From e5414c7687e8fc58dc7459f3253c168ffcbc224f Mon Sep 17 00:00:00 2001
From: David McWhorter <105815369+dmcwhorter-ddl@users.noreply.github.com>
Date: Tue, 17 Sep 2024 15:15:53 -0400
Subject: [PATCH] External Deployments Module + Policy Options  (#272)

---
 .circleci/config.yml                          |  67 +++++-
 .pre-commit-config.yaml                       |   3 +-
 examples/deploy/meta.sh                       |   4 +-
 examples/deploy/terraform/cluster/README.md   |   6 +-
 examples/deploy/terraform/cluster/main.tf     |  18 +-
 examples/deploy/terraform/cluster/outputs.tf  |  10 +-
 .../deploy/terraform/cluster/variables.tf     |  13 +-
 examples/tfvars/external-deployments.tfvars   |   8 +-
 modules/external-deployments/README.md        |  51 +++++
 modules/external-deployments/main.tf          |  15 ++
 modules/external-deployments/operator_role.tf |  64 ++++++
 .../operator_role_policies.tf                 | 205 ++++++++++++++++++
 modules/external-deployments/outputs.tf       |  11 +
 modules/external-deployments/variables.tf     |  72 ++++++
 modules/external-deployments/versions.tf      |   9 +
 modules/irsa/README.md                        |   3 -
 modules/irsa/external-deployments-operator.tf |  23 --
 modules/irsa/outputs.tf                       |   8 -
 modules/irsa/variables.tf                     |  11 -
 tests/deploy/ci-deploy.sh                     |   6 +-
 tests/deploy/cluster-ci.tfvars.tftpl          |   2 +-
 tests/deploy/meta.sh                          |   4 +-
 tests/plan/terraform/README.md                |   8 +-
 tests/plan/terraform/main.tf                  |  13 +-
 tests/plan/terraform/variables.tf             |  13 +-
 tests/plan/terraform/versions.tf              |   5 +-
 26 files changed, 552 insertions(+), 100 deletions(-)
 create mode 100644 modules/external-deployments/README.md
 create mode 100644 modules/external-deployments/main.tf
 create mode 100644 modules/external-deployments/operator_role.tf
 create mode 100644 modules/external-deployments/operator_role_policies.tf
 create mode 100644 modules/external-deployments/outputs.tf
 create mode 100644 modules/external-deployments/variables.tf
 create mode 100644 modules/external-deployments/versions.tf
 delete mode 100644 modules/irsa/external-deployments-operator.tf

diff --git a/.circleci/config.yml b/.circleci/config.yml
index eb476826..536232b7 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -34,6 +34,7 @@ commands:
     steps:
       - terraform/install:
           terraform_version: << parameters.terraform_version >>
+
   install_hcledit:
     description: "Install HCL edit"
     parameters:
@@ -47,6 +48,7 @@ commands:
           environment:
             HCLEDIT_VERSION: << parameters.hcledit_version >>
           command: bash ci-deploy.sh install_hcledit
+
   set_mod_source_current:
     description: "Set up module source to current branch."
     steps:
@@ -54,6 +56,7 @@ commands:
           name: Set module source to current branch
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_mod_src_circle_branch
+
   set_infra_imports:
     description: "Set up root infra module imports."
     steps:
@@ -61,6 +64,7 @@ commands:
           name: Set root infra module imports
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_infra_imports
+
   pre_upgrade_updates:
     description: "Updates necessary for upgrade."
     steps:
@@ -68,6 +72,7 @@ commands:
           name: Manual updates
           working_directory: tests/deploy
           command: bash ci-deploy.sh pre_upgrade_updates
+
   set_cluster_imports:
     description: "Set up root cluster module imports."
     steps:
@@ -75,6 +80,7 @@ commands:
           name: Set root cluster module imports
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_cluster_imports
+
   set_nodes_imports:
     description: "Set up root nodes module imports."
     steps:
@@ -82,6 +88,7 @@ commands:
           name: Set root nodes module imports
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_nodes_imports
+
   set_mod_source_latest_rel:
     description: "Set up module source to current branch"
     steps:
@@ -89,12 +96,14 @@ commands:
           name: Set module source to latest published release
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_mod_src_latest_rel
+
   set_aws_creds:
     description: "Sets short-lived creds"
     steps:
       - aws-cli/setup:
           role-arn: "${AWS_IAM_ROLE}"
           session-duration: "900"
+
   set_tf_vars:
     description: "Sets Terraform variables"
     steps:
@@ -105,14 +114,16 @@ commands:
           name: Bootstrap terraform vars
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_tf_vars
-  set_tf_mods:
+
+  setup_tf_mods:
     description: "Bootstrap modules using the CI branch"
     steps:
       - run:
           name: Bootstrap terraform module using the CI branch
           working_directory: tests/deploy
           command: bash ci-deploy.sh setup_modules_ci_branch
-  set_tf_mods_latest_rel:
+
+  setup_tf_mods_latest_rel:
     description: "Bootstrap modules using latest release"
     steps:
       - run:
@@ -120,6 +131,14 @@ commands:
           working_directory: tests/deploy
           command: bash ci-deploy.sh setup_modules_latest_rel
 
+  setup_tf_mods_upgrade:
+    description: "Upgrade existing modules using current branch"
+    steps:
+      - run:
+          name: Bootstrap terraform module using latest release
+          working_directory: tests/deploy
+          command: bash ci-deploy.sh setup_modules_upgrade
+
   install_helm:
     description: "Install Helm"
     parameters:
@@ -132,6 +151,7 @@ commands:
           environment:
             HELM_VERSION: << parameters.helm_version >>
           command: bash ci-deploy.sh install_helm
+
   tf_init_apply:
     description: "Terraform Init, Validate, Apply"
     steps:
@@ -139,6 +159,7 @@ commands:
           name: Terraform init/validate/apply
           working_directory: tests/deploy
           command: bash ci-deploy.sh deploy
+
   tf_deploy_infra:
     description: "Terraform deploy Infra"
     steps:
@@ -146,6 +167,7 @@ commands:
           name: Terraform deploy Infra
           working_directory: tests/deploy
           command: bash ci-deploy.sh deploy_infra
+
   tf_deploy_cluster:
     description: "Terraform deploy Cluster"
     steps:
@@ -153,6 +175,7 @@ commands:
           name: Terraform deploy Cluster
           working_directory: tests/deploy
           command: bash ci-deploy.sh deploy_cluster
+
   tf_deploy_nodes:
     description: "Terraform deploy Nodes"
     steps:
@@ -160,6 +183,7 @@ commands:
           name: Terraform deploy Nodes
           working_directory: tests/deploy
           command: bash ci-deploy.sh deploy_nodes
+
   tf_deploy_single_node:
     description: "Terraform deploy single-node"
     steps:
@@ -171,6 +195,7 @@ commands:
           name: Deploy single-node
           working_directory: tests/deploy
           command: bash ci-deploy.sh deploy_single_node
+
   tf_destroy_single_node:
     description: "Terraform destroy single-node"
     steps:
@@ -178,6 +203,7 @@ commands:
           name: Destroy single-node
           working_directory: tests/deploy
           command: bash ci-deploy.sh destroy_single_node
+
   tf_deploy:
     description: "Terraform deploy"
     steps:
@@ -187,6 +213,7 @@ commands:
       - tf_deploy_infra
       - tf_deploy_cluster
       - tf_deploy_nodes
+
   tf_destroy:
     description: "Terraform destroy"
     steps:
@@ -195,6 +222,7 @@ commands:
           working_directory: tests/deploy
           command: bash ci-deploy.sh destroy
           when: always
+
   tf_plan_test:
     steps:
       - set_aws_creds
@@ -202,6 +230,23 @@ commands:
           name: Terraform plan test
           working_directory: tests/plan
           command: bash tf-plan-test.sh
+
+  store_deploy_artifacts:
+    parameters:
+      path:
+        type: string
+        default: deploy
+    steps:
+      - run:
+          name: Store artifacts
+          when: always
+          command: |
+            mkdir -p /tmp/artifacts/<< parameters.path >>/{cluster,infra,nodes}
+            cp tests/deploy/deploy-test/terraform/{cluster,infra,nodes}.tfvars /tmp/artifacts/<< parameters.path >>/
+            cp tests/deploy/deploy-test/terraform/cluster/main.tf /tmp/artifacts/<< parameters.path >>/cluster/
+            cp tests/deploy/deploy-test/terraform/infra/main.tf /tmp/artifacts/<< parameters.path >>/infra/
+            cp tests/deploy/deploy-test/terraform/nodes/main.tf /tmp/artifacts/<< parameters.path >>/nodes/
+
 jobs:
   tf-plan-test:
     docker:
@@ -214,6 +259,7 @@ jobs:
       - install_tf:
           terraform_version: << parameters.terraform_version >>
       - tf_plan_test
+
   test-deploy:
     docker:
       - image: cimg/aws:2023.04.1
@@ -228,13 +274,17 @@ jobs:
           terraform_version: << parameters.terraform_version >>
       - install_helm:
           helm_version: << parameters.helm_version >>
-      - set_tf_mods
+      - setup_tf_mods
       - set_tf_vars
       - set_mod_source_current
       - tf_deploy
+      - store_deploy_artifacts
       - tf_deploy_single_node
       - tf_destroy_single_node
       - tf_destroy
+      - store_artifacts:
+          path: /tmp/artifacts/
+
   test-upgrade:
     docker:
       - image: cimg/aws:2023.04.1
@@ -251,17 +301,24 @@ jobs:
           terraform_version: << parameters.terraform_version >>
       - install_helm:
           helm_version: << parameters.helm_version >>
-      - set_tf_mods_latest_rel
+      - setup_tf_mods_latest_rel
       - set_tf_vars
       - set_mod_source_latest_rel
       - tf_deploy
+      - store_deploy_artifacts
+      - setup_tf_mods_upgrade
+      - set_tf_vars
       - set_mod_source_current
       - pre_upgrade_updates
       - set_infra_imports
       - set_cluster_imports
       - set_nodes_imports
       - tf_deploy
+      - store_deploy_artifacts:
+          path: upgrade
       - tf_destroy
+      - store_artifacts:
+          path: /tmp/artifacts/
 
 workflows:
   test-deploy-workflow:
@@ -272,6 +329,7 @@ workflows:
           context: aws-oidc
           terraform_version: << pipeline.parameters.terraform_version >>
           helm_version: << pipeline.parameters.helm_version >>
+
   test-upgrade-workflow:
     when:
       equal: ["test-upgrade-workflow", << pipeline.parameters.GHA_Action >>]
@@ -281,6 +339,7 @@ workflows:
           terraform_version: << pipeline.parameters.terraform_version >>
           helm_version: << pipeline.parameters.helm_version >>
           hcledit_version: << pipeline.parameters.hcledit_version >>
+
   examples-plan-test-workflow:
     when:
       equal:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8bb8e0c6..bd934b50 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,4 +1,5 @@
 ## NOTE: Changes(rename/add/delete) to pre-commit ids need to be replicated in .github/workflows/terraform-checks.yml(GHA).
+default_stages: [commit]
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.6.0
@@ -61,7 +62,7 @@ repos:
         args:
           - "--args=--compact"
           - "--args=--quiet"
-          - "--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88,CKV2_GHA_1,CKV_AWS_163,CKV_AWS_39,CKV_AWS_38,CKV2_AWS_61,CKV2_AWS_62,CKV_AWS_136,CKV_AWS_329,CKV_AWS_338,CKV_AWS_339,CKV_AWS_341,CKV_AWS_356,CKV2_AWS_19,CKV2_AWS_5,CKV_AWS_150,CKV_AWS_123,CKV2_AWS_65,CKV2_AWS_67,CKV2_AWS_57,CKV_AWS_149,CKV_AWS_117,CKV_AWS_116,CKV_AWS_173,CKV_AWS_115,CKV_AWS_7,CKV_AWS_124"
+          - "--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_107,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88,CKV2_GHA_1,CKV_AWS_163,CKV_AWS_39,CKV_AWS_38,CKV2_AWS_61,CKV2_AWS_62,CKV_AWS_136,CKV_AWS_329,CKV_AWS_338,CKV_AWS_339,CKV_AWS_341,CKV_AWS_356,CKV2_AWS_19,CKV2_AWS_5,CKV_AWS_150,CKV_AWS_123,CKV2_AWS_65,CKV2_AWS_67,CKV2_AWS_57,CKV_AWS_149,CKV_AWS_117,CKV_AWS_116,CKV_AWS_173,CKV_AWS_115,CKV_AWS_7,CKV_AWS_124"
       - id: terraform_trivy
         args:
           - "--args=--severity=HIGH,CRITICAL"
diff --git a/examples/deploy/meta.sh b/examples/deploy/meta.sh
index a69d87f5..1b32f105 100644
--- a/examples/deploy/meta.sh
+++ b/examples/deploy/meta.sh
@@ -11,13 +11,13 @@ declare -a MOD_DIRS=(
 
 declare -A COMP_MODS
 COMP_MODS["infra"]="infra"
-COMP_MODS["cluster"]="eks irsa_external_dns irsa_policies irsa_external_deployments_operator"
+COMP_MODS["cluster"]="eks irsa_external_dns irsa_policies external_deployments_operator"
 COMP_MODS["nodes"]="nodes"
 
 declare -A MOD_ADD
 MOD_ADD["irsa_external_dns"]="irsa"
 MOD_ADD["irsa_policies"]="irsa"
-MOD_ADD["irsa_external_deployments_operator"]="irsa"
+MOD_ADD["external_deployments_operator"]="external-deployments"
 
 INFRA_DIR="${MOD_DIRS[0]}"
 CLUSTER_DIR="${MOD_DIRS[1]}"
diff --git a/examples/deploy/terraform/cluster/README.md b/examples/deploy/terraform/cluster/README.md
index f69575e8..6b06a3f9 100644
--- a/examples/deploy/terraform/cluster/README.md
+++ b/examples/deploy/terraform/cluster/README.md
@@ -21,7 +21,7 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_eks"></a> [eks](#module\_eks) | ./../../../../modules/eks | n/a |
-| <a name="module_irsa_external_deployments_operator"></a> [irsa\_external\_deployments\_operator](#module\_irsa\_external\_deployments\_operator) | ./../../../../modules/irsa | n/a |
+| <a name="module_external_deployments_operator"></a> [external\_deployments\_operator](#module\_external\_deployments\_operator) | ./../../../../modules/external-deployments | n/a |
 | <a name="module_irsa_external_dns"></a> [irsa\_external\_dns](#module\_irsa\_external\_dns) | ./../../../../modules/irsa | n/a |
 | <a name="module_irsa_policies"></a> [irsa\_policies](#module\_irsa\_policies) | ./../../../../modules/irsa | n/a |
 
@@ -38,7 +38,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_eks"></a> [eks](#input\_eks) | service\_ipv4\_cidr = CIDR for EKS cluster kubernetes\_network\_config.<br>    creation\_role\_name = Name of the role to import.<br>    k8s\_version = EKS cluster k8s version.<br>    kubeconfig = {<br>      extra\_args = Optional extra args when generating kubeconfig.<br>      path       = Fully qualified path name to write the kubeconfig file.<br>    }<br>    public\_access = {<br>      enabled = Enable EKS API public endpoint.<br>      cidrs   = List of CIDR ranges permitted for accessing the EKS public endpoint.<br>    }<br>    Custom role maps for aws auth configmap<br>    custom\_role\_maps = {<br>      rolearn  = string<br>      username = string<br>      groups   = list(string)<br>    }<br>    master\_role\_names  = IAM role names to be added as masters in eks.<br>    cluster\_addons     = EKS cluster addons. vpc-cni is installed separately.<br>    vpc\_cni            = Configuration for AWS VPC CNI<br>    ssm\_log\_group\_name = CloudWatch log group to send the SSM session logs to.<br>    identity\_providers = Configuration for IDP(Identity Provider).<br>  } | <pre>object({<br>    service_ipv4_cidr  = optional(string)<br>    creation_role_name = optional(string, null)<br>    k8s_version        = optional(string)<br>    kubeconfig = optional(object({<br>      extra_args = optional(string)<br>      path       = optional(string)<br>    }), {})<br>    public_access = optional(object({<br>      enabled = optional(bool)<br>      cidrs   = optional(list(string))<br>    }), {})<br>    custom_role_maps = optional(list(object({<br>      rolearn  = string<br>      username = string<br>      groups   = list(string)<br>    })))<br>    master_role_names  = optional(list(string))<br>    cluster_addons     = optional(list(string))<br>    ssm_log_group_name = optional(string)<br>    vpc_cni = optional(object({<br>      prefix_delegation = optional(bool)<br>      annotate_pod_ip   = optional(bool)<br>    }))<br>    identity_providers = optional(list(object({<br>      client_id                     = string<br>      groups_claim                  = optional(string)<br>      groups_prefix                 = optional(string)<br>      identity_provider_config_name = string<br>      issuer_url                    = optional(string)<br>      required_claims               = optional(string)<br>      username_claim                = optional(string)<br>      username_prefix               = optional(string)<br>    })))<br>  })</pre> | `{}` | no |
-| <a name="input_irsa_external_deployments_operator"></a> [irsa\_external\_deployments\_operator](#input\_irsa\_external\_deployments\_operator) | Config to create IRSA role for the external deployments operator. | <pre>object({<br>    enabled              = optional(bool, false)<br>    namespace            = optional(string, "domino-compute")<br>    service_account_name = optional(string, "pham-juno-operator")<br>  })</pre> | `{}` | no |
+| <a name="input_external_deployments_operator"></a> [external\_deployments\_operator](#input\_external\_deployments\_operator) | Config to create IRSA role for the external deployments operator. | <pre>object({<br>    enabled                         = optional(bool, false)<br>    namespace                       = optional(string, "domino-compute")<br>    operator_service_account_name   = optional(string, "pham-juno-operator")<br>    operator_role_suffix            = optional(string, "external-deployments-operator")<br>    repository_suffix               = optional(string, "external-deployments")<br>    bucket_suffix                   = optional(string, "external-deployments")<br>    enable_assume_any_external_role = optional(bool, true)<br>    enable_in_account_deployments   = optional(bool, true)<br>  })</pre> | `{}` | no |
 | <a name="input_irsa_external_dns"></a> [irsa\_external\_dns](#input\_irsa\_external\_dns) | Mappings for custom IRSA configurations. | <pre>object({<br>    enabled             = optional(bool, false)<br>    hosted_zone_name    = optional(string, null)<br>    namespace           = optional(string, null)<br>    serviceaccount_name = optional(string, null)<br>    rm_role_policy = optional(object({<br>      remove           = optional(bool, false)<br>      detach_from_role = optional(bool, false)<br>      policy_name      = optional(string, "")<br>    }), {})<br>  })</pre> | `{}` | no |
 | <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | Mappings for custom IRSA configurations. | <pre>list(object({<br>    name                = string<br>    namespace           = string<br>    serviceaccount_name = string<br>    policy              = string #json<br>  }))</pre> | `[]` | no |
 | <a name="input_kms_info"></a> [kms\_info](#input\_kms\_info) | Overrides the KMS key information. Meant for migrated configurations.<br>    {<br>      key\_id  = KMS key id.<br>      key\_arn = KMS key arn.<br>      enabled = KMS key is enabled.<br>    } | <pre>object({<br>    key_id  = string<br>    key_arn = string<br>    enabled = bool<br>  })</pre> | `null` | no |
@@ -49,7 +49,7 @@
 | Name | Description |
 |------|-------------|
 | <a name="output_eks"></a> [eks](#output\_eks) | EKS details. |
-| <a name="output_external_deployments_operator"></a> [external\_deployments\_operator](#output\_external\_deployments\_operator) | "External\_deployments\_operator info"<br>  {<br>    irsa\_role = irsa role arn<br>    service\_account\_name = service account name<br>  } |
+| <a name="output_external_deployments_operator"></a> [external\_deployments\_operator](#output\_external\_deployments\_operator) | External deployments operator details. |
 | <a name="output_external_dns_irsa_role_arn"></a> [external\_dns\_irsa\_role\_arn](#output\_external\_dns\_irsa\_role\_arn) | "External\_dns info"<br>  {<br>    irsa\_role = irsa role arn.<br>    zone\_id   = hosted zone id for external\_dns Iam policy<br>    zone\_name = hosted zone name for external\_dns Iam policy<br>  } |
 | <a name="output_infra"></a> [infra](#output\_infra) | Infra details. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/deploy/terraform/cluster/main.tf b/examples/deploy/terraform/cluster/main.tf
index 4e4c89ed..fbb8a57a 100644
--- a/examples/deploy/terraform/cluster/main.tf
+++ b/examples/deploy/terraform/cluster/main.tf
@@ -73,16 +73,14 @@ module "irsa_policies" {
   additional_irsa_configs = var.irsa_policies
 }
 
-# If you are enabling the IRSA configuration for external-deployments-operator
-module "irsa_external_deployments_operator" {
-  source                        = "./../../../../modules/irsa"
-  use_cluster_odc_idp           = local.is_eks_account_same
-  eks_info                      = module.eks.info
-  external_deployments_operator = var.irsa_external_deployments_operator
-
-  providers = {
-    aws = aws.global
-  }
+module "external_deployments_operator" {
+  count = var.external_deployments_operator.enabled ? 1 : 0
+
+  source               = "./../../../../modules/external-deployments"
+  eks_info             = module.eks.info
+  kms_info             = local.kms
+  region               = local.infra.region
+  external_deployments = var.external_deployments_operator
 }
 
 # Provider configuration for the account where the hosted zone is defined.
diff --git a/examples/deploy/terraform/cluster/outputs.tf b/examples/deploy/terraform/cluster/outputs.tf
index 274ff13e..8ef5ac59 100644
--- a/examples/deploy/terraform/cluster/outputs.tf
+++ b/examples/deploy/terraform/cluster/outputs.tf
@@ -21,12 +21,6 @@ output "external_dns_irsa_role_arn" {
 }
 
 output "external_deployments_operator" {
-  description = <<EOF
-  "External_deployments_operator info"
-  {
-    irsa_role = irsa role arn
-    service_account_name = service account name
-  }
-  EOF
-  value       = module.irsa_external_deployments_operator
+  description = "External deployments operator details."
+  value       = module.external_deployments_operator
 }
diff --git a/examples/deploy/terraform/cluster/variables.tf b/examples/deploy/terraform/cluster/variables.tf
index e375a285..c2d4eb5b 100644
--- a/examples/deploy/terraform/cluster/variables.tf
+++ b/examples/deploy/terraform/cluster/variables.tf
@@ -118,13 +118,18 @@ variable "use_fips_endpoint" {
   default     = false
 }
 
-variable "irsa_external_deployments_operator" {
+variable "external_deployments_operator" {
   description = "Config to create IRSA role for the external deployments operator."
 
   type = object({
-    enabled              = optional(bool, false)
-    namespace            = optional(string, "domino-compute")
-    service_account_name = optional(string, "pham-juno-operator")
+    enabled                         = optional(bool, false)
+    namespace                       = optional(string, "domino-compute")
+    operator_service_account_name   = optional(string, "pham-juno-operator")
+    operator_role_suffix            = optional(string, "external-deployments-operator")
+    repository_suffix               = optional(string, "external-deployments")
+    bucket_suffix                   = optional(string, "external-deployments")
+    enable_assume_any_external_role = optional(bool, true)
+    enable_in_account_deployments   = optional(bool, true)
   })
 
   default = {}
diff --git a/examples/tfvars/external-deployments.tfvars b/examples/tfvars/external-deployments.tfvars
index 63991965..5981d16b 100644
--- a/examples/tfvars/external-deployments.tfvars
+++ b/examples/tfvars/external-deployments.tfvars
@@ -18,8 +18,8 @@ bastion = {
   enabled = true
 }
 
-irsa_external_deployments_operator = {
-  enabled              = "true",
-  namespace            = "domino-compute",
-  service_account_name = "test-operator-account"
+external_deployments_operator = {
+  enabled                       = true,
+  namespace                     = "domino-compute",
+  operator_service_account_name = "test-operator-account"
 }
diff --git a/modules/external-deployments/README.md b/modules/external-deployments/README.md
new file mode 100644
index 00000000..11981985
--- /dev/null
+++ b/modules/external-deployments/README.md
@@ -0,0 +1,51 @@
+# external-deployments
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.assume_any_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.decrypt_blobs_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.in_account_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.operator_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.operator_grant_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.self_sagemaker_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.service_account_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_eks_info"></a> [eks\_info](#input\_eks\_info) | cluster = {<br>      specs {<br>        name            = Cluster name.<br>        account\_id      = AWS account id where the cluster resides.<br>      }<br>      oidc = {<br>        arn = OIDC provider ARN.<br>        url = OIDC provider url.<br>        cert = {<br>          thumbprint\_list = OIDC cert thumbprints.<br>          url             = OIDC cert URL.<br>      }<br>    } | <pre>object({<br>    cluster = object({<br>      specs = object({<br>        name       = string<br>        account_id = string<br>      })<br>      oidc = object({<br>        arn = string<br>        url = string<br>        cert = object({<br>          thumbprint_list = list(string)<br>          url             = string<br>        })<br>      })<br>    })<br>  })</pre> | n/a | yes |
+| <a name="input_external_deployments"></a> [external\_deployments](#input\_external\_deployments) | Config to create IRSA role for the external deployments operator. | <pre>object({<br>    namespace                       = optional(string, "domino-compute")<br>    operator_service_account_name   = optional(string, "pham-juno-operator")<br>    operator_role_suffix            = optional(string, "external-deployments-operator")<br>    repository_suffix               = optional(string, "external-deployments")<br>    bucket_suffix                   = optional(string, "external-deployments")<br>    enable_assume_any_external_role = optional(bool, true)<br>    enable_in_account_deployments   = optional(bool, true)<br>  })</pre> | `{}` | no |
+| <a name="input_kms_info"></a> [kms\_info](#input\_kms\_info) | key\_id  = KMS key id.<br>    key\_arn = KMS key arn.<br>    enabled = KMS key is enabled | <pre>object({<br>    key_id  = string<br>    key_arn = string<br>    enabled = bool<br>  })</pre> | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_eks"></a> [eks](#output\_eks) | External deployments eks info |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/external-deployments/main.tf b/modules/external-deployments/main.tf
new file mode 100644
index 00000000..eba398fa
--- /dev/null
+++ b/modules/external-deployments/main.tf
@@ -0,0 +1,15 @@
+data "aws_partition" "current" {}
+
+locals {
+  deploy_id                  = var.eks_info.cluster.specs.name
+  oidc_provider_arn          = var.eks_info.cluster.oidc.arn
+  oidc_provider_url          = var.eks_info.cluster.oidc.cert.url
+  account_id                 = var.eks_info.cluster.specs.account_id
+  blobs_s3_bucket_arn        = "arn:${data.aws_partition.current.partition}:s3:::${local.deploy_id}-blobs"
+  environments_repository    = "${local.deploy_id}/environment"
+  repository                 = "${local.deploy_id}/${var.external_deployments.repository_suffix}"
+  bucket                     = "${local.deploy_id}-${var.external_deployments.bucket_suffix}"
+  operator_role              = "${local.deploy_id}-${var.external_deployments.operator_role_suffix}"
+  operator_role_needs_policy = var.external_deployments.enable_in_account_deployments || var.external_deployments.enable_assume_any_external_role
+  region                     = var.region
+}
diff --git a/modules/external-deployments/operator_role.tf b/modules/external-deployments/operator_role.tf
new file mode 100644
index 00000000..c3d53ea2
--- /dev/null
+++ b/modules/external-deployments/operator_role.tf
@@ -0,0 +1,64 @@
+data "aws_iam_policy_document" "service_account_assume_role" {
+  statement {
+    sid     = "ServiceAccountAssumeRole"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+    principals {
+      type        = "Federated"
+      identifiers = [local.oidc_provider_arn]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "${trimprefix(local.oidc_provider_url, "https://")}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "${trimprefix(local.oidc_provider_url, "https://")}:sub"
+      values = [
+        "system:serviceaccount:${var.external_deployments.namespace}:${var.external_deployments.operator_service_account_name}"
+      ]
+    }
+  }
+}
+data "aws_iam_policy_document" "self_sagemaker_assume_role" {
+  statement {
+    sid     = "SelfAssumeRole"
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:root"
+      ]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:PrincipalArn"
+      values = [
+        "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:role/${local.operator_role}"
+      ]
+    }
+  }
+  statement {
+    sid     = "SagemakerAssumeRole"
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["sagemaker.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "operator_assume_role_policy" {
+  source_policy_documents = concat(
+    [data.aws_iam_policy_document.service_account_assume_role.json],
+    var.external_deployments.enable_in_account_deployments ? [data.aws_iam_policy_document.self_sagemaker_assume_role.json] : []
+  )
+}
+
+resource "aws_iam_role" "operator" {
+  name               = local.operator_role
+  assume_role_policy = data.aws_iam_policy_document.operator_assume_role_policy.json
+}
diff --git a/modules/external-deployments/operator_role_policies.tf b/modules/external-deployments/operator_role_policies.tf
new file mode 100644
index 00000000..955f5d74
--- /dev/null
+++ b/modules/external-deployments/operator_role_policies.tf
@@ -0,0 +1,205 @@
+data "aws_iam_policy_document" "decrypt_blobs_kms" {
+  count = var.kms_info.enabled ? 1 : 0
+  statement {
+    sid       = "KmsDecryptDominoBlobs"
+    effect    = "Allow"
+    actions   = ["kms:Decrypt"]
+    resources = [var.kms_info.key_arn]
+  }
+}
+
+data "aws_iam_policy_document" "in_account_policies" {
+  source_policy_documents = var.kms_info.enabled ? [data.aws_iam_policy_document.decrypt_blobs_kms[0].json] : []
+  statement {
+    sid     = "StsAllowSelfAssumeRole"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:role/${local.operator_role}"
+    ]
+  }
+  statement {
+    sid    = "IamAllowPassRole"
+    effect = "Allow"
+    actions = [
+      "iam:GetRole",
+      "iam:PassRole",
+    ]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:role/${local.operator_role}"
+    ]
+  }
+  statement {
+    sid    = "EcrRegistrySpecificSagemakerEnvironments"
+    effect = "Allow"
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchDeleteImage",
+      "ecr:BatchGetImage",
+      "ecr:CreateRepository",
+      "ecr:CompleteLayerUpload",
+      "ecr:DescribeImages",
+      "ecr:DescribeRepositories",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:InitiateLayerUpload",
+      "ecr:PutImage",
+      "ecr:TagResource",
+      "ecr:UploadLayerPart",
+    ]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:ecr:${local.region}:${local.account_id}:repository/${local.repository}",
+      "arn:${data.aws_partition.current.partition}:ecr:${local.region}:${local.account_id}:repository/${local.repository}*"
+    ]
+  }
+  statement {
+    sid    = "EcrGlobalSagemakerEnvironments"
+    effect = "Allow"
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:DescribeRegistry"
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "S3AccessDominoBlobs"
+    effect = "Allow"
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket"
+    ]
+    resources = [
+      local.blobs_s3_bucket_arn,
+      "${local.blobs_s3_bucket_arn}/*"
+    ]
+  }
+  statement {
+    sid       = "MetricsForSagemaker"
+    effect    = "Allow"
+    actions   = ["cloudwatch:PutMetricData"]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "LogsForSagemaker"
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogStreams",
+      "logs:GetLogEvents",
+      "logs:FilterLogEvents"
+    ]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:logs:${local.region}:${local.account_id}:log-group:/aws/sagemaker/*"
+    ]
+  }
+  statement {
+    sid    = "SagemakerManageResources"
+    effect = "Allow"
+    actions = [
+      "sagemaker:AddTags",
+      "sagemaker:CreateEndpoint",
+      "sagemaker:CreateEndpointConfig",
+      "sagemaker:CreateModel",
+      "sagemaker:DeleteEndpoint",
+      "sagemaker:DeleteEndpointConfig",
+      "sagemaker:DeleteModel",
+      "sagemaker:DescribeEndpoint",
+      "sagemaker:DescribeEndpointConfig",
+      "sagemaker:DescribeModel",
+      "sagemaker:InvokeEndpoint",
+      "sagemaker:UpdateEndpointWeightsAndCapacities"
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "AutoscalingForSagemaker"
+    effect = "Allow"
+    actions = [
+      "application-autoscaling:DeleteScalingPolicy",
+      "application-autoscaling:DeregisterScalableTarget",
+      "application-autoscaling:DescribeScalableTargets",
+      "application-autoscaling:DescribeScalingActivities",
+      "application-autoscaling:DescribeScalingPolicies",
+      "application-autoscaling:PutScalingPolicy",
+      "application-autoscaling:RegisterScalableTarget",
+      "application-autoscaling:TagResource"
+    ]
+    resources = ["*"]
+  }
+  statement {
+    sid    = "CloudwatchForAutoscaling"
+    effect = "Allow"
+    actions = [
+      "cloudwatch:PutMetricAlarm",
+      "cloudwatch:DeleteAlarms",
+      "cloudwatch:DescribeAlarms"
+    ]
+    resources = [
+      "*"
+    ]
+  }
+  statement {
+    sid    = "IamAllowCreateServiceLinkedRole"
+    effect = "Allow"
+    actions = [
+      "iam:CreateServiceLinkedRole"
+    ]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:role/aws-service-role/sagemaker.application-autoscaling.amazonaws.com/*"
+    ]
+    condition {
+      test     = "StringLike"
+      variable = "iam:AWSServiceName"
+      values = [
+        "sagemaker.application-autoscaling.amazonaws.com"
+      ]
+    }
+  }
+  statement {
+    sid    = "EcrRegistryReadDominoEnvironments"
+    effect = "Allow"
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer",
+    ]
+    resources = [
+      "arn:${data.aws_partition.current.partition}:ecr:${local.region}:${local.account_id}:repository/${local.environments_repository}",
+      "arn:${data.aws_partition.current.partition}:ecr:${local.region}:${local.account_id}:repository/${local.environments_repository}*"
+    ]
+  }
+}
+
+data "aws_iam_policy_document" "assume_any_role" {
+  statement {
+    sid       = "StsAllowOtherAccountsAssumeRole"
+    effect    = "Allow"
+    actions   = ["sts:AssumeRole"]
+    resources = ["*"]
+    condition {
+      test     = "StringNotLike"
+      variable = "aws:ResourceAccount"
+      values   = [local.account_id]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "operator_grant_policy" {
+  source_policy_documents = concat(
+    var.external_deployments.enable_in_account_deployments ? [data.aws_iam_policy_document.in_account_policies.json] : [],
+    var.external_deployments.enable_assume_any_external_role ? [data.aws_iam_policy_document.assume_any_role.json] : []
+  )
+}
+
+resource "aws_iam_policy" "operator" {
+  count  = local.operator_role_needs_policy ? 1 : 0
+  name   = "${local.deploy_id}-external-deployments-operator"
+  policy = data.aws_iam_policy_document.operator_grant_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "operator" {
+  count      = local.operator_role_needs_policy ? 1 : 0
+  role       = aws_iam_role.operator.name
+  policy_arn = aws_iam_policy.operator[0].arn
+}
diff --git a/modules/external-deployments/outputs.tf b/modules/external-deployments/outputs.tf
new file mode 100644
index 00000000..60449b3d
--- /dev/null
+++ b/modules/external-deployments/outputs.tf
@@ -0,0 +1,11 @@
+output "eks" {
+  description = "External deployments eks info"
+  value = {
+    operator_role_arn             = aws_iam_role.operator.arn
+    operator_service_account_name = var.external_deployments.operator_service_account_name
+    repository                    = local.repository
+    bucket                        = local.bucket
+    can_assume_any_external_role  = var.external_deployments.enable_assume_any_external_role
+    can_deploy_in_account         = var.external_deployments.enable_in_account_deployments
+  }
+}
diff --git a/modules/external-deployments/variables.tf b/modules/external-deployments/variables.tf
new file mode 100644
index 00000000..8e47048b
--- /dev/null
+++ b/modules/external-deployments/variables.tf
@@ -0,0 +1,72 @@
+variable "external_deployments" {
+  description = "Config to create IRSA role for the external deployments operator."
+
+  type = object({
+    namespace                       = optional(string, "domino-compute")
+    operator_service_account_name   = optional(string, "pham-juno-operator")
+    operator_role_suffix            = optional(string, "external-deployments-operator")
+    repository_suffix               = optional(string, "external-deployments")
+    bucket_suffix                   = optional(string, "external-deployments")
+    enable_assume_any_external_role = optional(bool, true)
+    enable_in_account_deployments   = optional(bool, true)
+  })
+
+  default = {}
+}
+
+variable "eks_info" {
+  description = <<EOF
+    cluster = {
+      specs {
+        name            = Cluster name.
+        account_id      = AWS account id where the cluster resides.
+      }
+      oidc = {
+        arn = OIDC provider ARN.
+        url = OIDC provider url.
+        cert = {
+          thumbprint_list = OIDC cert thumbprints.
+          url             = OIDC cert URL.
+      }
+    }
+  EOF
+  type = object({
+    cluster = object({
+      specs = object({
+        name       = string
+        account_id = string
+      })
+      oidc = object({
+        arn = string
+        url = string
+        cert = object({
+          thumbprint_list = list(string)
+          url             = string
+        })
+      })
+    })
+  })
+}
+
+variable "kms_info" {
+  description = <<EOF
+    key_id  = KMS key id.
+    key_arn = KMS key arn.
+    enabled = KMS key is enabled
+  EOF
+  type = object({
+    key_id  = string
+    key_arn = string
+    enabled = bool
+  })
+}
+
+variable "region" {
+  type        = string
+  description = "AWS region for the deployment"
+  nullable    = false
+  validation {
+    condition     = can(regex("(us(-gov)?|ap|ca|cn|eu|sa|me|af|il)-(central|(north|south)?(east|west)?)-[0-9]", var.region))
+    error_message = "The provided region must follow the format of AWS region names, e.g., us-west-2, us-gov-west-1."
+  }
+}
diff --git a/modules/external-deployments/versions.tf b/modules/external-deployments/versions.tf
new file mode 100644
index 00000000..50fd4e1c
--- /dev/null
+++ b/modules/external-deployments/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
diff --git a/modules/irsa/README.md b/modules/irsa/README.md
index 2c911db5..6615d58d 100644
--- a/modules/irsa/README.md
+++ b/modules/irsa/README.md
@@ -33,7 +33,6 @@ No modules.
 | [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.trident_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_role.external_deployments_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.trident_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -53,7 +52,6 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_irsa_configs"></a> [additional\_irsa\_configs](#input\_additional\_irsa\_configs) | Input for additional irsa configurations | <pre>list(object({<br>    name                = string<br>    namespace           = string<br>    serviceaccount_name = string<br>    policy              = string #json<br>  }))</pre> | `[]` | no |
 | <a name="input_eks_info"></a> [eks\_info](#input\_eks\_info) | cluster = {<br>      specs {<br>        name            = Cluster name.<br>        account\_id      = AWS account id where the cluster resides.<br>      }<br>      oidc = {<br>        arn = OIDC provider ARN.<br>        url = OIDC provider url.<br>        cert = {<br>          thumbprint\_list = OIDC cert thumbprints.<br>          url             = OIDC cert URL.<br>      }<br>    } | <pre>object({<br>    nodes = object({<br>      roles = list(object({<br>        arn  = string<br>        name = string<br>      }))<br>    })<br>    cluster = object({<br>      specs = object({<br>        name       = string<br>        account_id = string<br>      })<br>      oidc = object({<br>        arn = string<br>        url = string<br>        cert = object({<br>          thumbprint_list = list(string)<br>          url             = string<br>        })<br>      })<br>    })<br>  })</pre> | n/a | yes |
-| <a name="input_external_deployments_operator"></a> [external\_deployments\_operator](#input\_external\_deployments\_operator) | Config to create IRSA role for the external deployments operator. | <pre>object({<br>    enabled              = optional(bool, false)<br>    namespace            = optional(string, "domino-compute")<br>    service_account_name = optional(string, "pham-juno-operator")<br>  })</pre> | `{}` | no |
 | <a name="input_external_dns"></a> [external\_dns](#input\_external\_dns) | Config to enable irsa for external-dns | <pre>object({<br>    enabled             = optional(bool, false)<br>    hosted_zone_name    = optional(string, null)<br>    hosted_zone_private = optional(string, false)<br>    namespace           = optional(string, "domino-platform")<br>    serviceaccount_name = optional(string, "external-dns")<br>    rm_role_policy = optional(object({<br>      remove           = optional(bool, false)<br>      detach_from_role = optional(bool, false)<br>      policy_name      = optional(string, "")<br>    }), {})<br>  })</pre> | `{}` | no |
 | <a name="input_netapp_trident_operator"></a> [netapp\_trident\_operator](#input\_netapp\_trident\_operator) | Config to create IRSA role for the netapp-trident-operator. | <pre>object({<br>    enabled             = optional(bool, false)<br>    namespace           = optional(string, "trident")<br>    serviceaccount_name = optional(string, "trident-controller")<br>    region              = optional(string)<br>  })</pre> | `{}` | no |
 | <a name="input_use_cluster_odc_idp"></a> [use\_cluster\_odc\_idp](#input\_use\_cluster\_odc\_idp) | Toogle to uset the oidc idp connector in the trust policy.<br>    Set to `true` if the cluster and the hosted zone are in different aws accounts.<br>    `rm_role_policy` used to facilitiate the cleanup if a node attached policy was used previously. | `bool` | `true` | no |
@@ -63,7 +61,6 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_external_deployments_operator"></a> [external\_deployments\_operator](#output\_external\_deployments\_operator) | External deployments operator role info |
 | <a name="output_external_dns"></a> [external\_dns](#output\_external\_dns) | External\_dns info |
 | <a name="output_netapp_trident_operator"></a> [netapp\_trident\_operator](#output\_netapp\_trident\_operator) | NetApp Astra Trident NETAPP Operator role info |
 | <a name="output_roles"></a> [roles](#output\_roles) | Roles mapping info |
diff --git a/modules/irsa/external-deployments-operator.tf b/modules/irsa/external-deployments-operator.tf
deleted file mode 100644
index 493e135a..00000000
--- a/modules/irsa/external-deployments-operator.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-resource "aws_iam_role" "external_deployments_operator" {
-  count = var.external_deployments_operator.enabled ? 1 : 0
-
-  name = "${local.name_prefix}-external-deployments-operator"
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRoleWithWebIdentity"
-        Effect = "Allow"
-        Principal = {
-          Federated = local.oidc_provider_arn
-        }
-        Condition : {
-          StringEquals : {
-            "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
-            "${trimprefix(local.oidc_provider_url, "https://")}:sub" : "system:serviceaccount:${var.external_deployments_operator.namespace}:${var.external_deployments_operator.service_account_name}"
-          }
-        }
-      },
-    ]
-  })
-}
diff --git a/modules/irsa/outputs.tf b/modules/irsa/outputs.tf
index f3edc24e..d4954572 100644
--- a/modules/irsa/outputs.tf
+++ b/modules/irsa/outputs.tf
@@ -19,11 +19,3 @@ output "netapp_trident_operator" {
     irsa_role = aws_iam_role.trident_operator[0].arn
   } : null
 }
-
-output "external_deployments_operator" {
-  description = "External deployments operator role info"
-  value = var.external_deployments_operator.enabled ? {
-    irsa_role            = aws_iam_role.external_deployments_operator[0].arn
-    service_account_name = var.external_deployments_operator.service_account_name
-  } : null
-}
diff --git a/modules/irsa/variables.tf b/modules/irsa/variables.tf
index d8852122..a0be1022 100644
--- a/modules/irsa/variables.tf
+++ b/modules/irsa/variables.tf
@@ -107,14 +107,3 @@ variable "netapp_trident_operator" {
 
   default = {}
 }
-variable "external_deployments_operator" {
-  description = "Config to create IRSA role for the external deployments operator."
-
-  type = object({
-    enabled              = optional(bool, false)
-    namespace            = optional(string, "domino-compute")
-    service_account_name = optional(string, "pham-juno-operator")
-  })
-
-  default = {}
-}
diff --git a/tests/deploy/ci-deploy.sh b/tests/deploy/ci-deploy.sh
index 2b459327..887acc44 100755
--- a/tests/deploy/ci-deploy.sh
+++ b/tests/deploy/ci-deploy.sh
@@ -16,7 +16,7 @@ fi
 # remote module vars
 BASE_REMOTE_SRC="github.com/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}.git"
 BASE_REMOTE_MOD_SRC="${BASE_REMOTE_SRC}//modules"
-LATEST_REL_TAG="$(curl -sSfL -H "X-GitHub-Api-Version: 2022-11-28" -H "Accept: application/vnd.github+json" https://api.github.com/repos/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}/releases/latest | jq -r '.tag_name')"
+LATEST_REL_TAG="$(curl -sSfL -H "X-GitHub-Api-Version: 2022-11-28" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}/releases/latest" | jq -r '.tag_name')"
 
 deploy() {
   component=${1:-all}
@@ -62,6 +62,10 @@ setup_modules_latest_rel() {
   setup_module "$DEPLOY_DIR" "$LATEST_REL_TAG"
 }
 
+setup_modules_upgrade() {
+  rsync -ra --exclude '.terraform*' ../../examples/deploy/ "$DEPLOY_DIR"
+}
+
 install_helm() {
   if [ -z "$HELM_VERSION" ]; then
     echo "HELM_VERSION environment variable not set, exiting."
diff --git a/tests/deploy/cluster-ci.tfvars.tftpl b/tests/deploy/cluster-ci.tfvars.tftpl
index fc0e5ef4..ac42ffc2 100644
--- a/tests/deploy/cluster-ci.tfvars.tftpl
+++ b/tests/deploy/cluster-ci.tfvars.tftpl
@@ -3,7 +3,7 @@ irsa_external_dns = {
   hosted_zone_name = "deploys-delta.domino.tech"
 }
 
-irsa_external_deployments_operator = {
+external_deployments_operator = {
   enabled = true
   namespace = "domino-compute"
   service_account_name = "test-operator-account"
diff --git a/tests/deploy/meta.sh b/tests/deploy/meta.sh
index e54a95e2..ff6caf98 100644
--- a/tests/deploy/meta.sh
+++ b/tests/deploy/meta.sh
@@ -12,13 +12,13 @@ NODES_VARS_TPL="${SH_DIR}/nodes-ci.tfvars.tftpl"
 
 declare -A COMP_MODS
 COMP_MODS["infra"]="infra"
-COMP_MODS["cluster"]="eks irsa_external_dns irsa_policies irsa_external_deployments_operator"
+COMP_MODS["cluster"]="eks irsa_external_dns irsa_policies external_deployments_operator"
 COMP_MODS["nodes"]="nodes"
 
 declare -A MOD_ADD
 MOD_ADD["irsa_external_dns"]="irsa"
 MOD_ADD["irsa_policies"]="irsa"
-MOD_ADD["irsa_external_deployments_operator"]="irsa"
+MOD_ADD["external_deployments_operator"]="external_deployments_operator"
 
 export SH_DIR \
   CI_DEPLOY \
diff --git a/tests/plan/terraform/README.md b/tests/plan/terraform/README.md
index c52c13cc..35531cd5 100644
--- a/tests/plan/terraform/README.md
+++ b/tests/plan/terraform/README.md
@@ -8,21 +8,21 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.4.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | <5.67.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | <5.67.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_eks"></a> [eks](#module\_eks) | ./../../../modules/eks | n/a |
+| <a name="module_external_deployments_operator"></a> [external\_deployments\_operator](#module\_external\_deployments\_operator) | ./../../../modules/external-deployments | n/a |
 | <a name="module_infra"></a> [infra](#module\_infra) | ./../../../modules/infra/ | n/a |
-| <a name="module_irsa_external_deployments_operator"></a> [irsa\_external\_deployments\_operator](#module\_irsa\_external\_deployments\_operator) | ./../../../modules/irsa | n/a |
 | <a name="module_irsa_external_dns"></a> [irsa\_external\_dns](#module\_irsa\_external\_dns) | ./../../../modules/irsa | n/a |
 | <a name="module_irsa_policies"></a> [irsa\_policies](#module\_irsa\_policies) | ./../../../modules/irsa | n/a |
 | <a name="module_nodes"></a> [nodes](#module\_nodes) | ./../../../modules/nodes | n/a |
@@ -45,8 +45,8 @@
 | <a name="input_domino_cur"></a> [domino\_cur](#input\_domino\_cur) | Determines whether to provision domino cost related infrastructures, ie, long term storage | <pre>object({<br>    provision_cost_usage_report = optional(bool, false)<br>  })</pre> | `{}` | no |
 | <a name="input_eks"></a> [eks](#input\_eks) | k8s\_version = EKS cluster k8s version.<br>    nodes\_master  Grants the nodes role system:master access. NOT recomended<br>    kubeconfig = {<br>      extra\_args = Optional extra args when generating kubeconfig.<br>      path       = Fully qualified path name to write the kubeconfig file.<br>    }<br>    public\_access = {<br>      enabled = Enable EKS API public endpoint.<br>      cidrs   = List of CIDR ranges permitted for accessing the EKS public endpoint.<br>    }<br>    Custom role maps for aws auth configmap<br>    custom\_role\_maps = {<br>      rolearn  = string<br>      username = string<br>      groups   = list(string)<br>    }<br>    master\_role\_names  = IAM role names to be added as masters in eks.<br>    cluster\_addons     = EKS cluster addons. vpc-cni is installed separately.<br>    vpc\_cni            = Configuration for AWS VPC CNI<br>    ssm\_log\_group\_name = CloudWatch log group to send the SSM session logs to.<br>    identity\_providers = Configuration for IDP(Identity Provider).<br>  } | <pre>object({<br>    k8s_version  = optional(string, "1.27")<br>    nodes_master = optional(bool, false)<br>    kubeconfig = optional(object({<br>      extra_args = optional(string, "")<br>      path       = optional(string, null)<br>    }), {})<br>    public_access = optional(object({<br>      enabled = optional(bool, false)<br>      cidrs   = optional(list(string), [])<br>    }), {})<br>    custom_role_maps = optional(list(object({<br>      rolearn  = string<br>      username = string<br>      groups   = list(string)<br>    })), [])<br>    master_role_names  = optional(list(string), [])<br>    cluster_addons     = optional(list(string), ["kube-proxy", "coredns"])<br>    ssm_log_group_name = optional(string, "session-manager")<br>    vpc_cni = optional(object({<br>      prefix_delegation = optional(bool)<br>      annotate_pod_ip   = optional(bool)<br>    }))<br>    identity_providers = optional(list(object({<br>      client_id                     = string<br>      groups_claim                  = optional(string, null)<br>      groups_prefix                 = optional(string, null)<br>      identity_provider_config_name = string<br>      issuer_url                    = optional(string, null)<br>      required_claims               = optional(string, null)<br>      username_claim                = optional(string, null)<br>      username_prefix               = optional(string, null)<br>    })), [])<br>  })</pre> | `{}` | no |
 | <a name="input_enable_private_link"></a> [enable\_private\_link](#input\_enable\_private\_link) | Enable Private Link connections | `bool` | `false` | no |
+| <a name="input_external_deployments_operator"></a> [external\_deployments\_operator](#input\_external\_deployments\_operator) | Config to create IRSA role for the external deployments operator. | <pre>object({<br>    enabled                         = optional(bool, false)<br>    namespace                       = optional(string, "domino-compute")<br>    operator_service_account_name   = optional(string, "pham-juno-operator")<br>    operator_role_suffix            = optional(string, "external-deployments-operator")<br>    repository_suffix               = optional(string, "external-deployments")<br>    bucket_suffix                   = optional(string, "external-deployments")<br>    enable_assume_any_external_role = optional(bool, true)<br>    enable_in_account_deployments   = optional(bool, true)<br>  })</pre> | `{}` | no |
 | <a name="input_ignore_tags"></a> [ignore\_tags](#input\_ignore\_tags) | Tag keys to be ignored by the aws provider. | `list(string)` | `[]` | no |
-| <a name="input_irsa_external_deployments_operator"></a> [irsa\_external\_deployments\_operator](#input\_irsa\_external\_deployments\_operator) | Config to create IRSA role for the external deployments operator. | <pre>object({<br>    enabled              = optional(bool, false)<br>    namespace            = optional(string, "domino-compute")<br>    service_account_name = optional(string, "pham-juno-operator")<br>  })</pre> | `{}` | no |
 | <a name="input_kms"></a> [kms](#input\_kms) | enabled = Toggle,if set use either the specified KMS key\_id or a Domino-generated one.<br>    key\_id  = optional(string, null)<br>    additional\_policies = "Allows setting additional KMS key policies when using a Domino-generated key" | <pre>object({<br>    enabled             = optional(bool, true)<br>    key_id              = optional(string, null)<br>    additional_policies = optional(list(string), [])<br>  })</pre> | `{}` | no |
 | <a name="input_network"></a> [network](#input\_network) | vpc = {<br>      id = Existing vpc id, it will bypass creation by this module.<br>      subnets = {<br>        private = Existing private subnets.<br>        public  = Existing public subnets.<br>        pod     = Existing pod subnets.<br>      }), {})<br>    }), {})<br>    network\_bits = {<br>      public  = Number of network bits to allocate to the public subnet. i.e /27 -> 32 IPs.<br>      private = Number of network bits to allocate to the private subnet. i.e /19 -> 8,192 IPs.<br>      pod     = Number of network bits to allocate to the private subnet. i.e /19 -> 8,192 IPs.<br>    }<br>    cidrs = {<br>      vpc     = The IPv4 CIDR block for the VPC.<br>      pod     = The IPv4 CIDR block for the Pod subnets.<br>    }<br>    use\_pod\_cidr = Use additional pod CIDR range (ie 100.64.0.0/16) for pod networking. | <pre>object({<br>    vpc = optional(object({<br>      id = optional(string, null)<br>      subnets = optional(object({<br>        private = optional(list(string), [])<br>        public  = optional(list(string), [])<br>        pod     = optional(list(string), [])<br>      }), {})<br>    }), {})<br>    network_bits = optional(object({<br>      public  = optional(number, 27)<br>      private = optional(number, 19)<br>      pod     = optional(number, 19)<br>      }<br>    ), {})<br>    cidrs = optional(object({<br>      vpc = optional(string, "10.0.0.0/16")<br>      pod = optional(string, "100.64.0.0/16")<br>    }), {})<br>    use_pod_cidr = optional(bool, true)<br>  })</pre> | `{}` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
diff --git a/tests/plan/terraform/main.tf b/tests/plan/terraform/main.tf
index 388fcc4e..e5092974 100644
--- a/tests/plan/terraform/main.tf
+++ b/tests/plan/terraform/main.tf
@@ -71,11 +71,14 @@ module "irsa_policies" {
   use_fips_endpoint = var.use_fips_endpoint
 }
 
-module "irsa_external_deployments_operator" {
-  source                        = "./../../../modules/irsa"
-  eks_info                      = module.eks.info
-  external_deployments_operator = var.irsa_external_deployments_operator
-  use_fips_endpoint             = var.use_fips_endpoint
+module "external_deployments_operator" {
+  count = var.external_deployments_operator.enabled ? 1 : 0
+
+  source               = "./../../../modules/external-deployments"
+  eks_info             = module.eks.info
+  kms_info             = module.infra.kms
+  region               = module.infra.region
+  external_deployments = var.external_deployments_operator
 }
 
 module "nodes" {
diff --git a/tests/plan/terraform/variables.tf b/tests/plan/terraform/variables.tf
index 489ee938..cdec672c 100644
--- a/tests/plan/terraform/variables.tf
+++ b/tests/plan/terraform/variables.tf
@@ -483,13 +483,18 @@ variable "use_fips_endpoint" {
   default     = false
 }
 
-variable "irsa_external_deployments_operator" {
+variable "external_deployments_operator" {
   description = "Config to create IRSA role for the external deployments operator."
 
   type = object({
-    enabled              = optional(bool, false)
-    namespace            = optional(string, "domino-compute")
-    service_account_name = optional(string, "pham-juno-operator")
+    enabled                         = optional(bool, false)
+    namespace                       = optional(string, "domino-compute")
+    operator_service_account_name   = optional(string, "pham-juno-operator")
+    operator_role_suffix            = optional(string, "external-deployments-operator")
+    repository_suffix               = optional(string, "external-deployments")
+    bucket_suffix                   = optional(string, "external-deployments")
+    enable_assume_any_external_role = optional(bool, true)
+    enable_in_account_deployments   = optional(bool, true)
   })
 
   default = {}
diff --git a/tests/plan/terraform/versions.tf b/tests/plan/terraform/versions.tf
index df931ef0..3417fb61 100644
--- a/tests/plan/terraform/versions.tf
+++ b/tests/plan/terraform/versions.tf
@@ -11,8 +11,9 @@ terraform {
   required_version = ">= 1.4.0"
   required_providers {
     aws = {
-      source  = "hashicorp/aws"
-      version = "~> 5.0"
+      source = "hashicorp/aws"
+      # pinned until https://github.com/hashicorp/terraform-provider-aws/pull/39328 is released
+      version = "<5.67.0"
     }
   }
 }