From 19c5d81a3a23e29ebffb8612b86f705f73df82cf Mon Sep 17 00:00:00 2001 
From: miguelhar <98769216+miguelhar@users.noreply.github.com> Date: Wed, 3 Apr 2024 11:38:06 -0400 Subject: [PATCH] PLAT-8122 Adds use_fips_endpoint var. (#233) --- .pre-commit-config.yaml | 64 +++++++++--------- examples/deploy/terraform/cluster.tfvars | 2 + examples/deploy/terraform/cluster/README.md | 3 +- examples/deploy/terraform/cluster/main.tf | 15 ++++- .../deploy/terraform/cluster/variables.tf | 11 ++++ examples/deploy/terraform/infra.tfvars | 2 + examples/deploy/terraform/infra/README.md | 1 + examples/deploy/terraform/infra/main.tf | 20 +++--- examples/deploy/terraform/infra/variables.tf | 6 ++ examples/deploy/terraform/nodes.tfvars | 2 + examples/deploy/terraform/nodes/README.md | 2 + examples/deploy/terraform/nodes/main.tf | 12 ++++ examples/deploy/terraform/nodes/variables.tf | 7 ++ examples/tfvars/fips-on.tfvars | 29 ++++++++ modules/eks/README.md | 1 + modules/eks/cluster.tf | 3 + modules/eks/k8s.tf | 9 +-- modules/eks/submodules/k8s/README.md | 1 + modules/eks/submodules/k8s/main.tf | 1 + .../k8s/templates/k8s-pre-setup.sh.tftpl | 1 + modules/eks/submodules/k8s/variables.tf | 6 ++ modules/eks/variables.tf | 6 ++ modules/eks/versions.tf | 3 + modules/flyte/README.md | 1 + modules/flyte/variables.tf | 7 ++ modules/flyte/versions.tf | 5 ++ modules/iam-bootstrap/README.md | 1 + modules/iam-bootstrap/variables.tf | 6 ++ modules/iam-bootstrap/versions.tf | 2 + modules/infra/README.md | 1 + modules/infra/main.tf | 23 ++----- modules/infra/submodules/bastion/README.md | 1 + modules/infra/submodules/bastion/main.tf | 3 + modules/infra/submodules/bastion/variables.tf | 6 ++ modules/infra/submodules/storage/README.md | 1 + .../submodules/storage/efs_backup_vault.tf | 4 ++ modules/infra/submodules/storage/main.tf | 66 ++++++++++++------- modules/infra/submodules/storage/outputs.tf | 10 ++- modules/infra/submodules/storage/s3.tf | 4 +- modules/infra/submodules/storage/variables.tf | 6 ++ modules/infra/variables.tf | 6 ++ modules/infra/versions.tf | 15 +++++ 
modules/irsa/README.md | 1 + modules/irsa/external-dns.tf | 5 +- modules/irsa/variables.tf | 10 +++ modules/nodes/README.md | 1 + modules/nodes/variables.tf | 6 ++ modules/nodes/versions.tf | 2 + tests/deploy/ci-deploy.sh | 14 ++-- tests/deploy/cluster-ci.tfvars.tftpl | 2 + tests/deploy/infra-ci.tfvars.tftpl | 3 +- tests/deploy/meta.sh | 2 + tests/deploy/nodes-ci.tfvars.tftpl | 2 + tests/plan/terraform/README.md | 1 + tests/plan/terraform/main.tf | 8 ++- tests/plan/terraform/variables.tf | 6 ++ tests/plan/terraform/versions.tf | 2 + 57 files changed, 339 insertions(+), 101 deletions(-) create mode 100644 examples/tfvars/fips-on.tfvars create mode 100644 tests/deploy/nodes-ci.tfvars.tftpl diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c445a90a..1cb2375d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -19,58 +19,58 @@ repos: - id: check-dependabot - id: check-github-actions - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.86.0 + rev: v1.88.4 hooks: - id: terraform_validate # See #4 on https://github.com/antonbabenko/pre-commit-terraform#terraform_validate exclude: (modules/eks/[^/]+$|modules/infra/submodules/cost-usage-report) args: - - "--hook-config=--retry-once-with-cleanup=true" + - '--hook-config=--retry-once-with-cleanup=true' - id: terraform_providers_lock args: - --tf-init-args=-upgrade - id: terraform_docs args: - - "--args=--lockfile=false" - - "--hook-config=--path-to-file=README.md" - - "--hook-config=--add-to-existing-file=true" - - "--hook-config=--create-file-if-not-exist=true" - - "--hook-config=--recursive.enabled=true" - - "--hook-config=--recursive.path=submodules" + - '--args=--lockfile=false' + - '--hook-config=--path-to-file=README.md' + - '--hook-config=--add-to-existing-file=true' + - '--hook-config=--create-file-if-not-exist=true' + - '--hook-config=--recursive.enabled=true' + - '--hook-config=--recursive.path=submodules' - id: terraform_fmt - id: terraform_tflint args: - - "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl" - - "--args=--only=terraform_deprecated_interpolation" - - "--args=--only=terraform_deprecated_index" - - "--args=--only=terraform_unused_declarations" - - "--args=--only=terraform_comment_syntax" - - "--args=--only=terraform_documented_outputs" - - "--args=--only=terraform_documented_variables" - - "--args=--only=terraform_typed_variables" - - "--args=--only=terraform_module_pinned_source" - - "--args=--only=terraform_naming_convention" - - "--args=--only=terraform_required_version" - - "--args=--only=terraform_required_providers" - - "--args=--only=terraform_standard_module_structure" - - "--args=--only=terraform_workspace_remote" - - "--args=--enable-rule=aws_iam_policy_document_gov_friendly_arns" - - "--args=--enable-rule=aws_iam_policy_gov_friendly_arns" - - 
"--args=--enable-rule=aws_iam_role_policy_gov_friendly_arns" + - '--args=--config=__GIT_WORKING_DIR__/.tflint.hcl' + - '--args=--only=terraform_deprecated_interpolation' + - '--args=--only=terraform_deprecated_index' + - '--args=--only=terraform_unused_declarations' + - '--args=--only=terraform_comment_syntax' + - '--args=--only=terraform_documented_outputs' + - '--args=--only=terraform_documented_variables' + - '--args=--only=terraform_typed_variables' + - '--args=--only=terraform_module_pinned_source' + - '--args=--only=terraform_naming_convention' + - '--args=--only=terraform_required_version' + - '--args=--only=terraform_required_providers' + - '--args=--only=terraform_standard_module_structure' + - '--args=--only=terraform_workspace_remote' + - '--args=--enable-rule=aws_iam_policy_document_gov_friendly_arns' + - '--args=--enable-rule=aws_iam_policy_gov_friendly_arns' + - '--args=--enable-rule=aws_iam_role_policy_gov_friendly_arns' - id: terraform_checkov args: - - "--args=--compact" - - "--args=--quiet" - - "--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88,CKV2_GHA_1,CKV_AWS_163,CKV_AWS_39,CKV_AWS_38,CKV2_AWS_61,CKV2_AWS_62,CKV_AWS_136,CKV_AWS_329,CKV_AWS_338,CKV_AWS_339,CKV_AWS_341,CKV_AWS_356,CKV2_AWS_19,CKV2_AWS_5,CKV_AWS_150,CKV_AWS_123,CKV2_AWS_65" + - '--args=--compact' + - '--args=--quiet' + - '--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88,CKV2_GHA_1,CKV_AWS_163,CKV_AWS_39,CKV_AWS_38,CKV2_AWS_61,CKV2_AWS_62,CKV_AWS_136,CKV_AWS_329,CKV_AWS_338,CKV_AWS_339,CKV_AWS_341,CKV_AWS_356,CKV2_AWS_19,CKV2_AWS_5,CKV_AWS_150,CKV_AWS_123,CKV2_AWS_65' - id: terraform_trivy args: - - 
"--args=--severity=HIGH,CRITICAL" - - "--args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore" - - "--args=--exit-code=1" + - '--args=--severity=HIGH,CRITICAL' + - '--args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore' + - '--args=--exit-code=1' - repo: local hooks: - id: check_aws_partition name: Check for hard coded AWS partition entry: ./bin/pre-commit/check-aws-partition.sh language: script - exclude: "^(bin|examples)" + exclude: '^(bin|examples)' diff --git a/examples/deploy/terraform/cluster.tfvars b/examples/deploy/terraform/cluster.tfvars index f14014f3..8e183888 100644 --- a/examples/deploy/terraform/cluster.tfvars +++ b/examples/deploy/terraform/cluster.tfvars @@ -18,3 +18,5 @@ eks = { vpc_cni = null } kms_info = null + +use_fips_endpoint = false diff --git a/examples/deploy/terraform/cluster/README.md b/examples/deploy/terraform/cluster/README.md index b96ca44b..b200df3c 100644 --- a/examples/deploy/terraform/cluster/README.md +++ b/examples/deploy/terraform/cluster/README.md @@ -37,9 +37,10 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [eks](#input\_eks) | service\_ipv4\_cidr = CIDR for EKS cluster kubernetes\_network\_config.
creation\_role\_name = Name of the role to import.
k8s\_version = EKS cluster k8s version.
kubeconfig = {
extra\_args = Optional extra args when generating kubeconfig.
path = Fully qualified path name to write the kubeconfig file.
}
public\_access = {
enabled = Enable EKS API public endpoint.
cidrs = List of CIDR ranges permitted for accessing the EKS public endpoint.
}
Custom role maps for aws auth configmap
custom\_role\_maps = {
rolearn = string
username = string
groups = list(string)
}
master\_role\_names = IAM role names to be added as masters in eks.
cluster\_addons = EKS cluster addons. vpc-cni is installed separately.
vpc\_cni = Configuration for AWS VPC CNI
ssm\_log\_group\_name = CloudWatch log group to send the SSM session logs to.
identity\_providers = Configuration for IDP(Identity Provider).
} |
object({
service_ipv4_cidr = optional(string)
creation_role_name = optional(string, null)
k8s_version = optional(string)
kubeconfig = optional(object({
extra_args = optional(string)
path = optional(string)
}), {})
public_access = optional(object({
enabled = optional(bool)
cidrs = optional(list(string))
}), {})
custom_role_maps = optional(list(object({
rolearn = string
username = string
groups = list(string)
})))
master_role_names = optional(list(string))
cluster_addons = optional(list(string))
ssm_log_group_name = optional(string)
vpc_cni = optional(object({
prefix_delegation = optional(bool)
annotate_pod_ip = optional(bool)
}))
identity_providers = optional(list(object({
client_id = string
groups_claim = optional(string)
groups_prefix = optional(string)
identity_provider_config_name = string
issuer_url = optional(string)
required_claims = optional(string)
username_claim = optional(string)
username_prefix = optional(string)
})))
})
| `{}` | no | -| [irsa\_external\_dns](#input\_irsa\_external\_dns) | Mappings for custom IRSA configurations. |
object({
enabled = optional(bool, false)
hosted_zone_name = optional(string, null)
namespace = optional(string, null)
serviceaccount_name = optional(string, null)
})
| `{}` | no | +| [irsa\_external\_dns](#input\_irsa\_external\_dns) | Mappings for custom IRSA configurations. |
object({
enabled = optional(bool, false)
hosted_zone_name = optional(string, null)
namespace = optional(string, null)
serviceaccount_name = optional(string, null)
rm_role_policy = optional(object({
remove = optional(bool, false)
detach_from_role = optional(bool, false)
policy_name = optional(string, "")
}), {})
})
| `{}` | no | | [irsa\_policies](#input\_irsa\_policies) | Mappings for custom IRSA configurations. |
list(object({
name = string
namespace = string
serviceaccount_name = string
policy = string #json
}))
| `[]` | no | | [kms\_info](#input\_kms\_info) | Overrides the KMS key information. Meant for migrated configurations.
{
key\_id = KMS key id.
key\_arn = KMS key arn.
enabled = KMS key is enabled.
} |
object({
key_id = string
key_arn = string
enabled = bool
})
| `null` | no | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/examples/deploy/terraform/cluster/main.tf b/examples/deploy/terraform/cluster/main.tf index cb35f2a0..d11daa84 100644 --- a/examples/deploy/terraform/cluster/main.tf +++ b/examples/deploy/terraform/cluster/main.tf @@ -26,6 +26,7 @@ module "eks" { create_eks_role_arn = local.infra.create_eks_role_arn tags = local.infra.tags ignore_tags = local.infra.ignore_tags + use_fips_endpoint = var.use_fips_endpoint } data "aws_caller_identity" "global" { @@ -39,12 +40,16 @@ locals { is_eks_account_same = data.aws_caller_identity.this.account_id == data.aws_caller_identity.global.account_id } +moved { + from = module.irsa_external_dns[0] + to = module.irsa_external_dns +} + # If you are enabling the IRSA configuration for external-dns. # You will need to add the role created(module.irsa_external_dns.irsa_role) to # the following annotation to the `external-dns` service account: # `eks.amazonaws.com/role-arn: <>` module "irsa_external_dns" { - count = var.irsa_external_dns != null && var.irsa_external_dns.enabled ? 1 : 0 source = "./../../../../modules/irsa" use_cluster_odc_idp = local.is_eks_account_same eks_info = module.eks.info @@ -55,8 +60,12 @@ module "irsa_external_dns" { } } +moved { + from = module.irsa_policies[0] + to = module.irsa_policies +} + module "irsa_policies" { - count = var.irsa_policies != null ? 1 : 0 source = "./../../../../modules/irsa" use_cluster_odc_idp = true eks_info = module.eks.info @@ -73,6 +82,7 @@ provider "aws" { ignore_tags { keys = local.infra.ignore_tags } + use_fips_endpoint = var.use_fips_endpoint } provider "aws" { @@ -80,6 +90,7 @@ provider "aws" { ignore_tags { keys = local.infra.ignore_tags } + use_fips_endpoint = var.use_fips_endpoint } terraform { required_version = ">= 1.4.0" 
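Review bot: Dropping `count` from `module "irsa_external_dns"` in the `@@ -39,12 +40,16 @@` hunk instantiates the IRSA module even when `var.irsa_external_dns.enabled` is false, so the external-dns role is now withheld only if `modules/irsa/external-dns.tf` (changed in this commit but outside this view) gates its resources on `enabled` itself; worth confirming, since an IAM role that nothing uses is privilege with no owner. The same applies to the `irsa_policies` hunk, which no longer checks `var.irsa_policies != null` before handing the value to the module. The `moved` blocks do carry the old `[0]` state addresses across correctly. If the gating is intentionally inside the module now, a comment above the first `moved` block such as `# irsa module applies the enabled toggle internally; moved keeps existing state addresses` would explain why the guard disappeared.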
diff --git a/examples/deploy/terraform/cluster/variables.tf b/examples/deploy/terraform/cluster/variables.tf index 581fea2f..b6f08b2b 100644 --- a/examples/deploy/terraform/cluster/variables.tf +++ b/examples/deploy/terraform/cluster/variables.tf @@ -102,7 +102,18 @@ variable "irsa_external_dns" { hosted_zone_name = optional(string, null) namespace = optional(string, null) serviceaccount_name = optional(string, null) + rm_role_policy = optional(object({ + remove = optional(bool, false) + detach_from_role = optional(bool, false) + policy_name = optional(string, "") + }), {}) }) default = {} } + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/examples/deploy/terraform/infra.tfvars b/examples/deploy/terraform/infra.tfvars index d15ac39e..f86ec0e9 100644 --- a/examples/deploy/terraform/infra.tfvars +++ b/examples/deploy/terraform/infra.tfvars @@ -69,3 +69,5 @@ tags = null domino_cur = { provision_cost_usage_report = false } + +use_fips_endpoint = false diff --git a/examples/deploy/terraform/infra/README.md b/examples/deploy/terraform/infra/README.md index 2488bee2..320771d6 100644 --- a/examples/deploy/terraform/infra/README.md +++ b/examples/deploy/terraform/infra/README.md @@ -39,6 +39,7 @@ No resources. | [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes | | [storage](#input\_storage) | storage = {
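Review bot: The new `rm_role_policy` object (`remove`, `detach_from_role`, `policy_name`) in `variable "irsa_external_dns"` carries no documentation, and the README text for the variable stays at 'Mappings for custom IRSA configurations.', so a reader cannot tell what `remove` versus `detach_from_role` does or what `policy_name` is matched against. A short comment above `rm_role_policy` naming which policy is affected and in what order detach and delete happen (the irsa module that implements it is outside this hunk, so confirm before writing it) would make the toggle safe to use. The `use_fips_endpoint` description 'Use aws FIPS endpoints' is repeated verbatim in every module this commit touches; saying what it drives, e.g. `description = "Set use_fips_endpoint on the aws providers and export AWS_USE_FIPS_ENDPOINT for local aws CLI steps; requires a region that offers FIPS endpoints."`, would spare readers a search through the providers.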
efs = {
access\_point\_path = Filesystem path for efs.
backup\_vault = {
create = Create backup vault for EFS toggle.
force\_destroy = Toggle to allow automatic destruction of all backups when destroying.
backup = {
schedule = Cron-style schedule for EFS backup vault (default: once a day at 12pm).
cold\_storage\_after = Move backup data to cold storage after this many days.
delete\_after = Delete backup data after this many days.
}
}
}
s3 = {
force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets.
}
ecr = {
force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories.
}
}
} |
object({
efs = optional(object({
access_point_path = optional(string, "/domino")
backup_vault = optional(object({
create = optional(bool, true)
force_destroy = optional(bool, true)
backup = optional(object({
schedule = optional(string, "0 12 * * ? *")
cold_storage_after = optional(number, 35)
delete_after = optional(number, 125)
}), {})
}), {})
}), {})
s3 = optional(object({
force_destroy_on_deletion = optional(bool, true)
}), {})
ecr = optional(object({
force_destroy_on_deletion = optional(bool, true)
}), {})
})
| `{}` | no | | [tags](#input\_tags) | Deployment tags. | `map(string)` | n/a | yes | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/examples/deploy/terraform/infra/main.tf b/examples/deploy/terraform/infra/main.tf index a3529c40..d02a6c30 100644 --- a/examples/deploy/terraform/infra/main.tf +++ b/examples/deploy/terraform/infra/main.tf @@ -6,15 +6,16 @@ module "infra" { bastion = var.bastion default_node_groups = var.default_node_groups - network = var.network - eks = var.eks - kms = var.kms - storage = var.storage - region = var.region - ssh_pvt_key_path = var.ssh_pvt_key_path - tags = var.tags - ignore_tags = var.ignore_tags - domino_cur = var.domino_cur + network = var.network + eks = var.eks + kms = var.kms + storage = var.storage + region = var.region + ssh_pvt_key_path = var.ssh_pvt_key_path + tags = var.tags + ignore_tags = var.ignore_tags + domino_cur = var.domino_cur + use_fips_endpoint = var.use_fips_endpoint } @@ -24,6 +25,7 @@ provider "aws" { ignore_tags { keys = var.ignore_tags } + use_fips_endpoint = var.use_fips_endpoint } terraform { diff --git a/examples/deploy/terraform/infra/variables.tf b/examples/deploy/terraform/infra/variables.tf index f7aeab41..bbcd2a69 100644 --- a/examples/deploy/terraform/infra/variables.tf +++ b/examples/deploy/terraform/infra/variables.tf @@ -361,3 +361,9 @@ variable "domino_cur" { default = {} } + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/examples/deploy/terraform/nodes.tfvars b/examples/deploy/terraform/nodes.tfvars index 18a039c6..b7c89fc6 100644 --- a/examples/deploy/terraform/nodes.tfvars +++ b/examples/deploy/terraform/nodes.tfvars @@ -11,3 +11,5 @@ default_node_groups = { availability_zone_ids = ["usw2-az1", "usw2-az2"] } } + +use_fips_endpoint = false 
diff --git a/examples/deploy/terraform/nodes/README.md b/examples/deploy/terraform/nodes/README.md index bed39f53..705c38e0 100644 --- a/examples/deploy/terraform/nodes/README.md +++ b/examples/deploy/terraform/nodes/README.md @@ -6,6 +6,7 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.4.0 | +| [aws](#requirement\_aws) | ~> 5.0 | ## Providers @@ -32,6 +33,7 @@ |------|-------------|------|---------|:--------:| | [additional\_node\_groups](#input\_additional\_node\_groups) | Additional EKS managed node groups definition. |
map(object({
ami = optional(string)
bootstrap_extra_args = optional(string)
instance_types = list(string)
spot = optional(bool)
min_per_az = number
max_per_az = number
max_unavailable_percentage = optional(number)
max_unavailable = optional(number)
desired_per_az = number
availability_zone_ids = list(string)
labels = map(string)
taints = optional(list(object({
key = string
value = optional(string)
effect = string
})))
tags = optional(map(string), {})
gpu = optional(bool)
volume = object({
size = string
type = string
})
}))
| `null` | no | | [default\_node\_groups](#input\_default\_node\_groups) | EKS managed node groups definition. |
object(
{
compute = object(
{
ami = optional(string)
bootstrap_extra_args = optional(string)
instance_types = optional(list(string))
spot = optional(bool)
min_per_az = optional(number)
max_per_az = optional(number)
max_unavailable_percentage = optional(number)
max_unavailable = optional(number)
desired_per_az = optional(number)
availability_zone_ids = list(string)
labels = optional(map(string))
taints = optional(list(object({
key = string
value = optional(string)
effect = string
})))
tags = optional(map(string))
gpu = optional(bool)
volume = optional(object({
size = optional(number)
type = optional(string)
})
)
}),
platform = object(
{
ami = optional(string)
bootstrap_extra_args = optional(string)
instance_types = optional(list(string))
spot = optional(bool)
min_per_az = optional(number)
max_per_az = optional(number)
max_unavailable_percentage = optional(number)
max_unavailable = optional(number)
desired_per_az = optional(number)
availability_zone_ids = list(string)
labels = optional(map(string))
taints = optional(list(object({
key = string
value = optional(string)
effect = string
})))
tags = optional(map(string))
gpu = optional(bool)
volume = optional(object({
size = optional(number)
type = optional(string)
}))
}),
gpu = object(
{
ami = optional(string)
bootstrap_extra_args = optional(string)
instance_types = optional(list(string))
spot = optional(bool)
min_per_az = optional(number)
max_per_az = optional(number)
max_unavailable_percentage = optional(number)
max_unavailable = optional(number)
desired_per_az = optional(number)
availability_zone_ids = list(string)
labels = optional(map(string))
taints = optional(list(object({
key = string
value = optional(string)
effect = string
})))
tags = optional(map(string), {})
gpu = optional(bool, null)
volume = optional(object({
size = optional(number)
type = optional(string)
}))
})
})
| `null` | no | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/examples/deploy/terraform/nodes/main.tf b/examples/deploy/terraform/nodes/main.tf index 3d4248ba..355a1aa3 100644 --- a/examples/deploy/terraform/nodes/main.tf +++ b/examples/deploy/terraform/nodes/main.tf @@ -34,8 +34,20 @@ module "nodes" { kms_info = local.infra.kms tags = local.infra.tags ignore_tags = local.infra.ignore_tags + use_fips_endpoint = var.use_fips_endpoint +} + +provider "aws" { + region = local.infra.region + use_fips_endpoint = var.use_fips_endpoint } terraform { required_version = ">= 1.4.0" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } } diff --git a/examples/deploy/terraform/nodes/variables.tf b/examples/deploy/terraform/nodes/variables.tf index b573a771..a0fd310f 100644 --- a/examples/deploy/terraform/nodes/variables.tf +++ b/examples/deploy/terraform/nodes/variables.tf @@ -112,3 +112,10 @@ variable "additional_node_groups" { })) default = null } + + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/examples/tfvars/fips-on.tfvars b/examples/tfvars/fips-on.tfvars new file mode 100644 index 00000000..bd237345 --- /dev/null +++ b/examples/tfvars/fips-on.tfvars @@ -0,0 +1,29 @@ +deploy_id = "plantest003" +region = "us-west-2" +ssh_pvt_key_path = "domino.pem" + +default_node_groups = { + compute = { + availability_zone_ids = ["usw2-az1", "usw2-az2"] + } + gpu = { + availability_zone_ids = ["usw2-az1", "usw2-az2"] + } + platform = { + "availability_zone_ids" = ["usw2-az1", "usw2-az2"] + } + + eks = { + public_access = { + enabled = true + cidrs = ["108.214.49.0/24"] # Replace this with the desired CIDR range + + } + } +} + +bastion = { + enabled = false +} + +use_fips_endpoint = true diff --git a/modules/eks/README.md b/modules/eks/README.md index 5f56c9a6..3e10a3c3 100644 
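Review bot: The new `provider "aws"` block in examples/deploy/terraform/nodes/main.tf sets only `region` and `use_fips_endpoint`, while the cluster and infra example providers in this commit also carry `ignore_tags { keys = local.infra.ignore_tags }`. The nodes example already reads `local.infra.ignore_tags` and passes it to the module a few lines up, so its absence from the provider looks like an oversight; any root-level data source or resource in this example would report externally managed tags as drift. Unless the nodes module configures its own provider (modules/nodes/versions.tf is in the diffstat but outside this view), add `ignore_tags { keys = local.infra.ignore_tags }` to the block.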
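Review bot: In examples/tfvars/fips-on.tfvars the `eks = { public_access = { … } }` object sits inside `default_node_groups = {` — the brace that closes `default_node_groups` comes after the `eks` block — so it is not a top-level `eks` variable. Against the `default_node_groups` object type shown in the nodes README hunk on this page (only `compute`, `platform`, `gpu`), Terraform would reject `eks` as an unexpected attribute, or, if the consuming root module is looser, the public-endpoint CIDR allow-list would be silently dropped and the API endpoint left at whatever that module's `eks` default is. Move the `}` that closes `default_node_groups` to just after the `platform` block so `eks` is top-level like `bastion` and `use_fips_endpoint`.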
--- a/modules/eks/README.md +++ b/modules/eks/README.md @@ -81,6 +81,7 @@ | [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes | | [ssh\_key](#input\_ssh\_key) | path = SSH private key filepath.
key\_pair\_name = AWS key\_pair name. |
object({
path = string
key_pair_name = string
})
| n/a | yes | | [tags](#input\_tags) | Deployment tags. | `map(string)` | `{}` | no | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/modules/eks/cluster.tf b/modules/eks/cluster.tf index aaf1d21a..d082b971 100644 --- a/modules/eks/cluster.tf +++ b/modules/eks/cluster.tf @@ -104,6 +104,9 @@ resource "null_resource" "kubeconfig" { provisioner "local-exec" { when = create command = "aws eks update-kubeconfig --kubeconfig ${self.triggers.kubeconfig_file} --region ${self.triggers.region} --name ${self.triggers.cluster_name} --alias ${self.triggers.cluster_name} ${local.kubeconfig.extra_args}" + environment = { + AWS_USE_FIPS_ENDPOINT = tostring(var.use_fips_endpoint) + } } provisioner "local-exec" { when = destroy diff --git a/modules/eks/k8s.tf b/modules/eks/k8s.tf index 6fac8234..fe856227 100644 --- a/modules/eks/k8s.tf +++ b/modules/eks/k8s.tf @@ -6,10 +6,11 @@ locals { module "k8s_setup" { count = local.run_setup - source = "./submodules/k8s" - ssh_key = var.ssh_key - bastion_info = var.bastion_info - eks_info = local.eks_info + source = "./submodules/k8s" + ssh_key = var.ssh_key + bastion_info = var.bastion_info + eks_info = local.eks_info + use_fips_endpoint = var.use_fips_endpoint depends_on = [null_resource.kubeconfig] } diff --git a/modules/eks/submodules/k8s/README.md b/modules/eks/submodules/k8s/README.md index 0830b8b9..8d9c6263 100644 --- a/modules/eks/submodules/k8s/README.md +++ b/modules/eks/submodules/k8s/README.md @@ -36,6 +36,7 @@ No modules. | [calico\_version](#input\_calico\_version) | Calico operator version. | `string` | `"v3.25.0"` | no | | [eks\_info](#input\_eks\_info) | cluster = {
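Review bot: The `environment` map added to the `create` provisioner in modules/eks/cluster.tf exports `AWS_USE_FIPS_ENDPOINT` as "true" or "false" unconditionally, and the AWS CLI gives environment variables precedence over the profile's `use_fips_endpoint` setting, so leaving the variable at its default of false actively downgrades an operator whose CLI is configured for FIPS; the `export AWS_USE_FIPS_ENDPOINT=${use_fips_endpoint}` line in the k8s-pre-setup.sh.tftpl hunk further down has the same effect. Setting the variable only when requested avoids that: `environment = var.use_fips_endpoint ? tomap({ AWS_USE_FIPS_ENDPOINT = "true" }) : tomap({})` here, and `%{ if use_fips_endpoint == "true" }export AWS_USE_FIPS_ENDPOINT=true%{ endif }` in the template. The `when = destroy` provisioner on the following context line receives no environment at all; destroy-time provisioners can only reference `self`, so if that command invokes `aws` the flag would have to travel through `triggers` (which also forces one replacement of the null_resource when the key is first added). The `null_resource "kubeconfig"` block starts and ends outside the hunk.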
version = K8s version.
arn = EKS Cluster arn.
security\_group\_id = EKS Cluster security group id.
endpoint = EKS Cluster API endpoint.
roles = Default IAM Roles associated with the EKS cluster. {
name = string
arn = string
}
custom\_roles = Custom IAM Roles associated with the EKS cluster. {
rolearn = string
username = string
groups = list(string)
}
oidc = {
arn = OIDC provider ARN.
url = OIDC provider url.
}
}
nodes = {
security\_group\_id = EKS Nodes security group id.
roles = IAM Roles associated with the EKS Nodes.{
name = string
arn = string
}
}
kubeconfig = Kubeconfig details.{
path = string
extra\_args = string
} |
object({
cluster = object({
version = string
arn = string
security_group_id = string
endpoint = string
roles = list(object({
name = string
arn = string
}))
custom_roles = list(object({
rolearn = string
username = string
groups = list(string)
}))
oidc = object({
arn = string
url = string
})
})
nodes = object({
nodes_master = bool
security_group_id = string
roles = list(object({
name = string
arn = string
}))
})
kubeconfig = object({
path = string
extra_args = string
})
})
| n/a | yes | | [ssh\_key](#input\_ssh\_key) | path = SSH private key filepath.
key\_pair\_name = AWS key\_pair name. |
object({
path = string
key_pair_name = string
})
| n/a | yes | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/modules/eks/submodules/k8s/main.tf b/modules/eks/submodules/k8s/main.tf index 591dbdff..b4370e63 100644 --- a/modules/eks/submodules/k8s/main.tf +++ b/modules/eks/submodules/k8s/main.tf @@ -32,6 +32,7 @@ locals { filename = local.k8s_pre_setup_sh_file content = templatefile("${local.templates_dir}/${local.k8s_pre_setup_sh_template}", { k8s_functions_sh_filename = local.k8s_functions_sh_filename + use_fips_endpoint = tostring(var.use_fips_endpoint) }) } diff --git a/modules/eks/submodules/k8s/templates/k8s-pre-setup.sh.tftpl b/modules/eks/submodules/k8s/templates/k8s-pre-setup.sh.tftpl index 90510656..d8d2d67f 100644 --- a/modules/eks/submodules/k8s/templates/k8s-pre-setup.sh.tftpl +++ b/modules/eks/submodules/k8s/templates/k8s-pre-setup.sh.tftpl @@ -2,6 +2,7 @@ set -euo pipefail source ${k8s_functions_sh_filename} +export AWS_USE_FIPS_ENDPOINT=${use_fips_endpoint} open_ssh_tunnel() { local max_retries=5 diff --git a/modules/eks/submodules/k8s/variables.tf b/modules/eks/submodules/k8s/variables.tf index bb9d8faf..c5f57901 100644 --- a/modules/eks/submodules/k8s/variables.tf +++ b/modules/eks/submodules/k8s/variables.tf @@ -97,3 +97,9 @@ variable "eks_info" { }) }) } + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index f6fffd43..4f812c65 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf @@ -251,3 +251,9 @@ variable "privatelink" { default = {} } + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/modules/eks/versions.tf b/modules/eks/versions.tf index be3532f5..f0d42ec2 100644 --- a/modules/eks/versions.tf +++ b/modules/eks/versions.tf 
@@ -25,6 +25,7 @@ provider "aws" { ignore_tags { keys = var.ignore_tags } + use_fips_endpoint = var.use_fips_endpoint } provider "aws" { @@ -39,4 +40,6 @@ provider "aws" { assume_role { role_arn = var.create_eks_role_arn } + + use_fips_endpoint = var.use_fips_endpoint } diff --git a/modules/flyte/README.md b/modules/flyte/README.md index 4b18ff49..cc1fbe25 100644 --- a/modules/flyte/README.md +++ b/modules/flyte/README.md @@ -53,6 +53,7 @@ No modules. | [platform\_namespace](#input\_platform\_namespace) | Name of Domino platform namespace for this deploy | `string` | n/a | yes | | [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes | | [serviceaccount\_names](#input\_serviceaccount\_names) | Service account names for Flyte |
object({
datacatalog = optional(string, "datacatalog")
flyteadmin = optional(string, "flyteadmin")
flytepropeller = optional(string, "flytepropeller")
})
| `{}` | no | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/modules/flyte/variables.tf b/modules/flyte/variables.tf index 9536a831..db0e4786 100644 --- a/modules/flyte/variables.tf +++ b/modules/flyte/variables.tf @@ -81,3 +81,10 @@ variable "region" { error_message = "The provided region must follow the format of AWS region names, e.g., us-west-2, us-gov-west-1." } } + + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/modules/flyte/versions.tf b/modules/flyte/versions.tf index 6fe2b841..73822a47 100644 --- a/modules/flyte/versions.tf +++ b/modules/flyte/versions.tf @@ -11,3 +11,8 @@ terraform { } } } + +provider "aws" { + region = var.region + use_fips_endpoint = var.use_fips_endpoint +} diff --git a/modules/iam-bootstrap/README.md b/modules/iam-bootstrap/README.md index edf3ea13..ce0d12c6 100644 --- a/modules/iam-bootstrap/README.md +++ b/modules/iam-bootstrap/README.md @@ -37,6 +37,7 @@ No modules. | [max\_session\_duration](#input\_max\_session\_duration) | Maximum session duration for role in seconds | `number` | `43200` | no | | [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes | | [template\_config](#input\_template\_config) | Variables to use for any templating in the IAM policies. AWS account ID (as 'account\_id'), deploy\_id, region and partition are automatically included. | `map(any)` | `{}` | no | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/modules/iam-bootstrap/variables.tf b/modules/iam-bootstrap/variables.tf index a27b64d7..63850841 100644 --- a/modules/iam-bootstrap/variables.tf +++ b/modules/iam-bootstrap/variables.tf 
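Review bot: The `provider "aws"` block appended to modules/flyte/versions.tf turns flyte from a module that inherits its caller's provider into one that configures its own with only `region` and `use_fips_endpoint`. Any `default_tags`, `ignore_tags`, `assume_role` or alias the calling root module had set on its provider no longer reaches the flyte resources, and a module that declares its own provider configuration can no longer be used with `count`, `for_each` or `depends_on`. If the goal is only to pass the FIPS flag through, the callers' providers already receive `use_fips_endpoint` in the other hunks of this commit and this block could be dropped; if an in-module provider is wanted to match modules/eks/versions.tf, carry the same tag handling the sibling providers configure (where flyte has the corresponding variables) and note the constraint above the block, e.g. `# provider declared in-module: callers cannot use count/for_each/depends_on on this module`.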
@@ -41,3 +41,9 @@ variable "ignore_tags" { description = "Tag keys to be ignored by the aws provider." default = [] } + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/modules/iam-bootstrap/versions.tf b/modules/iam-bootstrap/versions.tf index 858de3dd..eed6e1af 100644 --- a/modules/iam-bootstrap/versions.tf +++ b/modules/iam-bootstrap/versions.tf @@ -13,4 +13,6 @@ provider "aws" { ignore_tags { keys = var.ignore_tags } + + use_fips_endpoint = var.use_fips_endpoint } diff --git a/modules/infra/README.md b/modules/infra/README.md index a5ddc53d..26eda1b1 100644 --- a/modules/infra/README.md +++ b/modules/infra/README.md @@ -65,6 +65,7 @@ | [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes | | [storage](#input\_storage) | storage = {
efs = {
access\_point\_path = Filesystem path for efs.
backup\_vault = {
create = Create backup vault for EFS toggle.
force\_destroy = Toggle to allow automatic destruction of all backups when destroying.
backup = {
schedule = Cron-style schedule for EFS backup vault (default: once a day at 12pm).
cold\_storage\_after = Move backup data to cold storage after this many days.
delete\_after = Delete backup data after this many days.
}
}
}
s3 = {
force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets.
}
ecr = {
force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories.
}
enable\_remote\_backup = Enable tagging required for cross-account backups
costs\_enabled = Determines whether to provision domino cost related infrastructures, ie, long term storage
}
} |
object({
efs = optional(object({
access_point_path = optional(string, "/domino")
backup_vault = optional(object({
create = optional(bool, true)
force_destroy = optional(bool, true)
backup = optional(object({
schedule = optional(string, "0 12 * * ? *")
cold_storage_after = optional(number, 35)
delete_after = optional(number, 125)
}), {})
}), {})
}), {})
s3 = optional(object({
force_destroy_on_deletion = optional(bool, true)
}), {})
ecr = optional(object({
force_destroy_on_deletion = optional(bool, true)
}), {}),
enable_remote_backup = optional(bool, false)
costs_enabled = optional(bool, true)
})
| `{}` | no | | [tags](#input\_tags) | Deployment tags. | `map(string)` | `{}` | no | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/modules/infra/main.tf b/modules/infra/main.tf index ff3f1006..f0251c1b 100644 --- a/modules/infra/main.tf +++ b/modules/infra/main.tf @@ -26,11 +26,13 @@ module "cost_usage_report" { } module "storage" { - source = "./submodules/storage" - deploy_id = var.deploy_id - network_info = module.network.info - kms_info = local.kms_info - storage = var.storage + source = "./submodules/storage" + deploy_id = var.deploy_id + network_info = module.network.info + kms_info = local.kms_info + storage = var.storage + use_fips_endpoint = var.use_fips_endpoint + } data "aws_ec2_instance_type" "all" { @@ -99,14 +101,3 @@ locals { node_iam_policies_storage = [module.storage.info.s3.iam_policy_arn, module.storage.info.ecr.iam_policy_arn] node_iam_policies = local.cost_usage_report_info != null ? concat(local.node_iam_policies_storage, [local.cost_usage_report_info.cur_iam_policy_arn]) : local.node_iam_policies_storage } - -provider "aws" { - region = strcontains(var.region, "us-gov") ? "us-gov-east-1" : "us-east-1" - alias = "us-east-1" - default_tags { - tags = var.tags - } - ignore_tags { - keys = var.ignore_tags - } -} diff --git a/modules/infra/submodules/bastion/README.md b/modules/infra/submodules/bastion/README.md index 1a259216..031cf890 100644 --- a/modules/infra/submodules/bastion/README.md +++ b/modules/infra/submodules/bastion/README.md @@ -55,6 +55,7 @@ No modules. | [network\_info](#input\_network\_info) | id = VPC ID.
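Review bot: The re-aligned `module "storage"` block in modules/infra/main.tf now ends with an empty line between `use_fips_endpoint = var.use_fips_endpoint` and the closing `}`, which none of the other module blocks in this patch have; drop the empty line so the block matches them. The second hunk in the file only moves the aliased `us-east-1` provider to versions.tf and raises nothing on its own.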
subnets = {
public = List of public Subnets.
[{
name = Subnet name.
subnet\_id = Subnet ud
az = Subnet availability\_zone
az\_id = Subnet availability\_zone\_id
}]
private = List of private Subnets.
[{
name = Subnet name.
subnet\_id = Subnet ud
az = Subnet availability\_zone
az\_id = Subnet availability\_zone\_id
}]
pod = List of pod Subnets.
[{
name = Subnet name.
subnet\_id = Subnet ud
az = Subnet availability\_zone
az\_id = Subnet availability\_zone\_id
}]
} |
object({
vpc_id = string
subnets = object({
public = list(object({
name = string
subnet_id = string
az = string
az_id = string
}))
private = optional(list(object({
name = string
subnet_id = string
az = string
az_id = string
})), [])
pod = optional(list(object({
name = string
subnet_id = string
az = string
az_id = string
})), [])
})
})
| n/a | yes | | [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes | | [ssh\_key](#input\_ssh\_key) | path = SSH private key filepath.
key\_pair\_name = AWS key\_pair name. |
object({
path = string
key_pair_name = string
})
| n/a | yes | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/modules/infra/submodules/bastion/main.tf b/modules/infra/submodules/bastion/main.tf index 318fa206..95a5435d 100644 --- a/modules/infra/submodules/bastion/main.tf +++ b/modules/infra/submodules/bastion/main.tf @@ -123,6 +123,9 @@ resource "terraform_data" "check_bastion_instance_profile" { exit 1 EOF interpreter = ["bash", "-c"] + environment = { + AWS_USE_FIPS_ENDPOINT = tostring(var.use_fips_endpoint) + } } depends_on = [aws_iam_instance_profile.bastion] } diff --git a/modules/infra/submodules/bastion/variables.tf b/modules/infra/submodules/bastion/variables.tf index 8abf18e9..f8093075 100644 --- a/modules/infra/submodules/bastion/variables.tf +++ b/modules/infra/submodules/bastion/variables.tf @@ -113,3 +113,9 @@ variable "ssh_key" { key_pair_name = string }) } + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/modules/infra/submodules/storage/README.md b/modules/infra/submodules/storage/README.md index ee77aa42..4b763982 100644 --- a/modules/infra/submodules/storage/README.md +++ b/modules/infra/submodules/storage/README.md @@ -70,6 +70,7 @@ No modules. | [kms\_info](#input\_kms\_info) | key\_id = KMS key id.
key\_arn = KMS key arn.
enabled = KMS key is enabled |
object({
key_id = string
key_arn = string
enabled = bool
})
| n/a | yes | | [network\_info](#input\_network\_info) | id = VPC ID.
subnets = {
public = List of public Subnets.
[{
name = Subnet name.
subnet\_id = Subnet ud
az = Subnet availability\_zone
az\_id = Subnet availability\_zone\_id
}]
private = List of private Subnets.
[{
name = Subnet name.
subnet\_id = Subnet ud
az = Subnet availability\_zone
az\_id = Subnet availability\_zone\_id
}]
pod = List of pod Subnets.
[{
name = Subnet name.
subnet\_id = Subnet ud
az = Subnet availability\_zone
az\_id = Subnet availability\_zone\_id
}]
} |
object({
vpc_id = string
subnets = object({
public = optional(list(object({
name = string
subnet_id = string
az = string
az_id = string
})), [])
private = list(object({
name = string
subnet_id = string
az = string
az_id = string
}))
pod = optional(list(object({
name = string
subnet_id = string
az = string
az_id = string
})), [])
})
})
| n/a | yes | | [storage](#input\_storage) | storage = {
efs = {
access\_point\_path = Filesystem path for efs.
backup\_vault = {
create = Create backup vault for EFS toggle.
force\_destroy = Toggle to allow automatic destruction of all backups when destroying.
backup = {
schedule = Cron-style schedule for EFS backup vault (default: once a day at 12pm).
cold\_storage\_after = Move backup data to cold storage after this many days.
delete\_after = Delete backup data after this many days.
}
}
}
s3 = {
force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets.
}
ecr = {
force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories.
}
enable\_remote\_backup = Enable tagging required for cross-account backups
costs\_enabled = Determines whether to provision domino cost related infrastructures, ie, long term storage
}
} |
object({
efs = optional(object({
access_point_path = optional(string)
backup_vault = optional(object({
create = optional(bool)
force_destroy = optional(bool)
backup = optional(object({
schedule = optional(string)
cold_storage_after = optional(number)
delete_after = optional(number)
}))
}))
}))
s3 = optional(object({
force_destroy_on_deletion = optional(bool)
}))
ecr = optional(object({
force_destroy_on_deletion = optional(bool)
}))
enable_remote_backup = optional(bool)
costs_enabled = optional(bool)
})
| n/a | yes | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/modules/infra/submodules/storage/efs_backup_vault.tf b/modules/infra/submodules/storage/efs_backup_vault.tf index 3106d115..7699c97c 100644 --- a/modules/infra/submodules/storage/efs_backup_vault.tf +++ b/modules/infra/submodules/storage/efs_backup_vault.tf @@ -87,8 +87,12 @@ resource "terraform_data" "check_backup_role" { exit 1 EOF interpreter = ["bash", "-c"] + environment = { + AWS_USE_FIPS_ENDPOINT = tostring(var.use_fips_endpoint) + } } + triggers_replace = [ aws_iam_role.efs_backup_role[0].id, ] diff --git a/modules/infra/submodules/storage/main.tf b/modules/infra/submodules/storage/main.tf index bb378f33..f1bd50fd 100644 --- a/modules/infra/submodules/storage/main.tf +++ b/modules/infra/submodules/storage/main.tf 
@@ -7,40 +7,58 @@ locals { s3_buckets = { for k, v in { backups = { - bucket_name = aws_s3_bucket.backups.bucket - id = aws_s3_bucket.backups.id - policy_json = data.aws_iam_policy_document.backups.json - arn = aws_s3_bucket.backups.arn + bucket_name = aws_s3_bucket.backups.bucket + id = aws_s3_bucket.backups.id + policy_json = data.aws_iam_policy_document.backups.json + arn = aws_s3_bucket.backups.arn + domain_name = aws_s3_bucket.backups.bucket_domain_name + regional_domain_name = aws_s3_bucket.backups.bucket_regional_domain_name + fips_regional_domain_name = replace(aws_s3_bucket.backups.bucket_regional_domain_name, ".s3.", ".s3-fips.") } blobs = { - bucket_name = aws_s3_bucket.blobs.bucket - id = aws_s3_bucket.blobs.id - policy_json = data.aws_iam_policy_document.blobs.json - arn = aws_s3_bucket.blobs.arn + bucket_name = aws_s3_bucket.blobs.bucket + id = aws_s3_bucket.blobs.id + policy_json = data.aws_iam_policy_document.blobs.json + arn = aws_s3_bucket.blobs.arn + domain_name = aws_s3_bucket.blobs.bucket_domain_name + regional_domain_name = aws_s3_bucket.blobs.bucket_regional_domain_name + fips_regional_domain_name = replace(aws_s3_bucket.blobs.bucket_regional_domain_name, ".s3.", ".s3-fips.") } costs = var.storage.costs_enabled ? 
{ - bucket_name = aws_s3_bucket.costs[0].bucket - id = aws_s3_bucket.costs[0].id - policy_json = data.aws_iam_policy_document.costs[0].json - arn = aws_s3_bucket.costs[0].arn + bucket_name = aws_s3_bucket.costs[0].bucket + id = aws_s3_bucket.costs[0].id + policy_json = data.aws_iam_policy_document.costs[0].json + arn = aws_s3_bucket.costs[0].arn + domain_name = aws_s3_bucket.costs[0].bucket_domain_name + regional_domain_name = aws_s3_bucket.costs[0].bucket_regional_domain_name + fips_regional_domain_name = replace(aws_s3_bucket.costs[0].bucket_regional_domain_name, ".s3.", ".s3-fips.") } : {} logs = { - bucket_name = aws_s3_bucket.logs.bucket - id = aws_s3_bucket.logs.id - policy_json = data.aws_iam_policy_document.logs.json - arn = aws_s3_bucket.logs.arn + bucket_name = aws_s3_bucket.logs.bucket + id = aws_s3_bucket.logs.id + policy_json = data.aws_iam_policy_document.logs.json + arn = aws_s3_bucket.logs.arn + domain_name = aws_s3_bucket.logs.bucket_domain_name + regional_domain_name = aws_s3_bucket.logs.bucket_regional_domain_name + fips_regional_domain_name = replace(aws_s3_bucket.logs.bucket_regional_domain_name, ".s3.", ".s3-fips.") } monitoring = { - bucket_name = aws_s3_bucket.monitoring.bucket - id = aws_s3_bucket.monitoring.id - policy_json = data.aws_iam_policy_document.monitoring.json - arn = aws_s3_bucket.monitoring.arn + bucket_name = aws_s3_bucket.monitoring.bucket + id = aws_s3_bucket.monitoring.id + policy_json = data.aws_iam_policy_document.monitoring.json + arn = aws_s3_bucket.monitoring.arn + domain_name = aws_s3_bucket.monitoring.bucket_domain_name + regional_domain_name = aws_s3_bucket.monitoring.bucket_regional_domain_name + fips_regional_domain_name = replace(aws_s3_bucket.monitoring.bucket_regional_domain_name, ".s3.", ".s3-fips.") } registry = { - bucket_name = aws_s3_bucket.registry.bucket - id = aws_s3_bucket.registry.id - policy_json = data.aws_iam_policy_document.registry.json - arn = aws_s3_bucket.registry.arn + bucket_name = 
aws_s3_bucket.registry.bucket + id = aws_s3_bucket.registry.id + policy_json = data.aws_iam_policy_document.registry.json + arn = aws_s3_bucket.registry.arn + domain_name = aws_s3_bucket.registry.bucket_domain_name + regional_domain_name = aws_s3_bucket.registry.bucket_regional_domain_name + fips_regional_domain_name = replace(aws_s3_bucket.registry.bucket_regional_domain_name, ".s3.", ".s3-fips.") } } : k => v if contains(keys(v), "bucket_name") } diff --git a/modules/infra/submodules/storage/outputs.tf b/modules/infra/submodules/storage/outputs.tf index 3ebd597c..657f2705 100644 --- a/modules/infra/submodules/storage/outputs.tf +++ b/modules/infra/submodules/storage/outputs.tf @@ -22,9 +22,13 @@ output "info" { } s3 = { buckets = { for k, b in local.s3_buckets : k => { - "bucket_name" = b.bucket_name, - "arn" = b.arn - } } + "bucket_name" = b.bucket_name, + "arn" = b.arn + "domain_name" = b.domain_name + "regional_domain_name" = b.regional_domain_name + "fips_regional_domain_name" = b.fips_regional_domain_name + } + } iam_policy_arn = aws_iam_policy.s3.arn } ecr = { diff --git a/modules/infra/submodules/storage/s3.tf b/modules/infra/submodules/storage/s3.tf index 4d1a5e2d..a9b9688a 100644 --- a/modules/infra/submodules/storage/s3.tf +++ b/modules/infra/submodules/storage/s3.tf @@ -213,7 +213,6 @@ resource "aws_s3_bucket" "monitoring" { bucket = "${var.deploy_id}-monitoring" force_destroy = var.storage.s3.force_destroy_on_deletion object_lock_enabled = false - } data "aws_iam_policy_document" "monitoring" { @@ -354,6 +353,9 @@ resource "terraform_data" "set_monitoring_private_acl" { exit 1 EOF interpreter = ["bash", "-c"] + environment = { + AWS_USE_FIPS_ENDPOINT = tostring(var.use_fips_endpoint) + } } depends_on = [aws_s3_bucket.monitoring] diff --git a/modules/infra/submodules/storage/variables.tf b/modules/infra/submodules/storage/variables.tf index 9a535c86..f02bb624 100644 --- a/modules/infra/submodules/storage/variables.tf 
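Review bot: `fips_regional_domain_name` is derived with a plain substring `replace(..., ".s3.", ".s3-fips.")`, which rewrites every occurrence of `.s3.` in `bucket_regional_domain_name`, including one inside the bucket name itself (S3 bucket names may contain dots, and nothing in the hunk shows `var.deploy_id` being validated against that). Anchoring the pattern to the host suffix avoids it: `fips_regional_domain_name = replace(aws_s3_bucket.backups.bucket_regional_domain_name, "/\\.s3\\.([a-z0-9-]+)\\.amazonaws\\.com$/", ".s3-fips.$1.amazonaws.com")`, repeated for the other five buckets, or better computed once in a local over the bucket resources instead of six copies. The value is also emitted whether or not `use_fips_endpoint` is set and only resolves in regions that publish S3 FIPS endpoints (US commercial and GovCloud), so the local should carry a comment saying consumers must select it only when FIPS is enabled for the deployment's region.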
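Review bot: In `output "info"` the rewritten `"arn" = b.arn` entry lost the trailing comma that `"bucket_name" = b.bucket_name,` keeps, so the object now mixes comma-separated and newline-separated attributes; use one form for all five entries. Since the map exposes `domain_name`, `regional_domain_name` and `fips_regional_domain_name` unconditionally, a short comment on the `s3.buckets` entry stating that `fips_regional_domain_name` is the one to use only when `use_fips_endpoint` is set would help callers.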
+++ b/modules/infra/submodules/storage/variables.tf @@ -122,3 +122,9 @@ variable "network_info" { }) }) } + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/modules/infra/variables.tf b/modules/infra/variables.tf index bfd3a556..bc5d6b70 100644 --- a/modules/infra/variables.tf +++ b/modules/infra/variables.tf @@ -415,3 +415,9 @@ variable "domino_cur" { default = {} } + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/modules/infra/versions.tf b/modules/infra/versions.tf index 272758bb..cf4bb4c4 100644 --- a/modules/infra/versions.tf +++ b/modules/infra/versions.tf @@ -28,4 +28,19 @@ provider "aws" { ignore_tags { keys = var.ignore_tags } + + use_fips_endpoint = var.use_fips_endpoint +} + +provider "aws" { + region = strcontains(var.region, "us-gov") ? "us-gov-east-1" : "us-east-1" + alias = "us-east-1" + default_tags { + tags = var.tags + } + ignore_tags { + keys = var.ignore_tags + } + + use_fips_endpoint = var.use_fips_endpoint } diff --git a/modules/irsa/README.md b/modules/irsa/README.md index 7be5b183..5b592748 100644 --- a/modules/irsa/README.md +++ b/modules/irsa/README.md @@ -50,6 +50,7 @@ No modules. | [eks\_info](#input\_eks\_info) | cluster = {
specs {
name = Cluster name.
account\_id = AWS account id where the cluster resides.
}
oidc = {
arn = OIDC provider ARN.
url = OIDC provider url.
cert = {
thumbprint\_list = OIDC cert thumbprints.
url = OIDC cert URL.
}
} |
object({
nodes = object({
roles = list(object({
arn = string
name = string
}))
})
cluster = object({
specs = object({
name = string
account_id = string
})
oidc = object({
arn = string
url = string
cert = object({
thumbprint_list = list(string)
url = string
})
})
})
})
| n/a | yes | | [external\_dns](#input\_external\_dns) | Config to enable irsa for external-dns |
object({
enabled = optional(bool, false)
hosted_zone_name = optional(string, null)
hosted_zone_private = optional(string, false)
namespace = optional(string, "domino-platform")
serviceaccount_name = optional(string, "external-dns")
rm_role_policy = optional(object({
remove = optional(bool, false)
detach_from_role = optional(bool, false)
policy_name = optional(string, "")
}), {})
})
| `{}` | no | | [use\_cluster\_odc\_idp](#input\_use\_cluster\_odc\_idp) | Toogle to uset the oidc idp connector in the trust policy.
Set to `true` if the cluster and the hosted zone are in different aws accounts.
`rm_role_policy` used to facilitiate the cleanup if a node attached policy was used previously. | `bool` | `true` | no | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/modules/irsa/external-dns.tf b/modules/irsa/external-dns.tf index 916c005d..3aa05b42 100644 --- a/modules/irsa/external-dns.tf +++ b/modules/irsa/external-dns.tf @@ -70,7 +70,7 @@ resource "terraform_data" "delete_route53_policy" { var.external_dns.rm_role_policy.policy_name ] provisioner "local-exec" { - command = <<-EOF + command = <<-EOF set -x -o pipefail policy_arn="arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.aws_account.account_id}:policy/${var.external_dns.rm_role_policy.policy_name}" @@ -92,6 +92,9 @@ resource "terraform_data" "delete_route53_policy" { fi EOF + environment = { + AWS_USE_FIPS_ENDPOINT = tostring(var.use_fips_endpoint) + } interpreter = ["bash", "-c"] } depends_on = [aws_iam_role_policy_attachment.external_dns] diff --git a/modules/irsa/variables.tf b/modules/irsa/variables.tf index a3e07a5e..0b48958e 100644 --- a/modules/irsa/variables.tf +++ b/modules/irsa/variables.tf @@ -65,6 +65,10 @@ variable "external_dns" { }) default = {} + validation { + condition = var.external_dns.enabled ? (var.external_dns.hosted_zone_name != null && length(var.external_dns.hosted_zone_name) > 0) : true + error_message = "Must provide a non-empty `external_dns.hosted_zone_name` if `external_dns.enabled` == true" + } } variable "additional_irsa_configs" { @@ -83,3 +87,9 @@ variable "additional_irsa_configs" { error_message = "Invalid json found in policy" } } + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/modules/nodes/README.md b/modules/nodes/README.md index 64f68105..2ef6539a 100644 --- a/modules/nodes/README.md +++ b/modules/nodes/README.md 
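Review bot: In `delete_route53_policy` the new `environment` map is placed before `interpreter`, whereas the three other `local-exec` provisioners this patch touches (infra/submodules/bastion/main.tf, storage/efs_backup_vault.tf, storage/s3.tf) add it after `interpreter`; keeping one order makes the four blocks directly comparable. The `command = <<-EOF` change in the earlier hunk of this file appears to be whitespace-only.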
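Review bot: The added `validation` on `external_dns` evaluates `length(var.external_dns.hosted_zone_name)` even when the value is `null`, because Terraform's `&&` does not short-circuit (unless the Terraform version this repo pins has changed that), so `enabled = true` with the `optional(string, null)` default yields a `length` argument error instead of the intended message. A form that is safe for `null` is `condition = !var.external_dns.enabled || try(length(var.external_dns.hosted_zone_name), 0) > 0`. The enclosing `variable "external_dns"` block starts outside the hunk.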
@@ -52,6 +52,7 @@ No modules. | [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes | | [ssh\_key](#input\_ssh\_key) | path = SSH private key filepath.
key\_pair\_name = AWS key\_pair name. |
object({
path = string
key_pair_name = string
})
| n/a | yes | | [tags](#input\_tags) | Deployment tags. | `map(string)` | `{}` | no | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/modules/nodes/variables.tf b/modules/nodes/variables.tf index 013255f4..d7d8de7c 100644 --- a/modules/nodes/variables.tf +++ b/modules/nodes/variables.tf @@ -350,3 +350,9 @@ variable "kms_info" { enabled = bool }) } + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/modules/nodes/versions.tf b/modules/nodes/versions.tf index f62e366f..ec59bb9b 100644 --- a/modules/nodes/versions.tf +++ b/modules/nodes/versions.tf @@ -24,4 +24,6 @@ provider "aws" { ignore_tags { keys = var.ignore_tags } + + use_fips_endpoint = var.use_fips_endpoint } diff --git a/tests/deploy/ci-deploy.sh b/tests/deploy/ci-deploy.sh index c0adc4f5..2b459327 100755 --- a/tests/deploy/ci-deploy.sh +++ b/tests/deploy/ci-deploy.sh @@ -107,13 +107,17 @@ set_tf_vars() { [ -f "$PVT_KEY" ] || { ssh-keygen -q -P '' -t rsa -b 4096 -m PEM -f "$PVT_KEY" && chmod 600 "$PVT_KEY"; } export CUSTOM_AMI PVT_KEY - local default_nodes=$(envsubst <"$INFRA_VARS_TPL" | tee "$INFRA_VARS" | hcledit attribute get default_node_groups) + + printf "\nInfra vars:\n" + envsubst <"$INFRA_VARS_TPL" | tee "$INFRA_VARS" + + export DEFAULT_NODES=$(hcledit attribute get default_node_groups -f "$INFRA_VARS") + + printf "\nCluster vars:\n" envsubst <"$CLUSTER_VARS_TPL" | tee "$CLUSTER_VARS" - echo "default_node_groups = $default_nodes" >"$NODES_VARS" - echo "Infra vars:" && cat "$INFRA_VARS" - echo "Cluster vars:" && cat "$CLUSTER_VARS" - echo "Nodes vars:" && cat "$NODES_VARS" + printf "\nNodes vars:\n" + envsubst <"$NODES_VARS_TPL" | tee "$NODES_VARS" } # Not used atm, but we could test nodes upgrades(OS-patches). diff --git a/tests/deploy/cluster-ci.tfvars.tftpl b/tests/deploy/cluster-ci.tfvars.tftpl index 38d56d4f..f8623d77 100644 
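Review bot: `export DEFAULT_NODES=$(hcledit attribute get default_node_groups -f "$INFRA_VARS")` masks hcledit's exit status (shellcheck SC2155), so a failed or empty extraction passes silently here and nodes-ci.tfvars.tftpl renders as `default_node_groups = `, which Terraform rejects only later with a less useful error. Assign and export separately and fail early on an empty value: `DEFAULT_NODES=$(hcledit attribute get default_node_groups -f "$INFRA_VARS")`, `[ -n "$DEFAULT_NODES" ] || { echo "default_node_groups not found in $INFRA_VARS" >&2; return 1; }`, `export DEFAULT_NODES`. set_tf_vars begins outside the hunk.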
--- a/tests/deploy/cluster-ci.tfvars.tftpl +++ b/tests/deploy/cluster-ci.tfvars.tftpl @@ -2,3 +2,5 @@ irsa_external_dns = { enabled = true hosted_zone_name = "deploys-delta.domino.tech" } + +use_fips_endpoint = true diff --git a/tests/deploy/infra-ci.tfvars.tftpl b/tests/deploy/infra-ci.tfvars.tftpl index f6eff556..60d87612 100644 --- a/tests/deploy/infra-ci.tfvars.tftpl +++ b/tests/deploy/infra-ci.tfvars.tftpl @@ -67,4 +67,5 @@ tags = { CIRCLE_BUILD_NUM = "${CIRCLE_BUILD_NUM}" } -ignore_tags = ["my-ignored-tag"] +ignore_tags = ["my-ignored-tag"] +use_fips_endpoint = true diff --git a/tests/deploy/meta.sh b/tests/deploy/meta.sh index 08248a07..c5d6bcc9 100644 --- a/tests/deploy/meta.sh +++ b/tests/deploy/meta.sh @@ -8,6 +8,7 @@ PVT_KEY="${DEPLOY_DIR}/domino.pem" INFRA_VARS_TPL="${SH_DIR}/infra-ci.tfvars.tftpl" CLUSTER_VARS_TPL="${SH_DIR}/cluster-ci.tfvars.tftpl" +NODES_VARS_TPL="${SH_DIR}/nodes-ci.tfvars.tftpl" declare -A COMP_MODS COMP_MODS["infra"]="infra" @@ -24,5 +25,6 @@ export SH_DIR \ PVT_KEY \ INFRA_VARS_TPL \ CLUSTER_VARS_TPL \ + NODES_VARS_TPL \ COMP_MODS \ MOD_ADD diff --git a/tests/deploy/nodes-ci.tfvars.tftpl b/tests/deploy/nodes-ci.tfvars.tftpl new file mode 100644 index 00000000..4b90e537 --- /dev/null +++ b/tests/deploy/nodes-ci.tfvars.tftpl @@ -0,0 +1,2 @@ +default_node_groups = ${DEFAULT_NODES} +use_fips_endpoint = true diff --git a/tests/plan/terraform/README.md b/tests/plan/terraform/README.md index de485a16..7818ee2e 100644 --- a/tests/plan/terraform/README.md +++ b/tests/plan/terraform/README.md @@ -53,6 +53,7 @@ | [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes | | [storage](#input\_storage) | storage = {
efs = {
access\_point\_path = Filesystem path for efs.
backup\_vault = {
create = Create backup vault for EFS toggle.
force\_destroy = Toggle to allow automatic destruction of all backups when destroying.
backup = {
schedule = Cron-style schedule for EFS backup vault (default: once a day at 12pm).
cold\_storage\_after = Move backup data to cold storage after this many days.
delete\_after = Delete backup data after this many days.
}
}
}
s3 = {
force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets.
}
ecr = {
force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories.
}
}
} |
object({
efs = optional(object({
access_point_path = optional(string, "/domino")
backup_vault = optional(object({
create = optional(bool, true)
force_destroy = optional(bool, true)
backup = optional(object({
schedule = optional(string, "0 12 * * ? *")
cold_storage_after = optional(number, 35)
delete_after = optional(number, 125)
}), {})
}), {})
}), {})
s3 = optional(object({
force_destroy_on_deletion = optional(bool, true)
}), {})
ecr = optional(object({
force_destroy_on_deletion = optional(bool, true)
}), {})
costs_enabled = optional(bool, true)
})
| `{}` | no | | [tags](#input\_tags) | Deployment tags. | `map(string)` | `{}` | no | +| [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no | ## Outputs diff --git a/tests/plan/terraform/main.tf b/tests/plan/terraform/main.tf index f5a233b7..2b38be98 100644 --- a/tests/plan/terraform/main.tf +++ b/tests/plan/terraform/main.tf @@ -13,6 +13,7 @@ module "infra" { ssh_pvt_key_path = var.ssh_pvt_key_path tags = var.tags domino_cur = var.domino_cur + use_fips_endpoint = var.use_fips_endpoint } @@ -35,16 +36,17 @@ module "eks" { monitoring_bucket = module.infra.monitoring_bucket route53_hosted_zone_name = var.route53_hosted_zone_name } + use_fips_endpoint = var.use_fips_endpoint } module "irsa_external_dns" { - count = var.route53_hosted_zone_name != null ? 1 : 0 source = "./../../../modules/irsa" eks_info = module.eks.info external_dns = { - enabled = true + enabled = var.route53_hosted_zone_name != null hosted_zone_name = var.route53_hosted_zone_name } + use_fips_endpoint = var.use_fips_endpoint } data "aws_iam_policy_document" "mypod_s3" { @@ -64,6 +66,7 @@ module "irsa_policies" { policy = data.aws_iam_policy_document.mypod_s3.json serviceaccount_name = "mypod-s3" }] + use_fips_endpoint = var.use_fips_endpoint } module "nodes" { @@ -77,6 +80,7 @@ module "nodes" { network_info = module.infra.network kms_info = module.infra.kms tags = module.infra.tags + use_fips_endpoint = var.use_fips_endpoint } module "single_node" { diff --git a/tests/plan/terraform/variables.tf b/tests/plan/terraform/variables.tf index 0e0f1640..9fe3438c 100644 --- a/tests/plan/terraform/variables.tf +++ b/tests/plan/terraform/variables.tf @@ -443,3 +443,9 @@ variable "domino_cur" { default = {} } + +variable "use_fips_endpoint" { + description = "Use aws FIPS endpoints" + type = bool + default = false +} diff --git a/tests/plan/terraform/versions.tf b/tests/plan/terraform/versions.tf index ae4c1b0f..df931ef0 100644 
--- a/tests/plan/terraform/versions.tf
+++ b/tests/plan/terraform/versions.tf
@@ -3,6 +3,8 @@ provider "aws" {
   ignore_tags {
     keys = var.ignore_tags
   }
+
+  use_fips_endpoint = var.use_fips_endpoint
 }
 
 terraform {