From df3cca838115ee6fdab71e31d2a8324b91f8f9e4 Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Wed, 19 Apr 2023 10:18:36 -0700
Subject: [PATCH 01/17] Refactor Fargate Fluentbit

---
 locals.tf    |   3 ++
 main.tf      | 113 +++++++++++++++++++++++++++++++++++++++++++++++----
 variables.tf |  35 ++++++++++------
 3 files changed, 129 insertions(+), 22 deletions(-)

diff --git a/locals.tf b/locals.tf
index 2b989fcb..158ff6aa 100644
--- a/locals.tf
+++ b/locals.tf
@@ -80,6 +80,9 @@ locals {
     gatekeeper = var.enable_gatekeeper && var.enable_gatekeeper_gitops ? {
       enable = true
     } : null
+    fargateFluentbit = var.enable_fargate_fluentbit && var.enable_fargate_fluentbit_gitops ? {
+      enable = true
+    } : null
   }
 
   addon_context = {
diff --git a/main.tf b/main.tf
index ce543ad7..08e20395 100644
--- a/main.tf
+++ b/main.tf
@@ -2556,8 +2556,8 @@ module "gatekeeper" {
   # https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/Chart.yaml
   name             = try(var.gatekeeper.name, local.cluster_proportional_autoscaler_name)
   description      = try(var.gatekeeper.description, "A Helm chart to install Gatekeeper")
-  namespace        = try(var.gatekeeper.namespace, "gatekeeper-system")
-  create_namespace = try(var.gatekeeper.create_namespace, true)
+  namespace        = try(var.gatekeeper.namespace, "kube-system")
+  create_namespace = try(var.gatekeeper.create_namespace, false)
   chart            = local.gatekeeper_name
   chart_version    = try(var.gatekeeper.chart_version, "3.12.0")
   repository       = try(var.gatekeeper.repository, "https://open-policy-agent.github.io/gatekeeper/charts")
@@ -2653,6 +2653,87 @@ module "vpa" {
   tags = var.tags
 }
 
+
+################################################################################
+# Fargate Fluentbit
+################################################################################
+# Help on Fargate Logging with Fluentbit and CloudWatch
+# https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html
+locals {
+  fargate_fluentbit_name                 = "fargate_fluentbit"
+  fargate_fluentbit_cwlog_group          = "/${var.cluster_name}/fargate-fluentbit-logs"
+  fargate_fluentebit_cwlog_stream_prefix = "fargate-logs-"
+  default_config = {
+    output_conf  = <<-EOF
+    [OUTPUT]
+      Name cloudwatch_logs
+      Match *
+      region ${local.region}
+      log_group_name ${local.fargate_fluentbit_cwlog_group}
+      log_stream_prefix ${local.fargate_fluentbit_cwlog_stream_prefix}
+      auto_create_group true
+    EOF
+    filters_conf = <<-EOF
+    [FILTER]
+      Name parser
+      Match *
+      Key_Name log
+      Parser regex
+      Preserve_Key True
+      Reserve_Data True
+    EOF
+    parsers_conf = <<-EOF
+    [PARSER]
+      Name regex
+      Format regex
+      Regex ^(?<time>[^ ]+) (?<stream>[^ ]+) (?<logtag>[^ ]+) (?<message>.+)$
+      Time_Key time
+      Time_Format %Y-%m-%dT%H:%M:%S.%L%z
+      Time_Keep On
+      Decode_Field_As json message
+    EOF
+    flb_log_cw   = false
+  }
+
+  config = merge(
+    local.default_config,
+    var.fargate_fluentbit_config
+  )
+}
+
+resource "kubernetes_namespace" "aws_observability" {
+  count = var.enable_fargate_fluentbit ? 1 : 0
+  metadata {
+    name = "aws-observability"
+
+    labels = {
+      aws-observability = "enabled"
+    }
+  }
+  tags = var.tags
+}
+
+# fluent-bit-cloudwatch value as the name of the CloudWatch log group that is automatically created as soon as your apps start logging
+resource "kubernetes_config_map" "aws_logging" {
+  count = var.enable_fargate_fluentbit ? 1 : 0
+  metadata {
+    name      = "aws-logging"
+    namespace = kubernetes_namespace.aws_observability.id
+  }
+
+  data = {
+    "parsers.conf" = local.config["parsers_conf"]
+    "filters.conf" = local.config["filters_conf"]
+    "output.conf"  = local.config["output_conf"]
+    "flb_log_cw"   = local.config["flb_log_cw"]
+  }
+
+  tags = var.tags
+}
+
+addon_config  = var.fargate_fluentbit_addon_config
+addon_context = local.addon_context
+
 #-----------------Kubernetes Add-ons----------------------
 
 module "argocd" {
@@ -2665,13 +2746,6 @@ module "argocd" {
   addon_context = local.addon_context
 }
 
-module "fargate_fluentbit" {
-  count         = var.enable_fargate_fluentbit ? 1 : 0
-  source        = "./modules/fargate-fluentbit"
-  addon_config  = var.fargate_fluentbit_addon_config
-  addon_context = local.addon_context
-}
-
 module "csi_secrets_store_provider_aws" {
   count             = var.enable_secrets_store_csi_driver_provider_aws ? 1 : 0
   source            = "./modules/csi-secrets-store-provider-aws"
@@ -2689,3 +2763,24 @@ module "velero" {
   irsa_policies     = var.velero_irsa_policies
   backup_s3_bucket  = var.velero_backup_s3_bucket
 }
+
+module "opentelemetry_operator" {
+  source = "./modules/opentelemetry-operator"
+
+  count = var.enable_amazon_eks_adot || var.enable_opentelemetry_operator ? 1 : 0
+
+  # Amazon EKS ADOT addon
+  enable_amazon_eks_adot = var.enable_amazon_eks_adot
+  addon_config = merge(
+    {
+      kubernetes_version = var.cluster_version
+    },
+    var.amazon_eks_adot_config,
+  )
+
+  # Self-managed OpenTelemetry Operator via Helm chart
+  enable_opentelemetry_operator = var.enable_opentelemetry_operator
+  helm_config                   = var.opentelemetry_operator_helm_config
+
+  addon_context = local.addon_context
+}
diff --git a/variables.tf b/variables.tf
index 45ed35ad..0b3afd90 100644
--- a/variables.tf
+++ b/variables.tf
@@ -598,6 +598,28 @@ variable "vpa" {
   default     = {}
 }
 
+################################################################################
+# Fargate Fluentbit
+################################################################################
+
+variable "enable_fargate_fluentbit" {
+  description = "Enable Fargate FluentBit add-on"
+  type        = bool
+  default     = false
+}
+
+variable "enable_fargate_fluentbit_gitops" {
+  description = "Enable Fargate FluentBit GitOps add-on"
+  type        = bool
+  default     = false
+}
+
+variable "fargate_fluentbit" {
+  description = "Fargate fluentbit add-on config"
+  type        = any
+  default     = {}
+}
+
 #-------------------------------------------------------------------------------
 variable "irsa_iam_role_path" {
   description = "IAM role path for IRSA roles"
@@ -611,19 +633,6 @@ variable "irsa_iam_permissions_boundary" {
   default     = ""
 }
 
-#-----------FARGATE FLUENT BIT-------------
-variable "enable_fargate_fluentbit" {
-  description = "Enable Fargate FluentBit add-on"
-  type        = bool
-  default     = false
-}
-
-variable "fargate_fluentbit_addon_config" {
-  description = "Fargate fluentbit add-on config"
-  type        = any
-  default     = {}
-}
-
 #-----------Kubernetes Velero ADDON-------------
 variable "enable_velero" {
   description = "Enable Kubernetes Dashboard add-on"

From f1f05d917ba86a91cdfe0b9239e3db684f0b6abf Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Thu, 20 Apr 2023 14:02:05 -0400
Subject: [PATCH 02/17] Rename `locals`, remove old module from
 `modules/fargate-fluentbit`

---
 README.md                              |  8 ++-
 main.tf                                | 48 +++----------
 modules/fargate-fluentbit/README.md    | 98 --------------------------
 modules/fargate-fluentbit/locals.tf    | 42 -----------
 modules/fargate-fluentbit/main.tf      | 27 -------
 modules/fargate-fluentbit/outputs.tf   |  0
 modules/fargate-fluentbit/variables.tf | 20 ------
 modules/fargate-fluentbit/versions.tf  | 10 ---
 outputs.tf                             |  2 +-
 tests/complete/main.tf                 |  1 +
 variables.tf                           |  2 +-
 versions.tf                            |  4 ++
 12 files changed, 23 insertions(+), 239 deletions(-)
 delete mode 100644 modules/fargate-fluentbit/README.md
 delete mode 100644 modules/fargate-fluentbit/locals.tf
 delete mode 100755 modules/fargate-fluentbit/main.tf
 delete mode 100644 modules/fargate-fluentbit/outputs.tf
 delete mode 100644 modules/fargate-fluentbit/variables.tf
 delete mode 100644 modules/fargate-fluentbit/versions.tf

diff --git a/README.md b/README.md
index 4f03f3e7..e5325536 100644
--- a/README.md
+++ b/README.md
@@ -13,12 +13,14 @@ Please note: not all addons will be supported as they are today in the main EKS
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.47 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.47 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.10 |
 
 ## Modules
 
@@ -40,7 +42,6 @@ Please note: not all addons will be supported as they are today in the main EKS
 | <a name="module_efs_csi_driver"></a> [efs\_csi\_driver](#module\_efs\_csi\_driver) | ./modules/eks-blueprints-addon | n/a |
 | <a name="module_external_dns"></a> [external\_dns](#module\_external\_dns) | ./modules/eks-blueprints-addon | n/a |
 | <a name="module_external_secrets"></a> [external\_secrets](#module\_external\_secrets) | ./modules/eks-blueprints-addon | n/a |
-| <a name="module_fargate_fluentbit"></a> [fargate\_fluentbit](#module\_fargate\_fluentbit) | ./modules/fargate-fluentbit | n/a |
 | <a name="module_fsx_csi_driver"></a> [fsx\_csi\_driver](#module\_fsx\_csi\_driver) | ./modules/eks-blueprints-addon | n/a |
 | <a name="module_gatekeeper"></a> [gatekeeper](#module\_gatekeeper) | ./modules/eks-blueprints-addon | n/a |
 | <a name="module_ingress_nginx"></a> [ingress\_nginx](#module\_ingress\_nginx) | ./modules/eks-blueprints-addon | n/a |
@@ -65,6 +66,8 @@ Please note: not all addons will be supported as they are today in the main EKS
 | [aws_cloudwatch_log_group.aws_for_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
 | [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [kubernetes_config_map.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
+| [kubernetes_namespace.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_addon_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
 | [aws_iam_policy_document.aws_for_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -138,6 +141,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | <a name="input_enable_external_dns_gitops"></a> [enable\_external\_dns\_gitops](#input\_enable\_external\_dns\_gitops) | Enable external-dns using GitOps add-on | `bool` | `false` | no |
 | <a name="input_enable_external_secrets"></a> [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enable External Secrets operator add-on | `bool` | `false` | no |
 | <a name="input_enable_fargate_fluentbit"></a> [enable\_fargate\_fluentbit](#input\_enable\_fargate\_fluentbit) | Enable Fargate FluentBit add-on | `bool` | `false` | no |
+| <a name="input_enable_fargate_fluentbit_gitops"></a> [enable\_fargate\_fluentbit\_gitops](#input\_enable\_fargate\_fluentbit\_gitops) | Enable Fargate FluentBit GitOps add-on | `bool` | `false` | no |
 | <a name="input_enable_fsx_csi_driver"></a> [enable\_fsx\_csi\_driver](#input\_enable\_fsx\_csi\_driver) | Enable AWS FSX CSI Driver add-on | `bool` | `false` | no |
 | <a name="input_enable_fsx_csi_driver_gitops"></a> [enable\_fsx\_csi\_driver\_gitops](#input\_enable\_fsx\_csi\_driver\_gitops) | Enable FSX CSI Driver using GitOps add-on | `bool` | `false` | no |
 | <a name="input_enable_gatekeeper"></a> [enable\_gatekeeper](#input\_enable\_gatekeeper) | Enable Gatekeeper add-on | `bool` | `false` | no |
@@ -162,7 +166,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | <a name="input_external_secrets_kms_key_arns"></a> [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:kms:*:*:key/*"<br>]</pre> | no |
 | <a name="input_external_secrets_secrets_manager_arns"></a> [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:secretsmanager:*:*:secret:*"<br>]</pre> | no |
 | <a name="input_external_secrets_ssm_parameter_arns"></a> [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:ssm:*:*:parameter/*"<br>]</pre> | no |
-| <a name="input_fargate_fluentbit_addon_config"></a> [fargate\_fluentbit\_addon\_config](#input\_fargate\_fluentbit\_addon\_config) | Fargate fluentbit add-on config | `any` | `{}` | no |
+| <a name="input_fargate_fluentbit_config"></a> [fargate\_fluentbit\_config](#input\_fargate\_fluentbit\_config) | Fargate fluentbit add-on config | `any` | `{}` | no |
 | <a name="input_fsx_csi_driver"></a> [fsx\_csi\_driver](#input\_fsx\_csi\_driver) | FSX CSI Driver addon configuration values | `any` | `{}` | no |
 | <a name="input_gatekeeper"></a> [gatekeeper](#input\_gatekeeper) | Gatekeeper add-on configuration | `bool` | `false` | no |
 | <a name="input_ingress_nginx"></a> [ingress\_nginx](#input\_ingress\_nginx) | Ingress Nginx add-on configurations | `any` | `{}` | no |
diff --git a/main.tf b/main.tf
index 08e20395..abd031bb 100644
--- a/main.tf
+++ b/main.tf
@@ -2660,10 +2660,9 @@ module "vpa" {
 # Help on Fargate Logging with Fluentbit and CloudWatch
 # https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html
 locals {
-  fargate_fluentbit_name                 = "fargate_fluentbit"
-  fargate_fluentbit_cwlog_group          = "/${var.cluster_name}/fargate-fluentbit-logs"
-  fargate_fluentebit_cwlog_stream_prefix = "fargate-logs-"
-  default_config = {
+  fargate_fluentbit_cwlog_group         = "/${var.cluster_name}/fargate-fluentbit-logs"
+  fargate_fluentbit_cwlog_stream_prefix = "fargate-logs-"
+  fargate_fluentbit_default_config = {
     output_conf  = <<-EOF
     [OUTPUT]
       Name cloudwatch_logs
@@ -2695,8 +2694,8 @@ locals {
     flb_log_cw   = false
   }
 
-  config = merge(
-    local.default_config,
+  fargate_fluentbit_config = merge(
+    local.fargate_fluentbit_default_config,
     var.fargate_fluentbit_config
   )
 }
@@ -2710,7 +2709,6 @@ resource "kubernetes_namespace" "aws_observability" {
       aws-observability = "enabled"
     }
   }
-  tags = var.tags
 }
 
 # fluent-bit-cloudwatch value as the name of the CloudWatch log group that is automatically created as soon as your apps start logging
@@ -2718,22 +2716,17 @@ resource "kubernetes_config_map" "aws_logging" {
   count = var.enable_fargate_fluentbit ? 1 : 0
   metadata {
     name      = "aws-logging"
-    namespace = kubernetes_namespace.aws_observability.id
+    namespace = kubernetes_namespace.aws_observability[0].id
   }
 
   data = {
-    "parsers.conf" = local.config["parsers_conf"]
-    "filters.conf" = local.config["filters_conf"]
-    "output.conf"  = local.config["output_conf"]
-    "flb_log_cw"   = local.config["flb_log_cw"]
+    "parsers.conf" = local.fargate_fluentbit_config["parsers_conf"]
+    "filters.conf" = local.fargate_fluentbit_config["filters_conf"]
+    "output.conf"  = local.fargate_fluentbit_config["output_conf"]
+    "flb_log_cw"   = local.fargate_fluentbit_config["flb_log_cw"]
   }
-
-  tags = var.tags
 }
 
-addon_config  = var.fargate_fluentbit_addon_config
-addon_context = local.addon_context
-
 #-----------------Kubernetes Add-ons----------------------
 
 module "argocd" {
@@ -2763,24 +2756,3 @@ module "velero" {
   irsa_policies     = var.velero_irsa_policies
   backup_s3_bucket  = var.velero_backup_s3_bucket
 }
-
-module "opentelemetry_operator" {
-  source = "./modules/opentelemetry-operator"
-
-  count = var.enable_amazon_eks_adot || var.enable_opentelemetry_operator ? 1 : 0
-
-  # Amazon EKS ADOT addon
-  enable_amazon_eks_adot = var.enable_amazon_eks_adot
-  addon_config = merge(
-    {
-      kubernetes_version = var.cluster_version
-    },
-    var.amazon_eks_adot_config,
-  )
-
-  # Self-managed OpenTelemetry Operator via Helm chart
-  enable_opentelemetry_operator = var.enable_opentelemetry_operator
-  helm_config                   = var.opentelemetry_operator_helm_config
-
-  addon_context = local.addon_context
-}
diff --git a/modules/fargate-fluentbit/README.md b/modules/fargate-fluentbit/README.md
deleted file mode 100644
index 4240de06..00000000
--- a/modules/fargate-fluentbit/README.md
+++ /dev/null
@@ -1,98 +0,0 @@
-# Fargate Fluent Bit Logger
-
-Amazon EKS on Fargate offers a built-in log router based on Fluent Bit.
-This means that you don't explicitly run a Fluent Bit container as a sidecar, but Amazon runs it for you.
-All that you have to do is configure the log router.
-The configuration happens through a dedicated ConfigMap that must meet the following criteria:
-
-Named `aws-logging`
-
-Created in a dedicated namespace called `aws-observability`
-
-Once you've created the ConfigMap, Amazon EKS on Fargate automatically detects it and configures the log router with it.
-Fargate uses a version of AWS for Fluent Bit, an upstream compliant distribution of Fluent Bit managed by AWS.
-For more information, see AWS for Fluent Bit on GitHub.
-
-The log router allows you to use the breadth of services at AWS for log analytics and storage.
-You can stream logs from Fargate directly to `Amazon CloudWatch`, `Amazon OpenSearch Service`.
-You can also stream logs to destinations such as `Amazon S3`, `Amazon Kinesis Data Streams`, and partner tools through Amazon Kinesis Data Firehose.
-
-## Fluent Bit CloudWatch Config
-
-Please find the updated configuration from [AWS Docs](https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html)
-
-```hcl
-  #---------------------------------------
-  # FARGATE FLUENTBIT
-  #---------------------------------------
-  fargate_fluentbit_enable = true
-
-  fargate_fluentbit_config = {
-      output_conf  = <<EOF
-[OUTPUT]
-  Name cloudwatch_logs
-  Match *
-  region eu-west-1
-  log_group_name /${local.eks_cluster_id}/fargate-fluentbit-logs
-  log_stream_prefix "fargate-logs-"
-  auto_create_group true
-    EOF
-      filters_conf = <<EOF
-[FILTER]
-  Name parser
-  Match *
-  Key_Name log
-  Parser regex
-  Preserve_Key True
-  Reserve_Data True
-    EOF
-      parsers_conf = <<EOF
-[PARSER]
-  Name regex
-  Format regex
-  Regex ^(?<time>[^ ]+) (?<stream>[^ ]+) (?<logtag>[^ ]+) (?<message>.+)$
-  Time_Key time
-  Time_Format %Y-%m-%dT%H:%M:%S.%L%z
-  Time_Keep On
-  Decode_Field_As json message
-    EOF
-  flb_log_cw: true
-  }
-```
-
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-## Requirements
-
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.10 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [kubernetes_config_map.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
-| [kubernetes_namespace.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_addon_config"></a> [addon\_config](#input\_addon\_config) | Fargate fluentbit configuration | `any` | `{}` | no |
-| <a name="input_addon_context"></a> [addon\_context](#input\_addon\_context) | Input configuration for the addon | <pre>object({<br>    aws_caller_identity_account_id = string<br>    aws_caller_identity_arn        = string<br>    aws_eks_cluster_endpoint       = string<br>    aws_partition_id               = string<br>    aws_region_name                = string<br>    eks_cluster_id                 = string<br>    eks_oidc_issuer_url            = string<br>    eks_oidc_provider_arn          = string<br>    tags                           = map(string)<br>  })</pre> | n/a | yes |
-
-## Outputs
-
-No outputs.
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/fargate-fluentbit/locals.tf b/modules/fargate-fluentbit/locals.tf
deleted file mode 100644
index 281f71cc..00000000
--- a/modules/fargate-fluentbit/locals.tf
+++ /dev/null
@@ -1,42 +0,0 @@
-locals {
-
-  cwlog_group         = "/${var.addon_context.eks_cluster_id}/fargate-fluentbit-logs"
-  cwlog_stream_prefix = "fargate-logs-"
-
-  default_config = {
-    output_conf  = <<-EOF
-    [OUTPUT]
-      Name cloudwatch_logs
-      Match *
-      region ${var.addon_context.aws_region_name}
-      log_group_name ${local.cwlog_group}
-      log_stream_prefix ${local.cwlog_stream_prefix}
-      auto_create_group true
-    EOF
-    filters_conf = <<-EOF
-    [FILTER]
-      Name parser
-      Match *
-      Key_Name log
-      Parser regex
-      Preserve_Key True
-      Reserve_Data True
-    EOF
-    parsers_conf = <<-EOF
-    [PARSER]
-      Name regex
-      Format regex
-      Regex ^(?<time>[^ ]+) (?<stream>[^ ]+) (?<logtag>[^ ]+) (?<message>.+)$
-      Time_Key time
-      Time_Format %Y-%m-%dT%H:%M:%S.%L%z
-      Time_Keep On
-      Decode_Field_As json message
-    EOF
-    flb_log_cw   = false
-  }
-
-  config = merge(
-    local.default_config,
-    var.addon_config
-  )
-}
diff --git a/modules/fargate-fluentbit/main.tf b/modules/fargate-fluentbit/main.tf
deleted file mode 100755
index 4f3e9e85..00000000
--- a/modules/fargate-fluentbit/main.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-# Help on Fargate Logging with Fluentbit and CloudWatch
-# https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html
-
-resource "kubernetes_namespace" "aws_observability" {
-  metadata {
-    name = "aws-observability"
-
-    labels = {
-      aws-observability = "enabled"
-    }
-  }
-}
-
-# fluent-bit-cloudwatch value as the name of the CloudWatch log group that is automatically created as soon as your apps start logging
-resource "kubernetes_config_map" "aws_logging" {
-  metadata {
-    name      = "aws-logging"
-    namespace = kubernetes_namespace.aws_observability.id
-  }
-
-  data = {
-    "parsers.conf" = local.config["parsers_conf"]
-    "filters.conf" = local.config["filters_conf"]
-    "output.conf"  = local.config["output_conf"]
-    "flb_log_cw"   = local.config["flb_log_cw"]
-  }
-}
diff --git a/modules/fargate-fluentbit/outputs.tf b/modules/fargate-fluentbit/outputs.tf
deleted file mode 100644
index e69de29b..00000000
diff --git a/modules/fargate-fluentbit/variables.tf b/modules/fargate-fluentbit/variables.tf
deleted file mode 100644
index fa11b174..00000000
--- a/modules/fargate-fluentbit/variables.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-variable "addon_config" {
-  description = "Fargate fluentbit configuration"
-  type        = any
-  default     = {}
-}
-
-variable "addon_context" {
-  description = "Input configuration for the addon"
-  type = object({
-    aws_caller_identity_account_id = string
-    aws_caller_identity_arn        = string
-    aws_eks_cluster_endpoint       = string
-    aws_partition_id               = string
-    aws_region_name                = string
-    eks_cluster_id                 = string
-    eks_oidc_issuer_url            = string
-    eks_oidc_provider_arn          = string
-    tags                           = map(string)
-  })
-}
diff --git a/modules/fargate-fluentbit/versions.tf b/modules/fargate-fluentbit/versions.tf
deleted file mode 100644
index 55fba733..00000000
--- a/modules/fargate-fluentbit/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
-  required_version = ">= 1.0.0"
-
-  required_providers {
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = ">= 2.10"
-    }
-  }
-}
diff --git a/outputs.tf b/outputs.tf
index 0b2ca839..bededa27 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -100,7 +100,7 @@ output "cluster_proportional_autoscaler" {
 
 output "fargate_fluentbit" {
   description = "Map of attributes of the Helm release and IRSA created"
-  value       = try(module.fargate_fluentbit[0], null)
+  value       = local.fargate_fluentbit_config
 }
 
 output "gatekeeper" {
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index 01c67837..61929a77 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -150,6 +150,7 @@ module "eks_blueprints_addons" {
   enable_metrics_server                        = true
   enable_vpa                                   = true
   enable_aws_for_fluentbit                     = true
+  enable_fargate_fluentbit                     = true
 
   enable_aws_node_termination_handler   = true
   aws_node_termination_handler_asg_arns = [for asg in module.eks.self_managed_node_groups : asg.autoscaling_group_arn]
diff --git a/variables.tf b/variables.tf
index 0b3afd90..061a45bd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -614,7 +614,7 @@ variable "enable_fargate_fluentbit_gitops" {
   default     = false
 }
 
-variable "fargate_fluentbit" {
+variable "fargate_fluentbit_config" {
   description = "Fargate fluentbit add-on config"
   type        = any
   default     = {}
diff --git a/versions.tf b/versions.tf
index 55eff62b..aeb892f3 100644
--- a/versions.tf
+++ b/versions.tf
@@ -6,5 +6,9 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 4.47"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.10"
+    }
   }
 }

From 8c48b49041d2e81f352cc602252dc6bcf095530c Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Thu, 20 Apr 2023 19:06:52 -0400
Subject: [PATCH 03/17] PR review fixes

---
 README.md    |  6 ++--
 main.tf      | 83 ++++++++++++++++++++++------------------------------
 outputs.tf   |  2 +-
 variables.tf |  2 +-
 4 files changed, 40 insertions(+), 53 deletions(-)

diff --git a/README.md b/README.md
index e5325536..be729436 100644
--- a/README.md
+++ b/README.md
@@ -66,8 +66,8 @@ Please note: not all addons will be supported as they are today in the main EKS
 | [aws_cloudwatch_log_group.aws_for_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
 | [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
-| [kubernetes_config_map.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
-| [kubernetes_namespace.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_config_map_v1.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource |
+| [kubernetes_namespace_v1.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_addon_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
 | [aws_iam_policy_document.aws_for_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -166,7 +166,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | <a name="input_external_secrets_kms_key_arns"></a> [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:kms:*:*:key/*"<br>]</pre> | no |
 | <a name="input_external_secrets_secrets_manager_arns"></a> [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:secretsmanager:*:*:secret:*"<br>]</pre> | no |
 | <a name="input_external_secrets_ssm_parameter_arns"></a> [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:ssm:*:*:parameter/*"<br>]</pre> | no |
-| <a name="input_fargate_fluentbit_config"></a> [fargate\_fluentbit\_config](#input\_fargate\_fluentbit\_config) | Fargate fluentbit add-on config | `any` | `{}` | no |
+| <a name="input_fargate_fluentbit"></a> [fargate\_fluentbit](#input\_fargate\_fluentbit) | Fargate fluentbit add-on config | `any` | `{}` | no |
 | <a name="input_fsx_csi_driver"></a> [fsx\_csi\_driver](#input\_fsx\_csi\_driver) | FSX CSI Driver addon configuration values | `any` | `{}` | no |
 | <a name="input_gatekeeper"></a> [gatekeeper](#input\_gatekeeper) | Gatekeeper add-on configuration | `bool` | `false` | no |
 | <a name="input_ingress_nginx"></a> [ingress\_nginx](#input\_ingress\_nginx) | Ingress Nginx add-on configurations | `any` | `{}` | no |
diff --git a/main.tf b/main.tf
index abd031bb..07d050fe 100644
--- a/main.tf
+++ b/main.tf
@@ -2659,48 +2659,7 @@ module "vpa" {
 ################################################################################
 # Help on Fargate Logging with Fluentbit and CloudWatch
 # https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html
-locals {
-  fargate_fluentbit_cwlog_group         = "/${var.cluster_name}/fargate-fluentbit-logs"
-  fargate_fluentbit_cwlog_stream_prefix = "fargate-logs-"
-  fargate_fluentbit_default_config = {
-    output_conf  = <<-EOF
-    [OUTPUT]
-      Name cloudwatch_logs
-      Match *
-      region ${local.region}
-      log_group_name ${local.fargate_fluentbit_cwlog_group}
-      log_stream_prefix ${local.fargate_fluentbit_cwlog_stream_prefix}
-      auto_create_group true
-    EOF
-    filters_conf = <<-EOF
-    [FILTER]
-      Name parser
-      Match *
-      Key_Name log
-      Parser regex
-      Preserve_Key True
-      Reserve_Data True
-    EOF
-    parsers_conf = <<-EOF
-    [PARSER]
-      Name regex
-      Format regex
-      Regex ^(?<time>[^ ]+) (?<stream>[^ ]+) (?<logtag>[^ ]+) (?<message>.+)$
-      Time_Key time
-      Time_Format %Y-%m-%dT%H:%M:%S.%L%z
-      Time_Keep On
-      Decode_Field_As json message
-    EOF
-    flb_log_cw   = false
-  }
-
-  fargate_fluentbit_config = merge(
-    local.fargate_fluentbit_default_config,
-    var.fargate_fluentbit_config
-  )
-}
-
-resource "kubernetes_namespace" "aws_observability" {
+resource "kubernetes_namespace_v1" "aws_observability" {
   count = var.enable_fargate_fluentbit ? 1 : 0
   metadata {
     name = "aws-observability"
@@ -2712,18 +2671,46 @@ resource "kubernetes_namespace" "aws_observability" {
 }
 
 # fluent-bit-cloudwatch value as the name of the CloudWatch log group that is automatically created as soon as your apps start logging
-resource "kubernetes_config_map" "aws_logging" {
+resource "kubernetes_config_map_v1" "aws_logging" {
   count = var.enable_fargate_fluentbit ? 1 : 0
   metadata {
     name      = "aws-logging"
-    namespace = kubernetes_namespace.aws_observability[0].id
+    namespace = kubernetes_namespace_v1.aws_observability[0].id
   }
 
   data = {
-    "parsers.conf" = local.fargate_fluentbit_config["parsers_conf"]
-    "filters.conf" = local.fargate_fluentbit_config["filters_conf"]
-    "output.conf"  = local.fargate_fluentbit_config["output_conf"]
-    "flb_log_cw"   = local.fargate_fluentbit_config["flb_log_cw"]
+    "parsers.conf" = try(var.fargate_fluentbit.parsers_conf, <<-EOT
+    [PARSER]
+      Name regex
+      Format regex
+      Regex ^(?<time>[^ ]+) (?<stream>[^ ]+) (?<logtag>[^ ]+) (?<message>.+)$
+      Time_Key time
+      Time_Format %Y-%m-%dT%H:%M:%S.%L%z
+      Time_Keep On
+      Decode_Field_As json message
+    EOT
+    )
+    "filters.conf" = try(var.fargate_fluentbit.filters_conf, <<-EOT
+      [FILTER]
+      Name parser
+      Match *
+      Key_Name log
+      Parser regex
+      Preserve_Key True
+      Reserve_Data True
+    EOT
+    )
+    "output.conf" = try(var.fargate_fluentbit.output_conf, <<-EOT
+    [OUTPUT]
+      Name cloudwatch_logs
+      Match *
+      region ${local.region}
+      log_group_name ${try(var.fargate_fluentbit.cwlog_group, "/${var.cluster_name}/fargate-fluentbit-logs")}
+      log_stream_prefix ${try(var.fargate_fluentbit.cwlog_stream_prefix, "fargate-logs-")}
+      auto_create_group true
+    EOT
+    )
+    "flb_log_cw" = try(var.fargate_fluentbit.flb_log_cw, false)
   }
 }
 
diff --git a/outputs.tf b/outputs.tf
index bededa27..55c8baff 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -100,7 +100,7 @@ output "cluster_proportional_autoscaler" {
 
 output "fargate_fluentbit" {
   description = "Map of attributes of the Helm release and IRSA created"
-  value       = local.fargate_fluentbit_config
+  value       = kubernetes_config_map_v1.aws_logging
 }
 
 output "gatekeeper" {
diff --git a/variables.tf b/variables.tf
index 061a45bd..0b3afd90 100644
--- a/variables.tf
+++ b/variables.tf
@@ -614,7 +614,7 @@ variable "enable_fargate_fluentbit_gitops" {
   default     = false
 }
 
-variable "fargate_fluentbit_config" {
+variable "fargate_fluentbit" {
   description = "Fargate fluentbit add-on config"
   type        = any
   default     = {}

From 3021642e9b3fbc703f0b795d8275fed2dac66454 Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Thu, 20 Apr 2023 19:17:36 -0400
Subject: [PATCH 04/17] Fixing `gatekeeper` Namespace

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 07d050fe..fca17da4 100644
--- a/main.tf
+++ b/main.tf
@@ -2556,7 +2556,7 @@ module "gatekeeper" {
   # https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/Chart.yaml
   name             = try(var.gatekeeper.name, local.cluster_proportional_autoscaler_name)
   description      = try(var.gatekeeper.description, "A Helm chart to install Gatekeeper")
-  namespace        = try(var.gatekeeper.namespace, "kube-system")
+  namespace        = try(var.gatekeeper.namespace, "gatekeeper-system")
   create_namespace = try(var.gatekeeper.create_namespace, false)
   chart            = local.gatekeeper_name
   chart_version    = try(var.gatekeeper.chart_version, "3.12.0")

From 07fd6dc56e7cccd267087e758dcbd34e42db0159 Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Thu, 20 Apr 2023 19:18:38 -0400
Subject: [PATCH 05/17] Fixing `gatekeeper` Namespace

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index fca17da4..997df0ae 100644
--- a/main.tf
+++ b/main.tf
@@ -2557,7 +2557,7 @@ module "gatekeeper" {
   name             = try(var.gatekeeper.name, local.cluster_proportional_autoscaler_name)
   description      = try(var.gatekeeper.description, "A Helm chart to install Gatekeeper")
   namespace        = try(var.gatekeeper.namespace, "gatekeeper-system")
-  create_namespace = try(var.gatekeeper.create_namespace, false)
+  create_namespace = try(var.gatekeeper.create_namespace, true)
   chart            = local.gatekeeper_name
   chart_version    = try(var.gatekeeper.chart_version, "3.12.0")
   repository       = try(var.gatekeeper.repository, "https://open-policy-agent.github.io/gatekeeper/charts")

From 11b77008335b0e1bd612bf12398bb4a7c797ef8c Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Thu, 20 Apr 2023 20:21:46 -0400
Subject: [PATCH 06/17] Refactor `velero` addon

---
 main.tf      | 176 ++++++++++++++++++++++++++++++++++++++++++++++++---
 outputs.tf   |   2 +-
 variables.tf |  41 +++++-------
 3 files changed, 183 insertions(+), 36 deletions(-)

diff --git a/main.tf b/main.tf
index a5987559..7db86e65 100644
--- a/main.tf
+++ b/main.tf
@@ -2710,6 +2710,173 @@ module "vpa" {
 }
 
 
+################################################################################
+# Velero
+################################################################################
+locals {
+  velero_name            = "velero"
+  velero_service_account = try(var.velero.service_account_name, "${local.velero_name}-sa")
+}
+
+# https://github.com/vmware-tanzu/velero-plugin-for-aws#option-1-set-permissions-with-an-iam-user
+data "aws_iam_policy_document" "velero" {
+  statement {
+    actions = [
+      "ec2:CreateSnapshot",
+      "ec2:CreateSnapshots",
+      "ec2:CreateTags",
+      "ec2:CreateVolume",
+      "ec2:DeleteSnapshot"
+    ]
+    resources = [
+      "arn:${local.partition}:ec2:${local.region}:${local.account_id}:instance/*",
+      "arn:${local.partition}:ec2:${local.region}::snapshot/*",
+      "arn:${local.partition}:ec2:${local.region}:${local.account_id}:volume/*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "ec2:DescribeSnapshots",
+      "ec2:DescribeVolumes"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
+      "s3:AbortMultipartUpload",
+      "s3:DeleteObject",
+      "s3:GetObject",
+      "s3:ListMultipartUploadParts",
+      "s3:PutObject",
+    ]
+    resources = [
+      try("arn:${local.partition}:s3:::${var.velero.s3_bucket}/*",
+        module.velero_s3_bucket.s3_bucket_arn
+
+    )]
+  }
+
+  statement {
+    actions = ["s3:ListBucket"]
+    resources = [
+      try("arn:${local.parition}:s3:::${var.velero.s3_bucket}",
+        module.velero_s3_bucket.s3_bucket_arn
+    )]
+  }
+}
+
+module "velero_s3_bucket" {
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "3.8.2"
+
+  bucket = try(var.velero.bucket_name, "${local.velero_name}-${local.account_id}-s3")
+}
+
+module "velero" {
+  # source = "aws-ia/eks-blueprints-addon/aws"
+  source = "./modules/eks-blueprints-addon"
+
+  create = var.enable_velero
+
+  # https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/Chart.yaml
+  name             = try(var.velero.name, local.velero_name)
+  description      = try(var.velero.description, "A Helm chart to install the Velero")
+  namespace        = try(var.velero.namespace, "velero")
+  create_namespace = try(var.velero.create_namespace, true)
+  chart            = "velero"
+  chart_version    = try(var.velero.chart_version, "3.1.6")
+  repository       = try(var.velero.repository, "https://vmware-tanzu.github.io/helm-charts/")
+  values = try(var.velero.values, [<<-EOT
+  initContainers:
+  - name: velero-plugin-for-aws
+    image: velero/velero-plugin-for-aws:v1.5.0
+    volumeMounts:
+      - mountPath: /target
+        name: plugins
+
+  configuration:
+    provider: aws
+    backupStorageLocation:
+      bucket: ${try(var.velero.s3_bucket, module.velero_s3_bucket.s3_bucket_arn)}
+    volumeSnapshotLocation:
+      config:
+        region: ${local.region}
+
+  credentials:
+    useSecret: false
+    EOT
+  ])
+
+  timeout                    = try(var.velero.timeout, null)
+  repository_key_file        = try(var.velero.repository_key_file, null)
+  repository_cert_file       = try(var.velero.repository_cert_file, null)
+  repository_ca_file         = try(var.velero.repository_ca_file, null)
+  repository_username        = try(var.velero.repository_username, null)
+  repository_password        = try(var.velero.repository_password, null)
+  devel                      = try(var.velero.devel, null)
+  verify                     = try(var.velero.verify, null)
+  keyring                    = try(var.velero.keyring, null)
+  disable_webhooks           = try(var.velero.disable_webhooks, null)
+  reuse_values               = try(var.velero.reuse_values, null)
+  reset_values               = try(var.velero.reset_values, null)
+  force_update               = try(var.velero.force_update, null)
+  recreate_pods              = try(var.velero.recreate_pods, null)
+  cleanup_on_fail            = try(var.velero.cleanup_on_fail, null)
+  max_history                = try(var.velero.max_history, null)
+  atomic                     = try(var.velero.atomic, null)
+  skip_crds                  = try(var.velero.skip_crds, null)
+  render_subchart_notes      = try(var.velero.render_subchart_notes, null)
+  disable_openapi_validation = try(var.velero.disable_openapi_validation, null)
+  wait                       = try(var.velero.wait, null)
+  wait_for_jobs              = try(var.velero.wait_for_jobs, null)
+  dependency_update          = try(var.velero.dependency_update, null)
+  replace                    = try(var.velero.replace, null)
+  lint                       = try(var.velero.lint, null)
+
+  postrender = try(var.velero.postrender, [])
+  set = concat([
+    {
+      name  = "serviceAccount.name"
+      value = local.velero_service_account
+    }],
+    try(var.velero.set, [])
+  )
+  set_sensitive = try(var.velero.set_sensitive, [])
+
+  # IAM role for service account (IRSA)
+  set_irsa_names                = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+  create_role                   = try(var.velero.create_role, true)
+  role_name                     = try(var.velero.role_name, "velero")
+  role_name_use_prefix          = try(var.velero.role_name_use_prefix, true)
+  role_path                     = try(var.velero.role_path, "/")
+  role_permissions_boundary_arn = lookup(var.velero, "role_permissions_boundary_arn", null)
+  role_description              = try(var.velero.role_description, "IRSA for Velero")
+  role_policies                 = lookup(var.velero, "role_policies", {})
+
+  source_policy_documents = compact(concat(
+    data.aws_iam_policy_document.velero[*].json,
+    lookup(var.velero, "source_policy_documents", [])
+  ))
+  override_policy_documents = lookup(var.velero, "override_policy_documents", [])
+  policy_statements         = lookup(var.velero, "policy_statements", [])
+  policy_name               = try(var.velero.policy_name, "velero")
+  policy_name_use_prefix    = try(var.velero.policy_name_use_prefix, true)
+  policy_path               = try(var.velero.policy_path, null)
+  policy_description        = try(var.velero.policy_description, "IAM Policy for Velero")
+
+  oidc_providers = {
+    controller = {
+      provider_arn = var.oidc_provider_arn
+      # namespace is inherited from chart
+      service_account = local.velero_service_account
+    }
+  }
+
+  tags = var.tags
+}
+
 ################################################################################
 # Fargate Fluentbit
 ################################################################################
@@ -2778,12 +2945,3 @@ module "csi_secrets_store_provider_aws" {
   helm_config   = var.csi_secrets_store_provider_aws_helm_config
   addon_context = local.addon_context
 }
-
-module "velero" {
-  count            = var.enable_velero ? 1 : 0
-  source           = "./modules/velero"
-  helm_config      = var.velero_helm_config
-  addon_context    = local.addon_context
-  irsa_policies    = var.velero_irsa_policies
-  backup_s3_bucket = var.velero_backup_s3_bucket
-}
diff --git a/outputs.tf b/outputs.tf
index 85f29d2a..7853abd3 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -120,7 +120,7 @@ output "secrets_store_csi_driver" {
 
 output "velero" {
   description = "Map of attributes of the Helm release and IRSA created"
-  value       = try(module.velero[0], null)
+  value       = module.velero
 }
 
 output "vpa" {
diff --git a/variables.tf b/variables.tf
index 973988d7..e67a2723 100644
--- a/variables.tf
+++ b/variables.tf
@@ -461,9 +461,23 @@ variable "vpa" {
 }
 
 ################################################################################
-# Fargate Fluentbit
+# Velero
 ################################################################################
+variable "enable_velero" {
+  description = "Enable Kubernetes Dashboard add-on"
+  type        = bool
+  default     = false
+}
+
+variable "velerot" {
+  description = "Velero addon configuration values"
+  type        = any
+  default     = {}
+}
 
+################################################################################
+# Fargate Fluentbit
+################################################################################
 variable "enable_fargate_fluentbit" {
   description = "Enable Fargate FluentBit add-on"
   type        = bool
@@ -489,31 +503,6 @@ variable "irsa_iam_permissions_boundary" {
   default     = ""
 }
 
-#-----------Kubernetes Velero ADDON-------------
-variable "enable_velero" {
-  description = "Enable Kubernetes Dashboard add-on"
-  type        = bool
-  default     = false
-}
-
-variable "velero_helm_config" {
-  description = "Kubernetes Velero Helm Chart config"
-  type        = any
-  default     = null
-}
-
-variable "velero_irsa_policies" {
-  description = "IAM policy ARNs for velero IRSA"
-  type        = list(string)
-  default     = []
-}
-
-variable "velero_backup_s3_bucket" {
-  description = "Bucket name for velero bucket"
-  type        = string
-  default     = ""
-}
-
 #-----------AWS CSI Secrets Store Provider-------------
 variable "enable_secrets_store_csi_driver_provider_aws" {
   type        = bool

From d2a13bef6aef6007611854faa0df7de7c8ac199d Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Fri, 21 Apr 2023 16:03:54 -0400
Subject: [PATCH 07/17] Refactor `velero` addon

---
 README.md              |  7 +++----
 main.tf                | 22 ++++------------------
 tests/complete/main.tf |  4 +++-
 variables.tf           |  2 +-
 4 files changed, 11 insertions(+), 24 deletions(-)

diff --git a/README.md b/README.md
index 93708688..9e506c91 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | <a name="module_kube_prometheus_stack"></a> [kube\_prometheus\_stack](#module\_kube\_prometheus\_stack) | ./modules/eks-blueprints-addon | n/a |
 | <a name="module_metrics_server"></a> [metrics\_server](#module\_metrics\_server) | ./modules/eks-blueprints-addon | n/a |
 | <a name="module_secrets_store_csi_driver"></a> [secrets\_store\_csi\_driver](#module\_secrets\_store\_csi\_driver) | ./modules/eks-blueprints-addon | n/a |
-| <a name="module_velero"></a> [velero](#module\_velero) | ./modules/velero | n/a |
+| <a name="module_velero"></a> [velero](#module\_velero) | ./modules/eks-blueprints-addon | n/a |
 | <a name="module_vpa"></a> [vpa](#module\_vpa) | ./modules/eks-blueprints-addon | n/a |
 
 ## Resources
@@ -81,6 +81,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | [aws_iam_policy_document.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.fsx_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_role.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
@@ -158,9 +159,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | <a name="input_oidc_provider_arn"></a> [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the cluster OIDC Provider | `string` | n/a | yes |
 | <a name="input_secrets_store_csi_driver"></a> [secrets\_store\_csi\_driver](#input\_secrets\_store\_csi\_driver) | CSI Secrets Store Provider add-on configurations | `any` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
-| <a name="input_velero_backup_s3_bucket"></a> [velero\_backup\_s3\_bucket](#input\_velero\_backup\_s3\_bucket) | Bucket name for velero bucket | `string` | `""` | no |
-| <a name="input_velero_helm_config"></a> [velero\_helm\_config](#input\_velero\_helm\_config) | Kubernetes Velero Helm Chart config | `any` | `null` | no |
-| <a name="input_velero_irsa_policies"></a> [velero\_irsa\_policies](#input\_velero\_irsa\_policies) | IAM policy ARNs for velero IRSA | `list(string)` | `[]` | no |
+| <a name="input_velero"></a> [velero](#input\_velero) | Velero addon configuration values | `any` | `{}` | no |
 | <a name="input_vpa"></a> [vpa](#input\_vpa) | Vertical Pod Autoscaler addon configuration values | `any` | `{}` | no |
 
 ## Outputs
diff --git a/main.tf b/main.tf
index 7db86e65..00a2d543 100644
--- a/main.tf
+++ b/main.tf
@@ -2751,29 +2751,15 @@ data "aws_iam_policy_document" "velero" {
       "s3:ListMultipartUploadParts",
       "s3:PutObject",
     ]
-    resources = [
-      try("arn:${local.partition}:s3:::${var.velero.s3_bucket}/*",
-        module.velero_s3_bucket.s3_bucket_arn
-
-    )]
+    resources = ["arn:${local.partition}:s3:::${var.velero.backup_s3_bucket}/*"]
   }
 
   statement {
-    actions = ["s3:ListBucket"]
-    resources = [
-      try("arn:${local.parition}:s3:::${var.velero.s3_bucket}",
-        module.velero_s3_bucket.s3_bucket_arn
-    )]
+    actions   = ["s3:ListBucket"]
+    resources = ["arn:${local.partition}:s3:::${var.velero.backup_s3_bucket}"]
   }
 }
 
-module "velero_s3_bucket" {
-  source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "3.8.2"
-
-  bucket = try(var.velero.bucket_name, "${local.velero_name}-${local.account_id}-s3")
-}
-
 module "velero" {
   # source = "aws-ia/eks-blueprints-addon/aws"
   source = "./modules/eks-blueprints-addon"
@@ -2799,7 +2785,7 @@ module "velero" {
   configuration:
     provider: aws
     backupStorageLocation:
-      bucket: ${try(var.velero.s3_bucket, module.velero_s3_bucket.s3_bucket_arn)}
+      bucket: ${var.velero.backup_s3_bucket}
     volumeSnapshotLocation:
       config:
         region: ${local.region}
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index 61929a77..3ba18c4f 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -168,7 +168,9 @@ module "eks_blueprints_addons" {
 
   enable_velero = true
   # bucket is required
-  velero_backup_s3_bucket = module.velero_backup_s3_bucket.s3_bucket_id
+  velero = {
+    backup_s3_bucket = module.velero_backup_s3_bucket.s3_bucket_id
+  }
 
   tags = local.tags
 }
diff --git a/variables.tf b/variables.tf
index e67a2723..e7f14316 100644
--- a/variables.tf
+++ b/variables.tf
@@ -469,7 +469,7 @@ variable "enable_velero" {
   default     = false
 }
 
-variable "velerot" {
+variable "velero" {
   description = "Velero addon configuration values"
   type        = any
   default     = {}

From aaadfbdd3c6ae9b2bb4a9a92f5d8446f2e13e0dd Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Fri, 21 Apr 2023 16:23:31 -0400
Subject: [PATCH 08/17] Adding `aws_cloudwatch_log_group.fargate_fluentbit`
 creation.

---
 README.md    |  2 ++
 main.tf      | 13 ++++++++++++-
 variables.tf |  6 ++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 93708688..f036af56 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | [aws_cloudwatch_event_target.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_group.aws_for_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.fargate_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
 | [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [kubernetes_config_map_v1.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource |
@@ -143,6 +144,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | <a name="input_external_secrets_secrets_manager_arns"></a> [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:secretsmanager:*:*:secret:*"<br>]</pre> | no |
 | <a name="input_external_secrets_ssm_parameter_arns"></a> [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:ssm:*:*:parameter/*"<br>]</pre> | no |
 | <a name="input_fargate_fluentbit"></a> [fargate\_fluentbit](#input\_fargate\_fluentbit) | Fargate fluentbit add-on config | `any` | `{}` | no |
+| <a name="input_fargate_fluentbit_cw_log_group"></a> [fargate\_fluentbit\_cw\_log\_group](#input\_fargate\_fluentbit\_cw\_log\_group) | AWS Fargate Fluentbit CloudWatch Log Group configurations | `any` | `{}` | no |
 | <a name="input_fsx_csi_driver"></a> [fsx\_csi\_driver](#input\_fsx\_csi\_driver) | FSX CSI Driver addon configuration values | `any` | `{}` | no |
 | <a name="input_gatekeeper"></a> [gatekeeper](#input\_gatekeeper) | Gatekeeper add-on configuration | `bool` | `false` | no |
 | <a name="input_ingress_nginx"></a> [ingress\_nginx](#input\_ingress\_nginx) | Ingress Nginx add-on configurations | `any` | `{}` | no |
diff --git a/main.tf b/main.tf
index a5987559..2a2e830d 100644
--- a/main.tf
+++ b/main.tf
@@ -2713,6 +2713,17 @@ module "vpa" {
 ################################################################################
 # Fargate Fluentbit
 ################################################################################
+resource "aws_cloudwatch_log_group" "fargate_fluentbit" {
+  count = try(var.fargate_fluentbit_cw_log_group.create, true) && var.enable_fargate_fluentbit ? 1 : 0
+
+  name              = try(var.fargate_fluentbit_cw_log_group.name, null)
+  name_prefix       = try(var.fargate_fluentbit_cw_log_group.name_prefix, "/${var.cluster_name}/fargate-fluentbit-logs")
+  retention_in_days = try(var.fargate_fluentbit_cw_log_group.retention, 90)
+  kms_key_id        = try(var.fargate_fluentbit_cw_log_group.kms_key_arn, null)
+  skip_destroy      = try(var.fargate_fluentbit_cw_log_group.skip_destroy, false)
+  tags              = merge(var.tags, try(var.fargate_fluentbit_cw_log_group.tags, {}))
+}
+
 # Help on Fargate Logging with Fluentbit and CloudWatch
 # https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html
 resource "kubernetes_namespace_v1" "aws_observability" {
@@ -2761,7 +2772,7 @@ resource "kubernetes_config_map_v1" "aws_logging" {
       Name cloudwatch_logs
       Match *
       region ${local.region}
-      log_group_name ${try(var.fargate_fluentbit.cwlog_group, "/${var.cluster_name}/fargate-fluentbit-logs")}
+      log_group_name ${try(var.fargate_fluentbit.cwlog_group, aws_cloudwatch_log_group.fargate_fluentbit[0].name)}
       log_stream_prefix ${try(var.fargate_fluentbit.cwlog_stream_prefix, "fargate-logs-")}
       auto_create_group true
     EOT
diff --git a/variables.tf b/variables.tf
index 973988d7..258d5caf 100644
--- a/variables.tf
+++ b/variables.tf
@@ -470,6 +470,12 @@ variable "enable_fargate_fluentbit" {
   default     = false
 }
 
+variable "fargate_fluentbit_cw_log_group" {
+  description = "AWS Fargate Fluentbit CloudWatch Log Group configurations"
+  type        = any
+  default     = {}
+}
+
 variable "fargate_fluentbit" {
   description = "Fargate fluentbit add-on config"
   type        = any

From 134c4d1c2d2627b14bdb0668d133ac063e7875c7 Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Fri, 21 Apr 2023 17:58:02 -0400
Subject: [PATCH 09/17] Velero validation tests

---
 README.md                              |   9 +-
 main.tf                                |  76 +---------
 modules/fargate-fluentbit/README.md    |  98 +++++++++++++
 modules/fargate-fluentbit/locals.tf    |  42 ++++++
 modules/fargate-fluentbit/main.tf      |  27 ++++
 modules/fargate-fluentbit/outputs.tf   |   0
 modules/fargate-fluentbit/variables.tf |  20 +++
 modules/fargate-fluentbit/versions.tf  |  10 ++
 modules/velero/README.md               | 183 -------------------------
 modules/velero/data.tf                 |  41 ------
 modules/velero/main.tf                 |  64 ---------
 modules/velero/outputs.tf              |  24 ----
 modules/velero/values.yaml             |  17 ---
 modules/velero/variables.tf            |  40 ------
 modules/velero/versions.tf             |  10 --
 outputs.tf                             |   4 +-
 variables.tf                           |  34 ++---
 versions.tf                            |   4 -
 18 files changed, 220 insertions(+), 483 deletions(-)
 create mode 100644 modules/fargate-fluentbit/README.md
 create mode 100644 modules/fargate-fluentbit/locals.tf
 create mode 100755 modules/fargate-fluentbit/main.tf
 create mode 100644 modules/fargate-fluentbit/outputs.tf
 create mode 100644 modules/fargate-fluentbit/variables.tf
 create mode 100644 modules/fargate-fluentbit/versions.tf
 delete mode 100644 modules/velero/README.md
 delete mode 100644 modules/velero/data.tf
 delete mode 100644 modules/velero/main.tf
 delete mode 100644 modules/velero/outputs.tf
 delete mode 100644 modules/velero/values.yaml
 delete mode 100644 modules/velero/variables.tf
 delete mode 100644 modules/velero/versions.tf

diff --git a/README.md b/README.md
index f431d0b8..0bf2be54 100644
--- a/README.md
+++ b/README.md
@@ -13,14 +13,12 @@ Please note: not all addons will be supported as they are today in the main EKS
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.47 |
-| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.47 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.10 |
 
 ## Modules
 
@@ -42,6 +40,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | <a name="module_efs_csi_driver"></a> [efs\_csi\_driver](#module\_efs\_csi\_driver) | ./modules/eks-blueprints-addon | n/a |
 | <a name="module_external_dns"></a> [external\_dns](#module\_external\_dns) | ./modules/eks-blueprints-addon | n/a |
 | <a name="module_external_secrets"></a> [external\_secrets](#module\_external\_secrets) | ./modules/eks-blueprints-addon | n/a |
+| <a name="module_fargate_fluentbit"></a> [fargate\_fluentbit](#module\_fargate\_fluentbit) | ./modules/fargate-fluentbit | n/a |
 | <a name="module_fsx_csi_driver"></a> [fsx\_csi\_driver](#module\_fsx\_csi\_driver) | ./modules/eks-blueprints-addon | n/a |
 | <a name="module_gatekeeper"></a> [gatekeeper](#module\_gatekeeper) | ./modules/eks-blueprints-addon | n/a |
 | <a name="module_ingress_nginx"></a> [ingress\_nginx](#module\_ingress\_nginx) | ./modules/eks-blueprints-addon | n/a |
@@ -64,11 +63,8 @@ Please note: not all addons will be supported as they are today in the main EKS
 | [aws_cloudwatch_event_target.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_group.aws_for_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_cloudwatch_log_group.fargate_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
 | [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
-| [kubernetes_config_map_v1.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource |
-| [kubernetes_namespace_v1.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_addon_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
 | [aws_iam_policy_document.aws_for_fluentbit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -144,8 +140,7 @@ Please note: not all addons will be supported as they are today in the main EKS
 | <a name="input_external_secrets_kms_key_arns"></a> [external\_secrets\_kms\_key\_arns](#input\_external\_secrets\_kms\_key\_arns) | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:kms:*:*:key/*"<br>]</pre> | no |
 | <a name="input_external_secrets_secrets_manager_arns"></a> [external\_secrets\_secrets\_manager\_arns](#input\_external\_secrets\_secrets\_manager\_arns) | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:secretsmanager:*:*:secret:*"<br>]</pre> | no |
 | <a name="input_external_secrets_ssm_parameter_arns"></a> [external\_secrets\_ssm\_parameter\_arns](#input\_external\_secrets\_ssm\_parameter\_arns) | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | `list(string)` | <pre>[<br>  "arn:aws:ssm:*:*:parameter/*"<br>]</pre> | no |
-| <a name="input_fargate_fluentbit"></a> [fargate\_fluentbit](#input\_fargate\_fluentbit) | Fargate fluentbit add-on config | `any` | `{}` | no |
-| <a name="input_fargate_fluentbit_cw_log_group"></a> [fargate\_fluentbit\_cw\_log\_group](#input\_fargate\_fluentbit\_cw\_log\_group) | AWS Fargate Fluentbit CloudWatch Log Group configurations | `any` | `{}` | no |
+| <a name="input_fargate_fluentbit_addon_config"></a> [fargate\_fluentbit\_addon\_config](#input\_fargate\_fluentbit\_addon\_config) | Fargate fluentbit add-on config | `any` | `{}` | no |
 | <a name="input_fsx_csi_driver"></a> [fsx\_csi\_driver](#input\_fsx\_csi\_driver) | FSX CSI Driver addon configuration values | `any` | `{}` | no |
 | <a name="input_gatekeeper"></a> [gatekeeper](#input\_gatekeeper) | Gatekeeper add-on configuration | `bool` | `false` | no |
 | <a name="input_ingress_nginx"></a> [ingress\_nginx](#input\_ingress\_nginx) | Ingress Nginx add-on configurations | `any` | `{}` | no |
diff --git a/main.tf b/main.tf
index 9dd882ea..8881f712 100644
--- a/main.tf
+++ b/main.tf
@@ -2863,79 +2863,15 @@ module "velero" {
   tags = var.tags
 }
 
-################################################################################
-# Fargate Fluentbit
-################################################################################
-resource "aws_cloudwatch_log_group" "fargate_fluentbit" {
-  count = try(var.fargate_fluentbit_cw_log_group.create, true) && var.enable_fargate_fluentbit ? 1 : 0
-
-  name              = try(var.fargate_fluentbit_cw_log_group.name, null)
-  name_prefix       = try(var.fargate_fluentbit_cw_log_group.name_prefix, "/${var.cluster_name}/fargate-fluentbit-logs")
-  retention_in_days = try(var.fargate_fluentbit_cw_log_group.retention, 90)
-  kms_key_id        = try(var.fargate_fluentbit_cw_log_group.kms_key_arn, null)
-  skip_destroy      = try(var.fargate_fluentbit_cw_log_group.skip_destroy, false)
-  tags              = merge(var.tags, try(var.fargate_fluentbit_cw_log_group.tags, {}))
-}
-
-# Help on Fargate Logging with Fluentbit and CloudWatch
-# https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html
-resource "kubernetes_namespace_v1" "aws_observability" {
-  count = var.enable_fargate_fluentbit ? 1 : 0
-  metadata {
-    name = "aws-observability"
-
-    labels = {
-      aws-observability = "enabled"
-    }
-  }
-}
-
-# fluent-bit-cloudwatch value as the name of the CloudWatch log group that is automatically created as soon as your apps start logging
-resource "kubernetes_config_map_v1" "aws_logging" {
-  count = var.enable_fargate_fluentbit ? 1 : 0
-  metadata {
-    name      = "aws-logging"
-    namespace = kubernetes_namespace_v1.aws_observability[0].id
-  }
+#-----------------Kubernetes Add-ons----------------------
 
-  data = {
-    "parsers.conf" = try(var.fargate_fluentbit.parsers_conf, <<-EOT
-    [PARSER]
-      Name regex
-      Format regex
-      Regex ^(?<time>[^ ]+) (?<stream>[^ ]+) (?<logtag>[^ ]+) (?<message>.+)$
-      Time_Key time
-      Time_Format %Y-%m-%dT%H:%M:%S.%L%z
-      Time_Keep On
-      Decode_Field_As json message
-    EOT
-    )
-    "filters.conf" = try(var.fargate_fluentbit.filters_conf, <<-EOT
-      [FILTER]
-      Name parser
-      Match *
-      Key_Name log
-      Parser regex
-      Preserve_Key True
-      Reserve_Data True
-    EOT
-    )
-    "output.conf" = try(var.fargate_fluentbit.output_conf, <<-EOT
-    [OUTPUT]
-      Name cloudwatch_logs
-      Match *
-      region ${local.region}
-      log_group_name ${try(var.fargate_fluentbit.cwlog_group, aws_cloudwatch_log_group.fargate_fluentbit[0].name)}
-      log_stream_prefix ${try(var.fargate_fluentbit.cwlog_stream_prefix, "fargate-logs-")}
-      auto_create_group true
-    EOT
-    )
-    "flb_log_cw" = try(var.fargate_fluentbit.flb_log_cw, false)
-  }
+module "fargate_fluentbit" {
+  count         = var.enable_fargate_fluentbit ? 1 : 0
+  source        = "./modules/fargate-fluentbit"
+  addon_config  = var.fargate_fluentbit_addon_config
+  addon_context = local.addon_context
 }
 
-#-----------------Kubernetes Add-ons----------------------
-
 module "csi_secrets_store_provider_aws" {
   count         = var.enable_secrets_store_csi_driver_provider_aws ? 1 : 0
   source        = "./modules/csi-secrets-store-provider-aws"
diff --git a/modules/fargate-fluentbit/README.md b/modules/fargate-fluentbit/README.md
new file mode 100644
index 00000000..4240de06
--- /dev/null
+++ b/modules/fargate-fluentbit/README.md
@@ -0,0 +1,98 @@
+# Fargate Fluent Bit Logger
+
+Amazon EKS on Fargate offers a built-in log router based on Fluent Bit.
+This means that you don't explicitly run a Fluent Bit container as a sidecar, but Amazon runs it for you.
+All that you have to do is configure the log router.
+The configuration happens through a dedicated ConfigMap that must meet the following criteria:
+
+Named `aws-logging`
+
+Created in a dedicated namespace called `aws-observability`
+
+Once you've created the ConfigMap, Amazon EKS on Fargate automatically detects it and configures the log router with it.
+Fargate uses a version of AWS for Fluent Bit, an upstream compliant distribution of Fluent Bit managed by AWS.
+For more information, see AWS for Fluent Bit on GitHub.
+
+The log router allows you to use the breadth of services at AWS for log analytics and storage.
+You can stream logs from Fargate directly to `Amazon CloudWatch`, `Amazon OpenSearch Service`.
+You can also stream logs to destinations such as `Amazon S3`, `Amazon Kinesis Data Streams`, and partner tools through Amazon Kinesis Data Firehose.
+
+## Fluent Bit CloudWatch Config
+
+Please find the updated configuration from [AWS Docs](https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html)
+
+```hcl
+  #---------------------------------------
+  # FARGATE FLUENTBIT
+  #---------------------------------------
+  fargate_fluentbit_enable = true
+
+  fargate_fluentbit_config = {
+      output_conf  = <<EOF
+[OUTPUT]
+  Name cloudwatch_logs
+  Match *
+  region eu-west-1
+  log_group_name /${local.eks_cluster_id}/fargate-fluentbit-logs
+  log_stream_prefix "fargate-logs-"
+  auto_create_group true
+    EOF
+      filters_conf = <<EOF
+[FILTER]
+  Name parser
+  Match *
+  Key_Name log
+  Parser regex
+  Preserve_Key True
+  Reserve_Data True
+    EOF
+      parsers_conf = <<EOF
+[PARSER]
+  Name regex
+  Format regex
+  Regex ^(?<time>[^ ]+) (?<stream>[^ ]+) (?<logtag>[^ ]+) (?<message>.+)$
+  Time_Key time
+  Time_Format %Y-%m-%dT%H:%M:%S.%L%z
+  Time_Keep On
+  Decode_Field_As json message
+    EOF
+  flb_log_cw: true
+  }
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.10 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [kubernetes_config_map.aws_logging](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
+| [kubernetes_namespace.aws_observability](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_addon_config"></a> [addon\_config](#input\_addon\_config) | Fargate fluentbit configuration | `any` | `{}` | no |
+| <a name="input_addon_context"></a> [addon\_context](#input\_addon\_context) | Input configuration for the addon | <pre>object({<br>    aws_caller_identity_account_id = string<br>    aws_caller_identity_arn        = string<br>    aws_eks_cluster_endpoint       = string<br>    aws_partition_id               = string<br>    aws_region_name                = string<br>    eks_cluster_id                 = string<br>    eks_oidc_issuer_url            = string<br>    eks_oidc_provider_arn          = string<br>    tags                           = map(string)<br>  })</pre> | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/fargate-fluentbit/locals.tf b/modules/fargate-fluentbit/locals.tf
new file mode 100644
index 00000000..281f71cc
--- /dev/null
+++ b/modules/fargate-fluentbit/locals.tf
@@ -0,0 +1,42 @@
+locals {
+
+  cwlog_group         = "/${var.addon_context.eks_cluster_id}/fargate-fluentbit-logs"
+  cwlog_stream_prefix = "fargate-logs-"
+
+  default_config = {
+    output_conf  = <<-EOF
+    [OUTPUT]
+      Name cloudwatch_logs
+      Match *
+      region ${var.addon_context.aws_region_name}
+      log_group_name ${local.cwlog_group}
+      log_stream_prefix ${local.cwlog_stream_prefix}
+      auto_create_group true
+    EOF
+    filters_conf = <<-EOF
+    [FILTER]
+      Name parser
+      Match *
+      Key_Name log
+      Parser regex
+      Preserve_Key True
+      Reserve_Data True
+    EOF
+    parsers_conf = <<-EOF
+    [PARSER]
+      Name regex
+      Format regex
+      Regex ^(?<time>[^ ]+) (?<stream>[^ ]+) (?<logtag>[^ ]+) (?<message>.+)$
+      Time_Key time
+      Time_Format %Y-%m-%dT%H:%M:%S.%L%z
+      Time_Keep On
+      Decode_Field_As json message
+    EOF
+    flb_log_cw   = false
+  }
+
+  config = merge(
+    local.default_config,
+    var.addon_config
+  )
+}
diff --git a/modules/fargate-fluentbit/main.tf b/modules/fargate-fluentbit/main.tf
new file mode 100755
index 00000000..4f3e9e85
--- /dev/null
+++ b/modules/fargate-fluentbit/main.tf
@@ -0,0 +1,27 @@
+# Help on Fargate Logging with Fluentbit and CloudWatch
+# https://docs.aws.amazon.com/eks/latest/userguide/fargate-logging.html
+
+resource "kubernetes_namespace" "aws_observability" {
+  metadata {
+    name = "aws-observability"
+
+    labels = {
+      aws-observability = "enabled"
+    }
+  }
+}
+
+# fluent-bit-cloudwatch value as the name of the CloudWatch log group that is automatically created as soon as your apps start logging
+resource "kubernetes_config_map" "aws_logging" {
+  metadata {
+    name      = "aws-logging"
+    namespace = kubernetes_namespace.aws_observability.id
+  }
+
+  data = {
+    "parsers.conf" = local.config["parsers_conf"]
+    "filters.conf" = local.config["filters_conf"]
+    "output.conf"  = local.config["output_conf"]
+    "flb_log_cw"   = local.config["flb_log_cw"]
+  }
+}
diff --git a/modules/fargate-fluentbit/outputs.tf b/modules/fargate-fluentbit/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/modules/fargate-fluentbit/variables.tf b/modules/fargate-fluentbit/variables.tf
new file mode 100644
index 00000000..fa11b174
--- /dev/null
+++ b/modules/fargate-fluentbit/variables.tf
@@ -0,0 +1,20 @@
+variable "addon_config" {
+  description = "Fargate fluentbit configuration"
+  type        = any
+  default     = {}
+}
+
+variable "addon_context" {
+  description = "Input configuration for the addon"
+  type = object({
+    aws_caller_identity_account_id = string
+    aws_caller_identity_arn        = string
+    aws_eks_cluster_endpoint       = string
+    aws_partition_id               = string
+    aws_region_name                = string
+    eks_cluster_id                 = string
+    eks_oidc_issuer_url            = string
+    eks_oidc_provider_arn          = string
+    tags                           = map(string)
+  })
+}
diff --git a/modules/fargate-fluentbit/versions.tf b/modules/fargate-fluentbit/versions.tf
new file mode 100644
index 00000000..55fba733
--- /dev/null
+++ b/modules/fargate-fluentbit/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.10"
+    }
+  }
+}
diff --git a/modules/velero/README.md b/modules/velero/README.md
deleted file mode 100644
index b3bef00d..00000000
--- a/modules/velero/README.md
+++ /dev/null
@@ -1,183 +0,0 @@
-# [Velero](https://velero.io/)
-
-Velero is an open source tool to safely backup and restore, perform disaster recovery, and migrate Kubernetes cluster resources and persistent volumes.
-
-- [Helm chart](https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero)
-- [Plugin for AWS](https://github.com/vmware-tanzu/velero-plugin-for-aws)
-
-## Validate
-
-The following command will update the `kubeconfig` on your local machine and allow you to interact with your EKS Cluster using `kubectl` to validate the Velero deployment.
-
-1. Run `update-kubeconfig` command:
-
-```bash
-aws eks --region <REGION> update-kubeconfig --name <CLUSTER_NAME>
-```
-
-2. Test by listing velero resources provisioned:
-
-```bash
-kubectl get all -n velero
-
-# Output should look similar to below
-NAME                         READY   STATUS    RESTARTS   AGE
-pod/velero-b4d8fd5c7-5smp6   1/1     Running   0          112s
-
-NAME             TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
-service/velero   ClusterIP   172.20.217.203   <none>        8085/TCP   114s
-
-NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
-deployment.apps/velero   1/1     1            1           114s
-
-NAME                               DESIRED   CURRENT   READY   AGE
-replicaset.apps/velero-b4d8fd5c7   1         1         1       114s
-```
-
-3. Get backup location using velero [CLI](https://velero.io/docs/v1.8/basic-install/#install-the-cli)
-
-```bash
-velero backup-location get
-
-# Output should look similar to below
-NAME      PROVIDER   BUCKET/PREFIX             PHASE       LAST VALIDATED                  ACCESS MODE   DEFAULT
-default   aws        velero-ssqwm44hvofzb32d   Available   2022-05-22 10:53:26 -0400 EDT   ReadWrite     true
-```
-
-4. To demonstrate creating a backup and restoring, create a new namespace and run nginx using below commands:
-
-```bash
-kubectl create namespace backupdemo
-kubectl run nginx --image=nginx -n backupdemo
-```
-
-5. Create backup of this namespace using velero
-
-```bash
-velero backup create backup1 --include-namespaces backupdemo
-
-# Output should look similar to below
-Backup request "backup1" submitted successfully.
-Run `velero backup describe backup1` or `velero backup logs backup1` for more details.
-```
-
-6. Describe the backup to check the backup status
-
-```bash
-velero backup describe backup1
-
-# Output should look similar to below
-Name:         backup1
-Namespace:    velero
-Labels:       velero.io/storage-location=default
-Annotations:  velero.io/source-cluster-k8s-gitversion=v1.21.9-eks-14c7a48
-              velero.io/source-cluster-k8s-major-version=1
-              velero.io/source-cluster-k8s-minor-version=21+
-
-Phase:  Completed
-
-Errors:    0
-Warnings:  0
-
-Namespaces:
-  Included:  backupdemo
-  Excluded:  <none>
-
-Resources:
-  Included:        *
-  Excluded:        <none>
-  Cluster-scoped:  auto
-
-Label selector:  <none>
-
-Storage Location:  default
-
-Velero-Native Snapshot PVs:  auto
-
-TTL:  720h0m0s
-
-Hooks:  <none>
-
-Backup Format Version:  1.1.0
-
-Started:    2022-05-22 10:54:32 -0400 EDT
-Completed:  2022-05-22 10:54:35 -0400 EDT
-
-Expiration:  2022-06-21 10:54:32 -0400 EDT
-
-Total items to be backed up:  10
-Items backed up:              10
-
-Velero-Native Snapshots: <none included>
-```
-
-7. Delete the namespace - this will be restored using the backup created
-
-```bash
-kubectl delete namespace backupdemo
-```
-
-8. Restore the namespace from your backup
-
-```bash
-velero restore create --from-backup backup1
-```
-
-9. Verify that the namespace is restored
-
-```bash
-kubectl get all -n backupdemo
-
-# Output should look similar to below
-NAME        READY   STATUS    RESTARTS   AGE
-pod/nginx   1/1     Running   0          21s
-```
-
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-## Requirements
-
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.72 |
-
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_helm_addon"></a> [helm\_addon](#module\_helm\_addon) | ../helm-addon | n/a |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_addon_context"></a> [addon\_context](#input\_addon\_context) | Input configuration for the addon | <pre>object({<br>    aws_caller_identity_account_id = string<br>    aws_caller_identity_arn        = string<br>    aws_eks_cluster_endpoint       = string<br>    aws_partition_id               = string<br>    aws_region_name                = string<br>    eks_cluster_id                 = string<br>    eks_oidc_issuer_url            = string<br>    eks_oidc_provider_arn          = string<br>    irsa_iam_role_path             = string<br>    irsa_iam_permissions_boundary  = string<br>    tags                           = map(string)<br>  })</pre> | n/a | yes |
-| <a name="input_backup_s3_bucket"></a> [backup\_s3\_bucket](#input\_backup\_s3\_bucket) | Bucket name for velero bucket | `string` | `""` | no |
-| <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | Helm provider config for velero | `any` | `{}` | no |
-| <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | Additional IAM policy ARNs for Velero IRSA | `list(string)` | `[]` | no |
-| <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps | `bool` | `false` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| <a name="output_argocd_gitops_config"></a> [argocd\_gitops\_config](#output\_argocd\_gitops\_config) | Configuration used for managing the add-on with ArgoCD |
-| <a name="output_irsa_arn"></a> [irsa\_arn](#output\_irsa\_arn) | IAM role ARN for the service account |
-| <a name="output_irsa_name"></a> [irsa\_name](#output\_irsa\_name) | IAM role name for the service account |
-| <a name="output_release_metadata"></a> [release\_metadata](#output\_release\_metadata) | Map of attributes of the Helm release metadata |
-| <a name="output_service_account"></a> [service\_account](#output\_service\_account) | Name of Kubernetes service account |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/velero/data.tf b/modules/velero/data.tf
deleted file mode 100644
index 75f76602..00000000
--- a/modules/velero/data.tf
+++ /dev/null
@@ -1,41 +0,0 @@
-# https://github.com/vmware-tanzu/velero-plugin-for-aws#option-1-set-permissions-with-an-iam-user
-data "aws_iam_policy_document" "velero" {
-  statement {
-    actions = [
-      "ec2:CreateSnapshot",
-      "ec2:CreateSnapshots",
-      "ec2:CreateTags",
-      "ec2:CreateVolume",
-      "ec2:DeleteSnapshot"
-    ]
-    resources = [
-      "arn:${var.addon_context.aws_partition_id}:ec2:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:instance/*",
-      "arn:${var.addon_context.aws_partition_id}:ec2:${var.addon_context.aws_region_name}::snapshot/*",
-      "arn:${var.addon_context.aws_partition_id}:ec2:${var.addon_context.aws_region_name}:${var.addon_context.aws_caller_identity_account_id}:volume/*"
-    ]
-  }
-
-  statement {
-    actions = [
-      "ec2:DescribeSnapshots",
-      "ec2:DescribeVolumes"
-    ]
-    resources = ["*"]
-  }
-
-  statement {
-    actions = [
-      "s3:AbortMultipartUpload",
-      "s3:DeleteObject",
-      "s3:GetObject",
-      "s3:ListMultipartUploadParts",
-      "s3:PutObject",
-    ]
-    resources = ["arn:${var.addon_context.aws_partition_id}:s3:::${var.backup_s3_bucket}/*"]
-  }
-
-  statement {
-    actions   = ["s3:ListBucket"]
-    resources = ["arn:${var.addon_context.aws_partition_id}:s3:::${var.backup_s3_bucket}"]
-  }
-}
diff --git a/modules/velero/main.tf b/modules/velero/main.tf
deleted file mode 100644
index 25cc0637..00000000
--- a/modules/velero/main.tf
+++ /dev/null
@@ -1,64 +0,0 @@
-data "aws_region" "current" {}
-
-locals {
-  name      = "velero"
-  namespace = try(var.helm_config.namespace, local.name)
-
-  argocd_gitops_config = {
-    enable             = true
-    serviceAccountName = local.name
-  }
-}
-
-module "helm_addon" {
-  source = "../helm-addon"
-
-  # https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/Chart.yaml
-  helm_config = merge({
-    name        = local.name
-    description = "A Helm chart for velero"
-    chart       = local.name
-    version     = "3.1.4"
-    repository  = "https://vmware-tanzu.github.io/helm-charts/"
-    namespace   = local.namespace
-    values = [templatefile("${path.module}/values.yaml", {
-      bucket = var.backup_s3_bucket,
-      region = data.aws_region.current.name
-    })]
-    },
-    var.helm_config
-  )
-
-  set_values = [
-    {
-      name  = "serviceAccount.server.name"
-      value = local.name
-    },
-    {
-      name  = "serviceAccount.server.create"
-      value = false
-    }
-  ]
-
-  irsa_config = {
-    create_kubernetes_namespace = try(var.helm_config["create_namespace"], true)
-    kubernetes_namespace        = local.namespace
-
-    create_kubernetes_service_account   = true
-    create_service_account_secret_token = try(var.helm_config["create_service_account_secret_token"], false)
-    kubernetes_service_account          = try(var.helm_config.service_account, local.name)
-
-    irsa_iam_policies = concat([aws_iam_policy.velero.arn], var.irsa_policies)
-  }
-
-  # Blueprints
-  addon_context = var.addon_context
-}
-
-resource "aws_iam_policy" "velero" {
-  name        = "${var.addon_context.eks_cluster_id}-velero"
-  description = "Provides Velero permissions to backup and restore cluster resources"
-  policy      = data.aws_iam_policy_document.velero.json
-
-  tags = var.addon_context.tags
-}
diff --git a/modules/velero/outputs.tf b/modules/velero/outputs.tf
deleted file mode 100644
index 0776dcd7..00000000
--- a/modules/velero/outputs.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-output "argocd_gitops_config" {
-  description = "Configuration used for managing the add-on with ArgoCD"
-  value       = var.manage_via_gitops ? local.argocd_gitops_config : null
-}
-
-output "release_metadata" {
-  description = "Map of attributes of the Helm release metadata"
-  value       = module.helm_addon.release_metadata
-}
-
-output "irsa_arn" {
-  description = "IAM role ARN for the service account"
-  value       = module.helm_addon.irsa_arn
-}
-
-output "irsa_name" {
-  description = "IAM role name for the service account"
-  value       = module.helm_addon.irsa_name
-}
-
-output "service_account" {
-  description = "Name of Kubernetes service account"
-  value       = module.helm_addon.service_account
-}
diff --git a/modules/velero/values.yaml b/modules/velero/values.yaml
deleted file mode 100644
index ed63b27d..00000000
--- a/modules/velero/values.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-initContainers:
-  - name: velero-plugin-for-aws
-    image: velero/velero-plugin-for-aws:v1.5.0
-    volumeMounts:
-      - mountPath: /target
-        name: plugins
-
-configuration:
-  provider: aws
-  backupStorageLocation:
-    bucket: ${bucket}
-  volumeSnapshotLocation:
-    config:
-      region: ${region}
-
-credentials:
-  useSecret: false
diff --git a/modules/velero/variables.tf b/modules/velero/variables.tf
deleted file mode 100644
index 300bb3ca..00000000
--- a/modules/velero/variables.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-variable "helm_config" {
-  description = "Helm provider config for velero"
-  type        = any
-  default     = {}
-}
-
-variable "manage_via_gitops" {
-  description = "Determines if the add-on should be managed via GitOps"
-  type        = bool
-  default     = false
-}
-
-variable "irsa_policies" {
-  description = "Additional IAM policy ARNs for Velero IRSA"
-  type        = list(string)
-  default     = []
-}
-
-variable "backup_s3_bucket" {
-  description = "Bucket name for velero bucket"
-  type        = string
-  default     = ""
-}
-
-variable "addon_context" {
-  description = "Input configuration for the addon"
-  type = object({
-    aws_caller_identity_account_id = string
-    aws_caller_identity_arn        = string
-    aws_eks_cluster_endpoint       = string
-    aws_partition_id               = string
-    aws_region_name                = string
-    eks_cluster_id                 = string
-    eks_oidc_issuer_url            = string
-    eks_oidc_provider_arn          = string
-    irsa_iam_role_path             = string
-    irsa_iam_permissions_boundary  = string
-    tags                           = map(string)
-  })
-}
diff --git a/modules/velero/versions.tf b/modules/velero/versions.tf
deleted file mode 100644
index f92f41b9..00000000
--- a/modules/velero/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
-  required_version = ">= 1.0.0"
-
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 3.72"
-    }
-  }
-}
diff --git a/outputs.tf b/outputs.tf
index 7853abd3..233c536c 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -95,12 +95,12 @@ output "cluster_proportional_autoscaler" {
 
 output "fargate_fluentbit" {
   description = "Map of attributes of the Helm release and IRSA created"
-  value       = kubernetes_config_map_v1.aws_logging
+  value       = try(module.fargate_fluentbit[0], null)
 }
 
 output "gatekeeper" {
   description = "Map of attributes of the Helm release and IRSA created"
-  value       = try(module.gatekeeper[0], null)
+  value       = module.gatekeeper
 }
 
 output "karpenter" {
diff --git a/variables.tf b/variables.tf
index d13791aa..38fbdaee 100644
--- a/variables.tf
+++ b/variables.tf
@@ -475,27 +475,6 @@ variable "velero" {
   default     = {}
 }
 
-################################################################################
-# Fargate Fluentbit
-################################################################################
-variable "enable_fargate_fluentbit" {
-  description = "Enable Fargate FluentBit add-on"
-  type        = bool
-  default     = false
-}
-
-variable "fargate_fluentbit_cw_log_group" {
-  description = "AWS Fargate Fluentbit CloudWatch Log Group configurations"
-  type        = any
-  default     = {}
-}
-
-variable "fargate_fluentbit" {
-  description = "Fargate fluentbit add-on config"
-  type        = any
-  default     = {}
-}
-
 #-------------------------------------------------------------------------------
 variable "irsa_iam_role_path" {
   description = "IAM role path for IRSA roles"
@@ -509,6 +488,19 @@ variable "irsa_iam_permissions_boundary" {
   default     = ""
 }
 
+#-----------FARGATE FLUENT BIT-------------
+variable "enable_fargate_fluentbit" {
+  description = "Enable Fargate FluentBit add-on"
+  type        = bool
+  default     = false
+}
+
+variable "fargate_fluentbit_addon_config" {
+  description = "Fargate fluentbit add-on config"
+  type        = any
+  default     = {}
+}
+
 #-----------AWS CSI Secrets Store Provider-------------
 variable "enable_secrets_store_csi_driver_provider_aws" {
   type        = bool
diff --git a/versions.tf b/versions.tf
index aeb892f3..55eff62b 100644
--- a/versions.tf
+++ b/versions.tf
@@ -6,9 +6,5 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 4.47"
     }
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = ">= 2.10"
-    }
   }
 }

From 4c23ed708f6a7fc6ce331be5216a21dcea99f7e8 Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Fri, 21 Apr 2023 17:59:31 -0400
Subject: [PATCH 10/17] Fixing `gatekeeper`output

---
 tests/complete/main.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index 3ba18c4f..8edfbc0e 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -150,7 +150,6 @@ module "eks_blueprints_addons" {
   enable_metrics_server                        = true
   enable_vpa                                   = true
   enable_aws_for_fluentbit                     = true
-  enable_fargate_fluentbit                     = true
 
   enable_aws_node_termination_handler   = true
   aws_node_termination_handler_asg_arns = [for asg in module.eks.self_managed_node_groups : asg.autoscaling_group_arn]

From befd80258ef6a1f7a6ef9f567c0c7b22941283ce Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Sat, 22 Apr 2023 12:10:10 -0400
Subject: [PATCH 11/17] Fixing Velero `values` content to `set`

---
 main.tf | 29 +++++++++--------------------
 1 file changed, 9 insertions(+), 20 deletions(-)

diff --git a/main.tf b/main.tf
index 8881f712..f07a4625 100644
--- a/main.tf
+++ b/main.tf
@@ -2774,26 +2774,7 @@ module "velero" {
   chart            = "velero"
   chart_version    = try(var.velero.chart_version, "3.1.6")
   repository       = try(var.velero.repository, "https://vmware-tanzu.github.io/helm-charts/")
-  values = try(var.velero.values, [<<-EOT
-  initContainers:
-  - name: velero-plugin-for-aws
-    image: velero/velero-plugin-for-aws:v1.5.0
-    volumeMounts:
-      - mountPath: /target
-        name: plugins
-
-  configuration:
-    provider: aws
-    backupStorageLocation:
-      bucket: ${var.velero.backup_s3_bucket}
-    volumeSnapshotLocation:
-      config:
-        region: ${local.region}
-
-  credentials:
-    useSecret: false
-    EOT
-  ])
+  values           = try(var.velero.values, [])
 
   timeout                    = try(var.velero.timeout, null)
   repository_key_file        = try(var.velero.repository_key_file, null)
@@ -2826,6 +2807,14 @@ module "velero" {
     {
       name  = "serviceAccount.name"
       value = local.velero_service_account
+    },
+    {
+      name  = "configuration.backupStorageLocation.bucket"
+      value = var.velero.backup_s3_bucket
+    },
+    {
+      name  = "configuration.volumeSnapshotLocation.config.region"
+      value = local.region
     }],
     try(var.velero.set, [])
   )

From e7577e0f038bbedce5467865ef7d2437be9a52b1 Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Wed, 26 Apr 2023 13:32:48 -0400
Subject: [PATCH 12/17] Adding pluto validation on module 4

---
 main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/main.tf b/main.tf
index 2324f898..f1f030c8 100644
--- a/main.tf
+++ b/main.tf
@@ -2719,6 +2719,7 @@ locals {
 
 # https://github.com/vmware-tanzu/velero-plugin-for-aws#option-1-set-permissions-with-an-iam-user
 data "aws_iam_policy_document" "velero" {
+  count = var.enable_velero ? 1 : 0
   statement {
     actions = [
       "ec2:CreateSnapshot",

From ff64d50a64591fd008ec27bbc510565f519900dc Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Wed, 26 Apr 2023 20:23:03 -0400
Subject: [PATCH 13/17] Adjusting S3 variables

---
 main.tf                | 37 ++++++++++++++++++++++++++++++++-----
 tests/complete/main.tf |  2 +-
 2 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/main.tf b/main.tf
index f1f030c8..b3be5394 100644
--- a/main.tf
+++ b/main.tf
@@ -2713,8 +2713,11 @@ module "vpa" {
 # Velero
 ################################################################################
 locals {
-  velero_name            = "velero"
-  velero_service_account = try(var.velero.service_account_name, "${local.velero_name}-sa")
+  velero_name                    = "velero"
+  velero_service_account         = try(var.velero.service_account_name, "${local.velero_name}-sa")
+  velero_backup_s3_bucket        = split(":", var.velero.s3_bucket_arn)
+  velero_backup_s3_bucket_name   = split("/", local.velero_backup_s3_bucket[5])
+  velero_backup_s3_bucket_prefix = split("/", var.velero.s3_bucket_arn)
 }
 
 # https://github.com/vmware-tanzu/velero-plugin-for-aws#option-1-set-permissions-with-an-iam-user
@@ -2751,12 +2754,12 @@ data "aws_iam_policy_document" "velero" {
       "s3:ListMultipartUploadParts",
       "s3:PutObject",
     ]
-    resources = ["arn:${local.partition}:s3:::${var.velero.backup_s3_bucket}/*"]
+    resources = [var.velero.s3_bucket_arn]
   }
 
   statement {
     actions   = ["s3:ListBucket"]
-    resources = ["arn:${local.partition}:s3:::${var.velero.backup_s3_bucket}"]
+    resources = [local.velero_backup_s3_bucket_prefix[0]]
   }
 }
 
@@ -2804,17 +2807,41 @@ module "velero" {
 
   postrender = try(var.velero.postrender, [])
   set = concat([
+    {
+      name = "initContainers"
+      value = yamlencode({
+        "name" : "velero-plugin-for-aws"
+        "image" : "velero/velero-plugin-for-aws:v1.7.0"
+        "imagePullPolicy" : "IfNotPresent"
+        "volumeMounts" : {
+          "mountPath" : "/target"
+          "name" : "plugins"
+        }
+      })
+    },
     {
       name  = "serviceAccount.name"
       value = local.velero_service_account
     },
+    {
+      name  = "configuration.provider"
+      value = "aws"
+    },
+    {
+      name  = "configuration.backupStorageLocation.prefix"
+      value = local.velero_backup_s3_bucket_prefix[1]
+    },
     {
       name  = "configuration.backupStorageLocation.bucket"
-      value = var.velero.backup_s3_bucket
+      value = local.velero_backup_s3_bucket_name[0]
     },
     {
       name  = "configuration.volumeSnapshotLocation.config.region"
       value = local.region
+    },
+    {
+      name  = "credentials.useSecret"
+      value = false
     }],
     try(var.velero.set, [])
   )
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index 3ba18c4f..2bf7ccc8 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -169,7 +169,7 @@ module "eks_blueprints_addons" {
   enable_velero = true
   # bucket is required
   velero = {
-    backup_s3_bucket = module.velero_backup_s3_bucket.s3_bucket_id
+    s3_bucket_arn = module.velero_backup_s3_bucket.s3_bucket_arn
   }
 
   tags = local.tags

From 1851c492619ce175afca520a7a5d0d09ddc634af Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Wed, 26 Apr 2023 22:43:21 -0400
Subject: [PATCH 14/17] Adjusting velero set configs.

---
 main.tf | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/main.tf b/main.tf
index b3be5394..e0102f73 100644
--- a/main.tf
+++ b/main.tf
@@ -2808,16 +2808,15 @@ module "velero" {
   postrender = try(var.velero.postrender, [])
   set = concat([
     {
-      name = "initContainers"
-      value = yamlencode({
-        "name" : "velero-plugin-for-aws"
-        "image" : "velero/velero-plugin-for-aws:v1.7.0"
-        "imagePullPolicy" : "IfNotPresent"
-        "volumeMounts" : {
-          "mountPath" : "/target"
-          "name" : "plugins"
-        }
-      })
+      name  = "initContainers"
+      value = <<-EOT
+   - name: velero-plugin-for-aws
+     image: velero/velero-plugin-for-aws:v1.7.0
+     imagePullPolicy: IfNotPresent
+     volumeMounts:
+       - mountPath: /target
+         name: plugins
+            EOT
     },
     {
       name  = "serviceAccount.name"

From 25ce92664bfaa3851089b9343c0b127c497bbeb7 Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Thu, 27 Apr 2023 11:15:12 -0400
Subject: [PATCH 15/17] Refactoring Velero `locals`

---
 main.tf                | 15 +++++-----
 tests/complete/main.tf | 66 ++++++++++++++++++++++--------------------
 2 files changed, 43 insertions(+), 38 deletions(-)

diff --git a/main.tf b/main.tf
index e0102f73..fd3c8b74 100644
--- a/main.tf
+++ b/main.tf
@@ -2715,9 +2715,10 @@ module "vpa" {
 locals {
   velero_name                    = "velero"
   velero_service_account         = try(var.velero.service_account_name, "${local.velero_name}-sa")
-  velero_backup_s3_bucket        = split(":", var.velero.s3_bucket_arn)
-  velero_backup_s3_bucket_name   = split("/", local.velero_backup_s3_bucket[5])
-  velero_backup_s3_bucket_prefix = split("/", var.velero.s3_bucket_arn)
+  velero_backup_s3_bucket        = split(":", var.velero.backup_location)
+  velero_backup_s3_bucket_arn    = try(split("/", var.velero.backup_location)[0], var.velero.backup_location)
+  velero_backup_s3_bucket_name   = try(split("/", local.velero_backup_s3_bucket[5])[1], local.velero_backup_s3_bucket[5])
+  velero_backup_s3_bucket_prefix = try(split("/", var.velero.backup_location)[1], "")
 }
 
 # https://github.com/vmware-tanzu/velero-plugin-for-aws#option-1-set-permissions-with-an-iam-user
@@ -2754,12 +2755,12 @@ data "aws_iam_policy_document" "velero" {
       "s3:ListMultipartUploadParts",
       "s3:PutObject",
     ]
-    resources = [var.velero.s3_bucket_arn]
+    resources = [local.velero_backup_s3_bucket_prefix == "" ? "${var.velero.backup_location}/*" : var.velero.backup_location]
   }
 
   statement {
     actions   = ["s3:ListBucket"]
-    resources = [local.velero_backup_s3_bucket_prefix[0]]
+    resources = [local.velero_backup_s3_bucket_arn]
   }
 }
 
@@ -2828,11 +2829,11 @@ module "velero" {
     },
     {
       name  = "configuration.backupStorageLocation.prefix"
-      value = local.velero_backup_s3_bucket_prefix[1]
+      value = local.velero_backup_s3_bucket_prefix
     },
     {
       name  = "configuration.backupStorageLocation.bucket"
-      value = local.velero_backup_s3_bucket_name[0]
+      value = local.velero_backup_s3_bucket_name
     },
     {
       name  = "configuration.volumeSnapshotLocation.config.region"
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index 2bf7ccc8..34a42aba 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -167,9 +167,12 @@ module "eks_blueprints_addons" {
   }
 
   enable_velero = true
-  # bucket is required
+  # An S3 Bucket ARN is required. This can be declared with or without a Prefix.
   velero = {
-    s3_bucket_arn = module.velero_backup_s3_bucket.s3_bucket_arn
+    # S3 Bucket ARN provided by an S3 Module (module.velero_backup_s3_bucket declared below), without prefix.
+    #backup_location = module.velero_backup_s3_bucket.s3_bucket_arn
+    # S3 Bucket ARN for an already existing Bucket provided with prefix.
+    backup_location = "arn:aws:s3:::backup/dev"
   }
 
   tags = local.tags
@@ -204,44 +207,45 @@ module "vpc" {
   tags = local.tags
 }
 
-module "velero_backup_s3_bucket" {
-  source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "~> 3.0"
 
-  bucket_prefix = "${local.name}-"
+# module "velero_backup_s3_bucket" {
+#   source  = "terraform-aws-modules/s3-bucket/aws"
+#   version = "~> 3.0"
 
-  # Allow deletion of non-empty bucket
-  # NOTE: This is enabled for example usage only, you should not enable this for production workloads
-  force_destroy = true
+#   bucket_prefix = "${local.name}-"
 
-  attach_deny_insecure_transport_policy = true
-  attach_require_latest_tls_policy      = true
+#   # Allow deletion of non-empty bucket
+#   # NOTE: This is enabled for example usage only, you should not enable this for production workloads
+#   force_destroy = true
 
-  acl = "private"
+#   attach_deny_insecure_transport_policy = true
+#   attach_require_latest_tls_policy      = true
 
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
+#   acl = "private"
 
-  control_object_ownership = true
-  object_ownership         = "BucketOwnerPreferred"
+#   block_public_acls       = true
+#   block_public_policy     = true
+#   ignore_public_acls      = true
+#   restrict_public_buckets = true
 
-  versioning = {
-    status     = true
-    mfa_delete = false
-  }
+#   control_object_ownership = true
+#   object_ownership         = "BucketOwnerPreferred"
 
-  server_side_encryption_configuration = {
-    rule = {
-      apply_server_side_encryption_by_default = {
-        sse_algorithm = "AES256"
-      }
-    }
-  }
+#   versioning = {
+#     status     = true
+#     mfa_delete = false
+#   }
 
-  tags = local.tags
-}
+#   server_side_encryption_configuration = {
+#     rule = {
+#       apply_server_side_encryption_by_default = {
+#         sse_algorithm = "AES256"
+#       }
+#     }
+#   }
+
+#   tags = local.tags
+# }
 
 module "ebs_csi_driver_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

From e592dec3dcf11b95c6f3292190e348b37aa0afc4 Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Thu, 27 Apr 2023 12:14:02 -0400
Subject: [PATCH 16/17] Tests

---
 main.tf                | 8 ++++----
 tests/complete/main.tf | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/main.tf b/main.tf
index 1edceebc..a547329d 100644
--- a/main.tf
+++ b/main.tf
@@ -2734,10 +2734,10 @@ module "vpa" {
 locals {
   velero_name                    = "velero"
   velero_service_account         = try(var.velero.service_account_name, "${local.velero_name}-sa")
-  velero_backup_s3_bucket        = split(":", var.velero.backup_location)
-  velero_backup_s3_bucket_arn    = try(split("/", var.velero.backup_location)[0], var.velero.backup_location)
+  velero_backup_s3_bucket        = split(":", var.velero.s3_backup_location)
+  velero_backup_s3_bucket_arn    = try(split("/", var.velero.s3_backup_location)[0], var.velero.s3_backup_location)
   velero_backup_s3_bucket_name   = try(split("/", local.velero_backup_s3_bucket[5])[1], local.velero_backup_s3_bucket[5])
-  velero_backup_s3_bucket_prefix = try(split("/", var.velero.backup_location)[1], "")
+  velero_backup_s3_bucket_prefix = try(split("/", var.velero.s3_backup_location)[1], "")
 }
 
 # https://github.com/vmware-tanzu/velero-plugin-for-aws#option-1-set-permissions-with-an-iam-user
@@ -2774,7 +2774,7 @@ data "aws_iam_policy_document" "velero" {
       "s3:ListMultipartUploadParts",
       "s3:PutObject",
     ]
-    resources = [local.velero_backup_s3_bucket_prefix == "" ? "${var.velero.backup_location}/*" : var.velero.backup_location]
+    resources = [local.velero_backup_s3_bucket_prefix == "" ? "${var.velero.s3_backup_location}/*" : var.velero.s3_backup_location]
   }
 
   statement {
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index 51fd1b58..d3143992 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -169,9 +169,9 @@ module "eks_blueprints_addons" {
   # An S3 Bucket ARN is required. This can be declared with or without a Prefix.
   velero = {
     # S3 Bucket ARN provided by an S3 Module (module.velero_backup_s3_bucket declared below), without prefix.
-    #backup_location = module.velero_backup_s3_bucket.s3_bucket_arn
+    #s3_backup_location = module.velero_backup_s3_bucket.s3_bucket_arn
     # S3 Bucket ARN for an already existing Bucket provided with prefix.
-    backup_location = "arn:aws:s3:::backup/dev"
+    s3_backup_location = "arn:aws:s3:::backup/dev"
   }
 
   tags = local.tags

From 9b0d472a5db12604f521b5835eaf01c377784d29 Mon Sep 17 00:00:00 2001
From: Rodrigo Bersa <rodrigo.bersa@gmail.com>
Date: Thu, 27 Apr 2023 19:20:08 -0400
Subject: [PATCH 17/17] Fix IRSA and ServiceAccount creation.

---
 main.tf                | 14 +++++++++-----
 tests/complete/main.tf |  2 +-
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/main.tf b/main.tf
index a547329d..68090dc4 100644
--- a/main.tf
+++ b/main.tf
@@ -2733,10 +2733,10 @@ module "vpa" {
 ################################################################################
 locals {
   velero_name                    = "velero"
-  velero_service_account         = try(var.velero.service_account_name, "${local.velero_name}-sa")
+  velero_service_account         = try(var.velero.service_account_name, "${local.velero_name}-server")
   velero_backup_s3_bucket        = split(":", var.velero.s3_backup_location)
   velero_backup_s3_bucket_arn    = try(split("/", var.velero.s3_backup_location)[0], var.velero.s3_backup_location)
-  velero_backup_s3_bucket_name   = try(split("/", local.velero_backup_s3_bucket[5])[1], local.velero_backup_s3_bucket[5])
+  velero_backup_s3_bucket_name   = try(split("/", local.velero_backup_s3_bucket[5])[0], local.velero_backup_s3_bucket[5])
   velero_backup_s3_bucket_prefix = try(split("/", var.velero.s3_backup_location)[1], "")
 }
 
@@ -2774,7 +2774,7 @@ data "aws_iam_policy_document" "velero" {
       "s3:ListMultipartUploadParts",
       "s3:PutObject",
     ]
-    resources = [local.velero_backup_s3_bucket_prefix == "" ? "${var.velero.s3_backup_location}/*" : var.velero.s3_backup_location]
+    resources = ["${var.velero.s3_backup_location}/*"]
   }
 
   statement {
@@ -2839,7 +2839,7 @@ module "velero" {
             EOT
     },
     {
-      name  = "serviceAccount.name"
+      name  = "serviceAccount.server.name"
       value = local.velero_service_account
     },
     {
@@ -2854,6 +2854,10 @@ module "velero" {
       name  = "configuration.backupStorageLocation.bucket"
       value = local.velero_backup_s3_bucket_name
     },
+    {
+      name  = "configuration.backupStorageLocation.config.region"
+      value = local.region
+    },
     {
       name  = "configuration.volumeSnapshotLocation.config.region"
       value = local.region
@@ -2867,7 +2871,7 @@ module "velero" {
   set_sensitive = try(var.velero.set_sensitive, [])
 
   # IAM role for service account (IRSA)
-  set_irsa_names                = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
+  set_irsa_names                = ["serviceAccount.server.annotations.eks\\.amazonaws\\.com/role-arn"]
   create_role                   = try(var.velero.create_role, true)
   role_name                     = try(var.velero.role_name, "velero")
   role_name_use_prefix          = try(var.velero.role_name_use_prefix, true)
diff --git a/tests/complete/main.tf b/tests/complete/main.tf
index d3143992..d409fb4f 100644
--- a/tests/complete/main.tf
+++ b/tests/complete/main.tf
@@ -171,7 +171,7 @@ module "eks_blueprints_addons" {
     # S3 Bucket ARN provided by an S3 Module (module.velero_backup_s3_bucket declared below), without prefix.
     #s3_backup_location = module.velero_backup_s3_bucket.s3_bucket_arn
     # S3 Bucket ARN for an already existing Bucket provided with prefix.
-    s3_backup_location = "arn:aws:s3:::backup/dev"
+    s3_backup_location = "arn:aws:s3:::bersr-test-velero-20230105/dev"
   }
 
   tags = local.tags