters: path, maxage, maxbackup, maxsize.
-EOF
 }
\ No newline at end of file
diff --git a/modules/aws/elastikube/worker-sg.tf b/modules/aws/elastikube/worker-sg.tf
index 5f149838..4a56b431 100644
--- a/modules/aws/elastikube/worker-sg.tf
+++ b/modules/aws/elastikube/worker-sg.tf
@@ -1,18 +1,18 @@
 resource "aws_security_group" "workers" {
   name_prefix = "${var.name}-worker-"
   description = "Security group for all nodes in the cluster."
-  vpc_id      = "${local.vpc_id}"
+  vpc_id      = local.vpc_id
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.name}-worker",
       "kubernetes.io/cluster/${var.name}", "owned",
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 resource "aws_security_group_rule" "workers_egress_internet" {
   type              = "egress"
   description       = "Allow nodes all egress to the Internet."
-  security_group_id = "${aws_security_group.workers.id}"
+  security_group_id = aws_security_group.workers.id
 
   protocol    = "-1"
   cidr_blocks = ["0.0.0.0/0"]
@@ -23,7 +23,7 @@ resource "aws_security_group_rule" "workers_egress_internet" {
 resource "aws_security_group_rule" "workers_ingress_self" {
   type              = "ingress"
   description       = "Allow node to communicate with each other."
-  security_group_id = "${aws_security_group.workers.id}"
+  security_group_id = aws_security_group.workers.id
 
   protocol  = "-1"
   from_port = 0
@@ -34,8 +34,8 @@ resource "aws_security_group_rule" "workers_ingress_self" {
 resource "aws_security_group_rule" "workers_ingress_cluster" {
   type                     = "ingress"
   description              = "Allow workers Kubelets and pods to receive communication from the cluster control plane."
-  security_group_id        = "${aws_security_group.workers.id}"
-  source_security_group_id = "${module.master.master_sg_id}"
+  security_group_id        = aws_security_group.workers.id
+  source_security_group_id = module.master.master_sg_id
 
   protocol  = "tcp"
   from_port = 1025
@@ -45,10 +45,10 @@ resource "aws_security_group_rule" "workers_ingress_cluster" {
 resource "aws_security_group_rule" "workers_ingress_ssh" {
   type              = "ingress"
   description       = "Allow access from ssh."
-  security_group_id = "${aws_security_group.workers.id}"
+  security_group_id = aws_security_group.workers.id
 
   protocol    = "tcp"
-  cidr_blocks = ["${var.allowed_ssh_cidr}"]
+  cidr_blocks = var.allowed_ssh_cidr
   from_port   = 22
   to_port     = 22
 }
@@ -56,7 +56,7 @@ resource "aws_security_group_rule" "workers_ingress_ssh" {
 resource "aws_security_group_rule" "worker_ingress_flannel" {
   description       = "Allow access from other worker flannel."
   type              = "ingress"
-  security_group_id = "${aws_security_group.workers.id}"
+  security_group_id = aws_security_group.workers.id
 
   protocol  = "udp"
   from_port = 4789
@@ -67,8 +67,8 @@ resource "aws_security_group_rule" "worker_ingress_flannel" {
 resource "aws_security_group_rule" "worker_ingress_flannel_from_master" {
   description              = "Allow access from other master flannel."
   type                     = "ingress"
-  security_group_id        = "${aws_security_group.workers.id}"
-  source_security_group_id = "${module.master.master_sg_id}"
+  security_group_id        = aws_security_group.workers.id
+  source_security_group_id = module.master.master_sg_id
 
   protocol  = "udp"
   from_port = 4789
diff --git a/modules/aws/elastikube/zone.tf b/modules/aws/elastikube/zone.tf
index 69f81da3..29a93453 100644
--- a/modules/aws/elastikube/zone.tf
+++ b/modules/aws/elastikube/zone.tf
@@ -1,21 +1,21 @@
 data "aws_subnet" "subnet" {
-  id = "${var.private_subnet_ids[0]}"
+  id = var.private_subnet_ids[0]
 }
 
 locals {
-  vpc_id            = "${data.aws_subnet.subnet.vpc_id}"
-  private_zone_name = "${coalesce(var.hostzone, format("%s.com", var.name))}"
+  vpc_id            = data.aws_subnet.subnet.vpc_id
+  private_zone_name = coalesce(var.hostzone, format("%s.com", var.name))
 }
 
 resource "aws_route53_zone" "private" {
-  name = "${local.private_zone_name}"
+  name = local.private_zone_name
 
   vpc {
-    vpc_id = "${local.vpc_id}"
+    vpc_id = local.vpc_id
   }
 
-  tags = "${merge(map(
-      "Name", "${local.private_zone_name}",
+  tags = merge(map(
+      "Name", local.private_zone_name,
       "kubernetes.io/cluster/${var.name}", "shared"
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
diff --git a/modules/aws/kube-etcd/ami.tf b/modules/aws/kube-etcd/ami.tf
index 33fdc0b2..807acccf 100644
--- a/modules/aws/kube-etcd/ami.tf
+++ b/modules/aws/kube-etcd/ami.tf
@@ -8,13 +8,13 @@ locals {
 module "container_linux" {
   source = "../container_linux"
 
-  release_channel = "${local.container_linux_channel}"
-  release_version = "${local.container_linux_version}"
+  release_channel = local.container_linux_channel
+  release_version = local.container_linux_version
 }
 
 data "aws_ami" "coreos_ami" {
 
-  owners = ["${local.coreos_account_id}"]
+  owners = [local.coreos_account_id]
 
   filter {
     name   = "name"
@@ -30,9 +30,4 @@ data "aws_ami" "coreos_ami" {
     name   = "virtualization-type"
     values = ["hvm"]
   }
-
-  filter {
-    name   = "owner-id"
-    values = ["${local.coreos_account_id}"]
-  }
 }
diff --git a/modules/aws/kube-etcd/certs.tf b/modules/aws/kube-etcd/certs.tf
index e7975cb0..bb613ba9 100644
--- a/modules/aws/kube-etcd/certs.tf
+++ b/modules/aws/kube-etcd/certs.tf
@@ -1,10 +1,12 @@
+data "aws_region" "current" {}
+
 module "etcd_root_ca" {
   source = "../../tls/certificate-authority"
 
   cert_config = {
     common_name           = "etcd"
     organization          = "etcd"
-    validity_period_hours = "${var.certs_validity_period_hours}"
+    validity_period_hours = var.certs_validity_period_hours
   }
 
   rsa_bits    = 2048
@@ -15,34 +17,39 @@ module "etcd_server_cert" {
   source = "../../tls/certificate"
 
   ca_config = {
-    algorithm = "${module.etcd_root_ca.algorithm}"
-    key_pem   = "${module.etcd_root_ca.private_key_pem}"
-    cert_pem  = "${module.etcd_root_ca.cert_pem}"
+    algorithm = module.etcd_root_ca.algorithm
+    key_pem   = module.etcd_root_ca.private_key_pem
+    cert_pem  = module.etcd_root_ca.cert_pem
   }
 
   cert_config = {
     common_name           = "etcd"
     organization          = "etcd"
-    validity_period_hours = "${var.certs_validity_period_hours}"
+    validity_period_hours = var.certs_validity_period_hours
   }
 
-  cert_hostnames = ["${compact(concat(
+  cert_hostnames = compact(concat(
     list(
       "localhost",
       "*.kube-etcd.kube-system.svc.cluster.local",
       "kube-etcd-client.kube-system.svc.cluster.local",
       local.discovery_service,
       "*.${local.discovery_service}",
+      "*.${data.aws_region.current.name}.compute.internal"
     ),
     var.certs_hostnames,
-  ))}"]
+  ))
 
-  cert_ip_addresses = ["${compact(concat(
+  cert_ip_addresses = compact(concat(
     list("127.0.0.1"),
     var.certs_ip_addresses,
-  ))}"]
+  ))
 
-  cert_uses = ["server_auth"]
+  cert_uses = [
+    "digital_signature",
+    "server_auth",
+    "client_auth"
+  ]
 
   self_signed = true
 }
@@ -51,18 +58,21 @@ module "etcd_client_cert" {
   source = "../../tls/certificate"
 
   ca_config = {
-    algorithm = "${module.etcd_root_ca.algorithm}"
-    key_pem   = "${module.etcd_root_ca.private_key_pem}"
-    cert_pem  = "${module.etcd_root_ca.cert_pem}"
+    algorithm = module.etcd_root_ca.algorithm
+    key_pem   = module.etcd_root_ca.private_key_pem
+    cert_pem  = module.etcd_root_ca.cert_pem
   }
 
   cert_config = {
     common_name           = "etcd"
     organization          = "etcd"
-    validity_period_hours = "${var.certs_validity_period_hours}"
+    validity_period_hours = var.certs_validity_period_hours
   }
 
-  cert_uses = ["client_auth"]
+  cert_uses = [
+    "digital_signature",
+    "client_auth"
+  ]
 
   self_signed = true
 }
@@ -71,33 +81,38 @@ module "etcd_peer_cert" {
   source = "../../tls/certificate"
 
   ca_config = {
-    algorithm = "${module.etcd_root_ca.algorithm}"
-    key_pem   = "${module.etcd_root_ca.private_key_pem}"
-    cert_pem  = "${module.etcd_root_ca.cert_pem}"
+    algorithm = module.etcd_root_ca.algorithm
+    key_pem   = module.etcd_root_ca.private_key_pem
+    cert_pem  = module.etcd_root_ca.cert_pem
   }
 
   cert_config = {
     common_name           = "etcd"
     organization          = "etcd"
-    validity_period_hours = "${var.certs_validity_period_hours}"
+    validity_period_hours = var.certs_validity_period_hours
   }
 
-  cert_hostnames = ["${compact(concat(
+  cert_hostnames = compact(concat(
     list(
       "*.kube-etcd.kube-system.svc.cluster.local",
       "kube-etcd-client.kube-system.svc.cluster.local",
-       local.discovery_service,
-       "*.${local.discovery_service}",
+      local.discovery_service,
+      "*.${local.discovery_service}",
+      "*.${data.aws_region.current.name}.compute.internal"
     ),
     var.certs_hostnames,
-  ))}"]
+  ))
 
-  cert_ip_addresses = ["${compact(concat(
+  cert_ip_addresses = compact(concat(
     list("127.0.0.1"),
     var.certs_ip_addresses,
-  ))}"]
+  ))
 
-  cert_uses = ["server_auth", "client_auth"]
+  cert_uses = [
+    "digital_signature",
+    "server_auth",
+    "client_auth"
+  ]
 
   self_signed = true
 }
diff --git a/modules/aws/kube-etcd/dns.tf b/modules/aws/kube-etcd/dns.tf
index fff42c47..670e86e5 100644
--- a/modules/aws/kube-etcd/dns.tf
+++ b/modules/aws/kube-etcd/dns.tf
@@ -1,51 +1,51 @@
 data "aws_route53_zone" "etcd" {
-  zone_id      = "${var.zone_id}"
+  zone_id      = var.zone_id
   private_zone = true
 }
 
 locals {
-  discovery_service = "${substr(data.aws_route53_zone.etcd.name, 0, length(data.aws_route53_zone.etcd.name) - 1)}"
+  discovery_service = substr(data.aws_route53_zone.etcd.name, 0, length(data.aws_route53_zone.etcd.name) - 1)
 }
 
 data "template_file" "etcd_names" {
-  count    = "${var.etcd_config["instance_count"]}"
+  count    = var.etcd_config["instance_count"]
   template = "ip-${replace(aws_instance.etcd.*.private_ip[count.index], ".", "-")}.${local.discovery_service}"
 }
 
 data "template_file" "etcd_endpoints" {
-  count    = "${var.etcd_config["instance_count"]}"
-  template = "${format("https://%s:%s", data.template_file.etcd_names.*.rendered[count.index], local.client_port)}"
+  count    = var.etcd_config["instance_count"]
+  template = format("https://%s:%s", data.template_file.etcd_names.*.rendered[count.index], local.client_port)
 }
 
 resource "aws_route53_record" "etcd_discovery" {
-  zone_id = "${data.aws_route53_zone.etcd.zone_id}"
-  name    = "${local.discovery_service}"
+  zone_id = data.aws_route53_zone.etcd.zone_id
+  name    = local.discovery_service
   type    = "SRV"
   ttl     = "300"
-  records = ["${formatlist("0 0 %s %s", local.peer_port, data.template_file.etcd_names.*.rendered)}"]
+  records = formatlist("0 0 %s %s", local.peer_port, data.template_file.etcd_names.*.rendered)
 }
 
 resource "aws_route53_record" "etcd_discovery_server_ssl" {
-  zone_id = "${data.aws_route53_zone.etcd.zone_id}"
+  zone_id = data.aws_route53_zone.etcd.zone_id
   name    = "_etcd-server-ssl._tcp.${local.discovery_service}"
   type    = "SRV"
   ttl     = "300"
-  records = ["${formatlist("0 0 %s %s", local.peer_port, data.template_file.etcd_names.*.rendered)}"]
+  records = formatlist("0 0 %s %s", local.peer_port, data.template_file.etcd_names.*.rendered)
 }
 
 resource "aws_route53_record" "etcd_discovery_client_ssl" {
-  zone_id = "${data.aws_route53_zone.etcd.zone_id}"
+  zone_id = data.aws_route53_zone.etcd.zone_id
   name    = "_etcd-client-ssl._tcp.${local.discovery_service}"
   type    = "SRV"
   ttl     = "300"
-  records = ["${formatlist("0 0 %s %s", local.client_port, data.template_file.etcd_names.*.rendered)}"]
+  records = formatlist("0 0 %s %s", local.client_port, data.template_file.etcd_names.*.rendered)
 }
 
 resource "aws_route53_record" "etcd" {
-  count   = "${var.etcd_config["instance_count"]}"
-  zone_id = "${data.aws_route53_zone.etcd.zone_id}"
-  name    = "${data.template_file.etcd_names.*.rendered[count.index]}"
+  count   = var.etcd_config["instance_count"]
+  zone_id = data.aws_route53_zone.etcd.zone_id
+  name    = data.template_file.etcd_names.*.rendered[count.index]
   type    = "A"
   ttl     = "300"
-  records = ["${aws_instance.etcd.*.private_ip[count.index]}"]
+  records = [aws_instance.etcd.*.private_ip[count.index]]
 }
diff --git a/modules/aws/kube-etcd/etcd.tf b/modules/aws/kube-etcd/etcd.tf
index d059858e..9022151c 100644
--- a/modules/aws/kube-etcd/etcd.tf
+++ b/modules/aws/kube-etcd/etcd.tf
@@ -1,28 +1,28 @@
 data "aws_subnet" "subnet" {
-  id = "${var.subnet_ids[0]}"
+  id = var.subnet_ids[0]
 }
 
 locals {
-  vpc_id      = "${data.aws_subnet.subnet.vpc_id}"
+  vpc_id      = data.aws_subnet.subnet.vpc_id
   client_port = 2379
   peer_port   = 2380
 }
 
 resource "aws_instance" "etcd" {
-  count = "${var.etcd_config["instance_count"]}"
+  count = var.etcd_config["instance_count"]
 
-  ami                  = "${data.aws_ami.coreos_ami.image_id}"
-  instance_type        = "${var.etcd_config["ec2_type"]}"
-  key_name             = "${var.ssh_key}"
-  iam_instance_profile = "${aws_iam_instance_profile.etcd.id}"
-  subnet_id            = "${var.subnet_ids[count.index % length(var.subnet_ids)]}"
+  ami                  = data.aws_ami.coreos_ami.image_id
+  instance_type        = var.etcd_config["ec2_type"]
+  key_name             = var.ssh_key
+  iam_instance_profile = aws_iam_instance_profile.etcd.id
+  subnet_id            = var.subnet_ids[count.index % length(var.subnet_ids)]
 
-  vpc_security_group_ids = [
-    "${var.security_group_ids}",
-    "${aws_security_group.etcd.id}",
-  ]
+  vpc_security_group_ids = compact(concat(
+    var.security_group_ids,
+    list(aws_security_group.etcd.id)
+  ))
 
-  user_data = "${data.ignition_config.s3.rendered}"
+  user_data = data.ignition_config.s3.rendered
 
   lifecycle {
     # Ignore changes in the AMI which force recreation of the resource. This
@@ -31,19 +31,19 @@ resource "aws_instance" "etcd" {
     ignore_changes = ["ami"]
   }
 
-  tags = "${merge(map(
+  tags = merge(map(
     "Name", "${var.name}-etcd-${count.index}",
     "kubernetes.io/cluster/${var.name}", "owned",
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 
   root_block_device {
-    volume_type = "${var.etcd_config["root_volume_type"]}"
-    volume_size = "${var.etcd_config["root_volume_size"]}"
-    iops        = "${var.etcd_config["root_volume_type"] == "io1" ? var.etcd_config["root_volume_iops"] : var.etcd_config["root_volume_type"] == "gp2" ? min(10000, max(100, 3 * var.etcd_config["root_volume_size"])) : 0}"
+    volume_type = var.etcd_config["root_volume_type"]
+    volume_size = var.etcd_config["root_volume_size"]
+    iops        = var.etcd_config["root_volume_type"] == "io1" ? var.etcd_config["root_volume_iops"] : var.etcd_config["root_volume_type"] == "gp2" ? min(10000, max(100, 3 * var.etcd_config["root_volume_size"])) : 0
   }
 
-  volume_tags = "${merge(map(
+  volume_tags = merge(map(
     "Name", "${var.name}-etcd-${count.index}-vol",
     "kubernetes.io/cluster/${var.name}", "owned",
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
diff --git a/modules/aws/kube-etcd/ign-node-exporter.tf b/modules/aws/kube-etcd/ign-node-exporter.tf
index 9fcd79e6..94759b2a 100644
--- a/modules/aws/kube-etcd/ign-node-exporter.tf
+++ b/modules/aws/kube-etcd/ign-node-exporter.tf
@@ -4,12 +4,12 @@ locals {
 
 resource "aws_security_group_rule" "ingress_node_exporter_from_worker" {
   type              = "ingress"
-  security_group_id = "${aws_security_group.etcd.id}"
+  security_group_id = aws_security_group.etcd.id
 
   protocol    = "tcp"
-  cidr_blocks = ["${data.aws_vpc.etcd.cidr_block}"]
-  from_port   = "${local.node_exporter_port}"
-  to_port     = "${local.node_exporter_port}"
+  cidr_blocks = [data.aws_vpc.etcd.cidr_block]
+  from_port   = local.node_exporter_port
+  to_port     = local.node_exporter_port
 }
 
 module "ignition_node_exporter" {
diff --git a/modules/aws/kube-etcd/ignition.tf b/modules/aws/kube-etcd/ignition.tf
index 1481f91b..5d2608d6 100644
--- a/modules/aws/kube-etcd/ignition.tf
+++ b/modules/aws/kube-etcd/ignition.tf
@@ -4,7 +4,7 @@ module "ignition_docker" {
 
 module "ignition_locksmithd" {
   source          = "../../ignitions/locksmithd"
-  reboot_strategy = "${var.reboot_strategy}"
+  reboot_strategy = var.reboot_strategy
 }
 
 module "ignition_update_ca_certificates" {
@@ -14,60 +14,60 @@ module "ignition_update_ca_certificates" {
 module "ignition_etcd" {
   source = "../../ignitions/etcd"
 
-  name              = "${var.name}"
-  discovery_service = "${local.discovery_service}"
-  client_port       = "${local.client_port}"
-  peer_port         = "${local.peer_port}"
+  name              = var.name
+  discovery_service = local.discovery_service
+  client_port       = local.client_port
+  peer_port         = local.peer_port
 
   certs_config = {
-    ca_cert_pem     = "${module.etcd_root_ca.cert_pem}"
-    client_key_pem  = "${module.etcd_client_cert.private_key_pem}"
-    client_cert_pem = "${module.etcd_client_cert.cert_pem}"
-    server_key_pem  = "${module.etcd_server_cert.private_key_pem}"
-    server_cert_pem = "${module.etcd_server_cert.cert_pem}"
-    peer_key_pem    = "${module.etcd_peer_cert.private_key_pem}"
-    peer_cert_pem   = "${module.etcd_peer_cert.cert_pem}"
+    ca_cert_pem     = module.etcd_root_ca.cert_pem
+    client_key_pem  = module.etcd_client_cert.private_key_pem
+    client_cert_pem = module.etcd_client_cert.cert_pem
+    server_key_pem  = module.etcd_server_cert.private_key_pem
+    server_cert_pem = module.etcd_server_cert.cert_pem
+    peer_key_pem    = module.etcd_peer_cert.private_key_pem
+    peer_cert_pem   = module.etcd_peer_cert.cert_pem
   }
 }
 
 data "ignition_config" "main" {
-  files = ["${compact(concat(
+  files = compact(concat(
     module.ignition_docker.files,
     module.ignition_locksmithd.files,
     module.ignition_update_ca_certificates.files,
     module.ignition_etcd.files,
     module.ignition_node_exporter.files,
     var.extra_ignition_file_ids
-  ))}"]
+  ))
 
-  systemd = ["${compact(concat(
+  systemd = compact(concat(
     module.ignition_docker.systemd_units,
     module.ignition_locksmithd.systemd_units,
     module.ignition_update_ca_certificates.systemd_units,
     module.ignition_etcd.systemd_units,
     module.ignition_node_exporter.systemd_units,
     var.extra_ignition_systemd_unit_ids
-  ))}"]
+  ))
 }
 
 resource "aws_s3_bucket_object" "ignition" {
-  bucket  = "${var.s3_bucket}"
+  bucket  = var.s3_bucket
   key     = "ign-etcd-${var.name}.json"
-  content = "${data.ignition_config.main.rendered}"
+  content = data.ignition_config.main.rendered
   acl     = "private"
 
   server_side_encryption = "AES256"
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "ign-etcd-${var.name}.json",
       "Role", "etcd",
       "kubernetes.io/cluster/${var.name}", "owned",
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 data "ignition_config" "s3" {
   replace {
-    source       = "${format("s3://%s/%s", var.s3_bucket, aws_s3_bucket_object.ignition.key)}"
+    source       = format("s3://%s/%s", var.s3_bucket, aws_s3_bucket_object.ignition.key)
     verification = "sha512-${sha512(data.ignition_config.main.rendered)}"
   }
 }
diff --git a/modules/aws/kube-etcd/main.tf b/modules/aws/kube-etcd/main.tf
deleted file mode 100644
index 74085b59..00000000
--- a/modules/aws/kube-etcd/main.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# Configuration
-# ---------------------------------------------------------------------------------------------------------------------
-
-provider "aws" {
-  version = "2.3.0"
-  region  = "${var.aws_region}"
-}
-
-provider "template" {
-  version = "1.0.0"
-}
diff --git a/modules/aws/kube-etcd/outputs.tf b/modules/aws/kube-etcd/outputs.tf
index 4f51dc14..c2995894 100644
--- a/modules/aws/kube-etcd/outputs.tf
+++ b/modules/aws/kube-etcd/outputs.tf
@@ -1,18 +1,18 @@
 output "endpoints" {
-  value = ["${data.template_file.etcd_endpoints.*.rendered}"]
+  value = data.template_file.etcd_endpoints.*.rendered
 }
 
 output "ca_cert_pem" {
-  value     = "${module.etcd_root_ca.cert_pem}"
+  value     = module.etcd_root_ca.cert_pem
   sensitive = true
 }
 
 output "client_cert_pem" {
-  value     = "${module.etcd_client_cert.cert_pem}"
+  value     = module.etcd_client_cert.cert_pem
   sensitive = true
 }
 
 output "client_key_pem" {
-  value     = "${module.etcd_client_cert.private_key_pem}"
+  value     = module.etcd_client_cert.private_key_pem
   sensitive = true
 }
diff --git a/modules/aws/kube-etcd/role.tf b/modules/aws/kube-etcd/role.tf
index 7da32481..dece4515 100644
--- a/modules/aws/kube-etcd/role.tf
+++ b/modules/aws/kube-etcd/role.tf
@@ -15,12 +15,12 @@ data "aws_iam_policy_document" "default" {
 
 resource "aws_iam_role" "etcd" {
   name_prefix        = "${var.name}-etcd-"
-  assume_role_policy = "${data.aws_iam_policy_document.default.json}"
+  assume_role_policy = data.aws_iam_policy_document.default.json
 }
 
 resource "aws_iam_instance_profile" "etcd" {
   name = "${var.name}-etcd"
-  role = "${aws_iam_role.etcd.name}"
+  role = aws_iam_role.etcd.name
 }
 
 resource "aws_iam_policy" "etcd" {
@@ -45,6 +45,6 @@ EOF
 }
 
 resource "aws_iam_role_policy_attachment" "etcd" {
-  policy_arn = "${aws_iam_policy.etcd.arn}"
-  role       = "${aws_iam_role.etcd.name}"
+  policy_arn = aws_iam_policy.etcd.arn
+  role       = aws_iam_role.etcd.name
 }
diff --git a/modules/aws/kube-etcd/sg.tf b/modules/aws/kube-etcd/sg.tf
index c4c9f55e..faa355b0 100644
--- a/modules/aws/kube-etcd/sg.tf
+++ b/modules/aws/kube-etcd/sg.tf
@@ -1,19 +1,19 @@
 data "aws_vpc" "etcd" {
-  id = "${local.vpc_id}"
+  id = local.vpc_id
 }
 
 resource "aws_security_group" "etcd" {
   name_prefix = "${var.name}-etcd-"
-  vpc_id      = "${local.vpc_id}"
+  vpc_id      = local.vpc_id
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.name}-etcd",
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 resource "aws_security_group_rule" "etcd_egress" {
   type              = "egress"
-  security_group_id = "${aws_security_group.etcd.id}"
+  security_group_id = aws_security_group.etcd.id
 
   from_port   = 0
   to_port     = 0
@@ -23,30 +23,30 @@ resource "aws_security_group_rule" "etcd_egress" {
 
 resource "aws_security_group_rule" "etcd_ingress" {
   type              = "ingress"
-  security_group_id = "${aws_security_group.etcd.id}"
+  security_group_id = aws_security_group.etcd.id
 
   protocol  = "tcp"
-  from_port = "${min(local.peer_port, local.client_port)}"
-  to_port   = "${max(local.peer_port, local.client_port)}"
+  from_port = min(local.peer_port, local.client_port)
+  to_port   = max(local.peer_port, local.client_port)
   self      = true
 }
 
 resource "aws_security_group_rule" "etcd_ingress_from_master" {
   type                     = "ingress"
-  security_group_id        = "${aws_security_group.etcd.id}"
-  source_security_group_id = "${var.master_security_group_id}"
+  security_group_id        = aws_security_group.etcd.id
+  source_security_group_id = var.master_security_group_id
 
   protocol  = "tcp"
-  from_port = "${local.client_port}"
-  to_port   = "${local.client_port}"
+  from_port = local.client_port
+  to_port   = local.client_port
 }
 
 resource "aws_security_group_rule" "etcd_ssh" {
   type              = "ingress"
-  security_group_id = "${aws_security_group.etcd.id}"
+  security_group_id = aws_security_group.etcd.id
 
   protocol    = "tcp"
-  cidr_blocks = ["${data.aws_vpc.etcd.cidr_block}"]
+  cidr_blocks = [data.aws_vpc.etcd.cidr_block]
   from_port   = 22
   to_port     = 22
 }
diff --git a/modules/aws/kube-etcd/variables.tf b/modules/aws/kube-etcd/variables.tf
index 43fbb2b2..e410fb90 100644
--- a/modules/aws/kube-etcd/variables.tf
+++ b/modules/aws/kube-etcd/variables.tf
@@ -1,131 +1,115 @@
-variable "aws_region" {
-  type        = "string"
-  default     = "us-east-1"
-  description = "(Optional) The AWS region"
-}
-
 variable "name" {
-  type        = "string"
   description = " (Required) Name of the etcd cluster."
+  type        = string
 }
 
 variable "master_security_group_id" {
-  type = "string"
-
   description = <<EOF
     (Required) Main security group ID to use to allow communication between your etcd nodes
     and the Kubernetes control plane.
 EOF
+  type        = string
 }
 
 variable "security_group_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     (Optional) List of security group IDs for the cross-account elastic network interfaces
     to use to allow communication between your etcd nodes and the Kubernetes control plane.
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "subnet_ids" {
-  type = "list"
-
   description = <<EOF
     (Required) List of subnet IDs. Must be in at least two different availability zones.
     Cross-account elastic network interfaces will be created in these subnets to allow
     communication between your etcd nodes and the Kubernetes control plane.
 EOF
+  type        = list(string)
 }
 
 variable "zone_id" {
-  type = "string"
-
   description = <<EOF
     (Required) The ID of a private Route53 hosted zone.
 EOF
+  type        = string
 }
 
 variable "certs_hostnames" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     (Optional) This declares the hostnames to be used in the certificates.
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "certs_ip_addresses" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     (Optional) This declares the IP addresses to be used in the certificates.
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "certs_validity_period_hours" {
-  type = "string"
+  description = <<EOF
+    Validity period of the self-signed certificates (in hours). Default is 3 years.
+EOF
+  type        = string
 
   // Default is provided only in this case
   // bacause *some* of etcd internal certs are still self-generated and need
   // this variable set
-  default = 26280
-
-  description = <<EOF
-    Validity period of the self-signed certificates (in hours). Default is 3 years.
-EOF
+  default     = 26280
 }
 
 variable "etcd_config" {
-  type = "map"
-
-  default = {
+  description = "(Optional) Desired etcd nodes configuration."
+  type        = map(string)
+  default     = {
     instance_count   = "1"
     ec2_type         = "t2.medium"
     root_volume_iops = "100"
     root_volume_size = "256"
     root_volume_type = "gp2"
   }
-
-  description = "(Optional) Desired etcd nodes configuration."
 }
 
 variable "ssh_key" {
-  type        = "string"
-  default     = ""
   description = "The key name that should be used for the instances."
+  type        = string
+  default     = ""
 }
 
 variable "s3_bucket" {
-  type    = "string"
-  default = ""
-
   description = <<EOF
     (Optional) Unique name under which the Amazon S3 bucket will be created. Bucket name must start with a lower case name and is limited to 63 characters.
     If name is not provided the installer will construct the name using "name" and current AWS region.
 EOF
+  type        = string
+  default     = ""
 }
 
 variable "reboot_strategy" {
-  type    = "string"
   description = "(Optional) CoreOS reboot strategies on updates, two option here: etcd-lock or off"
+  type        = string
 }
 
 variable "extra_ignition_file_ids" {
-  type        = "list"
-  default     = []
   description = "(Optional) Additional ignition file IDs. See https://www.terraform.io/docs/providers/ignition/d/file.html for more details."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_ignition_systemd_unit_ids" {
-  type        = "list"
-  default     = []
   description = "(Optional) Additional ignition systemd unit IDs. See https://www.terraform.io/docs/providers/ignition/d/systemd_unit.html for more details."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_tags" {
-  type        = "map"
-  default     = {}
   description = "Extra AWS tags to be applied to created resources."
+  type        = map(string)
+  default     = {}
 }
diff --git a/modules/aws/kube-master/ami.tf b/modules/aws/kube-master/ami.tf
index 33fdc0b2..807acccf 100644
--- a/modules/aws/kube-master/ami.tf
+++ b/modules/aws/kube-master/ami.tf
@@ -8,13 +8,13 @@ locals {
 module "container_linux" {
   source = "../container_linux"
 
-  release_channel = "${local.container_linux_channel}"
-  release_version = "${local.container_linux_version}"
+  release_channel = local.container_linux_channel
+  release_version = local.container_linux_version
 }
 
 data "aws_ami" "coreos_ami" {
 
-  owners = ["${local.coreos_account_id}"]
+  owners = [local.coreos_account_id]
 
   filter {
     name   = "name"
@@ -30,9 +30,4 @@ data "aws_ami" "coreos_ami" {
     name   = "virtualization-type"
     values = ["hvm"]
   }
-
-  filter {
-    name   = "owner-id"
-    values = ["${local.coreos_account_id}"]
-  }
 }
diff --git a/modules/aws/kube-master/certs.tf b/modules/aws/kube-master/certs.tf
index 6b79ef64..9cdb718f 100644
--- a/modules/aws/kube-master/certs.tf
+++ b/modules/aws/kube-master/certs.tf
@@ -4,7 +4,7 @@ module "kube_root_ca" {
   cert_config = {
     common_name           = "kubernetes"
     organization          = "kubernetes"
-    validity_period_hours = "${var.certs_validity_period_hours}"
+    validity_period_hours = var.certs_validity_period_hours
   }
 
   rsa_bits    = 2048
@@ -15,18 +15,18 @@ module "kube_api_server_cert" {
   source = "../../tls/certificate"
 
   ca_config = {
-    algorithm = "${module.kube_root_ca.algorithm}"
-    key_pem   = "${module.kube_root_ca.private_key_pem}"
-    cert_pem  = "${module.kube_root_ca.cert_pem}"
+    algorithm = module.kube_root_ca.algorithm
+    key_pem   = module.kube_root_ca.private_key_pem
+    cert_pem  = module.kube_root_ca.cert_pem
   }
 
   cert_config = {
     common_name           = "kube-apiserver"
     organization          = "kube-master"
-    validity_period_hours = "${var.certs_validity_period_hours}"
+    validity_period_hours = var.certs_validity_period_hours
   }
 
-  cert_hostnames = ["${compact(concat(
+  cert_hostnames = compact(concat(
     list(
       "localhost",
       "kubernetes",
@@ -35,14 +35,14 @@ module "kube_api_server_cert" {
       "kubernetes.default.svc.cluster.local",
       aws_elb.master_internal.dns_name,
     ),
-  ))}"]
+  ))
 
-  cert_ip_addresses = ["${compact(concat(
+  cert_ip_addresses = compact(concat(
     list(
       "127.0.0.1",
       "${cidrhost(var.kube_service_cidr, 1)}",
     ),
-  ))}"]
+  ))
 
   cert_uses = [
     "key_encipherment",
@@ -58,15 +58,15 @@ module "kube_kubelet_cert" {
   source = "../../tls/certificate"
 
   ca_config = {
-    algorithm = "${module.kube_root_ca.algorithm}"
-    key_pem   = "${module.kube_root_ca.private_key_pem}"
-    cert_pem  = "${module.kube_root_ca.cert_pem}"
+    algorithm = module.kube_root_ca.algorithm
+    key_pem   = module.kube_root_ca.private_key_pem
+    cert_pem  = module.kube_root_ca.cert_pem
   }
 
   cert_config = {
     common_name           = "kubelet"
     organization          = "system:masters"
-    validity_period_hours = "${var.certs_validity_period_hours}"
+    validity_period_hours = var.certs_validity_period_hours
   }
 
   cert_uses = [
diff --git a/modules/aws/kube-master/ign-control-plane.tf b/modules/aws/kube-master/ign-control-plane.tf
index 548f8bef..1237f1ff 100644
--- a/modules/aws/kube-master/ign-control-plane.tf
+++ b/modules/aws/kube-master/ign-control-plane.tf
@@ -1,9 +1,9 @@
 resource "aws_security_group_rule" "master_ingress" {
   type              = "ingress"
-  security_group_id = "${local.master_sg_id}"
+  security_group_id = local.master_sg_id
 
   protocol    = "tcp"
-  cidr_blocks = ["${data.aws_vpc.master.cidr_block}"]
+  cidr_blocks = [data.aws_vpc.master.cidr_block]
   from_port   = 443
   to_port     = 443
 }
@@ -12,29 +12,29 @@ module "ignition_kube_control_plane" {
   source = "../../ignitions/kube-control-plane"
 
   kube_certs = {
-    ca_cert_pem        = "${module.kube_root_ca.cert_pem}"
-    apiserver_key_pem  = "${module.kube_api_server_cert.private_key_pem}"
-    apiserver_cert_pem = "${module.kube_api_server_cert.cert_pem}"
+    ca_cert_pem        = module.kube_root_ca.cert_pem
+    apiserver_key_pem  = module.kube_api_server_cert.private_key_pem
+    apiserver_cert_pem = module.kube_api_server_cert.cert_pem
   }
 
   etcd_certs = {
-    ca_cert_pem     = "${var.etcd_certs_config["ca_cert_pem"]}"
-    client_key_pem  = "${var.etcd_certs_config["client_key_pem"]}"
-    client_cert_pem = "${var.etcd_certs_config["client_cert_pem"]}"
+    ca_cert_pem     = var.etcd_certs_config["ca_cert_pem"]
+    client_key_pem  = var.etcd_certs_config["client_key_pem"]
+    client_cert_pem = var.etcd_certs_config["client_cert_pem"]
   }
 
   etcd_config = {
-    endpoints = "${join(",", var.etcd_endpoints)}"
+    endpoints = join(",", var.etcd_endpoints)
   }
 
   apiserver_config = {
     anonymous_auth    = false
     advertise_address = "0.0.0.0"
-    auth_webhook_path = "${var.auth_webhook_path}"
-    audit_policy_path = "${var.audit_policy_path}"
+    auth_webhook_path = var.auth_webhook_path
+    audit_policy_path = var.audit_policy_path
   }
 
-  audit_log_backend = "${var.audit_log_backend}"
+  audit_log_backend = var.audit_log_backend
 
   cloud_provider = {
     name   = "aws"
@@ -44,12 +44,12 @@ module "ignition_kube_control_plane" {
   cluster_config = {
     node_monitor_grace_period = "40s"
     pod_eviction_timeout      = "5m"
-    service_cidr              = "${var.kube_service_cidr}"
-    pod_cidr                  = "${var.kube_cluster_cidr}"
+    service_cidr              = var.kube_service_cidr
+    pod_cidr                  = var.kube_cluster_cidr
   }
 
   hyperkube = {
     image_path = "gcr.io/google-containers/hyperkube-amd64"
-    image_tag  = "${var.kubernetes_version}"
+    image_tag  = var.kubernetes_version
   }
 }
diff --git a/modules/aws/kube-master/ign-kubelet.tf b/modules/aws/kube-master/ign-kubelet.tf
index 07584c95..22318745 100644
--- a/modules/aws/kube-master/ign-kubelet.tf
+++ b/modules/aws/kube-master/ign-kubelet.tf
@@ -1,6 +1,6 @@
 resource "aws_security_group_rule" "master_ingress_kubelet_secure" {
   type              = "ingress"
-  security_group_id = "${local.master_sg_id}"
+  security_group_id = local.master_sg_id
 
   protocol  = "tcp"
   from_port = 10255
@@ -10,10 +10,10 @@ resource "aws_security_group_rule" "master_ingress_kubelet_secure" {
 
 resource "aws_security_group_rule" "master_ingress_kubelet_secure_from_worker" {
   type              = "ingress"
-  security_group_id = "${local.master_sg_id}"
+  security_group_id = local.master_sg_id
 
   protocol    = "tcp"
-  cidr_blocks = ["${data.aws_vpc.master.cidr_block}"]
+  cidr_blocks = [data.aws_vpc.master.cidr_block]
   from_port   = 10255
   to_port     = 10255
 }
@@ -22,13 +22,13 @@ module "ignition_kubelet" {
   source = "../../ignitions/kubelet"
 
   kubelet_flag_cloud_provider       = "aws"
-  kubelet_flag_cluster_dns          = "${local.cluster_dns_ip}"
-  kubelet_flag_node_labels          = "${join(",", var.kube_node_labels)}"
-  kubelet_flag_register_with_taints = "${join(",", var.kube_node_taints)}"
-  kubelet_flag_extra_flags          = "${var.kubelet_flag_extra_flags}"
+  kubelet_flag_cluster_dns          = local.cluster_dns_ip
+  kubelet_flag_node_labels          = join(",", var.kube_node_labels)
+  kubelet_flag_register_with_taints = join(",", var.kube_node_taints)
+  kubelet_flag_extra_flags          = var.kubelet_flag_extra_flags
 
   hyperkube = {
     image_path = "gcr.io/google-containers/hyperkube-amd64"
-    image_tag  = "${var.kubernetes_version}"
+    image_tag  = var.kubernetes_version
   }
 }
diff --git a/modules/aws/kube-master/ignition.tf b/modules/aws/kube-master/ignition.tf
index f91ebffa..dc557cc2 100644
--- a/modules/aws/kube-master/ignition.tf
+++ b/modules/aws/kube-master/ignition.tf
@@ -1,5 +1,5 @@
 locals {
-  cluster_dns_ip = "${cidrhost(var.kube_service_cidr, 10)}"
+  cluster_dns_ip = cidrhost(var.kube_service_cidr, 10)
 }
 
 module "ignition_docker" {
@@ -8,7 +8,7 @@ module "ignition_docker" {
 
 module "ignition_locksmithd" {
   source          = "../../ignitions/locksmithd"
-  reboot_strategy = "${var.reboot_strategy}"
+  reboot_strategy = var.reboot_strategy
 }
 
 module "ignition_update_ca_certificates" {
@@ -18,18 +18,18 @@ module "ignition_update_ca_certificates" {
 module "ignition_kube_config" {
   source = "../../ignitions/kube-config"
 
-  cluster_name        = "${var.name}"
+  cluster_name        = var.name
   api_server_endpoint = "https://${aws_elb.master_internal.dns_name}"
 
   kube_certs = {
-    ca_cert_pem      = "${module.kube_root_ca.cert_pem}"
-    kubelet_key_pem  = "${module.kube_kubelet_cert.private_key_pem}"
-    kubelet_cert_pem = "${module.kube_kubelet_cert.cert_pem}"
+    ca_cert_pem      = module.kube_root_ca.cert_pem
+    kubelet_key_pem  = module.kube_kubelet_cert.private_key_pem
+    kubelet_cert_pem = module.kube_kubelet_cert.cert_pem
   }
 }
 
 data "ignition_config" "main" {
-  files = ["${compact(concat(
+  files = compact(concat(
     module.ignition_docker.files,
     module.ignition_locksmithd.files,
     module.ignition_kube_control_plane.files,
@@ -37,9 +37,9 @@ data "ignition_config" "main" {
     module.ignition_kubelet.files,
     module.ignition_kube_config.files,
     var.extra_ignition_file_ids,
-  ))}"]
+  ))
 
-  systemd = ["${compact(concat(
+  systemd = compact(concat(
     module.ignition_docker.systemd_units,
     module.ignition_locksmithd.systemd_units,
     module.ignition_kube_control_plane.systemd_units,
@@ -47,27 +47,27 @@ data "ignition_config" "main" {
     module.ignition_kubelet.systemd_units,
     module.ignition_kube_config.systemd_units,
     var.extra_ignition_systemd_unit_ids,
-  ))}"]
+  ))
 }
 
 resource "aws_s3_bucket_object" "ignition" {
-  bucket  = "${var.s3_bucket}"
+  bucket  = var.s3_bucket
   key     = "ign-master-${var.name}.json"
-  content = "${data.ignition_config.main.rendered}"
+  content = data.ignition_config.main.rendered
   acl     = "private"
 
   server_side_encryption = "AES256"
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "ign-master-${var.name}.json",
       "Role", "master",
       "kubernetes.io/cluster/${var.name}", "owned",
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 data "ignition_config" "s3" {
   replace {
-    source       = "${format("s3://%s/%s", var.s3_bucket, aws_s3_bucket_object.ignition.key)}"
+    source       = format("s3://%s/%s", var.s3_bucket, aws_s3_bucket_object.ignition.key)
     verification = "sha512-${sha512(data.ignition_config.main.rendered)}"
   }
 }
diff --git a/modules/aws/kube-master/lb.tf b/modules/aws/kube-master/lb.tf
index a52309a4..424dec09 100644
--- a/modules/aws/kube-master/lb.tf
+++ b/modules/aws/kube-master/lb.tf
@@ -1,12 +1,12 @@
 resource "aws_elb" "master_internal" {
   name     = "${var.name}-master"
-  subnets  = ["${split(",", var.endpoint_public_access == true ? join(",", var.public_subnet_ids) : join(",", var.private_subnet_ids))}"]
-  internal = "${var.endpoint_public_access == true ? false : true }"
+  subnets  = split(",", var.endpoint_public_access == true ? join(",", var.public_subnet_ids) : join(",", var.private_subnet_ids))
+  internal = var.endpoint_public_access == true ? false : true
 
-  security_groups = [
-    "${aws_security_group.master_lb.id}",
-    "${var.lb_security_group_ids}",
-  ]
+  security_groups = compact(concat(
+    list(aws_security_group.master_lb.id),
+    var.lb_security_group_ids
+  ))
 
   idle_timeout                = 3600
   connection_draining         = true
@@ -27,25 +27,25 @@ resource "aws_elb" "master_internal" {
     interval            = 5
   }
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.name}-master",
       "kubernetes.io/cluster/${var.name}", "owned",
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 resource "aws_security_group" "master_lb" {
   name_prefix = "${var.name}-master-lb-"
-  vpc_id      = "${data.aws_vpc.master.id}"
+  vpc_id      = data.aws_vpc.master.id
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.name}-master-lb",
       "kubernetes.io/cluster/${var.name}", "owned",
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 resource "aws_security_group_rule" "master_lb_egress" {
   type              = "egress"
-  security_group_id = "${aws_security_group.master_lb.id}"
+  security_group_id = aws_security_group.master_lb.id
 
   protocol    = "-1"
   cidr_blocks = ["0.0.0.0/0"]
@@ -55,10 +55,10 @@ resource "aws_security_group_rule" "master_lb_egress" {
 
 resource "aws_security_group_rule" "master_lb_ingress_from_internal" {
   type              = "ingress"
-  security_group_id = "${aws_security_group.master_lb.id}"
+  security_group_id = aws_security_group.master_lb.id
 
   protocol    = "tcp"
-  cidr_blocks = ["${ var.endpoint_public_access == true ? "0.0.0.0/0" : data.aws_vpc.master.cidr_block}"]
+  cidr_blocks = [var.endpoint_public_access == true ? "0.0.0.0/0" : data.aws_vpc.master.cidr_block]
   from_port   = 443
   to_port     = 443
 }
diff --git a/modules/aws/kube-master/main.tf b/modules/aws/kube-master/main.tf
deleted file mode 100644
index 055e0212..00000000
--- a/modules/aws/kube-master/main.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# Configuration
-# ---------------------------------------------------------------------------------------------------------------------
-
-provider "aws" {
-  version = "2.3.0"
-  region  = "${var.aws_region}"
-}
-
-provider "template" {
-  version = "1.0.0"
-}
-
-provider "ignition" {
-  version = "1.0.0"
-}
-
-provider "null" {
-  version = "1.0.0"
-}
diff --git a/modules/aws/kube-master/master.tf b/modules/aws/kube-master/master.tf
index ee37bc28..4e9e0fea 100644
--- a/modules/aws/kube-master/master.tf
+++ b/modules/aws/kube-master/master.tf
@@ -1,56 +1,56 @@
 data "aws_subnet" "subnet" {
-  id = "${var.private_subnet_ids[0]}"
+  id = var.private_subnet_ids[0]
 }
 
 locals {
-  vpc_id = "${data.aws_subnet.subnet.vpc_id}"
+  vpc_id = data.aws_subnet.subnet.vpc_id
 
-  extra_tags_keys   = "${keys(var.extra_tags)}"
-  extra_tags_values = "${values(var.extra_tags)}"
+  extra_tags_keys   = keys(var.extra_tags)
+  extra_tags_values = values(var.extra_tags)
 }
 
 data "null_data_source" "tags" {
-  count = "${length(keys(var.extra_tags))}"
+  count = length(keys(var.extra_tags))
 
   inputs = {
-    key                 = "${local.extra_tags_keys[count.index]}"
-    value               = "${local.extra_tags_values[count.index]}"
+    key                 = local.extra_tags_keys[count.index]
+    value               = local.extra_tags_values[count.index]
     propagate_at_launch = true
   }
 }
 
 resource "aws_autoscaling_group" "master" {
   name_prefix          = "${var.name}-master-"
-  desired_capacity     = "${var.master_config["instance_count"]}"
-  max_size             = "${var.master_config["instance_count"] * 3}"
-  min_size             = "${var.master_config["instance_count"]}"
-  vpc_zone_identifier  = ["${var.private_subnet_ids}"]
-  load_balancers       = ["${aws_elb.master_internal.id}"]
+  desired_capacity     = var.master_config["instance_count"]
+  max_size             = var.master_config["instance_count"] * 3
+  min_size             = var.master_config["instance_count"]
+  vpc_zone_identifier  = var.private_subnet_ids
+  load_balancers       = [aws_elb.master_internal.id]
 
   mixed_instances_policy {
     launch_template {
       launch_template_specification {
-        launch_template_id = "${aws_launch_template.master.id}"
-        version = "$$Latest"
+        launch_template_id = aws_launch_template.master.id
+        version = "$Latest"
       }
 
       override {
-        instance_type = "${var.master_config["ec2_type_1"]}"
+        instance_type = var.master_config["ec2_type_1"]
       }
 
       override {
-        instance_type = "${var.master_config["ec2_type_2"]}"
+        instance_type = var.master_config["ec2_type_2"]
       }
     }
 
     instances_distribution {
-      on_demand_base_capacity                  = "${var.master_config["on_demand_base_capacity"]}"
-      on_demand_percentage_above_base_capacity = "${var.master_config["on_demand_percentage_above_base_capacity"]}"
-      spot_instance_pools                      = "${var.master_config["spot_instance_pools"]}"
+      on_demand_base_capacity                  = var.master_config["on_demand_base_capacity"]
+      on_demand_percentage_above_base_capacity = var.master_config["on_demand_percentage_above_base_capacity"]
+      spot_instance_pools                      = var.master_config["spot_instance_pools"]
     }
   }
 
-  tags = [
+  tags = concat([
     {
       key                 = "Name"
       value               = "${var.name}-master"
@@ -61,34 +61,33 @@ resource "aws_autoscaling_group" "master" {
       value               = "owned"
       propagate_at_launch = true
     },
-  ]
-
-  tags = ["${data.null_data_source.tags.*.outputs}"]
+  ], data.null_data_source.tags.*.outputs)
 }
+
 resource "aws_launch_template" "master" {
-  instance_type = "${var.master_config["ec2_type_1"]}"
-  image_id      = "${data.aws_ami.coreos_ami.image_id}"
+  instance_type = var.master_config["ec2_type_1"]
+  image_id      = data.aws_ami.coreos_ami.image_id
   name_prefix   = "${var.name}-master-"
 
-  vpc_security_group_ids = [
-    "${var.security_group_ids}",
-    "${local.master_sg_id}",
-  ]
+  vpc_security_group_ids = compact(concat(
+    var.security_group_ids,
+    list(local.master_sg_id)
+  ))
 
   iam_instance_profile {
-    arn = "${aws_iam_instance_profile.master.arn}"
+    arn = aws_iam_instance_profile.master.arn
   }
 
-  key_name  = "${var.ssh_key}"
-  user_data = "${base64encode(data.ignition_config.s3.rendered)}"
+  key_name  = var.ssh_key
+  user_data = base64encode(data.ignition_config.s3.rendered)
 
   block_device_mappings {
     device_name = "/dev/xvda"
 
     ebs {
-      volume_type = "${var.master_config["root_volume_type"]}"
-      volume_size = "${var.master_config["root_volume_size"]}"
-      iops        = "${var.master_config["root_volume_type"] == "io1" ? var.master_config["root_volume_iops"] : var.master_config["root_volume_type"] == "gp2" ? 0 : min(10000, max(100, 3 * var.master_config["root_volume_size"]))}"
+      volume_type = var.master_config["root_volume_type"]
+      volume_size = var.master_config["root_volume_size"]
+      iops        = var.master_config["root_volume_type"] == "io1" ? var.master_config["root_volume_iops"] : var.master_config["root_volume_type"] == "gp2" ? 0 : min(10000, max(100, 3 * var.master_config["root_volume_size"]))
     }
   }
 
diff --git a/modules/aws/kube-master/outputs.tf b/modules/aws/kube-master/outputs.tf
index f0f6494c..3a9f104f 100644
--- a/modules/aws/kube-master/outputs.tf
+++ b/modules/aws/kube-master/outputs.tf
@@ -1,5 +1,5 @@
 output "certificate_authority" {
-  value = "${base64encode(module.kube_root_ca.cert_pem)}"
+  value = base64encode(module.kube_root_ca.cert_pem)
 }
 
 output "endpoint" {
@@ -7,5 +7,5 @@ output "endpoint" {
 }
 
 output "master_sg_id" {
-  value = "${local.master_sg_id}"
+  value = local.master_sg_id
 }
diff --git a/modules/aws/kube-master/role.tf b/modules/aws/kube-master/role.tf
index f849bb1c..39df92a6 100644
--- a/modules/aws/kube-master/role.tf
+++ b/modules/aws/kube-master/role.tf
@@ -15,20 +15,17 @@ data "aws_iam_policy_document" "default" {
 
 resource "aws_iam_role" "master" {
   name_prefix        = "${var.name}-master-"
-  assume_role_policy = "${data.aws_iam_policy_document.default.json}"
+  assume_role_policy = data.aws_iam_policy_document.default.json
 }
 
 resource "aws_iam_instance_profile" "master" {
   name_prefix = "${var.name}-master-"
 
-  role = "${var.role_name == "" ?
-    join("|", aws_iam_role.master.*.name) :
-    var.role_name
-  }"
+  role = var.role_name == "" ? join("|", aws_iam_role.master.*.name) : var.role_name
 }
 
 resource "aws_iam_policy" "master" {
-  count       = "${var.role_name == "" ? 1 : 0}"
+  count       = var.role_name == "" ? 1 : 0
   name        = "${var.name}-master"
   path        = "/"
   description = "policy for kubernetes masters"
@@ -68,6 +65,6 @@ EOF
 }
 
 resource "aws_iam_role_policy_attachment" "master" {
-  policy_arn = "${aws_iam_policy.master.arn}"
-  role       = "${aws_iam_role.master.name}"
+  policy_arn = aws_iam_policy.master[0].arn
+  role       = aws_iam_role.master.name
 }
diff --git a/modules/aws/kube-master/s3.tf b/modules/aws/kube-master/s3.tf
index 0a9cfd6a..15bab2e4 100644
--- a/modules/aws/kube-master/s3.tf
+++ b/modules/aws/kube-master/s3.tf
@@ -1,7 +1,7 @@
 resource "aws_s3_bucket_object" "kubeconfig" {
-  bucket  = "${var.s3_bucket}"
+  bucket  = var.s3_bucket
   key     = "kubeconfig"
-  content = "${module.ignition_kube_config.content}"
+  content = module.ignition_kube_config.content
   acl     = "private"
 
   server_side_encryption = "AES256"
diff --git a/modules/aws/kube-master/sg.tf b/modules/aws/kube-master/sg.tf
index ff2e999e..6997eeca 100644
--- a/modules/aws/kube-master/sg.tf
+++ b/modules/aws/kube-master/sg.tf
@@ -1,26 +1,26 @@
 data "aws_vpc" "master" {
-  id = "${local.vpc_id}"
+  id = local.vpc_id
 }
 
 resource "aws_security_group" "master" {
   name_prefix = "${var.name}-master-"
-  vpc_id      = "${data.aws_vpc.master.id}"
+  vpc_id      = data.aws_vpc.master.id
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "${var.name}-master",
       "kubernetes.io/cluster/${var.name}", "owned",
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 
-  count = "${var.master_security_group_id == "" ? 1 : 0}"
+  count = var.master_security_group_id == "" ? 1 : 0
 }
 
 locals {
-  master_sg_id = "${coalesce(var.master_security_group_id, join("", aws_security_group.master.*.id))}"
+  master_sg_id = coalesce(var.master_security_group_id, join("", aws_security_group.master.*.id))
 }
 
 resource "aws_security_group_rule" "master_egress" {
   type              = "egress"
-  security_group_id = "${local.master_sg_id}"
+  security_group_id = local.master_sg_id
 
   protocol    = "-1"
   cidr_blocks = ["0.0.0.0/0"]
@@ -30,7 +30,7 @@ resource "aws_security_group_rule" "master_egress" {
 
 resource "aws_security_group_rule" "master_ingress_icmp" {
   type              = "ingress"
-  security_group_id = "${local.master_sg_id}"
+  security_group_id = local.master_sg_id
 
   protocol    = "icmp"
   cidr_blocks = ["0.0.0.0/0"]
@@ -40,7 +40,7 @@ resource "aws_security_group_rule" "master_ingress_icmp" {
 
 resource "aws_security_group_rule" "master_ingress_etcd" {
   type              = "ingress"
-  security_group_id = "${local.master_sg_id}"
+  security_group_id = local.master_sg_id
 
   protocol  = "tcp"
   from_port = 2379
@@ -50,7 +50,7 @@ resource "aws_security_group_rule" "master_ingress_etcd" {
 
 resource "aws_security_group_rule" "master_ingress_services" {
   type              = "ingress"
-  security_group_id = "${local.master_sg_id}"
+  security_group_id = local.master_sg_id
 
   protocol  = "tcp"
   from_port = 30000
@@ -60,7 +60,7 @@ resource "aws_security_group_rule" "master_ingress_services" {
 
 resource "aws_security_group_rule" "master_all_self" {
   type              = "ingress"
-  security_group_id = "${local.master_sg_id}"
+  security_group_id = local.master_sg_id
 
   protocol  = -1
   from_port = 0
@@ -70,8 +70,8 @@ resource "aws_security_group_rule" "master_all_self" {
 
 resource "aws_security_group_rule" "master_ingress_from_lb" {
   type                     = "ingress"
-  security_group_id        = "${local.master_sg_id}"
-  source_security_group_id = "${aws_security_group.master_lb.id}"
+  security_group_id        = local.master_sg_id
+  source_security_group_id = aws_security_group.master_lb.id
 
   protocol  = "tcp"
   from_port = 443
@@ -80,10 +80,10 @@ resource "aws_security_group_rule" "master_ingress_from_lb" {
 
 resource "aws_security_group_rule" "master_ssh" {
   type              = "ingress"
-  security_group_id = "${local.master_sg_id}"
+  security_group_id = local.master_sg_id
 
   protocol    = "tcp"
-  cidr_blocks = ["${data.aws_vpc.master.cidr_block}"]
+  cidr_blocks = [data.aws_vpc.master.cidr_block]
   from_port   = 22
   to_port     = 22
 }
diff --git a/modules/aws/kube-master/variables.tf b/modules/aws/kube-master/variables.tf
index ad5aaa23..f72b565a 100644
--- a/modules/aws/kube-master/variables.tf
+++ b/modules/aws/kube-master/variables.tf
@@ -1,86 +1,78 @@
-variable "aws_region" {
-  type        = "string"
-  default     = "us-east-1"
-  description = "(Optional) The AWS region"
-}
-
 variable "name" {
-  type        = "string"
   description = " (Required) Name of the cluster."
+  type        = string
 }
 
 variable "role_name" {
-  type        = "string"
-  default     = ""
   description = "(Optional) The Amazon Resource Name of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf."
+  type        = string
+  default     = ""
 }
 
 variable "master_security_group_id" {
-  type    = "string"
-  default = ""
-
   description = <<EOF
     (Optional) Main security group ID of the Kubernetes control plane.
 EOF
+  type        = string
+  default     = ""
 }
 
 variable "security_group_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     (Optional) List of security group IDs for the cross-account elastic network interfaces
     to use to allow communication between your worker nodes and the Kubernetes control plane.
 EOF
+  type        = list(string)
+  default     = []
+
+
 }
 
 variable "lb_security_group_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     (Optional) List of security group IDs for the cross-account elastic network interfaces
     to use to allow communication between you and the kubernetes api server load balancer.
 EOF
+  type    = list(string)
+  default = []
 }
 
 variable "public_subnet_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     (Required) List of public subnet IDs. Must be in at least two different availability zones.
     Cross-account elastic network interfaces will be created in these subnets to allow
     communication between your worker nodes and the Kubernetes control plane.
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "private_subnet_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     (Required) List of private subnet IDs. Must be in at least two different availability zones.
     Cross-account elastic network interfaces will be created in these subnets to allow
     communication between your worker nodes and the Kubernetes control plane.
 EOF
+  type    = list(string)
+  default = []
 }
 
 variable "endpoint_public_access" {
-  default = false
   description = "(Optional) kubernetes apiserver endpoint"
+  type        = bool
+  default     = false
 }
 
 variable "kubernetes_version" {
-  type        = "string"
-  default     = "v1.13.4"
   description = "(Optional) Desired Kubernetes master version. If you do not specify a value, the latest available version is used."
+  type        = string
+  default     = "1.14.6"
 }
 
 variable "master_config" {
-  type = "map"
-
-  default = {
+  description = "(Optional) Desired master nodes configuration."
+  type        = map(string)
+  default     = {
     instance_count   = "1"
     ec2_type_1       = "t3.medium"
     ec2_type_2       = "t2.medium"
@@ -92,122 +84,117 @@ variable "master_config" {
     on_demand_percentage_above_base_capacity = 100
     spot_instance_pools                      = 1
   }
-
-  description = "(Optional) Desired master nodes configuration."
 }
 
 variable "ssh_key" {
-  type        = "string"
-  default     = ""
   description = "The key name that should be used for the instance."
+  type        = string
+  default     = ""
 }
 
 variable "etcd_endpoints" {
-  type = "list"
-
   description = <<EOF
   (Required) The etcd endpoints to be accessed by the Kubernetes API server.
   EOF
+  type        = list(string)
 }
 
 variable "etcd_certs_config" {
-  type = "map"
+  type = map(string)
 }
 
 variable "certs_validity_period_hours" {
-  type = "string"
+  description = <<EOF
+    Validity period of the self-signed certificates (in hours). Default is 3 years.
+EOF
+  type        = string
 
   // Default is provided only in this case
   // bacause *some* of etcd internal certs are still self-generated and need
   // this variable set
-  default = 26280
-
-  description = <<EOF
-    Validity period of the self-signed certificates (in hours). Default is 3 years.
-EOF
+  default     = 26280
 }
 
 variable "kube_service_cidr" {
-  type        = "string"
-  description = ""
+  description = "The kubernetes service ip range"
+  type        = string
 }
 
 variable "kube_cluster_cidr" {
-  type        = "string"
-  description = ""
+  description = "The kubernetes cluster ip range"
+  type        = string
 }
 
 variable "kube_node_labels" {
-  type        = "list"
-  default     = []
   description = "Labels to add when registering the node in the cluster. Labels must be key=value pairs."
+  type        = list(string)
+  default     = []
 }
 
 variable "kube_node_taints" {
-  type    = "list"
-  default = []
-
   description = <<EOF
 Register the node with the given list of taints ("<key>=<value>:<effect>").
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "s3_bucket" {
-  type    = "string"
-  default = ""
-
   description = <<EOF
     (Optional) Unique name under which the Amazon S3 bucket will be created. Bucket name must start with a lower case name and is limited to 63 characters.
     If name is not provided the installer will construct the name using "name" and current AWS region.
 EOF
+  type        = string
+  default     = ""
 }
 
 variable "reboot_strategy" {
-  type    = "string"
   description = "(Optional) CoreOS reboot strategies on updates, two option here: etcd-lock or off"
+  type        = string
 }
 
 variable "extra_ignition_file_ids" {
-  type        = "list"
-  default     = []
   description = "(Optional) Additional ignition file IDs. See https://www.terraform.io/docs/providers/ignition/d/file.html for more details."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_ignition_systemd_unit_ids" {
-  type        = "list"
-  default     = []
   description = "(Optional) Additional ignition systemd unit IDs. See https://www.terraform.io/docs/providers/ignition/d/systemd_unit.html for more details."
+  type        = list(string)
+  default     = []
 }
 
 variable "kubelet_flag_extra_flags" {
-  type        = "list"
-  default     = []
   description = "Extra user-provided flags to kubelet."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_tags" {
-  type        = "map"
-  default     = {}
   description = "Extra AWS tags to be applied to created resources."
+  type        = map(string)
+  default     = {}
 }
 
 variable "auth_webhook_path" {
-  type        = "string"
-  default     = ""
   description = "(Optional) A path for using customized machine to authenticate to a Kubernetes cluster."
+  type        = string
+  default     = ""
 }
 
 variable "audit_policy_path" {
-  type        = "string"
-  default     = ""
   description = "(Optional) A policy path for Kubernetes apiserver to enable auditing log."
+  type        = string
+  default     = ""
 }
 
 variable "audit_log_backend" {
-  type        = "map"
-  default     = {}
   description = <<EOF
     (Optional) Kubernetes apiserver auditing log backend configuration,
     there are four parameters: path, maxage, maxbackup, maxsize.
 EOF
+  type            = map(string)
+  default         = {}
+
 }
\ No newline at end of file
diff --git a/modules/aws/kube-worker/ami.tf b/modules/aws/kube-worker/ami.tf
index 33fdc0b2..807acccf 100644
--- a/modules/aws/kube-worker/ami.tf
+++ b/modules/aws/kube-worker/ami.tf
@@ -8,13 +8,13 @@ locals {
 module "container_linux" {
   source = "../container_linux"
 
-  release_channel = "${local.container_linux_channel}"
-  release_version = "${local.container_linux_version}"
+  release_channel = local.container_linux_channel
+  release_version = local.container_linux_version
 }
 
 data "aws_ami" "coreos_ami" {
 
-  owners = ["${local.coreos_account_id}"]
+  owners = [local.coreos_account_id]
 
   filter {
     name   = "name"
@@ -30,9 +30,4 @@ data "aws_ami" "coreos_ami" {
     name   = "virtualization-type"
     values = ["hvm"]
   }
-
-  filter {
-    name   = "owner-id"
-    values = ["${local.coreos_account_id}"]
-  }
 }
diff --git a/modules/aws/kube-worker/ignition.tf b/modules/aws/kube-worker/ignition.tf
index 5823f55a..cca02e9a 100644
--- a/modules/aws/kube-worker/ignition.tf
+++ b/modules/aws/kube-worker/ignition.tf
@@ -1,5 +1,5 @@
 locals {
-  cluster_dns_ip = "${cidrhost(var.kube_service_cidr, 10)}"
+  cluster_dns_ip = cidrhost(var.kube_service_cidr, 10)
 }
 
 module "ignition_docker" {
@@ -8,7 +8,7 @@ module "ignition_docker" {
 
 module "ignition_locksmithd" {
   source          = "../../ignitions/locksmithd"
-  reboot_strategy = "${var.reboot_strategy}"
+  reboot_strategy = var.reboot_strategy
 }
 
 module "ignition_update_ca_certificates" {
@@ -16,73 +16,73 @@ module "ignition_update_ca_certificates" {
 }
 
 data "aws_s3_bucket_object" "kubeconfig" {
-  bucket = "${var.s3_bucket}"
+  bucket = var.s3_bucket
   key    = "kubeconfig"
 }
 
 module "ignition_kube_config" {
   source  = "../../ignitions/kube-config"
-  content = "${data.aws_s3_bucket_object.kubeconfig.body}"
+  content = data.aws_s3_bucket_object.kubeconfig.body
 }
 
 module "ignition_kubelet" {
   source = "../../ignitions/kubelet"
 
   kubelet_flag_cloud_provider = "aws"
-  kubelet_flag_cluster_dns    = "${local.cluster_dns_ip}"
+  kubelet_flag_cluster_dns    = local.cluster_dns_ip
 
-  kubelet_flag_node_labels = "${join(",", compact(concat(
+  kubelet_flag_node_labels = join(",", compact(concat(
     list("node-role.kubernetes.io/${var.worker_config["name"]}"),
     var.kube_node_labels,
-  )))}"
+  )))
 
-  kubelet_flag_register_with_taints = "${join(",", var.kube_node_taints)}"
-  kubelet_flag_extra_flags          = "${var.kubelet_flag_extra_flags}"
+  kubelet_flag_register_with_taints = join(",", var.kube_node_taints)
+  kubelet_flag_extra_flags          = var.kubelet_flag_extra_flags
 
   hyperkube = {
     image_path = "gcr.io/google-containers/hyperkube-amd64"
-    image_tag  = "${var.kubernetes_version}"
+    image_tag  = var.kubernetes_version
   }
 }
 
 data "ignition_config" "main" {
-  files = ["${compact(concat(
+  files = compact(concat(
     module.ignition_docker.files,
     module.ignition_locksmithd.files,
     module.ignition_update_ca_certificates.files,
     module.ignition_kubelet.files,
     module.ignition_kube_config.files,
     var.extra_ignition_file_ids,
-  ))}"]
+  ))
 
-  systemd = ["${compact(concat(
+  systemd = compact(concat(
     module.ignition_docker.systemd_units,
     module.ignition_locksmithd.systemd_units,
     module.ignition_update_ca_certificates.systemd_units,
     module.ignition_kubelet.systemd_units,
     module.ignition_kube_config.systemd_units,
     var.extra_ignition_systemd_unit_ids,
-  ))}"]
+  ))
 }
 
 resource "aws_s3_bucket_object" "ignition" {
-  bucket  = "${var.s3_bucket}"
+  bucket  = var.s3_bucket
   key     = "ign-worker-${var.worker_config["name"]}.json"
-  content = "${data.ignition_config.main.rendered}"
+  content = data.ignition_config.main.rendered
   acl     = "private"
 
   server_side_encryption = "AES256"
 
-  tags = "${merge(map(
+  tags = merge(map(
       "Name", "ign-worker-${var.worker_config["name"]}.json",
       "Role", "worker",
       "kubernetes.io/cluster/${var.cluster_name}", "owned",
-    ), var.extra_tags)}"
+    ), var.extra_tags)
 }
 
 data "ignition_config" "s3" {
   replace {
-    source       = "${format("s3://%s/%s", var.s3_bucket, aws_s3_bucket_object.ignition.key)}"
+    source       = format("s3://%s/%s", var.s3_bucket, aws_s3_bucket_object.ignition.key)
     verification = "sha512-${sha512(data.ignition_config.main.rendered)}"
   }
 }
diff --git a/modules/aws/kube-worker/main.tf b/modules/aws/kube-worker/main.tf
deleted file mode 100644
index 055e0212..00000000
--- a/modules/aws/kube-worker/main.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# Configuration
-# ---------------------------------------------------------------------------------------------------------------------
-
-provider "aws" {
-  version = "2.3.0"
-  region  = "${var.aws_region}"
-}
-
-provider "template" {
-  version = "1.0.0"
-}
-
-provider "ignition" {
-  version = "1.0.0"
-}
-
-provider "null" {
-  version = "1.0.0"
-}
diff --git a/modules/aws/kube-worker/role.tf b/modules/aws/kube-worker/role.tf
index 0465354e..a666fc24 100644
--- a/modules/aws/kube-worker/role.tf
+++ b/modules/aws/kube-worker/role.tf
@@ -15,16 +15,16 @@ data "aws_iam_policy_document" "default" {
 
 resource "aws_iam_role" "worker" {
   name_prefix        = "${var.cluster_name}-worker-"
-  assume_role_policy = "${data.aws_iam_policy_document.default.json}"
+  assume_role_policy = data.aws_iam_policy_document.default.json
 }
 
 resource "aws_iam_instance_profile" "worker" {
   name_prefix = "${var.cluster_name}-worker-${var.worker_config["name"]}-"
-  role        = "${var.role_name == "" ? join("|", aws_iam_role.worker.*.name) : var.role_name}"
+  role        = var.role_name == "" ? join("|", aws_iam_role.worker.*.name) : var.role_name
 }
 
 resource "aws_iam_policy" "worker" {
-  count       = "${var.role_name == "" ? 1 : 0}"
+  count       = var.role_name == "" ? 1 : 0
   name_prefix = "${var.cluster_name}-worker-${var.worker_config["name"]}-"
   path        = "/"
   description = "policy for kubernetes workers"
@@ -64,7 +64,7 @@ EOF
 }
 
 resource "aws_iam_role_policy_attachment" "worker" {
-  count      = "${var.role_name == "" ? 1 : 0}"
-  policy_arn = "${aws_iam_policy.worker.arn}"
-  role       = "${aws_iam_role.worker.name}"
+  count      = var.role_name == "" ? 1 : 0
+  policy_arn = aws_iam_policy.worker[0].arn
+  role       = aws_iam_role.worker.name
 }
diff --git a/modules/aws/kube-worker/variables.tf b/modules/aws/kube-worker/variables.tf
index 6f106681..a9258b25 100644
--- a/modules/aws/kube-worker/variables.tf
+++ b/modules/aws/kube-worker/variables.tf
@@ -1,57 +1,49 @@
-variable "aws_region" {
-  type        = "string"
-  default     = "us-east-1"
-  description = "The AWS region"
-}
-
 variable "cluster_name" {
-  type        = "string"
   description = "Name of the cluster."
+  type        = string
 }
 
 variable "enable_autoscaler" {
-  type        = "string"
-  default     = "false"
   description = "Enable to add autoscaler tag or not"
+  type        = string
+  default     = "false"
 }
 
 variable "role_name" {
-  type        = "string"
-  default     = ""
   description = "The Amazon Resource Name of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf."
+  type        = string
+  default     = ""
 }
 
 variable "security_group_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     List of security group IDs for the cross-account elastic network interfaces
     to use to allow communication between your worker nodes and the Kubernetes control plane.
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "subnet_ids" {
-  type    = "list"
-  default = []
-
   description = <<EOF
     List of subnet IDs. Must be in at least two different availability zones.
     Cross-account elastic network interfaces will be created in these subnets to allow
     communication between your worker nodes and the Kubernetes control plane.
 EOF
+  type        = list(string)
+  default     = []
 }
 
 variable "kubernetes_version" {
-  type        = "string"
-  default     = "v1.13.4"
   description = "Desired Kubernetes kubelet version. If you do not specify a value, the latest available version is used."
+  type        = string
+  default     = "v1.14.6"
 }
 
 variable "worker_config" {
-  type = "map"
-
-  default = {
+  description = "Desired worker nodes configuration."
+  type        = map(string)
+  default     = {
     instance_count   = "1"
     ec2_type_1       = "t3.medium"
     ec2_type_2       = "t2.medium"
@@ -64,84 +56,80 @@ variable "worker_config" {
     on_demand_percentage_above_base_capacity = 100
     spot_instance_pools                      = 1
   }
-
-  description = "Desired worker nodes configuration."
 }
 
 variable "ssh_key" {
-  type        = "string"
-  default     = ""
   description = "The key name that should be used for the instance."
+  type        = string
+  default     = ""
 }
 
 variable "kube_service_cidr" {
-  type        = "string"
-  description = ""
+  description = "The kubernetes service ip range"
+  type        = string
 }
 
 variable "kube_node_labels" {
-  type        = "list"
-  default     = []
   description = "Labels to add when registering the node in the cluster. Labels must be key=value pairs."
+  type        = list(string)
+  default     = []
 }
 
 variable "kube_node_taints" {
-  type    = "list"
-  default = []
-
   description = <<EOF
 Register the node with the given list of taints ("<key>=<value>:<effect>").
 EOF
+  type    = list(string)
+  default = []
 }
 
 variable "s3_bucket" {
-  type    = "string"
-  default = ""
-
   description = <<EOF
     Unique name under which the Amazon S3 bucket will be created. Bucket name must start with a lower case name and is limited to 63 characters.
     If name is not provided the installer will construct the name using "name" and current AWS region.
 EOF
+  type        = string
+  default     = ""
 }
 
 variable "reboot_strategy" {
-  type    = "string"
-  default = "etcd-lock"
   description = "CoreOS reboot strategies on updates, two option here: etcd-lock or off"
+  type    = string
+  default = "etcd-lock"
 }
 
 variable "extra_ignition_file_ids" {
-  type        = "list"
-  default     = []
   description = "Additional ignition file IDs. See https://www.terraform.io/docs/providers/ignition/d/file.html for more details."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_ignition_systemd_unit_ids" {
-  type        = "list"
-  default     = []
   description = "Additional ignition systemd unit IDs. See https://www.terraform.io/docs/providers/ignition/d/systemd_unit.html for more details."
+  type        = list(string)
+  default     = []
 }
 
 variable "load_balancer_ids" {
-  type        = "list"
-  default     = []
   description = "A list of elastic load balancer names to add to the autoscaling group names. Only valid for classic load balancers. For ALBs, use target_group_arns instead."
+  type        = list(string)
+  default     = []
 }
 
 variable "target_group_arns" {
-  type        = "list"
-  default     = []
   description = "A list of aws_alb_target_group ARNs, for use with Application Load Balancing."
+  type        = list(string)
+  default     = []
 }
 
 variable "kubelet_flag_extra_flags" {
-  type        = "list"
-  default     = []
   description = "Extra user-provided flags to kubelet."
+  type        = list(string)
+  default     = []
 }
 
 variable "extra_tags" {
-  type        = "map"
-  default     = {}
   description = "Extra AWS tags to be applied to created resources."
+  type        = map(string)
+  default     = {}
 }
diff --git a/modules/aws/kube-worker/worker.tf b/modules/aws/kube-worker/worker.tf
index f6ba2943..1593f5a4 100644
--- a/modules/aws/kube-worker/worker.tf
+++ b/modules/aws/kube-worker/worker.tf
@@ -1,57 +1,57 @@
 data "aws_subnet" "subnet" {
-  id = "${var.subnet_ids[0]}"
+  id = var.subnet_ids[0]
 }
 
 locals {
-  vpc_id = "${data.aws_subnet.subnet.vpc_id}"
+  vpc_id = data.aws_subnet.subnet.vpc_id
 
-  extra_tags_keys   = "${keys(var.extra_tags)}"
-  extra_tags_values = "${values(var.extra_tags)}"
+  extra_tags_keys   = keys(var.extra_tags)
+  extra_tags_values = values(var.extra_tags)
 }
 
 data "null_data_source" "tags" {
-  count = "${length(keys(var.extra_tags))}"
+  count = length(keys(var.extra_tags))
 
   inputs = {
-    key                 = "${local.extra_tags_keys[count.index]}"
-    value               = "${local.extra_tags_values[count.index]}"
+    key                 = local.extra_tags_keys[count.index]
+    value               = local.extra_tags_values[count.index]
     propagate_at_launch = true
   }
 }
 
 resource "aws_autoscaling_group" "worker" {
   name_prefix          = "${var.cluster_name}-worker-${var.worker_config["name"]}-"
-  desired_capacity     = "${var.worker_config["instance_count"]}"
-  max_size             = "${var.worker_config["instance_count"] * 3}"
-  min_size             = "${var.worker_config["instance_count"]}"
-  vpc_zone_identifier  = ["${var.subnet_ids}"]
-  load_balancers       = ["${var.load_balancer_ids}"]
-  target_group_arns    = ["${var.target_group_arns}"]
+  desired_capacity     = var.worker_config["instance_count"]
+  max_size             = var.worker_config["instance_count"] * 3
+  min_size             = var.worker_config["instance_count"]
+  vpc_zone_identifier  = var.subnet_ids
+  load_balancers       = var.load_balancer_ids
+  target_group_arns    = var.target_group_arns
 
   mixed_instances_policy {
     launch_template {
       launch_template_specification {
-        launch_template_id = "${aws_launch_template.worker.id}"
-        version = "$$Latest"
+        launch_template_id = aws_launch_template.worker.id
+        version = "$Latest"
       }
 
       override {
-        instance_type = "${var.worker_config["ec2_type_1"]}"
+        instance_type = var.worker_config["ec2_type_1"]
       }
 
       override {
-        instance_type = "${var.worker_config["ec2_type_2"]}"
+        instance_type = var.worker_config["ec2_type_2"]
       }
     }
 
     instances_distribution {
-      on_demand_base_capacity                  = "${var.worker_config["on_demand_base_capacity"]}"
-      on_demand_percentage_above_base_capacity = "${var.worker_config["on_demand_percentage_above_base_capacity"]}"
-      spot_instance_pools                      = "${var.worker_config["spot_instance_pools"]}"
+      on_demand_base_capacity                  = var.worker_config["on_demand_base_capacity"]
+      on_demand_percentage_above_base_capacity = var.worker_config["on_demand_percentage_above_base_capacity"]
+      spot_instance_pools                      = var.worker_config["spot_instance_pools"]
     }
   }
 
-  tags = [
+  tags = concat([
     {
       key                 = "Name"
       value               = "${var.cluster_name}-worker-${var.worker_config["name"]}"
@@ -66,35 +66,31 @@ resource "aws_autoscaling_group" "worker" {
       key                 = "k8s.io/cluster-autoscaler/enabled"
       value               = "${var.enable_autoscaler}"
       propagate_at_launch = true
-    },
-  ]
-
-  tags = ["${data.null_data_source.tags.*.outputs}"]
+    }
+  ], data.null_data_source.tags.*.outputs)
 }
 
 resource "aws_launch_template" "worker" {
-  instance_type = "${var.worker_config["ec2_type_1"]}"
-  image_id      = "${data.aws_ami.coreos_ami.image_id}"
+  instance_type = var.worker_config["ec2_type_1"]
+  image_id      = data.aws_ami.coreos_ami.image_id
   name_prefix   = "${var.cluster_name}-worker-${var.worker_config["name"]}-"  
 
-  vpc_security_group_ids = [
-    "${var.security_group_ids}",
-  ]
+  vpc_security_group_ids = var.security_group_ids
 
   iam_instance_profile {
-    arn = "${aws_iam_instance_profile.worker.arn}"
+    arn = aws_iam_instance_profile.worker.arn
   }
 
-  key_name  = "${var.ssh_key}"
-  user_data = "${base64encode(data.ignition_config.s3.rendered)}"
+  key_name  = var.ssh_key
+  user_data = base64encode(data.ignition_config.s3.rendered)
 
   block_device_mappings {
     device_name = "/dev/xvda"
 
     ebs {
-      volume_type = "${var.worker_config["root_volume_type"]}"
-      volume_size = "${var.worker_config["root_volume_size"]}"
-      iops        = "${var.worker_config["root_volume_type"] == "io1" ? var.worker_config["root_volume_iops"] : var.worker_config["root_volume_type"] == "gp2" ? 0 : min(10000, max(100, 3 * var.worker_config["root_volume_size"]))}"
+      volume_type = var.worker_config["root_volume_type"]
+      volume_size = var.worker_config["root_volume_size"]
+      iops        = var.worker_config["root_volume_type"] == "io1" ? var.worker_config["root_volume_iops"] : var.worker_config["root_volume_type"] == "gp2" ? 0 : min(10000, max(100, 3 * var.worker_config["root_volume_size"]))
     }
   }
 
diff --git a/modules/ignitions/aws-iam-auth-master/manifests.tf b/modules/ignitions/aws-iam-auth-master/manifests.tf
index 06b6f12f..fb37bd82 100644
--- a/modules/ignitions/aws-iam-auth-master/manifests.tf
+++ b/modules/ignitions/aws-iam-auth-master/manifests.tf
@@ -1,4 +1,4 @@
 locals {
   filesystem = "root"
-  mode       = 0644
+  mode       = 420
 }
diff --git a/modules/ignitions/aws-iam-auth-master/outputs.tf b/modules/ignitions/aws-iam-auth-master/outputs.tf
index 2109efb0..25e44e5c 100644
--- a/modules/ignitions/aws-iam-auth-master/outputs.tf
+++ b/modules/ignitions/aws-iam-auth-master/outputs.tf
@@ -1,15 +1,15 @@
 output "systemd_units" {
   value = [
-    "${data.ignition_systemd_unit.provision.id}",
+    data.ignition_systemd_unit.provision.rendered
   ]
 }
 
 output "files" {
   value = [
-    "${data.ignition_file.kubeconfig.id}",
+    data.ignition_file.kubeconfig.rendered
   ]
 }
 
 output "kubeconfig_path" {
-  value = "${var.webhook_kubeconfig_path}"
+  value = var.webhook_kubeconfig_path
 }
diff --git a/modules/ignitions/aws-iam-auth-master/provision.tf b/modules/ignitions/aws-iam-auth-master/provision.tf
index 6e0ce82f..ef30d148 100644
--- a/modules/ignitions/aws-iam-auth-master/provision.tf
+++ b/modules/ignitions/aws-iam-auth-master/provision.tf
@@ -1,12 +1,12 @@
 data "template_file" "provision" {
-  template = "${file("${path.module}/resources/services/provision.service")}"
+  template = file("${path.module}/resources/services/provision.service")
 
-  vars {
-    api_server_secret_path = "${local.api_server_secret_path}"
+  vars = {
+    api_server_secret_path = local.api_server_secret_path
     api_server_secret_key_path = "${local.api_server_secret_path}/apiserver.key"
     api_server_secret_crt_path = "${local.api_server_secret_path}/apiserver.crt"
 
-    state_path = "${var.state_path}"
+    state_path = var.state_path
     state_key_path = "${var.state_path}/key.pem"
     state_crt_path = "${var.state_path}/cert.pem"
   }
@@ -15,7 +15,7 @@ data "template_file" "provision" {
 data "ignition_systemd_unit" "provision" {
   name    = "authenticator-provision.service"
   enabled = true
-  content = "${data.template_file.provision.rendered}"
+  content = data.template_file.provision.rendered
 }
 
 locals {
diff --git a/modules/ignitions/aws-iam-auth-master/variables.tf b/modules/ignitions/aws-iam-auth-master/variables.tf
index 9bdc9a9a..fc5de603 100644
--- a/modules/ignitions/aws-iam-auth-master/variables.tf
+++ b/modules/ignitions/aws-iam-auth-master/variables.tf
@@ -1,22 +1,23 @@
 variable "state_path" {
-  type        = "string"
-  default     = "/var/aws-iam-authenticator"
   description = "Persisted TLS certificate and keys."
+  type        = string
+  default     = "/var/aws-iam-authenticator"
 }
 
 variable "server_port" {
-  default     = 21362
   description = "Localhost port where the server will serve the /authenticate endpoint"
+  type        = number
+  default     = 21362
 }
 
 variable "webhook_kubeconfig_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/aws-iam-authenticator"
   description = "A path for using iam aws authenticator to authenticate to a Kubernetes cluster."
+  type        = string
+  default     = "/etc/kubernetes/aws-iam-authenticator"
 }
 
 variable "webhook_kubeconfig_ca" {
-  type        = "string"
-  default     = ""
   description = "A certificate for verifying the remote service."
+  type        = string
+  default     = ""
 }
diff --git a/modules/ignitions/aws-iam-auth-master/webhook-kubeconfig.tf b/modules/ignitions/aws-iam-auth-master/webhook-kubeconfig.tf
index c25048f4..6edcfab0 100644
--- a/modules/ignitions/aws-iam-auth-master/webhook-kubeconfig.tf
+++ b/modules/ignitions/aws-iam-auth-master/webhook-kubeconfig.tf
@@ -1,19 +1,19 @@
 data "template_file" "kubeconfig" {
-  template = "${file("${path.module}/resources/kubernetes/webhook/kubeconfig")}"
+  template = file("${path.module}/resources/kubernetes/webhook/kubeconfig")}"
 
-  vars {
-    webhook_ca = "${var.webhook_kubeconfig_ca}"
-    webhook_server_port = "${var.server_port}"
+  vars = {
+    webhook_ca = var.webhook_kubeconfig_ca
+    webhook_server_port = var.server_port
   }
 }
 
 data "ignition_file" "kubeconfig" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "${pathexpand(var.webhook_kubeconfig_path)}/kubeconfig"
 
   content {
-    content = "${data.template_file.kubeconfig.rendered}"
+    content = data.template_file.kubeconfig.rendered
   }
 }
diff --git a/modules/ignitions/docker/assets.tf b/modules/ignitions/docker/assets.tf
index 6e02a03a..5f8d338b 100644
--- a/modules/ignitions/docker/assets.tf
+++ b/modules/ignitions/docker/assets.tf
@@ -1,8 +1,8 @@
 data "template_file" "docker_dropin" {
-  template = "${file("${path.module}/resources/dropins/10-dockeropts.conf")}"
+  template = file("${path.module}/resources/dropins/10-dockeropts.conf")
 
-  vars {
-    docker_opts = "${join(" ", var.docker_opts)}"
+  vars = {
+    docker_opts = join(" ", var.docker_opts)
   }
 }
 
@@ -10,10 +10,8 @@ data "ignition_systemd_unit" "docker_dropin" {
   name    = "docker.service"
   enabled = true
 
-  dropin = [
-    {
+  dropin {
       name    = "10-dockeropts.conf"
-      content = "${data.template_file.docker_dropin.rendered}"
-    },
-  ]
+      content = data.template_file.docker_dropin.rendered
+  }
 }
diff --git a/modules/ignitions/docker/outputs.tf b/modules/ignitions/docker/outputs.tf
index 927ddb96..787fc014 100644
--- a/modules/ignitions/docker/outputs.tf
+++ b/modules/ignitions/docker/outputs.tf
@@ -1,6 +1,6 @@
 output "systemd_units" {
   value = [
-    "${data.ignition_systemd_unit.docker_dropin.id}",
+    data.ignition_systemd_unit.docker_dropin.rendered
   ]
 }
 
diff --git a/modules/ignitions/docker/variables.tf b/modules/ignitions/docker/variables.tf
index 8d2f4661..cedd8bc4 100644
--- a/modules/ignitions/docker/variables.tf
+++ b/modules/ignitions/docker/variables.tf
@@ -1,8 +1,7 @@
 variable "docker_opts" {
-  type        = "list"
   description = "See official docker documentation and https://coreos.com/os/docs/latest/customizing-docker.html for details."
-
-  default = [
+  type        = list(string)
+  default     = [
     "--log-opt",
     "max-size=50m",
     "--log-opt",
diff --git a/modules/ignitions/etcd/assets.tf b/modules/ignitions/etcd/assets.tf
index b72528c6..b8b651a2 100644
--- a/modules/ignitions/etcd/assets.tf
+++ b/modules/ignitions/etcd/assets.tf
@@ -1,15 +1,15 @@
 data "template_file" "etcd" {
-  template = "${file("${path.module}/resources/dropins/40-etcd-cluster.conf")}"
+  template = file("${path.module}/resources/dropins/40-etcd-cluster.conf")
 
   vars = {
-    certs_path          = "${var.certs_path}"
-    container_image_url = "${var.container["image_path"]}"
-    container_image_tag = "${var.container["image_tag"]}"
-    client_port         = "${var.client_port}"
-    peer_port           = "${var.peer_port}"
-    cluster_name        = "${var.name}"
+    certs_path          = var.certs_path
+    container_image_url = var.container["image_path"]
+    container_image_tag = var.container["image_tag"]
+    client_port         = var.client_port
+    peer_port           = var.peer_port
+    cluster_name        = var.name
     scheme              = "https"
-    discovery_service   = "${var.discovery_service}"
+    discovery_service   = var.discovery_service
   }
 }
 
@@ -17,10 +17,8 @@ data "ignition_systemd_unit" "etcd" {
   name    = "etcd-member.service"
   enabled = true
 
-  dropin = [
-    {
+  dropin {
       name    = "40-etcd-cluster.conf"
-      content = "${data.template_file.etcd.rendered}"
-    },
-  ]
+      content = data.template_file.etcd.rendered
+  }
 }
diff --git a/modules/ignitions/etcd/certs.tf b/modules/ignitions/etcd/certs.tf
index df6755f0..3be86036 100644
--- a/modules/ignitions/etcd/certs.tf
+++ b/modules/ignitions/etcd/certs.tf
@@ -1,83 +1,83 @@
 data "ignition_file" "etcd_ca" {
   path       = "${var.certs_path}/ca.crt"
-  mode       = 0644
+  mode       = 420
   uid        = 232
   gid        = 232
   filesystem = "root"
 
   content {
-    content = "${var.certs_config["ca_cert_pem"]}"
+    content = var.certs_config["ca_cert_pem"]
   }
 }
 
 data "ignition_file" "etcd_client_key" {
   path       = "${var.certs_path}/client.key"
-  mode       = 0400
-  uid        = 0
-  gid        = 0
+  mode       = 256
+  uid        = 232
+  gid        = 232
   filesystem = "root"
 
   content {
-    content = "${var.certs_config["client_key_pem"]}"
+    content = var.certs_config["client_key_pem"]
   }
 }
 
 data "ignition_file" "etcd_client_cert" {
   path       = "${var.certs_path}/client.crt"
-  mode       = 0400
-  uid        = 0
-  gid        = 0
+  mode       = 256
+  uid        = 232
+  gid        = 232
   filesystem = "root"
 
   content {
-    content = "${var.certs_config["client_cert_pem"]}"
+    content = var.certs_config["client_cert_pem"]
   }
 }
 
 data "ignition_file" "etcd_server_key" {
   path       = "${var.certs_path}/server.key"
-  mode       = 0400
+  mode       = 256
   uid        = 232
   gid        = 232
   filesystem = "root"
 
   content {
-    content = "${var.certs_config["server_key_pem"]}"
+    content = var.certs_config["server_key_pem"]
   }
 }
 
 data "ignition_file" "etcd_server_cert" {
   path       = "${var.certs_path}/server.crt"
-  mode       = 0400
+  mode       = 256
   uid        = 232
   gid        = 232
   filesystem = "root"
 
   content {
-    content = "${var.certs_config["server_cert_pem"]}"
+    content = var.certs_config["server_cert_pem"]
   }
 }
 
 data "ignition_file" "etcd_peer_key" {
   path       = "${var.certs_path}/peer.key"
-  mode       = 0400
+  mode       = 256
   uid        = 232
   gid        = 232
   filesystem = "root"
 
   content {
-    content = "${var.certs_config["peer_key_pem"]}"
+    content = var.certs_config["peer_key_pem"]
   }
 }
 
 data "ignition_file" "etcd_peer_cert" {
   path       = "${var.certs_path}/peer.crt"
-  mode       = 0400
+  mode       = 256
   uid        = 232
   gid        = 232
   filesystem = "root"
 
   content {
-    content = "${var.certs_config["peer_cert_pem"]}"
+    content = var.certs_config["peer_cert_pem"]
   }
 }
diff --git a/modules/ignitions/etcd/outputs.tf b/modules/ignitions/etcd/outputs.tf
index de1a10f5..5414f99d 100644
--- a/modules/ignitions/etcd/outputs.tf
+++ b/modules/ignitions/etcd/outputs.tf
@@ -1,17 +1,17 @@
 output "systemd_units" {
   value = [
-    "${data.ignition_systemd_unit.etcd.id}",
+    data.ignition_systemd_unit.etcd.rendered
   ]
 }
 
 output "files" {
   value = [
-    "${data.ignition_file.etcd_ca.id}",
-    "${data.ignition_file.etcd_client_cert.id}",
-    "${data.ignition_file.etcd_client_key.id}",
-    "${data.ignition_file.etcd_server_cert.id}",
-    "${data.ignition_file.etcd_server_key.id}",
-    "${data.ignition_file.etcd_peer_cert.id}",
-    "${data.ignition_file.etcd_peer_key.id}",
+    data.ignition_file.etcd_ca.rendered,
+    data.ignition_file.etcd_client_cert.rendered,
+    data.ignition_file.etcd_client_key.rendered,
+    data.ignition_file.etcd_server_cert.rendered,
+    data.ignition_file.etcd_server_key.rendered,
+    data.ignition_file.etcd_peer_cert.rendered,
+    data.ignition_file.etcd_peer_key.rendered
   ]
 }
diff --git a/modules/ignitions/etcd/resources/dropins/40-etcd-cluster.conf b/modules/ignitions/etcd/resources/dropins/40-etcd-cluster.conf
index 1ec27b7a..4a17bfe7 100644
--- a/modules/ignitions/etcd/resources/dropins/40-etcd-cluster.conf
+++ b/modules/ignitions/etcd/resources/dropins/40-etcd-cluster.conf
@@ -2,8 +2,6 @@
 Environment="ETCD_IMAGE=${container_image_url}:${container_image_tag}"
 Environment="RKT_RUN_ARGS=--volume etcd-ssl,kind=host,source=${certs_path} \
         --mount volume=etcd-ssl,target=${certs_path}"
-Environment="ETCD_SSL_DIR=${certs_path}"
-
 ExecStartPre=/usr/bin/sh -c "HOSTNAME=$(curl -s http://169.254.169.254/latest/meta-data/local-hostname | cut -d '.' -f 1); /usr/bin/systemctl set-environment MY_NAME=$HOSTNAME"
 ExecStartPre=/usr/bin/sh -c "HOST_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4); /usr/bin/systemctl set-environment HOST_IP=$HOST_IP"
 
@@ -11,6 +9,7 @@ ExecStart=
 ExecStart=/usr/lib/coreos/etcd-wrapper \
   --name=$${MY_NAME} \
   --discovery-srv=${discovery_service} \
+  --data-dir=/var/lib/etcd \
   --initial-cluster-token=${cluster_name} \
   --initial-cluster-state=new \
   --cert-file=${certs_path}/server.crt \
@@ -23,5 +22,5 @@ ExecStart=/usr/lib/coreos/etcd-wrapper \
   --trusted-ca-file=${certs_path}/ca.crt \
   --advertise-client-urls=${scheme}://$${MY_NAME}.${discovery_service}:${client_port} \
   --initial-advertise-peer-urls=${scheme}://$${MY_NAME}.${discovery_service}:${peer_port} \
-  --listen-client-urls=${scheme}://$${MY_NAME}.${discovery_service}:${client_port} \
-  --listen-peer-urls=${scheme}://$${MY_NAME}.${discovery_service}:${peer_port}
+  --listen-client-urls=${scheme}://0.0.0.0:${client_port} \
+  --listen-peer-urls=${scheme}://0.0.0.0:${peer_port}
diff --git a/modules/ignitions/etcd/variables.tf b/modules/ignitions/etcd/variables.tf
index 58b221c5..21c2a032 100644
--- a/modules/ignitions/etcd/variables.tf
+++ b/modules/ignitions/etcd/variables.tf
@@ -1,9 +1,9 @@
 variable "name" {
-  type = "string"
+  type = string
 }
 
 variable "discovery_service" {
-  type = "string"
+  type = string
 }
 
 variable "client_port" {
@@ -15,12 +15,12 @@ variable "peer_port" {
 }
 
 variable "certs_path" {
-  type    = "string"
+  type    = string
   default = "/etc/ssl/etcd"
 }
 
 variable "certs_config" {
-  type = "map"
+  type = map(string)
 
   default = {
     # ca_cert_pem     = ""
@@ -34,10 +34,10 @@ variable "certs_config" {
 }
 
 variable "container" {
-  type = "map"
+  type = map(string)
 
   default = {
     image_path = "quay.io/coreos/etcd"
-    image_tag  = "v3.1.8"
+    image_tag  = "v3.3.15"
   }
 }
diff --git a/modules/ignitions/iscsi/assets.tf b/modules/ignitions/iscsi/assets.tf
index 33b64133..556dde10 100644
--- a/modules/ignitions/iscsi/assets.tf
+++ b/modules/ignitions/iscsi/assets.tf
@@ -1,4 +1,4 @@
 data "ignition_systemd_unit" "iscsi" {
   name    = "iscsid.service"
-  enabled = "${var.enabled ? true : false}"
+  enabled = var.enabled ? true : false
 }
diff --git a/modules/ignitions/iscsi/outputs.tf b/modules/ignitions/iscsi/outputs.tf
index 210bff7a..b28fdb99 100644
--- a/modules/ignitions/iscsi/outputs.tf
+++ b/modules/ignitions/iscsi/outputs.tf
@@ -1,6 +1,6 @@
 output "systemd_units" {
   value = [
-    "${data.ignition_systemd_unit.iscsi.id}",
+    data.ignition_systemd_unit.iscsi.rendered
   ]
 }
 
diff --git a/modules/ignitions/iscsi/variables.tf b/modules/ignitions/iscsi/variables.tf
index cc9110af..7916c718 100644
--- a/modules/ignitions/iscsi/variables.tf
+++ b/modules/ignitions/iscsi/variables.tf
@@ -1,4 +1,5 @@
 variable "enabled" {
-  default     = true
   description = "Enable iSCSI"
+  type        = bool
+  default     = true
 }
diff --git a/modules/ignitions/kube-addon-dns/coredns-yaml.tf b/modules/ignitions/kube-addon-dns/coredns-yaml.tf
index f9db68ca..401af7ce 100644
--- a/modules/ignitions/kube-addon-dns/coredns-yaml.tf
+++ b/modules/ignitions/kube-addon-dns/coredns-yaml.tf
@@ -1,24 +1,24 @@
 data "template_file" "coredns_yaml" {
-  template = "${file("${path.module}/resources/kubernetes/manifests/coredns.yaml")}"
+  template = file("${path.module}/resources/kubernetes/manifests/coredns.yaml")
 
-  vars {
-    image               = "${var.image}"
-    reverse_cidrs       = "${var.reverse_cidrs}"
-    cluster_dns_ip      = "${var.cluster_dns_ip}"
-    cluster_domain      = "${var.cluster_domain}"
-    federations         = "${var.federations}"
-    subdomains          = "${var.subdomains}"
-    upstream_nameserver = "${var.upstream_nameserver}"
+  vars = {
+    image               = var.image
+    reverse_cidrs       = var.reverse_cidrs
+    cluster_dns_ip      = var.cluster_dns_ip
+    cluster_domain      = var.cluster_domain
+    federations         = var.federations
+    subdomains          = var.subdomains
+    upstream_nameserver = var.upstream_nameserver
   }
 }
 
 data "ignition_file" "coredns_yaml" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "${pathexpand(var.addon_path)}/coredns.yaml"
 
   content {
-    content = "${data.template_file.coredns_yaml.rendered}"
+    content = data.template_file.coredns_yaml.rendered
   }
 }
diff --git a/modules/ignitions/kube-addon-dns/manifests.tf b/modules/ignitions/kube-addon-dns/manifests.tf
index 06b6f12f..fb37bd82 100644
--- a/modules/ignitions/kube-addon-dns/manifests.tf
+++ b/modules/ignitions/kube-addon-dns/manifests.tf
@@ -1,4 +1,4 @@
 locals {
   filesystem = "root"
-  mode       = 0644
+  mode       = 420
 }
diff --git a/modules/ignitions/kube-addon-dns/outputs.tf b/modules/ignitions/kube-addon-dns/outputs.tf
index 6fe03d4e..a57809db 100644
--- a/modules/ignitions/kube-addon-dns/outputs.tf
+++ b/modules/ignitions/kube-addon-dns/outputs.tf
@@ -4,6 +4,6 @@ output "systemd_units" {
 
 output "files" {
   value = [
-    "${data.ignition_file.coredns_yaml.id}",
+    data.ignition_file.coredns_yaml.rendered
   ]
 }
diff --git a/modules/ignitions/kube-addon-dns/resources/kubernetes/manifests/coredns.yaml b/modules/ignitions/kube-addon-dns/resources/kubernetes/manifests/coredns.yaml
index bcfe34b7..25ac6a20 100644
--- a/modules/ignitions/kube-addon-dns/resources/kubernetes/manifests/coredns.yaml
+++ b/modules/ignitions/kube-addon-dns/resources/kubernetes/manifests/coredns.yaml
@@ -1,14 +1,19 @@
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: coredns
   namespace: kube-system
+  labels:
+      kubernetes.io/cluster-service: "true"
+      addonmanager.kubernetes.io/mode: Reconcile
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     kubernetes.io/bootstrapping: rbac-defaults
+    addonmanager.kubernetes.io/mode: Reconcile
   name: system:coredns
 rules:
 - apiGroups:
@@ -28,13 +33,14 @@ rules:
   verbs:
   - get
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   annotations:
     rbac.authorization.kubernetes.io/autoupdate: "true"
   labels:
     kubernetes.io/bootstrapping: rbac-defaults
+    addonmanager.kubernetes.io/mode: EnsureExists
   name: system:coredns
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -50,31 +56,36 @@ kind: ConfigMap
 metadata:
   name: coredns
   namespace: kube-system
+  labels:
+      addonmanager.kubernetes.io/mode: EnsureExists
 data:
   Corefile: |
     .:53 {
         errors
         health
-        kubernetes ${cluster_domain} ${reverse_cidrs} {
-          pods insecure
-          upstream
-          fallthrough in-addr.arpa ip6.arpa
-        }${federations}
+        ready
+        kubernetes {{ pillar['dns_domain'] }} in-addr.arpa ip6.arpa {
+            pods insecure
+            fallthrough in-addr.arpa ip6.arpa
+            ttl 30
+        }
         prometheus :9153
-        proxy . ${upstream_nameserver}
+        forward . /etc/resolv.conf
         cache 30
         loop
         reload
         loadbalance
-    }${subdomains}
+    }
 ---
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: coredns
   namespace: kube-system
   labels:
     k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
     kubernetes.io/name: "CoreDNS"
 spec:
   replicas: 2
@@ -89,11 +100,17 @@ spec:
     metadata:
       labels:
         k8s-app: kube-dns
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
+      priorityClassName: system-cluster-critical
       serviceAccountName: coredns
       tolerations:
         - key: "CriticalAddonsOnly"
           operator: "Exists"
+        - key: "node-role.kubernetes.io/master"
+          operator: "Exists"
+          effect: "NoSchedule"
       nodeSelector:
         beta.kubernetes.io/os: linux
       containers:
@@ -121,14 +138,6 @@ spec:
         - containerPort: 9153
           name: metrics
           protocol: TCP
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            add:
-            - NET_BIND_SERVICE
-            drop:
-            - all
-          readOnlyRootFilesystem: true
         livenessProbe:
           httpGet:
             path: /health
@@ -138,13 +147,20 @@ spec:
           timeoutSeconds: 5
           successThreshold: 1
           failureThreshold: 5
+        readinessProbe:
+          httpGet:
+            path: /ready
+            port: 8181
+            scheme: HTTP
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - all
+          readOnlyRootFilesystem: true
       dnsPolicy: Default
-      tolerations:
-      - key: "node-role.kubernetes.io/master"
-        operator: "Exists"
-        effect: "NoSchedule"
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
       volumes:
         - name: config-volume
           configMap:
@@ -164,6 +180,7 @@ metadata:
   labels:
     k8s-app: kube-dns
     kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
     kubernetes.io/name: "CoreDNS"
 spec:
   selector:
@@ -178,4 +195,4 @@ spec:
     protocol: TCP
   - name: metrics
     port: 9153
-    protocol: TCP
+    protocol: TCP
\ No newline at end of file
diff --git a/modules/ignitions/kube-addon-dns/variables.tf b/modules/ignitions/kube-addon-dns/variables.tf
index 319da5f3..9b304d2f 100644
--- a/modules/ignitions/kube-addon-dns/variables.tf
+++ b/modules/ignitions/kube-addon-dns/variables.tf
@@ -1,45 +1,45 @@
 variable "addon_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/addons"
   description = "Path to the directory containing Kubernetes addons"
+  type        = string
+  default     = "/etc/kubernetes/addons"
 }
 
 variable "image" {
-  type        = "string"
-  default     = "coredns/coredns:1.2.6"
   description = "The CoreDNS image name and tag"
+  type        = "string"
+  default     = "k8s.gcr.io/coredns:1.6.2"
 }
 
 variable "reverse_cidrs" {
-  type        = "string"
   description = "CoreDNS reverse cidrs"
+  type        = string
 }
 
 variable "cluster_dns_ip" {
-  type        = "string"
   description = "K8S cluster dns ip"
+  type        = string
 }
 
 variable "cluster_domain" {
-  type        = "string"
-  default     = "cluster.local."
   description = "K8S cluster domain"
+  type        = string
+  default     = "cluster.local."
 }
 
 variable "federations" {
-  type        = "string"
-  default     = ""
   description = "federations"
+  type        = string
+  default     = ""
 }
 
 variable "subdomains" {
-  type        = "string"
-  default     = ""
   description = "subdomains"
+  type        = string
+  default     = ""
 }
 
 variable "upstream_nameserver" {
-  type        = "string"
-  default     = "/etc/resolv.conf"
   description = "upstream nameserver"
+  type        = string
+  default     = "/etc/resolv.conf"
 }
\ No newline at end of file
diff --git a/modules/ignitions/kube-addon-flannel-vxlan/kube-flannel-yaml.tf b/modules/ignitions/kube-addon-flannel-vxlan/kube-flannel-yaml.tf
index c82f2722..c296926f 100644
--- a/modules/ignitions/kube-addon-flannel-vxlan/kube-flannel-yaml.tf
+++ b/modules/ignitions/kube-addon-flannel-vxlan/kube-flannel-yaml.tf
@@ -1,20 +1,19 @@
 data "template_file" "kube_flannel_yaml" {
-  template = "${file("${path.module}/resources/addon/kube-flannel.yaml")}"
+  template = file("${path.module}/resources/addon/kube-flannel.yaml")
 
-  vars {
-    cluster_cidr      = "${var.cluster_cidr}"
-    flannel_image     = "${var.container_images["flannel"]}"
-    flannel_cni_image = "${var.container_images["flannel_cni"]}"
+  vars = {
+    cluster_cidr      = var.cluster_cidr
+    flannel_image     = var.container_images["flannel"]
   }
 }
 
 data "ignition_file" "kube_flannel_yaml" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "${pathexpand(var.addon_path)}/kube-flannel.yaml"
 
   content {
-    content = "${data.template_file.kube_flannel_yaml.rendered}"
+    content = data.template_file.kube_flannel_yaml.rendered
   }
 }
diff --git a/modules/ignitions/kube-addon-flannel-vxlan/manifests.tf b/modules/ignitions/kube-addon-flannel-vxlan/manifests.tf
index 06b6f12f..fb37bd82 100644
--- a/modules/ignitions/kube-addon-flannel-vxlan/manifests.tf
+++ b/modules/ignitions/kube-addon-flannel-vxlan/manifests.tf
@@ -1,4 +1,4 @@
 locals {
   filesystem = "root"
-  mode       = 0644
+  mode       = 420
 }
diff --git a/modules/ignitions/kube-addon-flannel-vxlan/outputs.tf b/modules/ignitions/kube-addon-flannel-vxlan/outputs.tf
index 562d84b4..48f66529 100644
--- a/modules/ignitions/kube-addon-flannel-vxlan/outputs.tf
+++ b/modules/ignitions/kube-addon-flannel-vxlan/outputs.tf
@@ -4,6 +4,6 @@ output "systemd_units" {
 
 output "files" {
   value = [
-    "${data.ignition_file.kube_flannel_yaml.id}",
+    data.ignition_file.kube_flannel_yaml.rendered
   ]
 }
diff --git a/modules/ignitions/kube-addon-flannel-vxlan/resources/addon/kube-flannel.yaml b/modules/ignitions/kube-addon-flannel-vxlan/resources/addon/kube-flannel.yaml
index 52790dec..a64b515d 100644
--- a/modules/ignitions/kube-addon-flannel-vxlan/resources/addon/kube-flannel.yaml
+++ b/modules/ignitions/kube-addon-flannel-vxlan/resources/addon/kube-flannel.yaml
@@ -1,20 +1,126 @@
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: psp.flannel.unprivileged
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
+    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+spec:
+  privileged: false
+  volumes:
+    - configMap
+    - secret
+    - emptyDir
+    - hostPath
+  allowedHostPaths:
+    - pathPrefix: "/etc/cni/net.d"
+    - pathPrefix: "/etc/kube-flannel"
+    - pathPrefix: "/run/flannel"
+  readOnlyRootFilesystem: false
+  # Users and groups
+  runAsUser:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  # Privilege Escalation
+  allowPrivilegeEscalation: false
+  defaultAllowPrivilegeEscalation: false
+  # Capabilities
+  allowedCapabilities: ['NET_ADMIN']
+  defaultAddCapabilities: []
+  requiredDropCapabilities: []
+  # Host namespaces
+  hostPID: false
+  hostIPC: false
+  hostNetwork: true
+  hostPorts:
+  - min: 0
+    max: 65535
+  # SELinux
+  seLinux:
+    # SELinux is unsed in CaaSP
+    rule: 'RunAsAny'
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: flannel
+rules:
+  - apiGroups: ['extensions']
+    resources: ['podsecuritypolicies']
+    verbs: ['use']
+    resourceNames: ['psp.flannel.unprivileged']
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/status
+    verbs:
+      - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: flannel
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: flannel
+subjects:
+- kind: ServiceAccount
+  name: flannel
+  namespace: kube-system
+---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flannel
+  namespace: kube-system
+---
 kind: ConfigMap
+apiVersion: v1
 metadata:
   name: kube-flannel-cfg
   namespace: kube-system
   labels:
     tier: node
-    k8s-app: flannel
+    app: flannel
 data:
   cni-conf.json: |
     {
       "name": "cbr0",
-      "type": "flannel",
-      "delegate": {
-        "isDefaultGateway": true,
-        "hairpinMode": true
-      }
+      "plugins": [
+        {
+          "type": "flannel",
+          "delegate": {
+            "hairpinMode": true,
+            "isDefaultGateway": true
+          }
+        },
+        {
+          "type": "portmap",
+          "capabilities": {
+            "portMappings": true
+          }
+        }
+      ]
     }
   net-conf.json: |
     {
@@ -25,6 +131,7 @@ data:
       }
     }
 ---
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -32,28 +139,57 @@ metadata:
   namespace: kube-system
   labels:
     tier: node
-    k8s-app: flannel
+    app: flannel
 spec:
   selector:
     matchLabels:
-      tier: node
-      k8s-app: flannel
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 1
-    type: RollingUpdate
+      app: flannel
   template:
     metadata:
       labels:
         tier: node
-        k8s-app: flannel
+        app: flannel
     spec:
+      hostNetwork: true
+      nodeSelector:
+        beta.kubernetes.io/arch: amd64
+      tolerations:
+      - operator: Exists
+        effect: NoSchedule
+      serviceAccountName: flannel
+      initContainers:
+      - name: install-cni
+        image: ${flannel_image}
+        command:
+        - cp
+        args:
+        - -f
+        - /etc/kube-flannel/cni-conf.json
+        - /etc/cni/net.d/10-flannel.conflist
+        volumeMounts:
+        - name: cni
+          mountPath: /etc/cni/net.d
+        - name: flannel-cfg
+          mountPath: /etc/kube-flannel/
       containers:
       - name: kube-flannel
         image: ${flannel_image}
-        command: [ "/opt/bin/flanneld", "--ip-masq", "--kube-subnet-mgr", "--iface=$(POD_IP)"]
+        command:
+        - /opt/bin/flanneld
+        args:
+        - --ip-masq
+        - --kube-subnet-mgr
+        resources:
+          requests:
+            cpu: "100m"
+            memory: "50Mi"
+          limits:
+            cpu: "100m"
+            memory: "50Mi"
         securityContext:
-          privileged: true
+          privileged: false
+          capabilities:
+             add: ["NET_ADMIN"]
         env:
         - name: POD_NAME
           valueFrom:
@@ -63,44 +199,18 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
         volumeMounts:
         - name: run
-          mountPath: /run
-        - name: cni
-          mountPath: /etc/cni/net.d
+          mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
-      - name: install-cni
-        image: ${flannel_cni_image}
-        command: ["/install-cni.sh"]
-        env:
-        - name: CNI_NETWORK_CONFIG
-          valueFrom:
-            configMapKeyRef:
-              name: kube-flannel-cfg
-              key: cni-conf.json
-        volumeMounts:
-        - name: cni
-          mountPath: /host/etc/cni/net.d
-        - name: host-cni-bin
-          mountPath: /host/opt/cni/bin/
-      hostNetwork: true
-      tolerations:
-      - operator: "Exists"
       volumes:
         - name: run
           hostPath:
-            path: /run
+            path: /run/flannel
         - name: cni
           hostPath:
-            path: /etc/kubernetes/cni/net.d
+            path: /etc/cni/net.d
         - name: flannel-cfg
           configMap:
-            name: kube-flannel-cfg
-        - name: host-cni-bin
-          hostPath:
-            path: /var/lib/cni/bin
+            name: kube-flannel-cfg
\ No newline at end of file
diff --git a/modules/ignitions/kube-addon-flannel-vxlan/variables.tf b/modules/ignitions/kube-addon-flannel-vxlan/variables.tf
index 3034df4e..012eec4c 100644
--- a/modules/ignitions/kube-addon-flannel-vxlan/variables.tf
+++ b/modules/ignitions/kube-addon-flannel-vxlan/variables.tf
@@ -1,26 +1,24 @@
 variable "manifest_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/manifests"
   description = "Path to the directory containing static manifests"
+  type        = string
+  default     = "/etc/kubernetes/manifests"
 }
 
 variable "addon_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/addons"
   description = "Path to the directory containing Kubernetes addons"
+  type        = string
+  default     = "/etc/kubernetes/addons"
 }
 
 variable "container_images" {
   description = "Container images to use"
-  type        = "map"
-
-  default = {
-    flannel_cni = "quay.io/coreos/flannel-cni:v0.2.0"
-    flannel     = "quay.io/coreos/flannel:v0.8.0-amd64"
+  type        = map(string)
+  default     = {
+    flannel     = "quay.io/coreos/flannel:v0.11.0-amd64"
   }
 }
 
 variable "cluster_cidr" {
   description = "A CIDR notation IP range from which to assign pod IPs"
-  type        = "string"
+  type        = string
 }
diff --git a/modules/ignitions/kube-addon-manager/kube-addon.tf b/modules/ignitions/kube-addon-manager/kube-addon.tf
index 00eed4f5..970e05ab 100644
--- a/modules/ignitions/kube-addon-manager/kube-addon.tf
+++ b/modules/ignitions/kube-addon-manager/kube-addon.tf
@@ -1,14 +1,14 @@
 data "template_file" "kube_addon_manager" {
-  template = "${file("${path.module}/resources/services/kube-addon-manager.service")}"
+  template = file("${path.module}/resources/services/kube-addon-manager.service")
 
-  vars {
+  vars = {
     hyperkube_image = "${var.hyperkube["image_path"]}:${var.hyperkube["image_tag"]}"
-    addon_path      = "${var.addon_path}"
+    addon_path      = var.addon_path
   }
 }
 
 data "ignition_systemd_unit" "kube_addon_manager" {
   name    = "kube-addon-manager.service"
   enabled = true
-  content = "${data.template_file.kube_addon_manager.rendered}"
+  content = data.template_file.kube_addon_manager.rendered
 }
diff --git a/modules/ignitions/kube-addon-manager/outputs.tf b/modules/ignitions/kube-addon-manager/outputs.tf
index 81b3b6e3..dbbbc3c7 100644
--- a/modules/ignitions/kube-addon-manager/outputs.tf
+++ b/modules/ignitions/kube-addon-manager/outputs.tf
@@ -1,6 +1,6 @@
 output "systemd_units" {
   value = [
-    "${data.ignition_systemd_unit.kube_addon_manager.id}",
+    data.ignition_systemd_unit.kube_addon_manager.rendered
   ]
 }
 
diff --git a/modules/ignitions/kube-addon-manager/variables.tf b/modules/ignitions/kube-addon-manager/variables.tf
index 432ee2aa..e4cbdfac 100644
--- a/modules/ignitions/kube-addon-manager/variables.tf
+++ b/modules/ignitions/kube-addon-manager/variables.tf
@@ -1,16 +1,14 @@
 variable "hyperkube" {
-  type = "map"
-
-  default = {
+  description = "(Optional) The hyperkube container image path and tag."
+  type        = map(string)
+  default     = {
     image_path = "gcr.io/google-containers/hyperkube-amd64"
-    image_tag  = "v1.13.4"
+    image_tag  = "v1.14.6"
   }
-
-  description = "(Optional) The hyperkube container image path and tag."
 }
 
 variable "addon_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/addons"
   description = "(Optional) The absolute path of the addons to be installed."
+  type        = string
+  default     = "/etc/kubernetes/addons"
 }
diff --git a/modules/ignitions/kube-addon-proxy/kube-proxy-yaml.tf b/modules/ignitions/kube-addon-proxy/kube-proxy-yaml.tf
index 8b19578b..f5ab6f1c 100644
--- a/modules/ignitions/kube-addon-proxy/kube-proxy-yaml.tf
+++ b/modules/ignitions/kube-addon-proxy/kube-proxy-yaml.tf
@@ -1,18 +1,18 @@
 data "template_file" "kube_proxy_yaml" {
-  template = "${file("${path.module}/resources/kubernetes/addon/kube-proxy.yaml")}"
+  template = file("${path.module}/resources/kubernetes/addon/kube-proxy.yaml")
 
-  vars {
+  vars = {
     hyperkube_image = "${var.hyperkube["image_path"]}:${var.hyperkube["image_tag"]}"
-    cluster_cidr    = "${var.cluster_cidr}"
+    cluster_cidr    = var.cluster_cidr
   }
 }
 
 data "ignition_file" "kube_proxy_yaml" {
   filesystem = "root"
-  mode       = "0644"
+  mode       = 420
   path       = "${pathexpand(var.addon_path)}/kube-proxy.yaml"
 
   content {
-    content = "${data.template_file.kube_proxy_yaml.rendered}"
+    content = data.template_file.kube_proxy_yaml.rendered
   }
 }
diff --git a/modules/ignitions/kube-addon-proxy/outputs.tf b/modules/ignitions/kube-addon-proxy/outputs.tf
index 5720e631..bec99561 100644
--- a/modules/ignitions/kube-addon-proxy/outputs.tf
+++ b/modules/ignitions/kube-addon-proxy/outputs.tf
@@ -4,6 +4,6 @@ output "systemd_units" {
 
 output "files" {
   value = [
-    "${data.ignition_file.kube_proxy_yaml.id}",
+    data.ignition_file.kube_proxy_yaml.rendered
   ]
 }
diff --git a/modules/ignitions/kube-addon-proxy/variables.tf b/modules/ignitions/kube-addon-proxy/variables.tf
index ad0b8d4e..a3365955 100644
--- a/modules/ignitions/kube-addon-proxy/variables.tf
+++ b/modules/ignitions/kube-addon-proxy/variables.tf
@@ -1,22 +1,20 @@
 variable "hyperkube" {
-  type = "map"
-
-  default = {
+  description = "(Optional) The hyperkube container image path and tag."
+  type        = map(string)
+  default     = {
     image_path = "gcr.io/google-containers/hyperkube-amd64"
-    image_tag  = "v1.13.4"
+    image_tag  = "v1.14.6"
   }
-
-  description = "(Optional) The hyperkube container image path and tag."
 }
 
 variable "addon_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/addons"
   description = "(Optional) The absolute path of the addons to be installed."
+  type        = string
+  default     = "/etc/kubernetes/addons"
 }
 
 variable "cluster_cidr" {
-  type = "string"
-
-  default = "10.2.0.0/16"
+  description = "The kubernetes cluster range"
+  type        = string
+  default     = "10.2.0.0/16"
 }
diff --git a/modules/ignitions/kube-audit/manifests.tf b/modules/ignitions/kube-audit/manifests.tf
index 06b6f12f..fb37bd82 100644
--- a/modules/ignitions/kube-audit/manifests.tf
+++ b/modules/ignitions/kube-audit/manifests.tf
@@ -1,4 +1,4 @@
 locals {
   filesystem = "root"
-  mode       = 0644
+  mode       = 420
 }
diff --git a/modules/ignitions/kube-audit/outputs.tf b/modules/ignitions/kube-audit/outputs.tf
index fe29bbdc..a281e785 100644
--- a/modules/ignitions/kube-audit/outputs.tf
+++ b/modules/ignitions/kube-audit/outputs.tf
@@ -4,6 +4,6 @@ output "systemd_units" {
 
 output "files" {
   value = [
-    "${data.ignition_file.policy_yaml.id}",
+    data.ignition_file.policy_yaml.rendered
   ]
 }
\ No newline at end of file
diff --git a/modules/ignitions/kube-audit/policy-yaml.tf b/modules/ignitions/kube-audit/policy-yaml.tf
index dc7a63ae..3e19d2b2 100644
--- a/modules/ignitions/kube-audit/policy-yaml.tf
+++ b/modules/ignitions/kube-audit/policy-yaml.tf
@@ -1,18 +1,18 @@
 data "template_file" "policy_yaml" {
-  template = "${file("${path.module}/resources/kubernetes/policy.yaml")}"
+  template = file("${path.module}/resources/kubernetes/policy.yaml")
 
   vars {
-    audit_policy = "${var.audit_policy}"
+    audit_policy = var.audit_policy
   }
 }
 
 data "ignition_file" "policy_yaml" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "${pathexpand(var.audit_policy_path)}/policy.yaml"
 
   content {
-    content = "${data.template_file.policy_yaml.rendered}"
+    content = data.template_file.policy_yaml.rendered
   }
 }
diff --git a/modules/ignitions/kube-audit/variables.tf b/modules/ignitions/kube-audit/variables.tf
index 079cbda3..109aebed 100644
--- a/modules/ignitions/kube-audit/variables.tf
+++ b/modules/ignitions/kube-audit/variables.tf
@@ -1,17 +1,18 @@
 variable "state_path" {
-  type        = "string"
-  default     = "/var/aws-iam-authenticator"
   description = "Persisted TLS certificate and keys."
+  type        = string
+  default     = "/var/aws-iam-authenticator"
 }
 
 variable "audit_policy_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/audit"
   description = "A path for autit policy file."
+  type        = string
+  default     = "/etc/kubernetes/audit"
 }
 
 variable "audit_policy" {
-  type        = "string"
+  description = "The policy for auditing log."
+  type        = string
   default     = <<EOF
 # Log all requests at the Metadata level.
 apiVersion: audit.k8s.io/v1
@@ -19,5 +20,4 @@ kind: Policy
 rules:
 - level: Metadata
 EOF
-  description = "The policy for auditing log."
 }
\ No newline at end of file
diff --git a/modules/ignitions/kube-config/kubeconfig.tf b/modules/ignitions/kube-config/kubeconfig.tf
index ffa88e14..0c420c29 100644
--- a/modules/ignitions/kube-config/kubeconfig.tf
+++ b/modules/ignitions/kube-config/kubeconfig.tf
@@ -1,28 +1,28 @@
 locals {
-  kubeconfig_name = "${var.kubeconfig_name == "" ? "${var.cluster_name}" : var.kubeconfig_name}"
+  kubeconfig_name = var.kubeconfig_name == "" ? var.cluster_name : var.kubeconfig_name
 }
 
 data "template_file" "kubeconfig" {
-  template = "${file("${path.module}/resources/kubernetes/kubeconfig")}"
+  template = file("${path.module}/resources/kubernetes/kubeconfig")
 
-  vars {
-    cluster_name        = "${var.cluster_name}"
-    kubeconfig_name     = "${local.kubeconfig_name}"
-    api_server_endpoint = "${var.api_server_endpoint}"
-    kubelet_ca          = "${base64encode(var.kube_certs["ca_cert_pem"])}"
-    kubelet_cert        = "${base64encode(var.kube_certs["kubelet_cert_pem"])}"
-    kubelet_key         = "${base64encode(var.kube_certs["kubelet_key_pem"])}"
+  vars = {
+    cluster_name        = var.cluster_name
+    kubeconfig_name     = local.kubeconfig_name
+    api_server_endpoint = var.api_server_endpoint
+    kubelet_ca          = base64encode(var.kube_certs["ca_cert_pem"])
+    kubelet_cert        = base64encode(var.kube_certs["kubelet_cert_pem"])
+    kubelet_key         = base64encode(var.kube_certs["kubelet_key_pem"])
   }
 
-  count = "${var.content == "" ? 1 : 0}"
+  count = var.content == "" ? 1 : 0
 }
 
 data "ignition_file" "kubeconfig" {
   filesystem = "root"
   path       = "/etc/kubernetes/kubeconfig"
-  mode       = 0644
+  mode       = 420
 
   content {
-    content = "${coalesce(var.content, join("", data.template_file.kubeconfig.*.rendered))}"
+    content = coalesce(var.content, join("", data.template_file.kubeconfig.*.rendered))
   }
 }
diff --git a/modules/ignitions/kube-config/outputs.tf b/modules/ignitions/kube-config/outputs.tf
index 7c855b9f..97fc0bbd 100644
--- a/modules/ignitions/kube-config/outputs.tf
+++ b/modules/ignitions/kube-config/outputs.tf
@@ -4,10 +4,10 @@ output "systemd_units" {
 
 output "files" {
   value = [
-    "${data.ignition_file.kubeconfig.id}",
+    data.ignition_file.kubeconfig.rendered,
   ]
 }
 
 output "content" {
-  value = "${coalesce(var.content, join("", data.template_file.kubeconfig.*.rendered))}"
+  value = coalesce(var.content, join("", data.template_file.kubeconfig.*.rendered))
 }
diff --git a/modules/ignitions/kube-config/variables.tf b/modules/ignitions/kube-config/variables.tf
index 0d28f294..33be9e42 100644
--- a/modules/ignitions/kube-config/variables.tf
+++ b/modules/ignitions/kube-config/variables.tf
@@ -1,30 +1,31 @@
 variable "content" {
-  type        = "string"
-  default     = ""
   description = "The content of the kubeconfig file."
+  type        = string
+  default     = ""
 }
 
 variable "kubeconfig_name" {
   description = "Override the default name used for items kubeconfig."
+  type        = string
   default     = ""
 }
 
 variable "cluster_name" {
-  type        = "string"
-  default     = ""
   description = "(Required) Name of the cluster."
+  type        = string
+  default     = ""
 }
 
 variable "api_server_endpoint" {
-  type        = "string"
-  default     = ""
   description = "(Required) The endpoint of the API server."
+  type        = string
+  default     = ""
 }
 
 variable "kube_certs" {
-  type = "map"
-
-  default = {
+  description = "The kubernetes certificate"
+  type        = map(string)
+  default     = {
     ca_cert_pem      = ""
     kubelet_key_pem  = ""
     kubelet_cert_pem = ""
diff --git a/modules/ignitions/kube-control-plane/kube-apiserver-yaml.tf b/modules/ignitions/kube-control-plane/kube-apiserver-yaml.tf
index 29240245..7d0163b0 100644
--- a/modules/ignitions/kube-control-plane/kube-apiserver-yaml.tf
+++ b/modules/ignitions/kube-control-plane/kube-apiserver-yaml.tf
@@ -1,40 +1,39 @@
 data "template_file" "kube_apiserver_yaml" {
-  template = "${file("${path.module}/resources/kubernetes/manifests/kube-apiserver.yaml")}"
+  template = file("${path.module}/resources/kubernetes/manifests/kube-apiserver.yaml")
 
-  vars {
+  vars = {
     hyperkube_image = "${var.hyperkube["image_path"]}:${var.hyperkube["image_tag"]}"
-    secret_path     = "${var.secret_path}"
-
-    etcd_servers   = "${var.etcd_config["endpoints"]}"
-    etcd_ca_flag   = "${var.etcd_certs["ca_cert_pem"] != "" ? "- --etcd-cafile=${var.secret_path}/etcd-client-ca.crt" : "# no etcd-client-ca.crt given" }"
-    etcd_cert_flag = "${var.etcd_certs["client_cert_pem"] != "" ? "- --etcd-certfile=${var.secret_path}/etcd-client.crt" : "# no etcd-client.crt given" }"
-    etcd_key_flag  = "${var.etcd_certs["client_key_pem"] != "" ? "- --etcd-keyfile=${var.secret_path}/etcd-client.key" : "# no etcd-client.key given" }"
-
-    anonymous_auth    = "${var.apiserver_config["anonymous_auth"]}"
-    advertise_address = "${var.apiserver_config["advertise_address"]}"
-    service_cidr      = "${var.cluster_config["service_cidr"]}"
-
-    auth_webhook_flag       = "${var.apiserver_config["auth_webhook_path"] != "" ? "- --authentication-token-webhook-config-file=${var.apiserver_config["auth_webhook_path"]}/kubeconfig" : "# no authentication token webhook provider"}"
-    auth_mount_volume_block = "${var.apiserver_config["auth_webhook_path"] != "" ? "${join("\n      ", list("${local.auth_volume_mount_name}", "${local.auth_volume_mount_path}", "${local.auth_volume_read_only}"))}" : "# no authentication token webhook provider"}"
-    auth_volume_block       = "${var.apiserver_config["auth_webhook_path"] != "" ? "${join("\n    ", list("${local.auth_volume_name}", "${local.auth_volume_host_path}", "${local.auth_volume_path}"))}" : "# no authentication token webhook provider"}"
-
-    audit_policy_flag        = "${var.apiserver_config["audit_policy_path"] != "" ? "${join("\n    ", list("- --audit-policy-file=${var.apiserver_config["audit_policy_path"]}/policy.yaml", "- --audit-log-path=${var.audit_log_backend["path"]}", "- --audit-log-maxage=${var.audit_log_backend["maxage"]}", "- --audit-log-maxbackup=${var.audit_log_backend["maxbackup"]}", "- --audit-log-maxsize=${var.audit_log_backend["maxsize"]}"))}" : "# not enable auditing"}"
-    audit_mount_volume_block = "${var.apiserver_config["audit_policy_path"] != "" ? "${join("\n      ", list("${local.audit_volume_mount_name}", "${local.audit_volume_mount_path}", "${local.audit_volume_read_only}"))}" : "# not enable auditing"}"
-    audit_volume_block       = "${var.apiserver_config["audit_policy_path"] != "" ? "${join("\n    ", list("${local.audit_volume_name}", "${local.audit_volume_host_path}", "${local.audit_volume_path}"))}" : "# not enable auditing"}"
-
-    cloud_provider             = "${var.cloud_provider["name"]}"
-    cloud_provider_config_flag = "${var.cloud_provider["config"] != "" ? "- --cloud-config=/etc/kubernetes/cloud/config" : "# no cloud provider config given"}"
+    secret_path     = var.secret_path
+
+    etcd_servers   = var.etcd_config["endpoints"]
+    etcd_ca_flag   = var.etcd_certs["ca_cert_pem"] != "" ? "- --etcd-cafile=${var.secret_path}/etcd-client-ca.crt" : "# no etcd-client-ca.crt given"
+    etcd_cert_flag = var.etcd_certs["client_cert_pem"] != "" ? "- --etcd-certfile=${var.secret_path}/etcd-client.crt" : "# no etcd-client.crt given"
+    etcd_key_flag  = var.etcd_certs["client_key_pem"] != "" ? "- --etcd-keyfile=${var.secret_path}/etcd-client.key" : "# no etcd-client.key given"
+
+    anonymous_auth    = var.apiserver_config["anonymous_auth"]
+    advertise_address = var.apiserver_config["advertise_address"]
+    service_cidr      = var.cluster_config["service_cidr"]
+
+    auth_webhook_flag        = var.apiserver_config["auth_webhook_path"] != "" ? "- --authentication-token-webhook-config-file=${var.apiserver_config["auth_webhook_path"]}/kubeconfig" : "# no authentication token webhook provider"
+    auth_mount_volume_block  = var.apiserver_config["auth_webhook_path"] != "" ? join("\n      ", list(local.auth_volume_mount_name, local.auth_volume_mount_path, local.auth_volume_read_only)) : "# no authentication token webhook provider"
+    auth_volume_block        = var.apiserver_config["auth_webhook_path"] != "" ? join("\n    ", list(local.auth_volume_name, local.auth_volume_host_path, local.auth_volume_path)) : "# no authentication token webhook provider"
+    audit_policy_flag        = var.apiserver_config["audit_policy_path"] != "" ? join("\n    ", list("- --audit-policy-file=${var.apiserver_config["audit_policy_path"]}/policy.yaml", "- --audit-log-path=${var.audit_log_backend["path"]}", "- --audit-log-maxage=${var.audit_log_backend["maxage"]}", "- --audit-log-maxbackup=${var.audit_log_backend["maxbackup"]}", "- --audit-log-maxsize=${var.audit_log_backend["maxsize"]}")) : "# not enable auditing"
+    audit_mount_volume_block = var.apiserver_config["audit_policy_path"] != "" ? join("\n      ", list(local.audit_volume_mount_name, local.audit_volume_mount_path, local.audit_volume_read_only)) : "# not enable auditing"
+    audit_volume_block       = var.apiserver_config["audit_policy_path"] != "" ? join("\n    ", list(local.audit_volume_name, local.audit_volume_host_path, local.audit_volume_path)) : "# not enable auditing"
+
+    cloud_provider             = var.cloud_provider["name"]
+    cloud_provider_config_flag = var.cloud_provider["config"] != "" ? "- --cloud-config=/etc/kubernetes/cloud/config" : "# no cloud provider config given"
   }
 }
 
 data "ignition_file" "kube_apiserver_yaml" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "${pathexpand(var.manifest_path)}/kube-apiserver.yaml"
 
   content {
-    content = "${data.template_file.kube_apiserver_yaml.rendered}"
+    content = data.template_file.kube_apiserver_yaml.rendered
   }
 }
 
@@ -43,7 +42,7 @@ locals {
   auth_volume_mount_path = "mountPath: ${var.apiserver_config["auth_webhook_path"]}"
   auth_volume_read_only  = "readOnly: true"
 
-  auth_volume_name      = "${local.auth_volume_mount_name}"
+  auth_volume_name      = local.auth_volume_mount_name
   auth_volume_host_path = "hostPath:"
   auth_volume_path      = "  path: ${var.apiserver_config["auth_webhook_path"]}"
 
@@ -52,7 +51,7 @@ locals {
   audit_volume_mount_path = "mountPath: ${var.apiserver_config["audit_policy_path"]}"
   audit_volume_read_only  = "readOnly: true"
 
-  audit_volume_name      = "${local.audit_volume_mount_name}"
+  audit_volume_name      = local.audit_volume_mount_name
   audit_volume_host_path = "hostPath:"
   audit_volume_path      = "  path: ${var.apiserver_config["audit_policy_path"]}"
 }
diff --git a/modules/ignitions/kube-control-plane/kube-controller-manager-yaml.tf b/modules/ignitions/kube-control-plane/kube-controller-manager-yaml.tf
index b6c5d124..0178d7b6 100644
--- a/modules/ignitions/kube-control-plane/kube-controller-manager-yaml.tf
+++ b/modules/ignitions/kube-control-plane/kube-controller-manager-yaml.tf
@@ -1,27 +1,27 @@
 data "template_file" "kube_controller_manager_yaml" {
-  template = "${file("${path.module}/resources/kubernetes/manifests/kube-controller-manager.yaml")}"
+  template = file("${path.module}/resources/kubernetes/manifests/kube-controller-manager.yaml")
 
-  vars {
+  vars = {
     hyperkube_image           = "${var.hyperkube["image_path"]}:${var.hyperkube["image_tag"]}"
-    kubernetes_version        = "${element(split("_", var.hyperkube["image_tag"]), 0)}"
-    secret_path               = "${var.secret_path}"
-    node_monitor_grace_period = "${var.cluster_config["node_monitor_grace_period"]}"
-    pod_eviction_timeout      = "${var.cluster_config["pod_eviction_timeout"]}"
+    kubernetes_version        = element(split("_", var.hyperkube["image_tag"]), 0)
+    secret_path               = var.secret_path
+    node_monitor_grace_period = var.cluster_config["node_monitor_grace_period"]
+    pod_eviction_timeout      = var.cluster_config["pod_eviction_timeout"]
 
-    cluster_cidr = "${var.cluster_config["pod_cidr"]}"
+    cluster_cidr = var.cluster_config["pod_cidr"]
 
-    cloud_provider             = "${var.cloud_provider["name"]}"
-    cloud_provider_config_flag = "${var.cloud_provider["config"] != "" ? "- --cloud-config=/etc/kubernetes/cloud/config" : "# no cloud provider config given"}"
+    cloud_provider             = var.cloud_provider["name"]
+    cloud_provider_config_flag = var.cloud_provider["config"] != "" ? "- --cloud-config=/etc/kubernetes/cloud/config" : "# no cloud provider config given"
   }
 }
 
 data "ignition_file" "kube_controller_manager_yaml" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "${pathexpand(var.manifest_path)}/kube-controller-manager.yaml"
 
   content {
-    content = "${data.template_file.kube_controller_manager_yaml.rendered}"
+    content = data.template_file.kube_controller_manager_yaml.rendered
   }
 }
diff --git a/modules/ignitions/kube-control-plane/kube-scheduler-yaml.tf b/modules/ignitions/kube-control-plane/kube-scheduler-yaml.tf
index 84ca43f7..95d85d30 100644
--- a/modules/ignitions/kube-control-plane/kube-scheduler-yaml.tf
+++ b/modules/ignitions/kube-control-plane/kube-scheduler-yaml.tf
@@ -1,19 +1,19 @@
 data "template_file" "kube_scheduler_yaml" {
-  template = "${file("${path.module}/resources/kubernetes/manifests/kube-scheduler.yaml")}"
+  template = file("${path.module}/resources/kubernetes/manifests/kube-scheduler.yaml")
 
-  vars {
+  vars = {
     hyperkube_image    = "${var.hyperkube["image_path"]}:${var.hyperkube["image_tag"]}"
-    kubernetes_version = "${element(split("_", var.hyperkube["image_tag"]), 0)}"
+    kubernetes_version = element(split("_", var.hyperkube["image_tag"]), 0)
   }
 }
 
 data "ignition_file" "kube_scheduler_yaml" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "${pathexpand(var.manifest_path)}/kube-scheduler.yaml"
 
   content {
-    content = "${data.template_file.kube_scheduler_yaml.rendered}"
+    content = data.template_file.kube_scheduler_yaml.rendered
   }
 }
diff --git a/modules/ignitions/kube-control-plane/kube-system-rbac-role-binding.tf b/modules/ignitions/kube-control-plane/kube-system-rbac-role-binding.tf
index 70d52f7a..35fae361 100644
--- a/modules/ignitions/kube-control-plane/kube-system-rbac-role-binding.tf
+++ b/modules/ignitions/kube-control-plane/kube-system-rbac-role-binding.tf
@@ -1,13 +1,13 @@
 data "template_file" "kube_system_rbac_role_binding_yaml" {
-  template = "${file("${path.module}/resources/kubernetes/addon/kube-system-rbac-role-binding.yaml")}"
+  template = file("${path.module}/resources/kubernetes/addon/kube-system-rbac-role-binding.yaml")
 }
 
 data "ignition_file" "kube_system_rbac_role_binding_yaml" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
   path       = "${pathexpand(var.addon_path)}/kube-system-rbac-role-binding.yaml"
 
   content {
-    content = "${data.template_file.kube_system_rbac_role_binding_yaml.rendered}"
+    content = data.template_file.kube_system_rbac_role_binding_yaml.rendered
   }
 }
diff --git a/modules/ignitions/kube-control-plane/manifests.tf b/modules/ignitions/kube-control-plane/manifests.tf
index 06b6f12f..fb37bd82 100644
--- a/modules/ignitions/kube-control-plane/manifests.tf
+++ b/modules/ignitions/kube-control-plane/manifests.tf
@@ -1,4 +1,4 @@
 locals {
   filesystem = "root"
-  mode       = 0644
+  mode       = 420
 }
diff --git a/modules/ignitions/kube-control-plane/outputs.tf b/modules/ignitions/kube-control-plane/outputs.tf
index 33dfc80e..48b97e05 100644
--- a/modules/ignitions/kube-control-plane/outputs.tf
+++ b/modules/ignitions/kube-control-plane/outputs.tf
@@ -4,17 +4,17 @@ output "systemd_units" {
 
 output "files" {
   value = [
-    "${data.ignition_file.kube_apiserver_yaml.id}",
-    "${data.ignition_file.kube_controller_manager_yaml.id}",
-    "${data.ignition_file.kube_scheduler_yaml.id}",
-    "${data.ignition_file.kube_system_rbac_role_binding_yaml.id}",
-    "${data.ignition_file.kube_ca_cert_pem.id}",
-    "${data.ignition_file.apiserver_key_pem.id}",
-    "${data.ignition_file.apiserver_cert_pem.id}",
-    "${data.ignition_file.service_account_pub.id}",
-    "${data.ignition_file.service_account_key.id}",
-    "${data.ignition_file.etcd_ca_cert_pem.id}",
-    "${data.ignition_file.etcd_client_cert_pem.id}",
-    "${data.ignition_file.etcd_client_key_pem.id}",
+    data.ignition_file.kube_apiserver_yaml.rendered,
+    data.ignition_file.kube_controller_manager_yaml.rendered,
+    data.ignition_file.kube_scheduler_yaml.rendered,
+    data.ignition_file.kube_system_rbac_role_binding_yaml.rendered,
+    data.ignition_file.kube_ca_cert_pem.rendered,
+    data.ignition_file.apiserver_key_pem.rendered,
+    data.ignition_file.apiserver_cert_pem.rendered,
+    data.ignition_file.service_account_pub.rendered,
+    data.ignition_file.service_account_key.rendered,
+    data.ignition_file.etcd_ca_cert_pem.rendered,
+    data.ignition_file.etcd_client_cert_pem.rendered,
+    data.ignition_file.etcd_client_key_pem.rendered,
   ]
 }
diff --git a/modules/ignitions/kube-control-plane/secrets.tf b/modules/ignitions/kube-control-plane/secrets.tf
index da1161cb..2ac72ee8 100644
--- a/modules/ignitions/kube-control-plane/secrets.tf
+++ b/modules/ignitions/kube-control-plane/secrets.tf
@@ -4,89 +4,89 @@ resource "tls_private_key" "service_account" {
 }
 
 data "ignition_file" "kube_ca_cert_pem" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "/etc/kubernetes/secrets/ca.crt"
 
   content {
-    content = "${var.kube_certs["ca_cert_pem"]}"
+    content = var.kube_certs["ca_cert_pem"]
   }
 }
 
 data "ignition_file" "apiserver_key_pem" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "/etc/kubernetes/secrets/apiserver.key"
 
   content {
-    content = "${var.kube_certs["apiserver_key_pem"]}"
+    content = var.kube_certs["apiserver_key_pem"]
   }
 }
 
 data "ignition_file" "apiserver_cert_pem" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "/etc/kubernetes/secrets/apiserver.crt"
 
   content {
-    content = "${var.kube_certs["apiserver_cert_pem"]}"
+    content = var.kube_certs["apiserver_cert_pem"]
   }
 }
 
 data "ignition_file" "service_account_pub" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "/etc/kubernetes/secrets/service-account.pub"
 
   content {
-    content = "${tls_private_key.service_account.public_key_pem}"
+    content = tls_private_key.service_account.public_key_pem
   }
 }
 
 data "ignition_file" "service_account_key" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "/etc/kubernetes/secrets/service-account.key"
 
   content {
-    content = "${tls_private_key.service_account.private_key_pem}"
+    content = tls_private_key.service_account.private_key_pem
   }
 }
 
 data "ignition_file" "etcd_ca_cert_pem" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "/etc/kubernetes/secrets/etcd-client-ca.crt"
 
   content {
-    content = "${var.etcd_certs["ca_cert_pem"]}"
+    content = var.etcd_certs["ca_cert_pem"]
   }
 }
 
 data "ignition_file" "etcd_client_cert_pem" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "/etc/kubernetes/secrets/etcd-client.crt"
 
   content {
-    content = "${var.etcd_certs["client_cert_pem"]}"
+    content = var.etcd_certs["client_cert_pem"]
   }
 }
 
 data "ignition_file" "etcd_client_key_pem" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "/etc/kubernetes/secrets/etcd-client.key"
 
   content {
-    content = "${var.etcd_certs["client_key_pem"]}"
+    content = var.etcd_certs["client_key_pem"]
   }
 }
diff --git a/modules/ignitions/kube-control-plane/variables.tf b/modules/ignitions/kube-control-plane/variables.tf
index 6dc937d2..dabb0b24 100644
--- a/modules/ignitions/kube-control-plane/variables.tf
+++ b/modules/ignitions/kube-control-plane/variables.tf
@@ -1,25 +1,25 @@
 variable "manifest_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/manifests"
   description = "(Optional) Path to the directory containing static manifests"
+  type        = string
+  default     = "/etc/kubernetes/manifests"
 }
 
 variable "addon_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/addons"
   description = "(Optional) The absolute path of the addons to be installed."
+  type        = string
+  default     = "/etc/kubernetes/addons"
 }
 
 variable "secret_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/secrets"
   description = "(Optional) Path to the directory containing static secrets"
+  type        = string
+  default     = "/etc/kubernetes/secrets"
 }
 
 variable "kube_certs" {
-  type = "map"
-
-  default = {
+  description = "The kubernetes certificate"
+  type        = map(string)
+  default     = {
     # ca_cert_pem        = ""
     # apiserver_key_pem  = ""
     # apiserver_cert_pem = ""
@@ -27,9 +27,9 @@ variable "kube_certs" {
 }
 
 variable "etcd_certs" {
-  type = "map"
-
-  default = {
+  description = "The ectd certificate"
+  type        = map(string)
+  default     = {
     # ca_cert_pem     = ""
     # client_key_pem  = ""
     # client_cert_pem = ""
@@ -37,20 +37,17 @@ variable "etcd_certs" {
 }
 
 variable "etcd_config" {
-  type = "map"
-
-  default = {
-    endpoints = ""
-  }
-
   description = <<EOF
   endpoints: The comma separated list of etcd endpoints (e.g., "http://etcd1:2379,http://etcd2:2379").
   EOF
+  type        = map(string)
+  default     = {
+    endpoints = ""
+  }
 }
 
 variable "apiserver_config" {
-  type = "map"
-
+  type    = map(string)
   default = {
     anonymous_auth    = false
     advertise_address = "0.0.0.0"
@@ -60,14 +57,12 @@ variable "apiserver_config" {
 }
 
 variable "audit_log_backend" {
-  type = "map"
+  type    = map(string)
   default = {}
 }
 
-
 variable "cloud_provider" {
-  type = "map"
-
+  type    = map(string)
   default = {
     name   = "aws"
     config = ""
@@ -75,28 +70,24 @@ variable "cloud_provider" {
 }
 
 variable "cluster_config" {
-  type = "map"
-
-  default = {
+  description = <<EOF
+  node_monitor_grace_period: Amount of time which we allow running Node to be unresponsive before marking it unhealthy. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status. N must be stricly > 1.
+  pod_eviction_timeout: The grace period for deleting pods on failed nodes. The eviction process will start after node_monitor_grace_period + pod_eviction_timeout.
+  EOF
+  type        = map(string)
+  default     = {
     node_monitor_grace_period = "40s"
     pod_eviction_timeout      = "5m"
     service_cidr              = "10.3.0.0/16"
     pod_cidr                  = "10.2.0.0/16"
   }
-
-  description = <<EOF
-  node_monitor_grace_period: Amount of time which we allow running Node to be unresponsive before marking it unhealthy. Must be N times more than kubelet's nodeStatusUpdateFrequency, where N means number of retries allowed for kubelet to post node status. N must be stricly > 1.
-  pod_eviction_timeout: The grace period for deleting pods on failed nodes. The eviction process will start after node_monitor_grace_period + pod_eviction_timeout.
-  EOF
 }
 
 variable "hyperkube" {
-  type = "map"
-
-  default = {
+  description = "The hyperkube container image path and tag"
+  type        = map(string)
+  default     = {
     image_path = "gcr.io/google-containers/hyperkube-amd64"
-    image_tag  = "v1.13.4"
+    image_tag  = "v1.14.6"
   }
-
-  description = "The hyperkube container image path and tag"
 }
diff --git a/modules/ignitions/kubelet/kubelet-env.tf b/modules/ignitions/kubelet/kubelet-env.tf
index a4786a8f..f87dd50b 100644
--- a/modules/ignitions/kubelet/kubelet-env.tf
+++ b/modules/ignitions/kubelet/kubelet-env.tf
@@ -1,18 +1,18 @@
 data "template_file" "kubelet_env" {
-  template = "${file("${path.module}/resources/kubernetes/kubelet.env")}"
+  template = file("${path.module}/resources/kubernetes/kubelet.env")
 
-  vars {
-    kubelet_image_url = "${var.hyperkube["image_path"]}"
-    kubelet_image_tag = "${var.hyperkube["image_tag"]}"
+  vars = {
+    kubelet_image_url = var.hyperkube["image_path"]
+    kubelet_image_tag = var.hyperkube["image_tag"]
   }
 }
 
 data "ignition_file" "kubelet_env" {
   filesystem = "root"
   path       = "/etc/kubernetes/kubelet.env"
-  mode       = 0644
+  mode       = 420
 
   content {
-    content = "${data.template_file.kubelet_env.rendered}"
+    content = data.template_file.kubelet_env.rendered
   }
 }
diff --git a/modules/ignitions/kubelet/kubelet.tf b/modules/ignitions/kubelet/kubelet.tf
index 12c09c5e..d8ea0c40 100644
--- a/modules/ignitions/kubelet/kubelet.tf
+++ b/modules/ignitions/kubelet/kubelet.tf
@@ -1,20 +1,20 @@
 data "template_file" "kubelet" {
-  template = "${file("${path.module}/resources/services/kubelet.service")}"
+  template = file("${path.module}/resources/services/kubelet.service")
 
-  vars {
-    kubelet_flag_cloud_provider       = "${var.kubelet_flag_cloud_provider != "" ? "--cloud-provider=${var.kubelet_flag_cloud_provider}" : ""}"
-    kubelet_flag_cloud_config         = "${var.kubelet_flag_cloud_config != "" ? "--cloud-config=/etc/kubernetes/cloud/config" : ""}"
-    kubelet_flag_cluster_dns          = "${var.kubelet_flag_cluster_dns != "" ? "--cluster-dns=${var.kubelet_flag_cluster_dns}": ""}"
-    kubelet_flag_cni_bin_dir          = "${var.kubelet_flag_cni_bin_dir != "" ? "--cni-bin-dir=${var.kubelet_flag_cni_bin_dir}" : ""}"
-    kubelet_flag_pod_manifest_path    = "${var.kubelet_flag_pod_manifest_path != "" ? "--pod-manifest-path=${var.kubelet_flag_pod_manifest_path}" : ""}"
-    kubelet_flag_node_labels          = "${var.kubelet_flag_node_labels != "" ? "--node-labels=${var.kubelet_flag_node_labels}" : ""}"
-    kubelet_flag_register_with_taints = "${var.kubelet_flag_register_with_taints != "" ? "--register-with-taints=${var.kubelet_flag_register_with_taints}" : ""}"
-    kubelet_flag_extra_flags          = "${length(var.kubelet_flag_extra_flags) > 0 ? join(" ", var.kubelet_flag_extra_flags) : ""}"
+  vars = {
+    kubelet_flag_cloud_provider       = var.kubelet_flag_cloud_provider != "" ? "--cloud-provider=${var.kubelet_flag_cloud_provider}" : ""
+    kubelet_flag_cloud_config         = var.kubelet_flag_cloud_config != "" ? "--cloud-config=/etc/kubernetes/cloud/config" : ""
+    kubelet_flag_cluster_dns          = var.kubelet_flag_cluster_dns != "" ? "--cluster-dns=${var.kubelet_flag_cluster_dns}": ""
+    kubelet_flag_cni_bin_dir          = var.kubelet_flag_cni_bin_dir != "" ? "--cni-bin-dir=${var.kubelet_flag_cni_bin_dir}" : ""
+    kubelet_flag_pod_manifest_path    = var.kubelet_flag_pod_manifest_path != "" ? "--pod-manifest-path=${var.kubelet_flag_pod_manifest_path}" : ""
+    kubelet_flag_node_labels          = var.kubelet_flag_node_labels != "" ? "--node-labels=${var.kubelet_flag_node_labels}" : ""
+    kubelet_flag_register_with_taints = var.kubelet_flag_register_with_taints != "" ? "--register-with-taints=${var.kubelet_flag_register_with_taints}" : ""
+    kubelet_flag_extra_flags          = length(var.kubelet_flag_extra_flags) > 0 ? join(" ", var.kubelet_flag_extra_flags) : ""
   }
 }
 
 data "ignition_systemd_unit" "kubelet" {
   name    = "kubelet.service"
   enabled = true
-  content = "${data.template_file.kubelet.rendered}"
+  content = data.template_file.kubelet.rendered
 }
diff --git a/modules/ignitions/kubelet/outputs.tf b/modules/ignitions/kubelet/outputs.tf
index 9b844455..ffb78d32 100644
--- a/modules/ignitions/kubelet/outputs.tf
+++ b/modules/ignitions/kubelet/outputs.tf
@@ -1,11 +1,11 @@
 output "systemd_units" {
   value = [
-    "${data.ignition_systemd_unit.kubelet.id}",
+    data.ignition_systemd_unit.kubelet.rendered
   ]
 }
 
 output "files" {
   value = [
-    "${data.ignition_file.kubelet_env.id}",
+    data.ignition_file.kubelet_env.rendered
   ]
 }
diff --git a/modules/ignitions/kubelet/variables.tf b/modules/ignitions/kubelet/variables.tf
index e44f0aa3..cb313242 100644
--- a/modules/ignitions/kubelet/variables.tf
+++ b/modules/ignitions/kubelet/variables.tf
@@ -1,18 +1,16 @@
 variable "kubelet_flag_cloud_provider" {
-  type        = "string"
-  default     = "aws"
   description = "The provider for cloud services. Specify empty string for running with no cloud provider."
+  type        = string
+  default     = "aws"
 }
 
 variable "kubelet_flag_cloud_config" {
-  type        = "string"
-  default     = ""
   description = "The path to the cloud provider configuration file.  Empty string for no configuration file."
+  type        = string
+  default     = ""
 }
 
 variable "kubelet_flag_cluster_dns" {
-  type = "string"
-
   description = <<EOF
 Comma-separated list of DNS server IP address.
 This value is used for containers DNS server in case of Pods with "dnsPolicy=ClusterFirst".
@@ -21,48 +19,47 @@ Note: all DNS servers appearing in the list MUST serve the same set of records o
 within the cluster may not work correctly. There is no guarantee as to which DNS server may be contacted
 for name resolution.
 EOF
+  type        = string
 }
 
 variable "kubelet_flag_cni_bin_dir" {
-  type        = "string"
-  default     = ""
   description = "The full path of the directory in which to search for CNI plugin binaries."
+  type        = string
+  default     = ""
 }
 
 variable "kubelet_flag_node_labels" {
-  type        = "string"
-  default     = ""
   description = "Labels to add when registering the node in the cluster. Labels must be key=value pairs separated by ','."
+  type        = string
+  default     = ""
 }
 
 variable "kubelet_flag_register_with_taints" {
-  type    = "string"
-  default = ""
-
   description = <<EOF
 Register the node with the given list of taints (comma separated "<key>=<value>:<effect>").
 EOF
+  type    = string
+  default = ""
 }
 
 variable "kubelet_flag_pod_manifest_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/manifests"
   description = "Path to the directory containing static pod files to run, or the path to a single static pod file. Files starting with dots will be ignored."
+  type        = string
+  default     = "/etc/kubernetes/manifests"
 }
 
 variable "kubelet_flag_extra_flags" {
-  type        = "list"
-  default     = []
   description = "Extra user-provided flags to kubelet."
+  type        = list(string)
+  default     = []
 }
 
 variable "hyperkube" {
-  type = "map"
 
-  default = {
+  description = "(Optional) The hyperkube container image path and tag."
+  type        = map(string)
+  default     = {
     image_path = "gcr.io/google-containers/hyperkube-amd64"
-    image_tag  = "v1.13.4"
+    image_tag  = "v1.14.6"
   }
-
-  description = "(Optional) The hyperkube container image path and tag."
 }
diff --git a/modules/ignitions/locksmithd/assets.tf b/modules/ignitions/locksmithd/assets.tf
index 8096d2a1..8680132c 100644
--- a/modules/ignitions/locksmithd/assets.tf
+++ b/modules/ignitions/locksmithd/assets.tf
@@ -1,8 +1,8 @@
 locals {
-  mask = "${ var.reboot_strategy == "off" ? true : false }"
+  mask = var.reboot_strategy == "off" ? true : false
 }
 
 data "ignition_systemd_unit" "locksmithd" {
   name = "locksmithd.service"
-  mask = "${local.mask}"
+  mask = local.mask
 }
diff --git a/modules/ignitions/locksmithd/outputs.tf b/modules/ignitions/locksmithd/outputs.tf
index 1087da09..d3c02088 100644
--- a/modules/ignitions/locksmithd/outputs.tf
+++ b/modules/ignitions/locksmithd/outputs.tf
@@ -1,6 +1,6 @@
 output "systemd_units" {
   value = [
-    "${data.ignition_systemd_unit.locksmithd.id}",
+    data.ignition_systemd_unit.locksmithd.rendered
   ]
 }
 
diff --git a/modules/ignitions/locksmithd/variables.tf b/modules/ignitions/locksmithd/variables.tf
index 5642c24d..94a9576d 100644
--- a/modules/ignitions/locksmithd/variables.tf
+++ b/modules/ignitions/locksmithd/variables.tf
@@ -1,4 +1,4 @@
 variable "reboot_strategy" {
-  type    = "string"
   description = "(Optional) CoreOS reboot strategies on updates, two option here: etcd-lock or off"
+  type        = string
 }
diff --git a/modules/ignitions/max-user-watches/assets.tf b/modules/ignitions/max-user-watches/assets.tf
index 8d09a850..550f41f2 100644
--- a/modules/ignitions/max-user-watches/assets.tf
+++ b/modules/ignitions/max-user-watches/assets.tf
@@ -1,17 +1,17 @@
 data "template_file" "max_user_watches" {
-  template = "${file("${path.module}/resources/sysctl.d/max-user-watches.conf")}"
+  template = file("${path.module}/resources/sysctl.d/max-user-watches.conf")
 
-  vars {
-    max_user_watches = "${var.max_user_watches}"
+  vars = {
+    max_user_watches = var.max_user_watches
   }
 }
 
 data "ignition_file" "max_user_watches" {
   filesystem = "root"
   path       = "/etc/sysctl.d/10-max-user-watches.conf"
-  mode       = 0644
+  mode       = 420
 
   content {
-    content = "${data.template_file.max_user_watches.rendered}"
+    content = data.template_file.max_user_watches.rendered
   }
 }
diff --git a/modules/ignitions/max-user-watches/outputs.tf b/modules/ignitions/max-user-watches/outputs.tf
index 1177bb60..21d4e103 100644
--- a/modules/ignitions/max-user-watches/outputs.tf
+++ b/modules/ignitions/max-user-watches/outputs.tf
@@ -4,6 +4,6 @@ output "systemd_units" {
 
 output "files" {
   value = [
-    "${data.ignition_file.max_user_watches.id}",
+    data.ignition_file.max_user_watches.rendered
   ]
 }
diff --git a/modules/ignitions/max-user-watches/variables.tf b/modules/ignitions/max-user-watches/variables.tf
index 75f6400f..4e8e6b3c 100644
--- a/modules/ignitions/max-user-watches/variables.tf
+++ b/modules/ignitions/max-user-watches/variables.tf
@@ -1,5 +1,5 @@
 variable "max_user_watches" {
-  default = 16184
-
   description = "(Optional) The max amount of inotify watchers"
+  type        = number
+  default     = 16184
 }
diff --git a/modules/ignitions/node-exporter/node-exporter-fetcher.tf b/modules/ignitions/node-exporter/node-exporter-fetcher.tf
index 9e1c709e..4597727e 100644
--- a/modules/ignitions/node-exporter/node-exporter-fetcher.tf
+++ b/modules/ignitions/node-exporter/node-exporter-fetcher.tf
@@ -1,13 +1,13 @@
 data "template_file" "node_exporter_fetcher" {
-  template = "${file("${path.module}/resources/services/node-exporter-fetcher.service")}"
+  template = file("${path.module}/resources/services/node-exporter-fetcher.service")
 
-  vars {
-    version = "${var.node_exporter_version}"
+  vars = {
+    version = var.node_exporter_version
   }
 }
 
 data "ignition_systemd_unit" "node_exporter_fetcher" {
   name    = "node-exporter-fetcher.service"
   enabled = true
-  content = "${data.template_file.node_exporter_fetcher.rendered}"
+  content = data.template_file.node_exporter_fetcher.rendered
 }
diff --git a/modules/ignitions/node-exporter/node-exporter.tf b/modules/ignitions/node-exporter/node-exporter.tf
index 0796a24f..bf4c5029 100644
--- a/modules/ignitions/node-exporter/node-exporter.tf
+++ b/modules/ignitions/node-exporter/node-exporter.tf
@@ -1,7 +1,7 @@
 data "template_file" "node_exporter" {
-  template = "${file("${path.module}/resources/services/node-exporter.service")}"
+  template = file("${path.module}/resources/services/node-exporter.service")
 
-  vars {
+  vars = {
     listen_address = "${var.listen_address}:${var.listen_port}"
   }
 }
@@ -9,5 +9,5 @@ data "template_file" "node_exporter" {
 data "ignition_systemd_unit" "node_exporter" {
   name    = "node-exporter.service"
   enabled = true
-  content = "${data.template_file.node_exporter.rendered}"
+  content = data.template_file.node_exporter.rendered
 }
diff --git a/modules/ignitions/node-exporter/outputs.tf b/modules/ignitions/node-exporter/outputs.tf
index f9107d6a..46fb614a 100644
--- a/modules/ignitions/node-exporter/outputs.tf
+++ b/modules/ignitions/node-exporter/outputs.tf
@@ -1,7 +1,7 @@
 output "systemd_units" {
   value = [
-    "${data.ignition_systemd_unit.node_exporter.id}",
-    "${data.ignition_systemd_unit.node_exporter_fetcher.id}",
+    data.ignition_systemd_unit.node_exporter.rendered,
+    data.ignition_systemd_unit.node_exporter_fetcher.rendered,
   ]
 }
 
diff --git a/modules/ignitions/node-exporter/variables.tf b/modules/ignitions/node-exporter/variables.tf
index dcb650f2..5f007101 100644
--- a/modules/ignitions/node-exporter/variables.tf
+++ b/modules/ignitions/node-exporter/variables.tf
@@ -1,13 +1,14 @@
 variable "listen_address" {
-  type    = "string"
+  type    = string
   default = "0.0.0.0"
 }
 
 variable "listen_port" {
+  type    = number
   default = 9100
 }
 
 variable "node_exporter_version" {
-  type    = "string"
-  default = "0.16.0"
+  type    = string
+  default = "0.18.1"
 }
diff --git a/modules/ignitions/ntp/assets.tf b/modules/ignitions/ntp/assets.tf
index 0271a44e..a25e3a83 100644
--- a/modules/ignitions/ntp/assets.tf
+++ b/modules/ignitions/ntp/assets.tf
@@ -1,17 +1,17 @@
 data "template_file" "ntp_dropin" {
-  template = "${file("${path.module}/resources/systemd/timesyncd.conf.d/10-timesyncd.conf")}"
+  template = file("${path.module}/resources/systemd/timesyncd.conf.d/10-timesyncd.conf")
 
   vars {
-    ntp_servers = "${join(" ", var.ntp_servers)}"
+    ntp_servers = join(" ", var.ntp_servers)
   }
 }
 
 data "ignition_file" "ntp_dropin" {
   path       = "/etc/systemd/timesyncd.conf.d/10-timesyncd.conf"
   filesystem = "root"
-  mode       = 0644
+  mode       = 420
 
   content {
-    content = "${data.template_file.ntp_dropin.rendered}"
+    content = data.template_file.ntp_dropin.rendered
   }
 }
diff --git a/modules/ignitions/ntp/outputs.tf b/modules/ignitions/ntp/outputs.tf
index 1cab0f99..12cd82a4 100644
--- a/modules/ignitions/ntp/outputs.tf
+++ b/modules/ignitions/ntp/outputs.tf
@@ -4,6 +4,6 @@ output "systemd_units" {
 
 output "files" {
   value = [
-    "${data.ignition_file.ntp_dropin.id}",
+    data.ignition_file.ntp_dropin.rendered
   ]
 }
diff --git a/modules/ignitions/ntp/variables.tf b/modules/ignitions/ntp/variables.tf
index 0f473384..c56196bd 100644
--- a/modules/ignitions/ntp/variables.tf
+++ b/modules/ignitions/ntp/variables.tf
@@ -1,4 +1,4 @@
 variable "ntp_servers" {
-  type        = "list"
   description = "A list of NTP servers to be used for time synchronization on the cluster nodes."
+  type        = list(string)
 }
diff --git a/modules/ignitions/pod-checkpointer/manifests.tf b/modules/ignitions/pod-checkpointer/manifests.tf
index 06b6f12f..fb37bd82 100644
--- a/modules/ignitions/pod-checkpointer/manifests.tf
+++ b/modules/ignitions/pod-checkpointer/manifests.tf
@@ -1,4 +1,4 @@
 locals {
   filesystem = "root"
-  mode       = 0644
+  mode       = 420
 }
diff --git a/modules/ignitions/pod-checkpointer/outputs.tf b/modules/ignitions/pod-checkpointer/outputs.tf
index 48382a4e..cc99b17a 100644
--- a/modules/ignitions/pod-checkpointer/outputs.tf
+++ b/modules/ignitions/pod-checkpointer/outputs.tf
@@ -4,6 +4,6 @@ output "systemd_units" {
 
 output "files" {
   value = [
-    "${data.ignition_file.pod_checkpointer_yaml.id}",
+    data.ignition_file.pod_checkpointer_yaml.rendered
   ]
 }
diff --git a/modules/ignitions/pod-checkpointer/pod-checkpointer-yaml.tf b/modules/ignitions/pod-checkpointer/pod-checkpointer-yaml.tf
index a21b4d6d..db28dbb4 100644
--- a/modules/ignitions/pod-checkpointer/pod-checkpointer-yaml.tf
+++ b/modules/ignitions/pod-checkpointer/pod-checkpointer-yaml.tf
@@ -1,18 +1,18 @@
 data "template_file" "pod_checkpointer_yaml" {
-  template = "${file("${path.module}/resources/kubernetes/addon/pod-checkpointer.yaml")}"
+  template = file("${path.module}/resources/kubernetes/addon/pod-checkpointer.yaml")
 
-  vars {
-    pod_checkpointer_image = "${var.pod_checkpointer["image_path"]}:${var.pod_checkpointer["image_tag"]}"
+  vars  ={
+    pod_checkpointer_image = var.pod_checkpointer["image_path"]}:${var.pod_checkpointer["image_tag"]
   }
 }
 
 data "ignition_file" "pod_checkpointer_yaml" {
-  filesystem = "${local.filesystem}"
-  mode       = "${local.mode}"
+  filesystem = local.filesystem
+  mode       = local.mode
 
   path = "${pathexpand(var.addon_path)}/pod-checkpointer.yaml"
 
   content {
-    content = "${data.template_file.pod_checkpointer_yaml.rendered}"
+    content = data.template_file.pod_checkpointer_yaml.rendered
   }
 }
diff --git a/modules/ignitions/pod-checkpointer/variables.tf b/modules/ignitions/pod-checkpointer/variables.tf
index ca1d04ab..6b3e1d7e 100644
--- a/modules/ignitions/pod-checkpointer/variables.tf
+++ b/modules/ignitions/pod-checkpointer/variables.tf
@@ -1,16 +1,14 @@
 variable "pod_checkpointer" {
-  type = "map"
-
+  description = "The hyperkube container image path and tag"
+  type = map(string)
   default = {
     image_path = "quay.io/coreos/pod-checkpointer"
     image_tag  = "e22cc0e3714378de92f45326474874eb602ca0ac"
   }
-
-  description = "The hyperkube container image path and tag"
 }
 
 variable "addon_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/addons"
   description = "(Optional) The absolute path of the addons to be installed."
+  type        = string
+  default     = "/etc/kubernetes/addons"
 }
diff --git a/modules/ignitions/tx-off/assets.tf b/modules/ignitions/tx-off/assets.tf
index 9df18361..153ac806 100644
--- a/modules/ignitions/tx-off/assets.tf
+++ b/modules/ignitions/tx-off/assets.tf
@@ -1,9 +1,9 @@
 data "template_file" "tx_off" {
-  template = "${file("${path.module}/resources/services/tx-off.service")}"
+  template = file("${path.module}/resources/services/tx-off.service")
 }
 
 data "ignition_systemd_unit" "tx_off" {
   name    = "tx-off.service"
   enabled = true
-  content = "${data.template_file.tx_off.rendered}"
+  content = data.template_file.tx_off.rendered
 }
diff --git a/modules/ignitions/tx-off/outputs.tf b/modules/ignitions/tx-off/outputs.tf
index b82d0ecf..351011a9 100644
--- a/modules/ignitions/tx-off/outputs.tf
+++ b/modules/ignitions/tx-off/outputs.tf
@@ -1,6 +1,6 @@
 output "systemd_units" {
   value = [
-    "${data.ignition_systemd_unit.tx_off.id}",
+    data.ignition_systemd_unit.tx_off.rendered
   ]
 }
 
diff --git a/modules/ignitions/update-ca-certificates/assets.tf b/modules/ignitions/update-ca-certificates/assets.tf
index 8f7e1cd8..8146cb58 100644
--- a/modules/ignitions/update-ca-certificates/assets.tf
+++ b/modules/ignitions/update-ca-certificates/assets.tf
@@ -1,15 +1,13 @@
 data "template_file" "update_ca_certificates_dropin" {
-  template = "${file("${path.module}/resources/dropins/10-always-update-ca-certificates.conf")}"
+  template = file("${path.module}/resources/dropins/10-always-update-ca-certificates.conf")
 }
 
 data "ignition_systemd_unit" "update_ca_certificates_dropin" {
   name    = "update-ca-certificates.service"
   enabled = true
 
-  dropin = [
-    {
+  dropin {
       name    = "10-always-update-ca-certificates.conf"
-      content = "${data.template_file.update_ca_certificates_dropin.rendered}"
-    },
-  ]
+      content = data.template_file.update_ca_certificates_dropin.rendered
+  }
 }
diff --git a/modules/ignitions/update-ca-certificates/outputs.tf b/modules/ignitions/update-ca-certificates/outputs.tf
index 19d03b8b..561702ec 100644
--- a/modules/ignitions/update-ca-certificates/outputs.tf
+++ b/modules/ignitions/update-ca-certificates/outputs.tf
@@ -1,6 +1,6 @@
 output "systemd_units" {
   value = [
-    "${data.ignition_systemd_unit.update_ca_certificates_dropin.id}",
+    data.ignition_systemd_unit.update_ca_certificates_dropin.rendered
   ]
 }
 
diff --git a/modules/tls/certificate-authority/ca.tf b/modules/tls/certificate-authority/ca.tf
index 3ccab8d5..2511bfd0 100644
--- a/modules/tls/certificate-authority/ca.tf
+++ b/modules/tls/certificate-authority/ca.tf
@@ -3,29 +3,25 @@ locals {
 }
 
 resource "tls_private_key" "ca" {
-  count = "${var.self_signed ? 1 : 0}"
+  count = var.self_signed ? 1 : 0
 
-  algorithm = "${local.algorithm}"
-  rsa_bits  = "${var.rsa_bits}"
+  algorithm = local.algorithm
+  rsa_bits  = var.rsa_bits
 }
 
 resource "tls_self_signed_cert" "ca" {
-  count = "${var.self_signed ? 1 : 0}"
+  count = var.self_signed ? 1 : 0
 
-  key_algorithm   = "${tls_private_key.ca.algorithm}"
-  private_key_pem = "${tls_private_key.ca.private_key_pem}"
+  key_algorithm   = tls_private_key.ca[count.index].algorithm
+  private_key_pem = tls_private_key.ca[count.index].private_key_pem
 
   subject {
-    common_name  = "${var.cert_config["common_name"]}"
-    organization = "${var.cert_config["organization"]}"
+    common_name  = var.cert_config["common_name"]
+    organization = var.cert_config["organization"]
   }
 
   is_ca_certificate     = true
-  validity_period_hours = "${var.cert_config["validity_period_hours"]}"
+  validity_period_hours = var.cert_config["validity_period_hours"]
 
-  allowed_uses = [
-    "key_encipherment",
-    "digital_signature",
-    "cert_signing",
-  ]
+  allowed_uses = var.ca_uses
 }
diff --git a/modules/tls/certificate-authority/main.tf b/modules/tls/certificate-authority/main.tf
deleted file mode 100644
index f54063ca..00000000
--- a/modules/tls/certificate-authority/main.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-provider "local" {
-  version = "~> 1.1"
-}
-
-provider "template" {
-  version = "~> 1.0"
-}
-
-provider "tls" {
-  version = "~> 1.1"
-}
diff --git a/modules/tls/certificate-authority/outputs.tf b/modules/tls/certificate-authority/outputs.tf
index 39175bfb..27345065 100644
--- a/modules/tls/certificate-authority/outputs.tf
+++ b/modules/tls/certificate-authority/outputs.tf
@@ -1,19 +1,19 @@
 output "algorithm" {
-  value = "${var.self_signed ? join("", tls_private_key.ca.*.algorithm) : ""}"
+  value = var.self_signed ? join("", tls_private_key.ca.*.algorithm) : ""
 }
 
 output "rsa_bits" {
-  value = "${var.self_signed ? var.rsa_bits : 0}"
+  value = var.self_signed ? var.rsa_bits : 0
 }
 
 output "private_key_pem" {
-  value = "${var.self_signed ? join("", tls_private_key.ca.*.private_key_pem) : ""}"
+  value = var.self_signed ? join("", tls_private_key.ca.*.private_key_pem) : ""
 
   sensitive = true
 }
 
 output "cert_pem" {
-  value = "${var.self_signed ? join("", tls_self_signed_cert.ca.*.cert_pem) : file(var.ca_cert_path)}"
+  value = var.self_signed ? join("", tls_self_signed_cert.ca.*.cert_pem) : file(var.ca_cert_path)
 
   sensitive = true
 }
diff --git a/modules/tls/certificate-authority/variables.tf b/modules/tls/certificate-authority/variables.tf
index fee9c7da..d954794a 100644
--- a/modules/tls/certificate-authority/variables.tf
+++ b/modules/tls/certificate-authority/variables.tf
@@ -3,10 +3,9 @@ variable "rsa_bits" {
 }
 
 variable "cert_config" {
-  type        = "map"
   description = "Certificate configuration"
-
-  default = {
+  type        = map(string)
+  default     = {
     common_name           = ""
     organization          = ""
     validity_period_hours = "26280"
@@ -14,14 +13,24 @@ variable "cert_config" {
 }
 
 variable "ca_cert_path" {
-  type        = "string"
   description = "external CA certificate"
+  type        = string
   default     = "/dev/null"
 }
 
+variable "ca_uses" {
+  type    = list(string)
+  default = [
+    "key_encipherment",
+    "digital_signature",
+    "cert_signing"
+  ]
+}
+
 variable "self_signed" {
   description = <<EOF
 If set to true, self-signed certificates are generated.
 If set to false, only the passed CA and client certs are being used.
 EOF
+  type        = bool
 }
diff --git a/modules/tls/certificate/cert.tf b/modules/tls/certificate/cert.tf
index 542d24c1..45fda89a 100644
--- a/modules/tls/certificate/cert.tf
+++ b/modules/tls/certificate/cert.tf
@@ -3,39 +3,37 @@ locals {
 }
 
 resource "tls_private_key" "pk" {
-  count = "${var.self_signed ? 1 : 0}"
+  count = var.self_signed ? 1 : 0
 
-  algorithm = "${local.algorithm}"
-  rsa_bits  = "${var.rsa_bits}"
+  algorithm = local.algorithm
+  rsa_bits  = var.rsa_bits
 }
 
 resource "tls_cert_request" "request" {
-  count = "${var.self_signed ? 1 : 0}"
+  count = var.self_signed ? 1 : 0
 
-  key_algorithm   = "${tls_private_key.pk.algorithm}"
-  private_key_pem = "${tls_private_key.pk.private_key_pem}"
+  key_algorithm   = tls_private_key.pk[count.index].algorithm
+  private_key_pem = tls_private_key.pk[count.index].private_key_pem
 
   subject {
-    common_name  = "${var.cert_config["common_name"]}"
-    organization = "${var.cert_config["organization"]}"
+    common_name  = var.cert_config["common_name"]
+    organization = var.cert_config["organization"]
   }
 
-  dns_names = ["${distinct(var.cert_hostnames)}"]
+  dns_names = distinct(var.cert_hostnames)
 
-  ip_addresses = ["${distinct(var.cert_ip_addresses)}"]
+  ip_addresses = distinct(var.cert_ip_addresses)
 }
 
 resource "tls_locally_signed_cert" "cert" {
-  count = "${var.self_signed ? 1 : 0}"
+  count = var.self_signed ? 1 : 0
 
-  cert_request_pem = "${tls_cert_request.request.cert_request_pem}"
+  cert_request_pem = tls_cert_request.request[count.index].cert_request_pem
 
-  ca_key_algorithm      = "${var.ca_config["algorithm"]}"
-  ca_private_key_pem    = "${var.ca_config["key_pem"]}"
-  ca_cert_pem           = "${var.ca_config["cert_pem"]}"
-  validity_period_hours = "${var.cert_config["validity_period_hours"]}"
+  ca_key_algorithm      = var.ca_config["algorithm"]
+  ca_private_key_pem    = var.ca_config["key_pem"]
+  ca_cert_pem           = var.ca_config["cert_pem"]
+  validity_period_hours = var.cert_config["validity_period_hours"]
 
-  allowed_uses = [
-    "${concat(list("key_encipherment"), var.cert_uses)}",
-  ]
+  allowed_uses = concat(list("key_encipherment"), var.cert_uses)
 }
diff --git a/modules/tls/certificate/main.tf b/modules/tls/certificate/main.tf
deleted file mode 100644
index f54063ca..00000000
--- a/modules/tls/certificate/main.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-provider "local" {
-  version = "~> 1.1"
-}
-
-provider "template" {
-  version = "~> 1.0"
-}
-
-provider "tls" {
-  version = "~> 1.1"
-}
diff --git a/modules/tls/certificate/outputs.tf b/modules/tls/certificate/outputs.tf
index bb22c0b1..9fcab6a6 100644
--- a/modules/tls/certificate/outputs.tf
+++ b/modules/tls/certificate/outputs.tf
@@ -1,11 +1,11 @@
 output "private_key_pem" {
-  value = "${element(concat(tls_private_key.pk.*.private_key_pem, list("")), 0)}"
+  value = element(concat(tls_private_key.pk.*.private_key_pem, list("")), 0)
 
   sensitive = true
 }
 
 output "cert_pem" {
-  value = "${element(concat(tls_locally_signed_cert.cert.*.cert_pem, list("")), 0)}"
+  value = element(concat(tls_locally_signed_cert.cert.*.cert_pem, list("")), 0)
 
   sensitive = true
 }
diff --git a/modules/tls/certificate/variables.tf b/modules/tls/certificate/variables.tf
index eeee4b5a..c674a1ad 100644
--- a/modules/tls/certificate/variables.tf
+++ b/modules/tls/certificate/variables.tf
@@ -1,12 +1,12 @@
 variable "rsa_bits" {
+  type    = number
   default = 2048
 }
 
 variable "ca_config" {
-  type        = "map"
   description = "Certificate Authority configuration"
-
-  default = {
+  type        = map(string)
+  default     = {
     algorithm = "RSA"
     key_pem   = ""
     cert_pem  = ""
@@ -14,10 +14,9 @@ variable "ca_config" {
 }
 
 variable "cert_config" {
-  type        = "map"
   description = "Certificate configuration"
-
-  default = {
+  type        = map(string)
+  default     = {
     common_name           = ""
     organization          = ""
     validity_period_hours = "26280"
@@ -25,17 +24,17 @@ variable "cert_config" {
 }
 
 variable "cert_hostnames" {
-  type    = "list"
+  type    = list(string)
   default = []
 }
 
 variable "cert_ip_addresses" {
-  type    = "list"
+  type    = list(string)
   default = []
 }
 
 variable "cert_uses" {
-  type    = "list"
+  type    = list(string)
   default = []
 }
 
@@ -44,4 +43,5 @@ variable "self_signed" {
 If set to true, self-signed certificates are generated.
 If set to false, only the passed CA and client certs are being used.
 EOF
+  type        = bool
 }
diff --git a/modules/tls/private-key/main.tf b/modules/tls/private-key/main.tf
deleted file mode 100644
index 86316ce9..00000000
--- a/modules/tls/private-key/main.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-provider "tls" {
-  version = "~> 1.1"
-}
\ No newline at end of file
diff --git a/modules/tls/private-key/outputs.tf b/modules/tls/private-key/outputs.tf
index 63702f16..063404c9 100644
--- a/modules/tls/private-key/outputs.tf
+++ b/modules/tls/private-key/outputs.tf
@@ -1,12 +1,12 @@
 output "private_key_pem" {
-  value = "${tls_private_key.main.private_key_pem}"
+  value = tls_private_key.main.private_key_pem
 }
 
 output "public_key_pem" {
-  value = "${tls_private_key.main.public_key_pem}"
+  value = tls_private_key.main.public_key_pem
 }
 
 output "public_key_openssh" {
-  value = "${tls_private_key.main.public_key_openssh}"
+  value = tls_private_key.main.public_key_openssh
 }
 

From 1ec87dd89476f8db9cd91ab28e3aee05099df8fb Mon Sep 17 00:00:00 2001
From: smalltown <smalltown20110306@gmail.com>
Date: Sat, 7 Sep 2019 17:19:44 +0800
Subject: [PATCH 03/11] upgrade etcd to 3.4.0 and bug fix

---
 examples/elastikube-cluster/main.tf           |  2 +-
 modules/aws/elastikube/variables.tf           |  4 +-
 modules/aws/kube-etcd/dns.tf                  | 30 ++++++------
 modules/aws/kube-etcd/etcd.tf                 |  9 ++--
 modules/aws/kube-etcd/outputs.tf              |  5 +-
 modules/aws/kube-etcd/variables.tf            |  4 +-
 modules/ignitions/etcd/assets.tf              | 24 ----------
 modules/ignitions/etcd/certs.tf               | 28 +++++------
 modules/ignitions/etcd/etcd.tf                | 36 +++++++++++++++
 modules/ignitions/etcd/outputs.tf             |  6 ++-
 .../ignitions/etcd/resources/config/etcd.env  | 46 +++++++++++++++++++
 .../resources/dropins/40-etcd-cluster.conf    | 26 -----------
 .../etcd/resources/services/etcd.service      | 27 +++++++++++
 modules/ignitions/etcd/variables.tf           | 12 ++++-
 .../resources/addon/kube-flannel.yaml         |  2 +-
 15 files changed, 168 insertions(+), 93 deletions(-)
 delete mode 100644 modules/ignitions/etcd/assets.tf
 create mode 100644 modules/ignitions/etcd/etcd.tf
 create mode 100644 modules/ignitions/etcd/resources/config/etcd.env
 delete mode 100644 modules/ignitions/etcd/resources/dropins/40-etcd-cluster.conf
 create mode 100644 modules/ignitions/etcd/resources/services/etcd.service

diff --git a/examples/elastikube-cluster/main.tf b/examples/elastikube-cluster/main.tf
index 06555ae1..39a55ef3 100644
--- a/examples/elastikube-cluster/main.tf
+++ b/examples/elastikube-cluster/main.tf
@@ -30,7 +30,7 @@ module "kubernetes" {
     instance_count   = "3"
     ec2_type         = "t3.medium"
     root_volume_iops = "0"
-    root_volume_size = "256"
+    root_volume_size = "100"
     root_volume_type = "gp2"
   }
 
diff --git a/modules/aws/elastikube/variables.tf b/modules/aws/elastikube/variables.tf
index 5e5c8e06..6fb80ea3 100644
--- a/modules/aws/elastikube/variables.tf
+++ b/modules/aws/elastikube/variables.tf
@@ -100,9 +100,9 @@ variable "etcd_config" {
   type        = map(string)
   default     = {
     instance_count   = "1"
-    ec2_type         = "t2.medium"
+    ec2_type         = "t3.medium"
     root_volume_iops = "100"
-    root_volume_size = "256"
+    root_volume_size = "100"
     root_volume_type = "gp2"
   }
 }
diff --git a/modules/aws/kube-etcd/dns.tf b/modules/aws/kube-etcd/dns.tf
index 670e86e5..95d03d6c 100644
--- a/modules/aws/kube-etcd/dns.tf
+++ b/modules/aws/kube-etcd/dns.tf
@@ -7,22 +7,15 @@ locals {
   discovery_service = substr(data.aws_route53_zone.etcd.name, 0, length(data.aws_route53_zone.etcd.name) - 1)
 }
 
-data "template_file" "etcd_names" {
-  count    = var.etcd_config["instance_count"]
-  template = "ip-${replace(aws_instance.etcd.*.private_ip[count.index], ".", "-")}.${local.discovery_service}"
-}
-
-data "template_file" "etcd_endpoints" {
-  count    = var.etcd_config["instance_count"]
-  template = format("https://%s:%s", data.template_file.etcd_names.*.rendered[count.index], local.client_port)
-}
-
 resource "aws_route53_record" "etcd_discovery" {
   zone_id = data.aws_route53_zone.etcd.zone_id
   name    = local.discovery_service
   type    = "SRV"
   ttl     = "300"
-  records = formatlist("0 0 %s %s", local.peer_port, data.template_file.etcd_names.*.rendered)
+  records = [
+    for instance_ip in aws_instance.etcd.*.private_ip:
+      "0 0 ${local.peer_port} ip-${replace(instance_ip, ".", "-")}.${local.discovery_service}"
+  ]
 }
 
 resource "aws_route53_record" "etcd_discovery_server_ssl" {
@@ -30,7 +23,10 @@ resource "aws_route53_record" "etcd_discovery_server_ssl" {
   name    = "_etcd-server-ssl._tcp.${local.discovery_service}"
   type    = "SRV"
   ttl     = "300"
-  records = formatlist("0 0 %s %s", local.peer_port, data.template_file.etcd_names.*.rendered)
+  records = [
+    for instance_ip in aws_instance.etcd.*.private_ip:
+      "0 0 ${local.peer_port} ip-${replace(instance_ip, ".", "-")}.${local.discovery_service}"
+  ]
 }
 
 resource "aws_route53_record" "etcd_discovery_client_ssl" {
@@ -38,14 +34,18 @@ resource "aws_route53_record" "etcd_discovery_client_ssl" {
   name    = "_etcd-client-ssl._tcp.${local.discovery_service}"
   type    = "SRV"
   ttl     = "300"
-  records = formatlist("0 0 %s %s", local.client_port, data.template_file.etcd_names.*.rendered)
+
+  records = [
+    for instance_ip in aws_instance.etcd.*.private_ip:
+      "0 0 ${local.client_port} ip-${replace(instance_ip, ".", "-")}.${local.discovery_service}"
+  ]
 }
 
 resource "aws_route53_record" "etcd" {
   count   = var.etcd_config["instance_count"]
   zone_id = data.aws_route53_zone.etcd.zone_id
-  name    = data.template_file.etcd_names.*.rendered[count.index]
+  name    = "ip-${replace(aws_instance.etcd.*.private_ip[count.index], ".", "-")}.${local.discovery_service}"
   type    = "A"
   ttl     = "300"
   records = [aws_instance.etcd.*.private_ip[count.index]]
-}
+}
\ No newline at end of file
diff --git a/modules/aws/kube-etcd/etcd.tf b/modules/aws/kube-etcd/etcd.tf
index 9022151c..34c3e6e4 100644
--- a/modules/aws/kube-etcd/etcd.tf
+++ b/modules/aws/kube-etcd/etcd.tf
@@ -1,9 +1,10 @@
-data "aws_subnet" "subnet" {
-  id = var.subnet_ids[0]
+data "aws_subnet" "etcd" {
+  count = var.etcd_config["instance_count"]
+  id    = var.subnet_ids[count.index % length(var.subnet_ids)]
 }
 
 locals {
-  vpc_id      = data.aws_subnet.subnet.vpc_id
+  vpc_id      = data.aws_subnet.etcd[0].vpc_id
   client_port = 2379
   peer_port   = 2380
 }
@@ -46,4 +47,4 @@ resource "aws_instance" "etcd" {
     "Name", "${var.name}-etcd-${count.index}-vol",
     "kubernetes.io/cluster/${var.name}", "owned",
     ), var.extra_tags)
-}
+}
\ No newline at end of file
diff --git a/modules/aws/kube-etcd/outputs.tf b/modules/aws/kube-etcd/outputs.tf
index c2995894..20cdf36c 100644
--- a/modules/aws/kube-etcd/outputs.tf
+++ b/modules/aws/kube-etcd/outputs.tf
@@ -1,5 +1,8 @@
 output "endpoints" {
-  value = data.template_file.etcd_endpoints.*.rendered
+  value = [
+    for instance_ip in aws_instance.etcd.*.private_ip:
+      "https://ip-${replace(instance_ip, ".", "-")}.${local.discovery_service}:${local.client_port}"
+  ]
 }
 
 output "ca_cert_pem" {
diff --git a/modules/aws/kube-etcd/variables.tf b/modules/aws/kube-etcd/variables.tf
index e410fb90..12894a67 100644
--- a/modules/aws/kube-etcd/variables.tf
+++ b/modules/aws/kube-etcd/variables.tf
@@ -69,9 +69,9 @@ variable "etcd_config" {
   type        = map(string)
   default     = {
     instance_count   = "1"
-    ec2_type         = "t2.medium"
+    ec2_type         = "t3.medium"
     root_volume_iops = "100"
-    root_volume_size = "256"
+    root_volume_size = "100"
     root_volume_type = "gp2"
   }
 }
diff --git a/modules/ignitions/etcd/assets.tf b/modules/ignitions/etcd/assets.tf
deleted file mode 100644
index b8b651a2..00000000
--- a/modules/ignitions/etcd/assets.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-data "template_file" "etcd" {
-  template = file("${path.module}/resources/dropins/40-etcd-cluster.conf")
-
-  vars = {
-    certs_path          = var.certs_path
-    container_image_url = var.container["image_path"]
-    container_image_tag = var.container["image_tag"]
-    client_port         = var.client_port
-    peer_port           = var.peer_port
-    cluster_name        = var.name
-    scheme              = "https"
-    discovery_service   = var.discovery_service
-  }
-}
-
-data "ignition_systemd_unit" "etcd" {
-  name    = "etcd-member.service"
-  enabled = true
-
-  dropin {
-      name    = "40-etcd-cluster.conf"
-      content = data.template_file.etcd.rendered
-  }
-}
diff --git a/modules/ignitions/etcd/certs.tf b/modules/ignitions/etcd/certs.tf
index 3be86036..4c9d4f93 100644
--- a/modules/ignitions/etcd/certs.tf
+++ b/modules/ignitions/etcd/certs.tf
@@ -1,8 +1,8 @@
 data "ignition_file" "etcd_ca" {
   path       = "${var.certs_path}/ca.crt"
   mode       = 420
-  uid        = 232
-  gid        = 232
+  uid        = var.etcd_user_id
+  gid        = var.etcd_user_id
   filesystem = "root"
 
   content {
@@ -13,8 +13,8 @@ data "ignition_file" "etcd_ca" {
 data "ignition_file" "etcd_client_key" {
   path       = "${var.certs_path}/client.key"
   mode       = 256
-  uid        = 232
-  gid        = 232
+  uid        = var.etcd_user_id
+  gid        = var.etcd_user_id
   filesystem = "root"
 
   content {
@@ -25,8 +25,8 @@ data "ignition_file" "etcd_client_key" {
 data "ignition_file" "etcd_client_cert" {
   path       = "${var.certs_path}/client.crt"
   mode       = 256
-  uid        = 232
-  gid        = 232
+  uid        = var.etcd_user_id
+  gid        = var.etcd_user_id
   filesystem = "root"
 
   content {
@@ -37,8 +37,8 @@ data "ignition_file" "etcd_client_cert" {
 data "ignition_file" "etcd_server_key" {
   path       = "${var.certs_path}/server.key"
   mode       = 256
-  uid        = 232
-  gid        = 232
+  uid        = var.etcd_user_id
+  gid        = var.etcd_user_id
   filesystem = "root"
 
   content {
@@ -49,8 +49,8 @@ data "ignition_file" "etcd_server_key" {
 data "ignition_file" "etcd_server_cert" {
   path       = "${var.certs_path}/server.crt"
   mode       = 256
-  uid        = 232
-  gid        = 232
+  uid        = var.etcd_user_id
+  gid        = var.etcd_user_id
   filesystem = "root"
 
   content {
@@ -61,8 +61,8 @@ data "ignition_file" "etcd_server_cert" {
 data "ignition_file" "etcd_peer_key" {
   path       = "${var.certs_path}/peer.key"
   mode       = 256
-  uid        = 232
-  gid        = 232
+  uid        = var.etcd_user_id
+  gid        = var.etcd_user_id
   filesystem = "root"
 
   content {
@@ -73,8 +73,8 @@ data "ignition_file" "etcd_peer_key" {
 data "ignition_file" "etcd_peer_cert" {
   path       = "${var.certs_path}/peer.crt"
   mode       = 256
-  uid        = 232
-  gid        = 232
+  uid        = var.etcd_user_id
+  gid        = var.etcd_user_id
   filesystem = "root"
 
   content {
diff --git a/modules/ignitions/etcd/etcd.tf b/modules/ignitions/etcd/etcd.tf
new file mode 100644
index 00000000..332b679d
--- /dev/null
+++ b/modules/ignitions/etcd/etcd.tf
@@ -0,0 +1,36 @@
+data "template_file" "etcd_env" {
+  template = file("${path.module}/resources/config/etcd.env")
+
+  vars = {
+    image_url    = var.container["image_path"]
+    image_tag    = var.container["image_tag"]
+    user_id      = var.etcd_user_id
+    cluster_name      = var.name
+    certs_path        = var.certs_path
+    data_path         = var.data_path
+    discovery_service = var.discovery_service
+    scheme            = "https"
+    client_port       = var.client_port
+    peer_port         = var.peer_port
+  }
+}
+
+data "ignition_file" "etcd_env" {
+  filesystem = "root"
+  path       = "/etc/etcd/etcd.env"
+  mode       = 420
+
+  content {
+    content = data.template_file.etcd_env.rendered
+  }
+}
+
+data "template_file" "etcd_service" {
+  template = file("${path.module}/resources/services/etcd.service")
+}
+
+data "ignition_systemd_unit" "etcd_service" {
+  name    = "etcd.service"
+  enabled = true
+  content = data.template_file.etcd_service.rendered
+}
\ No newline at end of file
diff --git a/modules/ignitions/etcd/outputs.tf b/modules/ignitions/etcd/outputs.tf
index 5414f99d..4f23840e 100644
--- a/modules/ignitions/etcd/outputs.tf
+++ b/modules/ignitions/etcd/outputs.tf
@@ -1,11 +1,13 @@
 output "systemd_units" {
   value = [
-    data.ignition_systemd_unit.etcd.rendered
+    data.ignition_systemd_unit.etcd_service.rendered,
+    #data.ignition_systemd_unit.etcd_data.rendered
   ]
 }
 
 output "files" {
   value = [
+    data.ignition_file.etcd_env.rendered,
     data.ignition_file.etcd_ca.rendered,
     data.ignition_file.etcd_client_cert.rendered,
     data.ignition_file.etcd_client_key.rendered,
@@ -14,4 +16,4 @@ output "files" {
     data.ignition_file.etcd_peer_cert.rendered,
     data.ignition_file.etcd_peer_key.rendered
   ]
-}
+}
\ No newline at end of file
diff --git a/modules/ignitions/etcd/resources/config/etcd.env b/modules/ignitions/etcd/resources/config/etcd.env
new file mode 100644
index 00000000..e4f6d869
--- /dev/null
+++ b/modules/ignitions/etcd/resources/config/etcd.env
@@ -0,0 +1,46 @@
+# ETCD SELF DEFINE CONFIGURATION
+IMAGE_URL="${image_url}"
+IMAGE_TAG="${image_tag}"
+CLIENT_PORT="${client_port}"
+PEER_PORT="${peer_port}"
+SCHEME="${scheme}"
+USER_ID="${user_id}"
+
+# ETCD OFFICIAL CONFIGURATION
+ETCD_CERT_FILE="${certs_path}/server.crt"
+ETCD_KEY_FILE="${certs_path}/server.key"
+ETCD_PEER_CERT_FILE="${certs_path}/peer.crt"
+ETCD_PEER_KEY_FILE="${certs_path}/peer.key"
+ETCD_PEER_TRUSTED_CA_FILE="${certs_path}/ca.crt"
+ETCD_TRUSTED_CA_FILE="${certs_path}/ca.crt"
+ETCD_PEER_CLIENT_CERT_AUTH="true"
+ETCD_CLIENT_CERT_AUTH="true"
+ETCD_LISTEN_CLIENT_URLS="${scheme}://0.0.0.0:${client_port}"
+ETCD_LISTEN_PEER_URLS="${scheme}://0.0.0.0:${peer_port}"
+ETCD_DATA_DIR="${data_path}"
+ETCD_DISCOVERY_SRV="${discovery_service}"
+ETCD_INITIAL_CLUSTER_STATE="new"
+ETCD_INITIAL_CLUSTER_TOKEN="${cluster_name}"
+ETCD_LOGGER="zap"
+
+# RKT VOLUME CONFIGURATION
+RKT_RUN_ARGS="--volume etcd-ssl,kind=host,source=${certs_path} \
+  --mount volume=etcd-ssl,target=${certs_path} \
+  --volume coreos-systemd-dir,kind=host,source=/run/systemd/system,readOnly=true \
+  --mount volume=coreos-systemd-dir,target=/run/systemd/system \
+  --volume coreos-notify,kind=host,source=/run/systemd/notify \
+  --mount volume=coreos-notify,target=/run/systemd/notify \
+  --volume coreos-data-dir,kind=host,source=${data_path},readOnly=false \
+  --mount volume=coreos-data-dir,target=/var/lib/etcd \
+  --volume coreos-etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \
+  --mount volume=coreos-etc-ssl-certs,target=/etc/ssl/certs \
+  --volume coreos-usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
+  --mount volume=coreos-usr-share-certs,target=/usr/share/ca-certificates \
+  --volume coreos-etc-hosts,kind=host,source=/etc/hosts,readOnly=true \
+  --mount volume=coreos-etc-hosts,target=/etc/hosts \
+  --volume coreos-etc-resolv,kind=host,source=/etc/resolv.conf,readOnly=true \
+  --mount volume=coreos-etc-resolv,target=/etc/resolv.conf \
+  --set-env=NOTIFY_SOCKET=/run/systemd/notify \
+  --stage1-from-dir=stage1-fly.aci \
+  --inherit-env \
+  --trust-keys-from-https"
\ No newline at end of file
diff --git a/modules/ignitions/etcd/resources/dropins/40-etcd-cluster.conf b/modules/ignitions/etcd/resources/dropins/40-etcd-cluster.conf
deleted file mode 100644
index 4a17bfe7..00000000
--- a/modules/ignitions/etcd/resources/dropins/40-etcd-cluster.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-[Service]
-Environment="ETCD_IMAGE=${container_image_url}:${container_image_tag}"
-Environment="RKT_RUN_ARGS=--volume etcd-ssl,kind=host,source=${certs_path} \
-        --mount volume=etcd-ssl,target=${certs_path}"
-ExecStartPre=/usr/bin/sh -c "HOSTNAME=$(curl -s http://169.254.169.254/latest/meta-data/local-hostname | cut -d '.' -f 1); /usr/bin/systemctl set-environment MY_NAME=$HOSTNAME"
-ExecStartPre=/usr/bin/sh -c "HOST_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4); /usr/bin/systemctl set-environment HOST_IP=$HOST_IP"
-
-ExecStart=
-ExecStart=/usr/lib/coreos/etcd-wrapper \
-  --name=$${MY_NAME} \
-  --discovery-srv=${discovery_service} \
-  --data-dir=/var/lib/etcd \
-  --initial-cluster-token=${cluster_name} \
-  --initial-cluster-state=new \
-  --cert-file=${certs_path}/server.crt \
-  --key-file=${certs_path}/server.key \
-  --peer-cert-file=${certs_path}/peer.crt \
-  --peer-key-file=${certs_path}/peer.key \
-  --peer-trusted-ca-file=${certs_path}/ca.crt \
-  --peer-client-cert-auth=true \
-  --client-cert-auth=true \
-  --trusted-ca-file=${certs_path}/ca.crt \
-  --advertise-client-urls=${scheme}://$${MY_NAME}.${discovery_service}:${client_port} \
-  --initial-advertise-peer-urls=${scheme}://$${MY_NAME}.${discovery_service}:${peer_port} \
-  --listen-client-urls=${scheme}://0.0.0.0:${client_port} \
-  --listen-peer-urls=${scheme}://0.0.0.0:${peer_port}
diff --git a/modules/ignitions/etcd/resources/services/etcd.service b/modules/ignitions/etcd/resources/services/etcd.service
new file mode 100644
index 00000000..f71d667e
--- /dev/null
+++ b/modules/ignitions/etcd/resources/services/etcd.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=etcd service
+# Wait for networking
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+Slice=machine.slice
+
+EnvironmentFile=/etc/etcd/etcd.env
+
+ExecStartPre=/usr/bin/sh -c "HOSTNAME=$(curl -s http://169.254.169.254/latest/meta-data/local-hostname | cut -d '.' -f 1); /usr/bin/systemctl set-environment MY_NAME=$HOSTNAME"
+ExecStartPre=/usr/bin/sh -c "HOST_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4); /usr/bin/systemctl set-environment HOST_IP=$HOST_IP"
+
+ExecStartPre=/bin/mkdir -p /var/lib/etcd
+ExecStartPre=/usr/bin/chown $${USER_ID}:$${USER_ID} /var/lib/etcd
+
+ExecStart=/usr/bin/rkt run $RKT_RUN_ARGS $${IMAGE_URL}:$${IMAGE_TAG} \
+  --user=$${ETCD_USER_ID} -- --name=$${MY_NAME} \
+  --advertise-client-urls=$${SCHEME}://$${HOST_IP}:$${CLIENT_PORT} \
+  --initial-advertise-peer-urls=$${SCHEME}://$${HOST_IP}:$${PEER_PORT}
+
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/modules/ignitions/etcd/variables.tf b/modules/ignitions/etcd/variables.tf
index 21c2a032..4dae3aa1 100644
--- a/modules/ignitions/etcd/variables.tf
+++ b/modules/ignitions/etcd/variables.tf
@@ -2,6 +2,11 @@ variable "name" {
   type = string
 }
 
+variable "etcd_user_id" {
+  type = number
+  default = 232
+}
+
 variable "discovery_service" {
   type = string
 }
@@ -33,11 +38,16 @@ variable "certs_config" {
   }
 }
 
+variable "data_path" {
+  type    = string
+  default = "/var/lib/etcd"
+}
+
 variable "container" {
   type = map(string)
 
   default = {
     image_path = "quay.io/coreos/etcd"
-    image_tag  = "v3.3.15"
+    image_tag  = "v3.4.0"
   }
 }
diff --git a/modules/ignitions/kube-addon-flannel-vxlan/resources/addon/kube-flannel.yaml b/modules/ignitions/kube-addon-flannel-vxlan/resources/addon/kube-flannel.yaml
index a64b515d..4a9e8ed3 100644
--- a/modules/ignitions/kube-addon-flannel-vxlan/resources/addon/kube-flannel.yaml
+++ b/modules/ignitions/kube-addon-flannel-vxlan/resources/addon/kube-flannel.yaml
@@ -210,7 +210,7 @@ spec:
             path: /run/flannel
         - name: cni
           hostPath:
-            path: /etc/cni/net.d
+            path: /etc/kubernetes/cni/net.d
         - name: flannel-cfg
           configMap:
             name: kube-flannel-cfg
\ No newline at end of file

From 4d84892b5f19c9429eaf331a29d9f8c556eb8c9d Mon Sep 17 00:00:00 2001
From: smalltown <smalltown20110306@gmail.com>
Date: Mon, 9 Sep 2019 18:42:39 +0800
Subject: [PATCH 04/11] bug fix for ign aws-iam-auth-master and kube-audit

---
 modules/ignitions/aws-iam-auth-master/webhook-kubeconfig.tf | 2 +-
 modules/ignitions/kube-audit/policy-yaml.tf                 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/ignitions/aws-iam-auth-master/webhook-kubeconfig.tf b/modules/ignitions/aws-iam-auth-master/webhook-kubeconfig.tf
index 6edcfab0..71a95e56 100644
--- a/modules/ignitions/aws-iam-auth-master/webhook-kubeconfig.tf
+++ b/modules/ignitions/aws-iam-auth-master/webhook-kubeconfig.tf
@@ -1,5 +1,5 @@
 data "template_file" "kubeconfig" {
-  template = file("${path.module}/resources/kubernetes/webhook/kubeconfig")}"
+  template = file("${path.module}/resources/kubernetes/webhook/kubeconfig")
 
   vars = {
     webhook_ca = var.webhook_kubeconfig_ca
diff --git a/modules/ignitions/kube-audit/policy-yaml.tf b/modules/ignitions/kube-audit/policy-yaml.tf
index 3e19d2b2..d9e4ac64 100644
--- a/modules/ignitions/kube-audit/policy-yaml.tf
+++ b/modules/ignitions/kube-audit/policy-yaml.tf
@@ -1,7 +1,7 @@
 data "template_file" "policy_yaml" {
   template = file("${path.module}/resources/kubernetes/policy.yaml")
 
-  vars {
+  vars = {
     audit_policy = var.audit_policy
   }
 }

From 247caa0acb1fa22c79108cf43f903e98850fa954 Mon Sep 17 00:00:00 2001
From: smalltown <smalltown20110306@gmail.com>
Date: Wed, 18 Sep 2019 17:10:38 +0800
Subject: [PATCH 05/11] modify for reviewing feedback

---
 modules/ignitions/etcd/certs.tf     | 28 ++++++++++++++--------------
 modules/ignitions/etcd/variables.tf | 13 ++++++++++---
 2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/modules/ignitions/etcd/certs.tf b/modules/ignitions/etcd/certs.tf
index 4c9d4f93..912638e9 100644
--- a/modules/ignitions/etcd/certs.tf
+++ b/modules/ignitions/etcd/certs.tf
@@ -1,8 +1,8 @@
 data "ignition_file" "etcd_ca" {
   path       = "${var.certs_path}/ca.crt"
   mode       = 420
-  uid        = var.etcd_user_id
-  gid        = var.etcd_user_id
+  uid        = var.cert_file_owner["uid"]
+  gid        = var.cert_file_owner["gid"]
   filesystem = "root"
 
   content {
@@ -13,8 +13,8 @@ data "ignition_file" "etcd_ca" {
 data "ignition_file" "etcd_client_key" {
   path       = "${var.certs_path}/client.key"
   mode       = 256
-  uid        = var.etcd_user_id
-  gid        = var.etcd_user_id
+  uid        = var.cert_file_owner["uid"]
+  gid        = var.cert_file_owner["gid"]
   filesystem = "root"
 
   content {
@@ -25,8 +25,8 @@ data "ignition_file" "etcd_client_key" {
 data "ignition_file" "etcd_client_cert" {
   path       = "${var.certs_path}/client.crt"
   mode       = 256
-  uid        = var.etcd_user_id
-  gid        = var.etcd_user_id
+  uid        = var.cert_file_owner["uid"]
+  gid        = var.cert_file_owner["gid"]
   filesystem = "root"
 
   content {
@@ -37,8 +37,8 @@ data "ignition_file" "etcd_client_cert" {
 data "ignition_file" "etcd_server_key" {
   path       = "${var.certs_path}/server.key"
   mode       = 256
-  uid        = var.etcd_user_id
-  gid        = var.etcd_user_id
+  uid        = var.cert_file_owner["uid"]
+  gid        = var.cert_file_owner["gid"]
   filesystem = "root"
 
   content {
@@ -49,8 +49,8 @@ data "ignition_file" "etcd_server_key" {
 data "ignition_file" "etcd_server_cert" {
   path       = "${var.certs_path}/server.crt"
   mode       = 256
-  uid        = var.etcd_user_id
-  gid        = var.etcd_user_id
+  uid        = var.cert_file_owner["uid"]
+  gid        = var.cert_file_owner["gid"]
   filesystem = "root"
 
   content {
@@ -61,8 +61,8 @@ data "ignition_file" "etcd_server_cert" {
 data "ignition_file" "etcd_peer_key" {
   path       = "${var.certs_path}/peer.key"
   mode       = 256
-  uid        = var.etcd_user_id
-  gid        = var.etcd_user_id
+  uid        = var.cert_file_owner["uid"]
+  gid        = var.cert_file_owner["gid"]
   filesystem = "root"
 
   content {
@@ -73,8 +73,8 @@ data "ignition_file" "etcd_peer_key" {
 data "ignition_file" "etcd_peer_cert" {
   path       = "${var.certs_path}/peer.crt"
   mode       = 256
-  uid        = var.etcd_user_id
-  gid        = var.etcd_user_id
+  uid        = var.cert_file_owner["uid"]
+  gid        = var.cert_file_owner["gid"]
   filesystem = "root"
 
   content {
diff --git a/modules/ignitions/etcd/variables.tf b/modules/ignitions/etcd/variables.tf
index 4dae3aa1..8c4ea8f7 100644
--- a/modules/ignitions/etcd/variables.tf
+++ b/modules/ignitions/etcd/variables.tf
@@ -2,9 +2,16 @@ variable "name" {
   type = string
 }
 
-variable "etcd_user_id" {
-  type = number
-  default = 232
+variable "cert_file_owner" {
+  type = object({
+    uid = number
+    gid = number
+  })
+
+  default = {
+    uid = 232
+    git = 232
+  }
 }
 
 variable "discovery_service" {

From c29afe918b1204e9a71c6f9c5d4d3203bdbf512c Mon Sep 17 00:00:00 2001
From: smalltown <smalltown20110306@gmail.com>
Date: Wed, 18 Sep 2019 17:10:48 +0800
Subject: [PATCH 06/11] coredns bugfix

---
 modules/aws/elastikube/ign-essential.tf       |  1 -
 .../ignitions/kube-addon-dns/coredns-yaml.tf  |  4 ----
 .../kubernetes/manifests/coredns.yaml         |  2 +-
 modules/ignitions/kube-addon-dns/variables.tf | 23 -------------------
 4 files changed, 1 insertion(+), 29 deletions(-)

diff --git a/modules/aws/elastikube/ign-essential.tf b/modules/aws/elastikube/ign-essential.tf
index 6baa5c00..784482db 100644
--- a/modules/aws/elastikube/ign-essential.tf
+++ b/modules/aws/elastikube/ign-essential.tf
@@ -25,7 +25,6 @@ module "ignition_kube_addon_manager" {
 module "ignition_kube_addon_dns" {
   source = "../../ignitions/kube-addon-dns"
 
-  reverse_cidrs  = var.service_cidr
   cluster_dns_ip = local.cluster_dns_ip
 }
 
diff --git a/modules/ignitions/kube-addon-dns/coredns-yaml.tf b/modules/ignitions/kube-addon-dns/coredns-yaml.tf
index 401af7ce..8bfee9b8 100644
--- a/modules/ignitions/kube-addon-dns/coredns-yaml.tf
+++ b/modules/ignitions/kube-addon-dns/coredns-yaml.tf
@@ -3,12 +3,8 @@ data "template_file" "coredns_yaml" {
 
   vars = {
     image               = var.image
-    reverse_cidrs       = var.reverse_cidrs
     cluster_dns_ip      = var.cluster_dns_ip
     cluster_domain      = var.cluster_domain
-    federations         = var.federations
-    subdomains          = var.subdomains
-    upstream_nameserver = var.upstream_nameserver
   }
 }
 
diff --git a/modules/ignitions/kube-addon-dns/resources/kubernetes/manifests/coredns.yaml b/modules/ignitions/kube-addon-dns/resources/kubernetes/manifests/coredns.yaml
index 25ac6a20..8a65953d 100644
--- a/modules/ignitions/kube-addon-dns/resources/kubernetes/manifests/coredns.yaml
+++ b/modules/ignitions/kube-addon-dns/resources/kubernetes/manifests/coredns.yaml
@@ -64,7 +64,7 @@ data:
         errors
         health
         ready
-        kubernetes {{ pillar['dns_domain'] }} in-addr.arpa ip6.arpa {
+        kubernetes ${cluster_domain} in-addr.arpa ip6.arpa {
             pods insecure
             fallthrough in-addr.arpa ip6.arpa
             ttl 30
diff --git a/modules/ignitions/kube-addon-dns/variables.tf b/modules/ignitions/kube-addon-dns/variables.tf
index 9b304d2f..f271dc4f 100644
--- a/modules/ignitions/kube-addon-dns/variables.tf
+++ b/modules/ignitions/kube-addon-dns/variables.tf
@@ -10,11 +10,6 @@ variable "image" {
   default     = "k8s.gcr.io/coredns:1.6.2"
 }
 
-variable "reverse_cidrs" {
-  description = "CoreDNS reverse cidrs"
-  type        = string
-}
-
 variable "cluster_dns_ip" {
   description = "K8S cluster dns ip"
   type        = string
@@ -24,22 +19,4 @@ variable "cluster_domain" {
   description = "K8S cluster domain"
   type        = string
   default     = "cluster.local."
-}
-
-variable "federations" {
-  description = "federations"
-  type        = string
-  default     = ""
-}
-
-variable "subdomains" {
-  description = "subdomains"
-  type        = string
-  default     = ""
-}
-
-variable "upstream_nameserver" {
-  description = "upstream nameserver"
-  type        = string
-  default     = "/etc/resolv.conf"
 }
\ No newline at end of file

From 05ebd16a6ec6b16e8720c6a14407dab399cb7ed7 Mon Sep 17 00:00:00 2001
From: smalltown <smalltown20110306@gmail.com>
Date: Thu, 19 Sep 2019 11:03:59 +0800
Subject: [PATCH 07/11] variable typo

---
 modules/ignitions/etcd/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ignitions/etcd/variables.tf b/modules/ignitions/etcd/variables.tf
index 8c4ea8f7..1cd1519c 100644
--- a/modules/ignitions/etcd/variables.tf
+++ b/modules/ignitions/etcd/variables.tf
@@ -10,7 +10,7 @@ variable "cert_file_owner" {
 
   default = {
     uid = 232
-    git = 232
+    gid = 232
   }
 }
 

From a0c3fdaddb371c23d406dd418597bb318368a1cd Mon Sep 17 00:00:00 2001
From: smalltown <smalltown20110306@gmail.com>
Date: Thu, 19 Sep 2019 11:08:44 +0800
Subject: [PATCH 08/11] fix not exist variable

---
 modules/ignitions/etcd/etcd.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ignitions/etcd/etcd.tf b/modules/ignitions/etcd/etcd.tf
index 332b679d..50d45f70 100644
--- a/modules/ignitions/etcd/etcd.tf
+++ b/modules/ignitions/etcd/etcd.tf
@@ -4,7 +4,7 @@ data "template_file" "etcd_env" {
   vars = {
     image_url    = var.container["image_path"]
     image_tag    = var.container["image_tag"]
-    user_id      = var.etcd_user_id
+    user_id      = var.cert_file_owner["uid"]
     cluster_name      = var.name
     certs_path        = var.certs_path
     data_path         = var.data_path

From 143ef022988a6c797c4e1284a7edd21e06a703dd Mon Sep 17 00:00:00 2001
From: smalltown <smalltown20110306@gmail.com>
Date: Fri, 27 Sep 2019 13:14:40 +0800
Subject: [PATCH 09/11] support AWS IRSA

---
 .../aws-iam-auth-master.tf                    |  41 -----
 examples/aws-iam-authenticator/main.tf        | 152 ------------------
 examples/aws-iam-authenticator/variables.tf   |  39 -----
 examples/aws-iam/certs.tf                     |  38 +++++
 examples/aws-iam/ign-authenticator.tf         |  37 +++++
 .../k8s/nginx.yml => aws-iam/k8s/nginx.yaml}  |   0
 examples/aws-iam/main.tf                      | 110 +++++++++++++
 examples/aws-iam/oidc.tf                      |  29 ++++
 examples/aws-iam/outputs.tf                   |  23 +++
 examples/aws-iam/providers.tf                 |  32 ++++
 .../resources/kubeconfig.iam                  |   0
 examples/aws-iam/variables.tf                 |  88 ++++++++++
 .../eks-cluster/k8s/{nginx.yml => nginx.yaml} |   0
 .../k8s/{nginx.yml => nginx.yaml}             |   0
 examples/elastikube-cluster/main.tf           |   2 +-
 modules/aws/elastikube/master.tf              |   7 +-
 modules/aws/elastikube/outputs.tf             |   4 +
 modules/aws/elastikube/variables.tf           |  12 ++
 modules/aws/kube-master/ign-control-plane.tf  |   3 +-
 modules/aws/kube-master/outputs.tf            |   4 +
 modules/aws/kube-master/variables.tf          |  12 ++
 .../kube-control-plane/kube-apiserver-yaml.tf |   3 +
 .../ignitions/kube-control-plane/outputs.tf   |   6 +
 .../kubernetes/manifests/kube-apiserver.yaml  |   1 +
 .../ignitions/kube-control-plane/secrets.tf   |  27 ++++
 .../ignitions/kube-control-plane/variables.tf |  12 ++
 26 files changed, 445 insertions(+), 237 deletions(-)
 delete mode 100644 examples/aws-iam-authenticator/aws-iam-auth-master.tf
 delete mode 100644 examples/aws-iam-authenticator/main.tf
 delete mode 100644 examples/aws-iam-authenticator/variables.tf
 create mode 100644 examples/aws-iam/certs.tf
 create mode 100644 examples/aws-iam/ign-authenticator.tf
 rename examples/{aws-iam-authenticator/k8s/nginx.yml => aws-iam/k8s/nginx.yaml} (100%)
 create mode 100644 examples/aws-iam/main.tf
 create mode 100644 examples/aws-iam/oidc.tf
 create mode 100644 examples/aws-iam/outputs.tf
 create mode 100644 examples/aws-iam/providers.tf
 rename examples/{aws-iam-authenticator => aws-iam}/resources/kubeconfig.iam (100%)
 create mode 100644 examples/aws-iam/variables.tf
 rename examples/eks-cluster/k8s/{nginx.yml => nginx.yaml} (100%)
 rename examples/elastikube-cluster/k8s/{nginx.yml => nginx.yaml} (100%)

diff --git a/examples/aws-iam-authenticator/aws-iam-auth-master.tf b/examples/aws-iam-authenticator/aws-iam-auth-master.tf
deleted file mode 100644
index d01d5a83..00000000
--- a/examples/aws-iam-authenticator/aws-iam-auth-master.tf
+++ /dev/null
@@ -1,41 +0,0 @@
-module "ignition_aws_iam_authenticator" {
-  source = "../../modules/ignitions/aws-iam-auth-master"
-
-  webhook_kubeconfig_ca   = "${module.kubernetes.certificate_authority}"
-  webhook_kubeconfig_path = "${var.auth_webhook_path}"
-}
-
-data "aws_route53_zone" "private" {
-  name         = "${local.hostzone}."
-  private_zone = true
-}
-
-data "aws_s3_bucket" "kubernetes" {
-  bucket = "${local.cluster_name}-${md5(data.aws_route53_zone.private.zone_id)}"
-}
-
-data "template_file" "kubeconfig_iam" {
-
-  template = "${file("${path.module}/resources/kubeconfig.iam")}"
-
-  vars {
-    api_server_endpoint = "${module.kubernetes.endpoint}"
-    cluster_name        = "${local.cluster_name}"
-    cluster_ca          = "${module.kubernetes.certificate_authority}"
-  }
-}
-
-resource "aws_s3_bucket_object" "kubeconfig_iam" {
-  bucket  = "${data.aws_s3_bucket.kubernetes.id}"
-  key     = "kubeconfig.iam"
-  content = "${data.template_file.kubeconfig_iam.rendered}"
-  acl     = "private"
-
-  server_side_encryption = "AES256"
-  content_type           = "text/plain"
-
-  tags = "${merge(map(
-      "Name", "kubeconfig.iam",
-      "kubernetes.io/cluster/${local.cluster_name}", "owned",
-    ), var.extra_tags)}"
-}
diff --git a/examples/aws-iam-authenticator/main.tf b/examples/aws-iam-authenticator/main.tf
deleted file mode 100644
index 775dfd1f..00000000
--- a/examples/aws-iam-authenticator/main.tf
+++ /dev/null
@@ -1,152 +0,0 @@
-locals {
-  project      = "elastikube"
-  phase        = "auth"
-  cluster_name = "${local.phase}-${local.project}"
-  hostzone     = "${local.cluster_name}.cluster"
-  kubernetes_version = "v1.13.4"
-}
-
-# ---------------------------------------------------------------------------------------------------------------------
-# SSH
-# ---------------------------------------------------------------------------------------------------------------------
-
-provider "aws" {
-  version = "1.60.0"
-  region  = "${var.aws_region}"
-}
-
-# ---------------------------------------------------------------------------------------------------------------------
-# Network
-# ---------------------------------------------------------------------------------------------------------------------
-
-module "network" {
-  source           = "../../modules/aws/network"
-  aws_region       = "${var.aws_region}"
-  bastion_key_name = "${var.key_pair_name}"
-  project          = "${local.project}"
-  phase            = "${local.phase}"
-  extra_tags       = "${var.extra_tags}"
-}
-
-# ---------------------------------------------------------------------------------------------------------------------
-# ElastiKube
-# ---------------------------------------------------------------------------------------------------------------------
-
-module "kubernetes" {
-  source = "../../modules/aws/elastikube"
-
-  name               = "${local.cluster_name}"
-  aws_region         = "${var.aws_region}"
-  kubernetes_version = "${local.kubernetes_version}"
-  service_cidr       = "${var.service_cidr}"
-  cluster_cidr       = "${var.cluster_cidr}"
-
-  etcd_config = {
-    instance_count   = "3"
-    ec2_type         = "t3.medium"
-    root_volume_iops = "0"
-    root_volume_size = "256"
-    root_volume_type = "gp2"
-  }
-
-  master_config = {
-    instance_count   = "2"
-    ec2_type         = "t3.medium"
-    root_volume_iops = "0"
-    root_volume_size = "256"
-    root_volume_type = "gp2"
-  }
-
-  extra_ignition_file_ids         = "${module.ignition_aws_iam_authenticator.files}"
-  extra_ignition_systemd_unit_ids = "${module.ignition_aws_iam_authenticator.systemd_units}"
-
-  hostzone               = "${local.project}.cluster"
-  endpoint_public_access = "${var.endpoint_public_access}"
-  private_subnet_ids     = ["${module.network.private_subnet_ids}"]
-  public_subnet_ids      = ["${module.network.public_subnet_ids}"]
-  ssh_key                = "${var.key_pair_name}"
-  reboot_strategy        = "off"
-
-  auth_webhook_path = "${var.auth_webhook_path}"
-
-  extra_tags = "${merge(map(
-      "Phase", "${local.phase}",
-      "Project", "${local.project}",
-    ), var.extra_tags)}"
-}
-
-# ---------------------------------------------------------------------------------------------------------------------
-# Worker Node (On Demand Instance)
-# ---------------------------------------------------------------------------------------------------------------------
-
-module "worker_on_demand" {
-  source = "../../modules/aws/kube-worker"
-
-  cluster_name       = "${local.cluster_name}"
-  aws_region         = "${var.aws_region}"
-  kubernetes_version = "${local.kubernetes_version}"
-  kube_service_cidr  = "${var.service_cidr}"
-
-  security_group_ids = ["${module.kubernetes.worker_sg_ids}"]
-  subnet_ids         = ["${module.network.private_subnet_ids}"]
-
-  worker_config = {
-    name             = "on_demand"
-    instance_count   = "2"
-    ec2_type_1       = "t3.medium"
-    ec2_type_2       = "t2.medium"
-    root_volume_iops = "0"
-    root_volume_size = "40"
-    root_volume_type = "gp2"
-
-    on_demand_base_capacity                  = 0
-    on_demand_percentage_above_base_capacity = 100
-    spot_instance_pools                      = 1
-  }
-
-  s3_bucket = "${module.kubernetes.s3_bucket}"
-  ssh_key   = "${var.key_pair_name}"
-
-  extra_tags = "${merge(map(
-      "Phase", "${var.phase}",
-      "Project", "${var.project}",
-    ), var.extra_tags)}"
-}
-
-# ---------------------------------------------------------------------------------------------------------------------
-# Worker Node (On Spot Instance)
-# ---------------------------------------------------------------------------------------------------------------------
-
-module "worker_spot" {
-  source = "../../modules/aws/kube-worker"
-
-  cluster_name       = "${local.cluster_name}"
-  aws_region         = "${var.aws_region}"
-  kubernetes_version = "${local.kubernetes_version}"
-  kube_service_cidr  = "${var.service_cidr}"
-
-  security_group_ids = ["${module.kubernetes.worker_sg_ids}"]
-  subnet_ids         = ["${module.network.private_subnet_ids}"]
-
-  worker_config = {
-    name             = "spot"
-    instance_count   = "2"
-    ec2_type_1       = "m5.large"
-    ec2_type_2       = "m4.large"
-    root_volume_iops = "0"
-    root_volume_size = "40"
-    root_volume_type = "gp2"
-
-    on_demand_base_capacity                  = 0
-    on_demand_percentage_above_base_capacity = 0
-    spot_instance_pools                      = 1
-  }
-
-  s3_bucket = "${module.kubernetes.s3_bucket}"
-  ssh_key   = "${var.key_pair_name}"
-
-  extra_tags = "${merge(map(
-      "Phase", "${local.phase}",
-      "Project", "${local.project}",
-    ), var.extra_tags)}"
-}
diff --git a/examples/aws-iam-authenticator/variables.tf b/examples/aws-iam-authenticator/variables.tf
deleted file mode 100644
index 41d21b01..00000000
--- a/examples/aws-iam-authenticator/variables.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-variable "aws_region" {
-  type        = "string"
-  default     = "ap-southeast-1"
-  description = "(Optional) The AWS region"
-}
-
-variable "service_cidr" {
-  type        = "string"
-  default     = "172.16.0.0/13"
-  description = "(Optional) The Kubernetes service CIDR."
-}
-
-variable "cluster_cidr" {
-  type        = "string"
-  default     = "172.24.0.0/13"
-  description = "(Optional) The Kubernetes cluster CIDR."
-}
-
-variable "key_pair_name" {
-  type        = "string"
-  description = "The ssh key name for all instance, e.g. bastion, master, etcd, worker"
-}
-
-variable "endpoint_public_access" {
-  default = false
-  description = "(Optional) kubernetes apiserver endpoint"
-}
-
-variable "extra_tags" {
-  type        = "map"
-  default     = {}
-  description = "Extra AWS tags to be applied to created resources."
-}
-
-variable "auth_webhook_path" {
-  type        = "string"
-  default     = "/etc/kubernetes/aws-iam-authenticator"
-  description = "(Optional) A path for using customize machine to authenticate to a Kubernetes cluster."
-}
diff --git a/examples/aws-iam/certs.tf b/examples/aws-iam/certs.tf
new file mode 100644
index 00000000..60578c33
--- /dev/null
+++ b/examples/aws-iam/certs.tf
@@ -0,0 +1,38 @@
+module "pod_identity_webhook_root_ca" {
+  source = "../../modules/tls/certificate-authority"
+
+  cert_config = {
+    common_name           = local.cluster_name
+    organization          = local.cluster_name
+    validity_period_hours = var.certs_validity_period_hours
+  }
+
+  rsa_bits    = 2048
+  self_signed = true
+}
+
+module "pod_identity_webhook_cert" {
+  source = "../../modules/tls/certificate"
+
+  ca_config = {
+    algorithm = module.pod_identity_webhook_root_ca.algorithm
+    key_pem   = module.pod_identity_webhook_root_ca.private_key_pem
+    cert_pem  = module.pod_identity_webhook_root_ca.cert_pem
+  }
+
+  cert_config = {
+    common_name           = "pod-identity-webhook"
+    organization          = local.cluster_name
+    validity_period_hours = var.certs_validity_period_hours
+  }
+
+  cert_hostnames = ["${var.pod_identity_webhook_service_name}.${var.pod_identity_webhook_service_namespace}.svc"]
+
+  cert_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+  ]
+
+  self_signed = true
+}
\ No newline at end of file
diff --git a/examples/aws-iam/ign-authenticator.tf b/examples/aws-iam/ign-authenticator.tf
new file mode 100644
index 00000000..b3195e0b
--- /dev/null
+++ b/examples/aws-iam/ign-authenticator.tf
@@ -0,0 +1,37 @@
+module "ignition_aws_iam_authenticator" {
+  source = "../../modules/ignitions/aws-iam-auth-master"
+
+  webhook_kubeconfig_ca   = module.kubernetes.certificate_authority
+  webhook_kubeconfig_path = var.auth_webhook_path
+}
+
+data "aws_s3_bucket" "kubernetes" {
+  bucket = module.kubernetes.s3_bucket
+}
+
+data "template_file" "kubeconfig_iam" {
+
+  template = file("${path.module}/resources/kubeconfig.iam")
+
+  vars = {
+    api_server_endpoint = module.kubernetes.endpoint
+    cluster_name        = local.cluster_name
+    cluster_ca          = module.kubernetes.certificate_authority
+  }
+}
+
+resource "aws_s3_bucket_object" "kubeconfig_iam" {
+  bucket = data.aws_s3_bucket.kubernetes.id
+
+  key     = "kubeconfig.iam"
+  content = data.template_file.kubeconfig_iam.rendered
+  acl     = "private"
+
+  server_side_encryption = "AES256"
+  content_type           = "text/plain"
+
+  tags = merge(map(
+      "Name", "kubeconfig.iam",
+      "kubernetes.io/cluster/${local.cluster_name}", "owned",
+    ), var.extra_tags)
+}
diff --git a/examples/aws-iam-authenticator/k8s/nginx.yml b/examples/aws-iam/k8s/nginx.yaml
similarity index 100%
rename from examples/aws-iam-authenticator/k8s/nginx.yml
rename to examples/aws-iam/k8s/nginx.yaml
diff --git a/examples/aws-iam/main.tf b/examples/aws-iam/main.tf
new file mode 100644
index 00000000..95efe998
--- /dev/null
+++ b/examples/aws-iam/main.tf
@@ -0,0 +1,110 @@
+locals {
+  cluster_name           = "${var.phase}-${var.project}"
+}
+
+
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Network
+# ---------------------------------------------------------------------------------------------------------------------
+
+module "network" {
+  source           = "../../modules/aws/network"
+  bastion_key_name = var.key_pair_name
+  project          = var.project
+  phase            = var.phase
+  extra_tags       = var.extra_tags
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# ElastiKube
+# ---------------------------------------------------------------------------------------------------------------------
+
+module "kubernetes" {
+  source = "../../modules/aws/elastikube"
+
+  name               = local.cluster_name
+  kubernetes_version = var.kubernetes_version
+  service_cidr       = var.service_cidr
+  cluster_cidr       = var.cluster_cidr
+
+  etcd_config = {
+    instance_count   = "1"
+    ec2_type         = "t3.medium"
+    root_volume_iops = "0"
+    root_volume_size = "100"
+    root_volume_type = "gp2"
+  }
+
+  master_config = {
+    instance_count   = "1"
+    ec2_type_1       = "t3.medium"
+    ec2_type_2       = "t2.medium"
+    root_volume_iops = "100"
+    root_volume_size = "256"
+    root_volume_type = "gp2"
+
+    on_demand_base_capacity                  = 0
+    on_demand_percentage_above_base_capacity = 100
+    spot_instance_pools                      = 1
+  }
+
+  oidc_issuer_confg = {
+    issuer        = "https://s3-${var.aws_region}.amazonaws.com/${aws_s3_bucket.oidc.id}"
+    api_audiences = var.oidc_api_audiences
+  }
+
+  extra_ignition_file_ids         = "${module.ignition_aws_iam_authenticator.files}"
+  extra_ignition_systemd_unit_ids = "${module.ignition_aws_iam_authenticator.systemd_units}"
+
+  hostzone               = "${var.project}.cluster"
+  endpoint_public_access = var.endpoint_public_access
+  private_subnet_ids     = module.network.private_subnet_ids
+  public_subnet_ids      = module.network.public_subnet_ids
+  ssh_key                = var.key_pair_name
+  reboot_strategy        = "off"
+  auth_webhook_path      = var.auth_webhook_path
+
+
+  extra_tags = merge(map(
+      "Phase", var.phase,
+      "Project", var.project,
+    ), var.extra_tags)
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Worker Node (On Spot Instance)
+# ---------------------------------------------------------------------------------------------------------------------
+
+module "worker_spot" {
+  source = "../../modules/aws/kube-worker"
+
+  cluster_name       = local.cluster_name
+  kubernetes_version = var.kubernetes_version
+  kube_service_cidr  = var.service_cidr
+
+  security_group_ids = module.kubernetes.worker_sg_ids
+  subnet_ids         = module.network.private_subnet_ids
+
+  worker_config = {
+    name             = "spot"
+    instance_count   = "1"
+    ec2_type_1       = "m5.large"
+    ec2_type_2       = "m4.large"
+    root_volume_iops = "0"
+    root_volume_size = "40"
+    root_volume_type = "gp2"
+
+    on_demand_base_capacity                  = 0
+    on_demand_percentage_above_base_capacity = 0
+    spot_instance_pools                      = 1
+  }
+
+  s3_bucket = module.kubernetes.s3_bucket
+  ssh_key   = var.key_pair_name
+
+  extra_tags = merge(map(
+      "Phase", var.phase,
+      "Project", var.project,
+    ), var.extra_tags)
+}
diff --git a/examples/aws-iam/oidc.tf b/examples/aws-iam/oidc.tf
new file mode 100644
index 00000000..12c3628e
--- /dev/null
+++ b/examples/aws-iam/oidc.tf
@@ -0,0 +1,29 @@
+resource "aws_s3_bucket" "oidc" {
+  bucket = "${local.cluster_name}-oidc-${md5("${local.cluster_name}-oidc")}"
+  acl    = "public-read"
+
+  tags = merge(map(
+      "Name", "${local.cluster_name}-oidc-${md5("${local.cluster_name}-oidc")}",
+      "Phase", var.phase,
+      "Project", var.project,
+    ), var.extra_tags)
+}
+
+resource "null_resource" "oidc_thumbprint" {
+  provisioner "local-exec" {
+    command = "openssl s_client -connect s3-${var.aws_region}.amazonaws.com:443 -servername s3-${var.aws_region}.amazonaws.com -showcerts < /dev/null 2>/dev/null  |  openssl x509 -in /dev/stdin -sha1 -noout -fingerprint | cut -d '=' -f 2 | tr -d ':' > ${path.module}/.terraform/oidc_thumbprint"
+  }
+}
+
+data "local_file" "oidc_thumbprint" {
+  filename   = "${path.module}/.terraform/oidc_thumbprint"
+  depends_on = [null_resource.oidc_thumbprint]
+}
+
+resource "aws_iam_openid_connect_provider" "irsa" {
+  url = "https://s3-${var.aws_region}.amazonaws.com/${aws_s3_bucket.oidc.id}"
+
+  client_id_list = [ var.oidc_api_audiences ]
+
+  thumbprint_list = [ chomp(data.local_file.oidc_thumbprint.content) ]
+}
\ No newline at end of file
diff --git a/examples/aws-iam/outputs.tf b/examples/aws-iam/outputs.tf
new file mode 100644
index 00000000..aac73ded
--- /dev/null
+++ b/examples/aws-iam/outputs.tf
@@ -0,0 +1,23 @@
+output "bastion_public_ip" {
+  value = module.network.bastion_public_ip
+}
+
+output "ignition_s3_bucket" {
+  value = module.kubernetes.s3_bucket
+}
+
+output "oidc_s3_bucket" {
+  value = aws_s3_bucket.oidc.id
+}
+
+output "oidc_issuer_pub" {
+  value = module.kubernetes.oidc_issuer_pubkey
+}
+
+output "tls_crt" {
+  value = module.pod_identity_webhook_cert.cert_pem
+}
+
+output "tls_key" {
+  value = module.pod_identity_webhook_cert.private_key_pem
+}
\ No newline at end of file
diff --git a/examples/aws-iam/providers.tf b/examples/aws-iam/providers.tf
new file mode 100644
index 00000000..e5d8b8dc
--- /dev/null
+++ b/examples/aws-iam/providers.tf
@@ -0,0 +1,32 @@
+terraform {
+  required_version = ">= 0.12.0"
+}
+
+provider "aws" {
+  region  = var.aws_region
+  version = "2.26.0"
+}
+
+provider "external" {
+  version = "1.2.0"
+}
+
+provider "ignition" {
+  version = "1.1.0"
+}
+
+provider "null" {
+  version = "2.1.2"
+}
+
+provider "random" {
+  version = "2.2.0"
+}
+
+provider "template" {
+  version = "2.1.2"
+}
+
+provider "tls" {
+  version = "2.1.0"
+}
\ No newline at end of file
diff --git a/examples/aws-iam-authenticator/resources/kubeconfig.iam b/examples/aws-iam/resources/kubeconfig.iam
similarity index 100%
rename from examples/aws-iam-authenticator/resources/kubeconfig.iam
rename to examples/aws-iam/resources/kubeconfig.iam
diff --git a/examples/aws-iam/variables.tf b/examples/aws-iam/variables.tf
new file mode 100644
index 00000000..4f75e582
--- /dev/null
+++ b/examples/aws-iam/variables.tf
@@ -0,0 +1,88 @@
+variable "aws_region" {
+  description = "(Optional) The AWS region"
+  type        = string
+  default     = "us-west-2"
+}
+
+variable "auth_webhook_path" {
+  description = "(Optional) A path for using customize machine to authenticate to a Kubernetes cluster."
+  type        = string
+  default     = "/etc/kubernetes/aws-iam-authenticator"
+}
+
+variable "certs_validity_period_hours" {
+  description = <<EOF
+    Validity period of the self-signed certificates (in hours). Default is 3 years.
+EOF
+  type        = string
+
+  // Default is provided only in this case
+  // bacause *some* of etcd internal certs are still self-generated and need
+  // this variable set
+  default     = 26280
+}
+
+variable "cluster_cidr" {
+  description = "(Optional) The Kubernetes cluster CIDR."
+  type        = string
+  default     = "172.24.0.0/13"
+}
+
+variable "key_pair_name" {
+  description = "The ssh key name for all instance, e.g. bastion, master, etcd, worker"
+  type        = string
+}
+
+variable "kubernetes_version" {
+  description = "(Optional) Desired Kubernetes master version. If you do not specify a value, the latest available version is used."
+  type        = string
+  default     = "v1.14.6"
+}
+
+variable "project" {
+  description = "(Optional) project name, used to compose the resource name"  
+  type = string
+  default = "elastikube"
+}
+
+variable "phase" {
+  description = "(Optional) phase name, used to compose the resource name"
+  type        = string
+  default     = "test"
+}
+
+variable "endpoint_public_access" {
+  description = "(Optional) kubernetes apiserver endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "extra_tags" {
+  description = "Extra AWS tags to be applied to created resources."
+  type        = map(string)
+  default     = {}
+}
+
+variable "pod_identity_webhook_service_name" {
+  description = "The Pod identity service name"
+  type        = string
+  default     = "pod-identity-webhook"
+}
+
+variable "pod_identity_webhook_service_namespace" {
+  description = "The Pod identity service namespace"
+  type        = string
+  default     = "kube-system"
+}
+
+variable "oidc_api_audiences" {
+  description = "the OIDC authenticator pre-introduction of API audiences"
+  type        = string
+  default     = "sts.amazonaws.com"
+}
+
+variable "service_cidr" {
+  description = "(Optional) The Kubernetes service CIDR."
+  type        = string
+  default     = "172.16.0.0/13"
+}
diff --git a/examples/eks-cluster/k8s/nginx.yml b/examples/eks-cluster/k8s/nginx.yaml
similarity index 100%
rename from examples/eks-cluster/k8s/nginx.yml
rename to examples/eks-cluster/k8s/nginx.yaml
diff --git a/examples/elastikube-cluster/k8s/nginx.yml b/examples/elastikube-cluster/k8s/nginx.yaml
similarity index 100%
rename from examples/elastikube-cluster/k8s/nginx.yml
rename to examples/elastikube-cluster/k8s/nginx.yaml
diff --git a/examples/elastikube-cluster/main.tf b/examples/elastikube-cluster/main.tf
index 39a55ef3..b2ecb23f 100644
--- a/examples/elastikube-cluster/main.tf
+++ b/examples/elastikube-cluster/main.tf
@@ -52,7 +52,7 @@ module "kubernetes" {
   private_subnet_ids     = module.network.private_subnet_ids
   public_subnet_ids      = module.network.public_subnet_ids
   ssh_key                = var.key_pair_name
-  reboot_strategy    = "off"
+  reboot_strategy        = "off"
 
   extra_tags = merge(map(
       "Phase", var.phase,
diff --git a/modules/aws/elastikube/master.tf b/modules/aws/elastikube/master.tf
index 1a12e11b..a89fe40a 100644
--- a/modules/aws/elastikube/master.tf
+++ b/modules/aws/elastikube/master.tf
@@ -60,7 +60,8 @@ module "master" {
 
   extra_tags = var.extra_tags
 
-  auth_webhook_path = var.auth_webhook_path
-  audit_policy_path = var.audit_policy_path
-  audit_log_backend = var.audit_log_backend
+  auth_webhook_path     = var.auth_webhook_path
+  audit_policy_path     = var.audit_policy_path
+  audit_log_backend     = var.audit_log_backend
+  oidc_issuer_confg     = var.oidc_issuer_confg
 }
diff --git a/modules/aws/elastikube/outputs.tf b/modules/aws/elastikube/outputs.tf
index 3aefac5b..435b5f35 100644
--- a/modules/aws/elastikube/outputs.tf
+++ b/modules/aws/elastikube/outputs.tf
@@ -37,3 +37,7 @@ output "worker_sg_ids" {
   value       = [aws_security_group.workers.id]
   description = "The security gruop for worker group"
 }
+
+output oidc_issuer_pubkey {
+  value = module.master.oidc_issuer_pubkey
+}
\ No newline at end of file
diff --git a/modules/aws/elastikube/variables.tf b/modules/aws/elastikube/variables.tf
index 6fb80ea3..43b79266 100644
--- a/modules/aws/elastikube/variables.tf
+++ b/modules/aws/elastikube/variables.tf
@@ -217,4 +217,16 @@ EOF
     maxbackup = ""
     maxsize   = ""
   }
+}
+
+variable "oidc_issuer_confg" {
+  description = "The service account config to enable pod identity feature"
+  type        = object({
+    issuer        = string
+    api_audiences = string
+  })
+  default     = {
+    issuer        = ""
+    api_audiences = ""
+  }
 }
\ No newline at end of file
diff --git a/modules/aws/kube-master/ign-control-plane.tf b/modules/aws/kube-master/ign-control-plane.tf
index 1237f1ff..b3e2a287 100644
--- a/modules/aws/kube-master/ign-control-plane.tf
+++ b/modules/aws/kube-master/ign-control-plane.tf
@@ -34,7 +34,8 @@ module "ignition_kube_control_plane" {
     audit_policy_path = var.audit_policy_path
   }
 
-  audit_log_backend = var.audit_log_backend
+  audit_log_backend     = var.audit_log_backend
+  oidc_issuer_confg = var.oidc_issuer_confg
 
   cloud_provider = {
     name   = "aws"
diff --git a/modules/aws/kube-master/outputs.tf b/modules/aws/kube-master/outputs.tf
index 3a9f104f..ffc3934f 100644
--- a/modules/aws/kube-master/outputs.tf
+++ b/modules/aws/kube-master/outputs.tf
@@ -9,3 +9,7 @@ output "endpoint" {
 output "master_sg_id" {
   value = local.master_sg_id
 }
+
+output "oidc_issuer_pubkey" {
+  value = module.ignition_kube_control_plane.oidc_issuer_pubkey
+}
\ No newline at end of file
diff --git a/modules/aws/kube-master/variables.tf b/modules/aws/kube-master/variables.tf
index f72b565a..329d4937 100644
--- a/modules/aws/kube-master/variables.tf
+++ b/modules/aws/kube-master/variables.tf
@@ -197,4 +197,16 @@ EOF
   type            = map(string)
   default         = {}
 
+}
+
+variable "oidc_issuer_confg" {
+  description = "The service account config to enable pod identity feature"
+  type        = object({
+    issuer        = string
+    api_audiences = string
+  })
+  default     = {
+    issuer        = ""
+    api_audiences = ""
+  }
 }
\ No newline at end of file
diff --git a/modules/ignitions/kube-control-plane/kube-apiserver-yaml.tf b/modules/ignitions/kube-control-plane/kube-apiserver-yaml.tf
index 7d0163b0..7b24310e 100644
--- a/modules/ignitions/kube-control-plane/kube-apiserver-yaml.tf
+++ b/modules/ignitions/kube-control-plane/kube-apiserver-yaml.tf
@@ -17,10 +17,13 @@ data "template_file" "kube_apiserver_yaml" {
     auth_webhook_flag        = var.apiserver_config["auth_webhook_path"] != "" ? "- --authentication-token-webhook-config-file=${var.apiserver_config["auth_webhook_path"]}/kubeconfig" : "# no authentication token webhook provider"
     auth_mount_volume_block  = var.apiserver_config["auth_webhook_path"] != "" ? join("\n      ", list(local.auth_volume_mount_name, local.auth_volume_mount_path, local.auth_volume_read_only)) : "# no authentication token webhook provider"
     auth_volume_block        = var.apiserver_config["auth_webhook_path"] != "" ? join("\n    ", list(local.auth_volume_name, local.auth_volume_host_path, local.auth_volume_path)) : "# no authentication token webhook provider"
+
     audit_policy_flag        = var.apiserver_config["audit_policy_path"] != "" ? join("\n    ", list("- --audit-policy-file=${var.apiserver_config["audit_policy_path"]}/policy.yaml", "- --audit-log-path=${var.audit_log_backend["path"]}", "- --audit-log-maxage=${var.audit_log_backend["maxage"]}", "- --audit-log-maxbackup=${var.audit_log_backend["maxbackup"]}", "- --audit-log-maxsize=${var.audit_log_backend["maxsize"]}")) : "# not enable auditing"
     audit_mount_volume_block = var.apiserver_config["audit_policy_path"] != "" ? join("\n      ", list(local.audit_volume_mount_name, local.audit_volume_mount_path, local.audit_volume_read_only)) : "# not enable auditing"
     audit_volume_block       = var.apiserver_config["audit_policy_path"] != "" ? join("\n    ", list(local.audit_volume_name, local.audit_volume_host_path, local.audit_volume_path)) : "# not enable auditing"
 
+    service_account_flag     = var.oidc_issuer_confg["issuer"] != "" ? join("\n    ", list("- --service-account-key-file=/etc/kubernetes/secrets/oidc-issuer.pub", "- --service-account-signing-key-file=/etc/kubernetes/secrets/oidc-issuer.key", "- --api-audiences=${var.oidc_issuer_confg["api_audiences"]}", "- --service-account-issuer=${var.oidc_issuer_confg["issuer"]}")) : "# not enable service account"
+
     cloud_provider             = var.cloud_provider["name"]
     cloud_provider_config_flag = var.cloud_provider["config"] != "" ? "- --cloud-config=/etc/kubernetes/cloud/config" : "# no cloud provider config given"
   }
diff --git a/modules/ignitions/kube-control-plane/outputs.tf b/modules/ignitions/kube-control-plane/outputs.tf
index 48b97e05..ff1a00af 100644
--- a/modules/ignitions/kube-control-plane/outputs.tf
+++ b/modules/ignitions/kube-control-plane/outputs.tf
@@ -13,8 +13,14 @@ output "files" {
     data.ignition_file.apiserver_cert_pem.rendered,
     data.ignition_file.service_account_pub.rendered,
     data.ignition_file.service_account_key.rendered,
+    data.ignition_file.oidc_issuer_pub.rendered,
+    data.ignition_file.oidc_issuer_key.rendered,
     data.ignition_file.etcd_ca_cert_pem.rendered,
     data.ignition_file.etcd_client_cert_pem.rendered,
     data.ignition_file.etcd_client_key_pem.rendered,
   ]
 }
+
+output "oidc_issuer_pubkey" {
+  value = tls_private_key.oidc_issuer.public_key_pem
+}
\ No newline at end of file
diff --git a/modules/ignitions/kube-control-plane/resources/kubernetes/manifests/kube-apiserver.yaml b/modules/ignitions/kube-control-plane/resources/kubernetes/manifests/kube-apiserver.yaml
index 2337e7fb..d4b23f5d 100644
--- a/modules/ignitions/kube-control-plane/resources/kubernetes/manifests/kube-apiserver.yaml
+++ b/modules/ignitions/kube-control-plane/resources/kubernetes/manifests/kube-apiserver.yaml
@@ -39,6 +39,7 @@ spec:
     ${cloud_provider_config_flag}
     ${auth_webhook_flag}
     ${audit_policy_flag}
+    ${service_account_flag}
     volumeMounts:
     - mountPath: /etc/ssl/certs
       name: ssl-certs-host
diff --git a/modules/ignitions/kube-control-plane/secrets.tf b/modules/ignitions/kube-control-plane/secrets.tf
index 2ac72ee8..fe13b838 100644
--- a/modules/ignitions/kube-control-plane/secrets.tf
+++ b/modules/ignitions/kube-control-plane/secrets.tf
@@ -3,6 +3,11 @@ resource "tls_private_key" "service_account" {
   rsa_bits  = "2048"
 }
 
+resource "tls_private_key" "oidc_issuer" {
+  algorithm = "RSA"
+  rsa_bits  = "2048"
+}
+
 data "ignition_file" "kube_ca_cert_pem" {
   filesystem = local.filesystem
   mode       = local.mode
@@ -58,6 +63,28 @@ data "ignition_file" "service_account_key" {
   }
 }
 
+data "ignition_file" "oidc_issuer_pub" {
+  filesystem = local.filesystem
+  mode       = local.mode
+
+  path = "/etc/kubernetes/secrets/oidc-issuer.pub"
+
+  content {
+    content = tls_private_key.oidc_issuer.public_key_pem
+  }
+}
+
+data "ignition_file" "oidc_issuer_key" {
+  filesystem = local.filesystem
+  mode       = local.mode
+
+  path = "/etc/kubernetes/secrets/oidc-issuer.key"
+
+  content {
+    content = tls_private_key.oidc_issuer.private_key_pem
+  }
+}
+
 data "ignition_file" "etcd_ca_cert_pem" {
   filesystem = local.filesystem
   mode       = local.mode
diff --git a/modules/ignitions/kube-control-plane/variables.tf b/modules/ignitions/kube-control-plane/variables.tf
index dabb0b24..0e953399 100644
--- a/modules/ignitions/kube-control-plane/variables.tf
+++ b/modules/ignitions/kube-control-plane/variables.tf
@@ -61,6 +61,18 @@ variable "audit_log_backend" {
   default = {}
 }
 
+variable "oidc_issuer_confg" {
+  description = "The service account config to enable pod identity feature"
+  type        = object({
+    issuer        = string
+    api_audiences = string
+  })
+  default     = {
+    issuer        = ""
+    api_audiences = ""
+  }
+}
+
 variable "cloud_provider" {
   type    = map(string)
   default = {

From 8334ce3b02a34941e7efdb6837ccd3b389df7b9f Mon Sep 17 00:00:00 2001
From: smalltown <smalltown20110306@gmail.com>
Date: Wed, 27 Nov 2019 10:41:23 +0800
Subject: [PATCH 10/11] add workaround method for ignition

---
 README.md | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index bf6a7849..915bd5b7 100644
--- a/README.md
+++ b/README.md
@@ -76,10 +76,10 @@ minutes...
 ~$ kubectl get node
 
 NAME                          STATUS    ROLES     AGE       VERSION
-ip-10-0-48-247.ec2.internal   Ready     spot      2m        v1.12.7
-ip-10-0-66-127.ec2.internal   Ready     spot      2m        v1.12.7
-ip-10-0-71-121.ec2.internal   Ready     on-demand 22s       v1.12.7
-ip-10-0-86-182.ec2.internal   Ready     on-demand 2m        v1.12.7
+ip-10-0-48-247.ec2.internal   Ready     spot      2m        v1.14.6
+ip-10-0-66-127.ec2.internal   Ready     spot      2m        v1.14.6
+ip-10-0-71-121.ec2.internal   Ready     on-demand 22s       v1.14.6
+ip-10-0-86-182.ec2.internal   Ready     on-demand 2m        v1.14.6
 ```
 
 ### ElastiKube (Self-Hosted)
@@ -120,12 +120,12 @@ minutes...
 ~$ kubectl get node
 
 NAME                          STATUS    ROLES     AGE       VERSION
-ip-10-0-48-247.ec2.internal   Ready     master    9m        v1.13.4
-ip-10-0-48-117.ec2.internal   Ready     master    9m        v1.13.4
-ip-10-0-66-127.ec2.internal   Ready     on-demand 5m        v1.13.4
-ip-10-0-66-127.ec2.internal   Ready     on-demand 6m        v1.13.4
-ip-10-0-71-121.ec2.internal   Ready     spot      3m        v1.13.4
-ip-10-0-86-182.ec2.internal   Ready     spot      4m        v1.13.4
+ip-10-0-48-247.ec2.internal   Ready     master    9m        v1.14.6
+ip-10-0-48-117.ec2.internal   Ready     master    9m        v1.14.6
+ip-10-0-66-127.ec2.internal   Ready     on-demand 5m        v1.14.6
+ip-10-0-66-127.ec2.internal   Ready     on-demand 6m        v1.14.6
+ip-10-0-71-121.ec2.internal   Ready     spot      3m        v1.14.6
+ip-10-0-86-182.ec2.internal   Ready     spot      4m        v1.14.6
 ```
 
 ## What’s Going On?
@@ -148,6 +148,20 @@ Create a AWS auto-scaling group with CoreOS container linux and leverage ignitio
 
 Due to using AWS launch template, hence, it's up to user to choose spot or on demand instance type by changing the variable, refer [**aws/eks-worker**](VARIABLES.md#aws/eks-worker) and [**aws/kube-worker**](VARIABLES.md#aws/kube-worker) for the detail variable inputs
 
+## Known Issues
+
+### Ignition Provider Issue
+This module leverage provider ignition to provision instance (etcd, master and worker node)，after upgrading Terraform 0.12，there is issue about the ignition provider, althrough community already merge the [PR](https://github.com/terraform-providers/terraform-provider-ignition/pull/56) into master branch, but don't know why not bump a new version yes, hence, there is something to do for workaround this issue (The following steps are running in MacOS, it needs to make some change for running in other platform)
+
+Build the ignition provider from official GitHub master branch
+
+```
+~$ cd $GOPATH/src/github.com/terraform-providers/terraform-provider-ignition
+$ make build
+
+~$ mkdir -p ~/.terraform.d/plugins/darwin_amd64
+~$ cp $GOPATH/bin/terraform-provider-ignition ~/.terraform.d/plugins/darwin_amd64/terraform-provider-ignition_v1.1.0_x4
+```
 
 ## Contributing
 

From 0663e2d1dc37571a4e0dd2dc38c23016baeaaefd Mon Sep 17 00:00:00 2001
From: smalltown <smalltown20110306@gmail.com>
Date: Wed, 27 Nov 2019 10:43:35 +0800
Subject: [PATCH 11/11] fix typo

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 915bd5b7..a96fcc11 100644
--- a/README.md
+++ b/README.md
@@ -151,7 +151,7 @@ Due to using AWS launch template, hence, it's up to user to choose spot or on de
 ## Known Issues
 
 ### Ignition Provider Issue
-This module leverage provider ignition to provision instance (etcd, master and worker node)，after upgrading Terraform 0.12，there is issue about the ignition provider, althrough community already merge the [PR](https://github.com/terraform-providers/terraform-provider-ignition/pull/56) into master branch, but don't know why not bump a new version yes, hence, there is something to do for workaround this issue (The following steps are running in MacOS, it needs to make some change for running in other platform)
+This module leverage provider ignition to provision instance (etcd, master and worker node)，after upgrading Terraform 0.12，there is issue about the ignition provider, althrough community already merge the [**PR**](https://github.com/terraform-providers/terraform-provider-ignition/pull/56) into master branch, but don't know why not bump a new version yet, hence, there is something need to do for workaround this issue (The following steps are running in MacOS, it needs to make some change for running in other platform)
 
 Build the ignition provider from official GitHub master branch