diff --git a/reconcile/external_resources/factories.py b/reconcile/external_resources/factories.py
index 3ca86db498..e511c25df6 100644
--- a/reconcile/external_resources/factories.py
+++ b/reconcile/external_resources/factories.py
@@ -41,13 +41,15 @@
 
 
 class ObjectFactory(Generic[T]):
-    def __init__(self) -> None:
-        self._factories: dict[str, T] = {}
-
-    def register_factory(self, id: str, t: T) -> None:
-        self._factories[id] = t
+    def __init__(
+        self, factories: dict[str, T], default_factory: T | None = None
+    ) -> None:
+        self._factories = factories
+        self._default_factory = default_factory
 
     def get_factory(self, id: str) -> T:
+        if id not in self._factories and self._default_factory:
+            return self._default_factory
         return self._factories[id]
 
 
@@ -94,15 +96,14 @@ def create_provision_data(
 def setup_aws_resource_factories(
     er_inventory: ExternalResourcesInventory, secret_reader: SecretReaderBase
 ) -> ObjectFactory[AWSResourceFactory]:
-    f = ObjectFactory[AWSResourceFactory]()
+    f = ObjectFactory[AWSResourceFactory](
+        default_factory=AWSDefaultResourceFactory(er_inventory, secret_reader)
+    )
     f.register_factory(
         "elasticache", AWSElasticacheFactory(er_inventory, secret_reader)
     )
     f.register_factory("rds", AWSRdsFactory(er_inventory, secret_reader))
     f.register_factory("msk", AWSMskFactory(er_inventory, secret_reader))
-    f.register_factory(
-        "default", AWSDefaultResourceFactory(er_inventory, secret_reader)
-    )
     return f
 
 
diff --git a/reconcile/external_resources/manager.py b/reconcile/external_resources/manager.py
index 6723e6253d..c640f804e5 100644
--- a/reconcile/external_resources/manager.py
+++ b/reconcile/external_resources/manager.py
@@ -55,24 +55,21 @@ def setup_factories(
 ) -> ObjectFactory[ExternalResourceFactory]:
     tf_factory = TerraformModuleProvisionDataFactory(settings=settings)
 
-    aws_provision_factories = ObjectFactory[ModuleProvisionDataFactory]()
-    aws_provision_factories.register_factory("terraform", tf_factory)
-    aws_provision_factories.register_factory("cdktf", tf_factory)
-
-    of = ObjectFactory[ExternalResourceFactory]()
-    of.register_factory(
-        "aws",
-        AWSExternalResourceFactory(
-            module_inventory=module_inventory,
-            er_inventory=er_inventory,
-            secret_reader=secret_reader,
-            provision_factories=aws_provision_factories,
-            resource_factories=setup_aws_resource_factories(
-                er_inventory, secret_reader
-            ),
-        ),
+    return ObjectFactory[ExternalResourceFactory](
+        factories={
+            "aws": AWSExternalResourceFactory(
+                module_inventory=module_inventory,
+                er_inventory=er_inventory,
+                secret_reader=secret_reader,
+                provision_factories=ObjectFactory[ModuleProvisionDataFactory](
+                    factories={"terraform": tf_factory, "cdktf": tf_factory}
+                ),
+                resource_factories=setup_aws_resource_factories(
+                    er_inventory, secret_reader
+                ),
+            )
+        }
     )
-    return of
 
 
 class ExternalResourceDryRunsValidator:
diff --git a/reconcile/external_resources/model.py b/reconcile/external_resources/model.py
index 4aa68c8d56..21f9732e42 100644
--- a/reconcile/external_resources/model.py
+++ b/reconcile/external_resources/model.py
@@ -21,6 +21,7 @@
     ExternalResourcesModuleOverridesV1,
     NamespaceTerraformProviderResourceAWSV1,
     NamespaceTerraformResourceElastiCacheV1,
+    NamespaceTerraformResourceKMSV1,
     NamespaceTerraformResourceMskV1,
     NamespaceTerraformResourceRDSV1,
     NamespaceV1,
@@ -93,6 +94,7 @@ def state_path(self) -> str:
     NamespaceTerraformResourceRDSV1
     | NamespaceTerraformResourceMskV1
     | NamespaceTerraformResourceElastiCacheV1
+    | NamespaceTerraformResourceKMSV1
 )
 
 
diff --git a/reconcile/gql_definitions/external_resources/external_resources_namespaces.gql b/reconcile/gql_definitions/external_resources/external_resources_namespaces.gql
index 1dd5093d2d..229d3920eb 100644
--- a/reconcile/gql_definitions/external_resources/external_resources_namespaces.gql
+++ b/reconcile/gql_definitions/external_resources/external_resources_namespaces.gql
@@ -215,6 +215,16 @@ query ExternalResourcesNamespaces {
                 overrides
                 output_resource_name
                 annotations
+                managed_by_erv2
+                delete
+                module_overrides {
+                  module_type
+                  image
+                  version
+                  reconcile_timeout_minutes
+                  outputs_secret_image
+                  outputs_secret_version
+                }
             }
             ... on NamespaceTerraformResourceElasticSearch_v1 {
                 region
diff --git a/reconcile/gql_definitions/external_resources/external_resources_namespaces.py b/reconcile/gql_definitions/external_resources/external_resources_namespaces.py
index 33a87f0bde..beebf9b9a1 100644
--- a/reconcile/gql_definitions/external_resources/external_resources_namespaces.py
+++ b/reconcile/gql_definitions/external_resources/external_resources_namespaces.py
@@ -272,6 +272,16 @@
                 overrides
                 output_resource_name
                 annotations
+                managed_by_erv2
+                delete
+                module_overrides {
+                  module_type
+                  image
+                  version
+                  reconcile_timeout_minutes
+                  outputs_secret_image
+                  outputs_secret_version
+                }
             }
             ... on NamespaceTerraformResourceElasticSearch_v1 {
                 region
@@ -773,6 +783,15 @@ class NamespaceTerraformResourceCloudWatchV1(NamespaceTerraformResourceAWSV1):
     annotations: Optional[str] = Field(..., alias="annotations")
 
 
+class NamespaceTerraformResourceKMSV1_ExternalResourcesModuleOverridesV1(ConfiguredBaseModel):
+    module_type: Optional[str] = Field(..., alias="module_type")
+    image: Optional[str] = Field(..., alias="image")
+    version: Optional[str] = Field(..., alias="version")
+    reconcile_timeout_minutes: Optional[int] = Field(..., alias="reconcile_timeout_minutes")
+    outputs_secret_image: Optional[str] = Field(..., alias="outputs_secret_image")
+    outputs_secret_version: Optional[str] = Field(..., alias="outputs_secret_version")
+
+
 class NamespaceTerraformResourceKMSV1(NamespaceTerraformResourceAWSV1):
     region: Optional[str] = Field(..., alias="region")
     identifier: str = Field(..., alias="identifier")
@@ -780,6 +799,9 @@ class NamespaceTerraformResourceKMSV1(NamespaceTerraformResourceAWSV1):
     overrides: Optional[str] = Field(..., alias="overrides")
     output_resource_name: Optional[str] = Field(..., alias="output_resource_name")
     annotations: Optional[str] = Field(..., alias="annotations")
+    managed_by_erv2: Optional[bool] = Field(..., alias="managed_by_erv2")
+    delete: Optional[bool] = Field(..., alias="delete")
+    module_overrides: Optional[NamespaceTerraformResourceKMSV1_ExternalResourcesModuleOverridesV1] = Field(..., alias="module_overrides")
 
 
 class NamespaceTerraformResourceElasticSearchV1(NamespaceTerraformResourceAWSV1):
@@ -1044,7 +1066,7 @@ class NamespaceTerraformResourceMskV1(NamespaceTerraformResourceAWSV1):
 
 class NamespaceTerraformProviderResourceAWSV1(NamespaceExternalResourceV1):
     provisioner: AWSAccountV1 = Field(..., alias="provisioner")
-    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
+    resources: list[Union[NamespaceTerraformResourceRDSV1, NamespaceTerraformResourceRosaAuthenticatorV1, NamespaceTerraformResourceALBV1, NamespaceTerraformResourceS3V1, NamespaceTerraformResourceElastiCacheV1, NamespaceTerraformResourceASGV1, NamespaceTerraformResourceKMSV1, NamespaceTerraformResourceMskV1, NamespaceTerraformResourceRoleV1, NamespaceTerraformResourceSNSTopicV1, NamespaceTerraformResourceServiceAccountV1, NamespaceTerraformResourceS3SQSV1, NamespaceTerraformResourceCloudWatchV1, NamespaceTerraformResourceRosaAuthenticatorVPCEV1, NamespaceTerraformResourceS3CloudFrontV1, NamespaceTerraformResourceElasticSearchV1, NamespaceTerraformResourceACMV1, NamespaceTerraformResourceKinesisV1, NamespaceTerraformResourceRoute53ZoneV1, NamespaceTerraformResourceSQSV1, NamespaceTerraformResourceDynamoDBV1, NamespaceTerraformResourceECRV1, NamespaceTerraformResourceS3CloudFrontPublicKeyV1, NamespaceTerraformResourceSecretsManagerV1, NamespaceTerraformResourceSecretsManagerServiceAccountV1, NamespaceTerraformResourceAWSV1]] = Field(..., alias="resources")
 
 
 class EnvironmentV1(ConfiguredBaseModel):