diff --git a/.gitignore b/.gitignore
index 19dfb91..72ef14d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,16 @@ terraform.rc
 
 # Other
 .DS_Store
+todo.md
+
+# Ignore vim swap files 
+*.swp 
+*.swo 
+
+# Irgnore meld diff files 
+*.orig 
+*.backup 
+*.rej 
+
+# Ignore values files
+*.tfvars
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
index 8fa328a..0c044ad 100644
--- a/.terraform-docs.yml
+++ b/.terraform-docs.yml
@@ -1,67 +1,28 @@
-content: |-
-  <!-- markdownlint-disable -->
-  <a href="https://www.appvia.io/"><img src="./appvia_banner.jpg" alt="Appvia Banner"/></a><br/><p align="right"> <a href="https://registry.terraform.io/modules/appvia/wayfinder/azurerm/latest"><img src="https://img.shields.io/static/v1?label=APPVIA&message=Terraform%20Registry&color=191970&style=for-the-badge" alt="Terraform Registry"/></a> <a href="https://github.com/appvia/terraform-azurerm-wayfinder/releases/latest"><img src="https://img.shields.io/github/release/appvia/terraform-azurerm-wayfinder.svg?style=for-the-badge&color=006400" alt="Latest Release"/></a> <a href="https://appvia-community.slack.com/join/shared_invite/zt-1s7i7xy85-T155drryqU56emm09ojMVA#/shared-invite/email"><img src="https://img.shields.io/badge/Slack-Join%20Community-purple?style=for-the-badge&logo=slack" alt="Slack Community"/></a> <a href="https://github.com/appvia/terraform-azurerm-wayfinder/graphs/contributors"><img src="https://img.shields.io/github/contributors/appvia/terraform-azurerm-wayfinder.svg?style=for-the-badge&color=FF8C00" alt="Contributors"/></a> </p>
-  <!-- markdownlint-restore -->
-  <!--
-    ***** CAUTION: DO NOT EDIT ABOVE THIS LINE ******
-  -->
-  ## Description
-
-  The "terraform-azurerm-wayfinder" Terraform Module can be used to provision and manage a licensed edition of [Appvia Wayfinder](https://www.appvia.io/wayfinder) on Azure.
-
-  ## Requirements
-
-  To run this module, you will need the following:
-  1. Product Licence Key & Instance ID. Request a free licence key from the [Appvia Portal](https://portal.appvia.io/trial?utm_source=terraform-azurerm-wayfinder).
-  2. (Optional) IDP App configuration details: Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID) for setup. This does not need to be defined initially within Terraform, and can also be setup within the product. Wayfinder can provision a `localadmin` user for initial access if no IDP details are provided.
-  3. A public Azure DNS Zone: This module will create DNS records for the Wayfinder API and UI endpoints, and performs a DNS01 challenge via the LetsEncrypt Issuer for valid domain certificates.
-  4. Existing Virtual Network and Subnet: This module will deploy an AKS Cluster and so requires an existing vnet with outbound internet connectivity.
-
-  ## Deployment
-
-  Please see the [examples](./examples) directory to see how to deploy this module. To get up and running quickly with minimal pre-requisites, use the [quickstart](./examples/quickstart) example.
-
-  ### (Optional) Connecting to an Identity Provider
-
-  Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID).
-
-  This configuration is optional within Terraform, and can also be setup within the product. Please view the documentation for more information: https://docs.appvia.io/wayfinder/admin/auth
-
-  The Authorized Redirect URI for the IDP Application should be set to: `https://${wayfinder_domain_name_api}/oauth/callback`
-
-  **Note:** If you are using Azure Active Directory, you must:
-  1. Set `azureTenantId` to your Azure Tenant ID (`serverUrl` is not required)
-  2. Set the IDP type to `aad`
-
-  #### Example: Generic IDP Configuration
-
-  ```hcl
-  wayfinder_idp_details = {
-    {{ "  " }}type         = "generic"
-    {{ "  " }}clientId     = "IDP-APP-CLIENT-ID"
-    {{ "  " }}clientSecret = "IDP-APP-CLIENT-SECRET"
-    {{ "  " }}serverUrl    = "https://example.okta.com" # Or "https://example.auth0.com/"
-  }
-  ```
-
-  #### Example: Azure AD IDP Configuration
-
-  ```hcl
-  wayfinder_idp_details = {
-    {{ "  " }}type          = "aad"
-    {{ "  " }}clientId      = "IDP-APP-CLIENT-ID"
-    {{ "  " }}clientSecret  = "IDP-APP-CLIENT-SECRET"
-    {{ "  " }}azureTenantId = "12345678-1234-1234-1234-123456789012"
-  }
-  ```
-
-  ## Updating Docs
-
-  The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
-  1. Make changes to the `.terraform-docs.yml` file
-  2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
-  3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
-
-  {{ .Inputs }}
-
-  {{ .Outputs }}
+#header-from: .header.md
+settings:
+  anchor: true
+  color: true
+  default: true
+  escape: true
+  html: true
+  indent: 2
+  required: true
+  sensitive: true
+  type: true
+  lockfile: false
+
+formatter: "markdown table"
+
+output:
+  file: README.md
+  mode: inject
+
+sections:
+  show:
+    - providers
+    - inputs
+    - outputs
+
+sort:
+  enabled: true
+  by: required
diff --git a/.tflint.hcl b/.tflint.hcl
new file mode 100644
index 0000000..ea9c639
--- /dev/null
+++ b/.tflint.hcl
@@ -0,0 +1,69 @@
+plugin "aws" {
+  enabled = true
+  version = "0.34.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+plugin "terraform" {
+  enabled = true
+  version = "0.9.1"
+  source  = "github.com/terraform-linters/tflint-ruleset-terraform"
+}
+
+config {
+  call_module_type = "local"
+  force            = false
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+  format  = "snake_case"
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_module_pinned_source" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}
+
+rule "terraform_workspace_remote" {
+  enabled = true
+}
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..833ddb2
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,128 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+- Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+- The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+support@appvia.io.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.
diff --git a/Makefile b/Makefile
index afa8f2e..2045b2f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,4 @@
 #
-# Copyright (C) 2024  Appvia Ltd <info@appvia.io>
-#  
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
@@ -14,15 +12,14 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
-AUTHOR_EMAIL=info@appvia.io
-
-.PHONY: all security lint format documentation documentation-examples validate-all validate validate-examples init
+.PHONY: all security lint format documentation documentation-examples validate-all validate validate-examples init examples tests
 
 default: all
 
 all: 
 	$(MAKE) init
 	$(MAKE) validate
+	$(MAKE) tests
 	$(MAKE) lint
 	$(MAKE) security
 	$(MAKE) format
@@ -30,6 +27,7 @@ all:
 
 examples:
 	$(MAKE) validate-examples
+	$(MAKE) tests
 	$(MAKE) lint-examples
 	$(MAKE) lint
 	$(MAKE) security
@@ -38,19 +36,36 @@ examples:
 
 documentation: 
 	@echo "--> Generating documentation"
-	@terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .
+	@terraform-docs .
 	$(MAKE) documentation-modules
 	$(MAKE) documentation-examples
 
 documentation-modules:
 	@echo "--> Generating documentation for modules"
-	@if [ -d modules ]; then \
-		find modules -type d -mindepth 1 -maxdepth 1 -exec terraform-docs markdown table --output-file README.md --output-mode inject {} \; ; \
-	fi
+	@find . -type d -regex '.*/modules/[a-za-z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+		echo "--> Generating documentation for module: $$dir"; \
+		terraform-docs $$dir; \
+	done;
 
 documentation-examples:
-	@echo "--> Generating documentation examples"
-	@find examples -type d -mindepth 1 -maxdepth 1 -exec terraform-docs markdown table --output-file README.md --output-mode inject {} \;
+	@echo "--> Generating documentation for examples"
+	@find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null| while read -r dir; do \
+		echo "--> Generating documentation for example: $$dir"; \
+		terraform-docs $$dir; \
+	done;
+
+upgrade-terraform-providers:
+	@printf "%s Upgrading Terraform providers for %-24s" "-->" "."
+	@terraform init -upgrade >/dev/null && echo "[OK]" || echo "[FAILED]"
+	@$(MAKE) upgrade-terraform-example-providers
+
+upgrade-terraform-example-providers:
+	@if [ -d examples ]; then \
+		find examples -type d -mindepth 1 -maxdepth 1 2>/dev/null | while read -r dir; do \
+			printf "%s Upgrading Terraform providers for %-24s" "-->" "$$dir"; \
+			terraform -chdir=$$dir init -upgrade >/dev/null && echo "[OK]" || echo "[FAILED]"; \
+		done; \
+	fi
 
 init: 
 	@echo "--> Running terraform init"
@@ -58,27 +73,27 @@ init:
 
 security: 
 	@echo "--> Running Security checks"
-	@tfsec .
+	@trivy config .
 	$(MAKE) security-modules
 	$(MAKE) security-examples
 
 security-modules:
 	@echo "--> Running Security checks on modules"
-	@if [ -d modules ]; then \
-		find modules -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
-			echo "--> Validating $$dir"; \
-			tfsec $$dir; \
-		done; \
-	fi
+	@find . -type d -regex '.*/modules/[a-zA-Z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+		echo "--> Validating $$dir"; \
+		trivy config  --format table --exit-code  1 --severity  CRITICAL,HIGH --ignorefile .trivyignore $$dir; \
+	done; 
 
 security-examples:
 	@echo "--> Running Security checks on examples"
-	@if [ -d examples ]; then \
-		find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
-			echo "--> Validating $$dir"; \
-			tfsec $$dir; \
-		done; \
-	fi
+	@find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+		echo "--> Validating $$dir"; \
+		trivy config  --format table --exit-code  1 --severity  CRITICAL,HIGH --ignorefile .trivyignore $$dir; \
+	done;
+
+tests: 
+	@echo "--> Running Terraform Tests" 
+	@terraform test
 
 validate:
 	@echo "--> Running terraform validate"
@@ -86,26 +101,28 @@ validate:
 	@terraform validate
 	$(MAKE) validate-modules
 	$(MAKE) validate-examples
+	$(MAKE) validate-commits
 
 validate-modules:
 	@echo "--> Running terraform validate on modules"
-	@if [ -d modules ]; then \
-		find modules -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
-			echo "--> Validating $$dir"; \
-			terraform -chdir=$$dir init -backend=false; \
-			terraform -chdir=$$dir validate; \
-		done; \
-	fi
+	@find . -type d -regex '.*/modules/[a-zA-Z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+		echo "--> Validating Module $$dir"; \
+		terraform -chdir=$$dir init -backend=false; \
+		terraform -chdir=$$dir validate; \
+	done;
 
 validate-examples:
 	@echo "--> Running terraform validate on examples"
-	@if [ -d examples ]; then \
-		find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
-			echo "--> Validating $$dir"; \
-			terraform -chdir=$$dir init -backend=false; \
-			terraform -chdir=$$dir validate; \
-		done; \
-	fi
+	@find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+		echo "--> Validating $$dir"; \
+		terraform -chdir=$$dir init -backend=false; \
+		terraform -chdir=$$dir validate; \
+	done; 
+
+validate-commits:
+	@echo "--> Running commitlint against the main branch"
+	@command -v commitlint >/dev/null 2>&1 || { echo "commitlint is not installed. Please install it by running 'npm install -g commitlint'"; exit 1; }
+	@git log --pretty=format:"%s" origin/main..HEAD | commitlint --from=origin/main
 
 lint:
 	@echo "--> Running tflint"
@@ -116,23 +133,19 @@ lint:
 
 lint-modules:
 	@echo "--> Running tflint on modules"
-	@if [ -d modules ]; then \
-		find modules -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
-			echo "--> Linting $$dir"; \
-			tflint --chdir=$$dir --init; \
-			tflint --chdir=$$dir -f compact; \
-		done; \
-	fi
+	@find . -type d -regex '.*/modules/[a-zA-Z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+		echo "--> Linting $$dir"; \
+		tflint --chdir=$$dir --init; \
+		tflint --chdir=$$dir -f compact; \
+	done;
 
 lint-examples:
 	@echo "--> Running tflint on examples"
-	@if [ -d examples ]; then \
-		find examples -type d -mindepth 1 -maxdepth 1 | while read -r dir; do \
-			echo "--> Linting $$dir"; \
-			tflint --chdir=$$dir --init; \
-			tflint --chdir=$$dir -f compact; \
-		done; \
-	fi
+	@find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
+		echo "--> Linting $$dir"; \
+		tflint --chdir=$$dir --init; \
+		tflint --chdir=$$dir -f compact; \
+	done; 
 
 format: 
 	@echo "--> Running terraform fmt"
@@ -140,7 +153,7 @@ format:
 
 clean:
 	@echo "--> Cleaning up"
-	@find . -type d -name ".terraform" | while read -r dir; do \
+	@find . -type d -name ".terraform" 2>/dev/null | while read -r dir; do \
 		echo "--> Removing $$dir"; \
 		rm -rf $$dir; \
 	done
diff --git a/README.md b/README.md
index 63cde38..36be973 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,12 @@
-<!-- BEGIN_TF_DOCS -->
 <!-- markdownlint-disable -->
+
 <a href="https://www.appvia.io/"><img src="./appvia_banner.jpg" alt="Appvia Banner"/></a><br/><p align="right"> <a href="https://registry.terraform.io/modules/appvia/wayfinder/azurerm/latest"><img src="https://img.shields.io/static/v1?label=APPVIA&message=Terraform%20Registry&color=191970&style=for-the-badge" alt="Terraform Registry"/></a> <a href="https://github.com/appvia/terraform-azurerm-wayfinder/releases/latest"><img src="https://img.shields.io/github/release/appvia/terraform-azurerm-wayfinder.svg?style=for-the-badge&color=006400" alt="Latest Release"/></a> <a href="https://appvia-community.slack.com/join/shared_invite/zt-1s7i7xy85-T155drryqU56emm09ojMVA#/shared-invite/email"><img src="https://img.shields.io/badge/Slack-Join%20Community-purple?style=for-the-badge&logo=slack" alt="Slack Community"/></a> <a href="https://github.com/appvia/terraform-azurerm-wayfinder/graphs/contributors"><img src="https://img.shields.io/github/contributors/appvia/terraform-azurerm-wayfinder.svg?style=for-the-badge&color=FF8C00" alt="Contributors"/></a> </p>
+
 <!-- markdownlint-restore -->
 <!--
   ***** CAUTION: DO NOT EDIT ABOVE THIS LINE ******
 -->
+
 ## Description
 
 The "terraform-azurerm-wayfinder" Terraform Module can be used to provision and manage a licensed edition of [Appvia Wayfinder](https://www.appvia.io/wayfinder) on Azure.
@@ -12,6 +14,7 @@ The "terraform-azurerm-wayfinder" Terraform Module can be used to provision and
 ## Requirements
 
 To run this module, you will need the following:
+
 1. Product Licence Key & Instance ID. Request a free licence key from the [Appvia Portal](https://portal.appvia.io/trial?utm_source=terraform-azurerm-wayfinder).
 2. (Optional) IDP App configuration details: Wayfinder integrates with an IDP for managing user access. You will need a valid Client ID, Client Secret and Server URL (or Azure Tenant ID) for setup. This does not need to be defined initially within Terraform, and can also be setup within the product. Wayfinder can provision a `localadmin` user for initial access if no IDP details are provided.
 3. A public Azure DNS Zone: This module will create DNS records for the Wayfinder API and UI endpoints, and performs a DNS01 challenge via the LetsEncrypt Issuer for valid domain certificates.
@@ -30,6 +33,7 @@ This configuration is optional within Terraform, and can also be setup within th
 The Authorized Redirect URI for the IDP Application should be set to: `https://${wayfinder_domain_name_api}/oauth/callback`
 
 **Note:** If you are using Azure Active Directory, you must:
+
 1. Set `azureTenantId` to your Azure Tenant ID (`serverUrl` is not required)
 2. Set the IDP type to `aad`
 
@@ -58,38 +62,57 @@ wayfinder_idp_details = {
 ## Updating Docs
 
 The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
+
 1. Make changes to the `.terraform-docs.yml` file
 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
 
+<!-- BEGIN_TF_DOCS -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | >= 2.53.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >=3.51.0, < 4.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2.9.0 |
+| <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | >= 2.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.5 |
+| <a name="provider_time"></a> [time](#provider\_time) | >= 0.9.0 |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_adcs"></a> [adcs](#input\_adcs) | ADCS variables required when using ADCS Issuer with Cert Manager | <pre>object({<br>    url                       = string<br>    username                  = string<br>    ca_bundle                 = string<br>    certificate_template_name = string<br>  })</pre> | `null` | no |
+| <a name="input_aks_vnet_subnet_id"></a> [aks\_vnet\_subnet\_id](#input\_aks\_vnet\_subnet\_id) | The ID of the subnet in which to deploy the Kubernetes Cluster. | `string` | n/a | yes |
+| <a name="input_clusterissuer_email"></a> [clusterissuer\_email](#input\_clusterissuer\_email) | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes |
+| <a name="input_dns_zone_id"></a> [dns\_zone\_id](#input\_dns\_zone\_id) | The ID of the Azure DNS Zone to use. | `string` | n/a | yes |
+| <a name="input_dns_zone_name"></a> [dns\_zone\_name](#input\_dns\_zone\_name) | The name of the Azure DNS zone to use. | `string` | n/a | yes |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the AKS cluster. | `string` | n/a | yes |
+| <a name="input_user_assigned_identity"></a> [user\_assigned\_identity](#input\_user\_assigned\_identity) | MSI id for AKS to run as | `string` | n/a | yes |
+| <a name="input_wayfinder_domain_name_api"></a> [wayfinder\_domain\_name\_api](#input\_wayfinder\_domain\_name\_api) | The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com) | `string` | n/a | yes |
+| <a name="input_wayfinder_domain_name_ui"></a> [wayfinder\_domain\_name\_ui](#input\_wayfinder\_domain\_name\_ui) | The domain name to use for the Wayfinder UI (e.g. portal.wayfinder.example.com) | `string` | n/a | yes |
+| <a name="input_wayfinder_instance_id"></a> [wayfinder\_instance\_id](#input\_wayfinder\_instance\_id) | The instance ID to use for Wayfinder. | `string` | n/a | yes |
+| <a name="input_wayfinder_licence_key"></a> [wayfinder\_licence\_key](#input\_wayfinder\_licence\_key) | The licence key to use for Wayfinder | `string` | n/a | yes |
+| <a name="input_adcs"></a> [adcs](#input\_adcs) | ADCS variables required when using ADCS Issuer with Cert Manager | <pre>object({<br/>    url                       = string<br/>    username                  = string<br/>    ca_bundle                 = string<br/>    certificate_template_name = string<br/>  })</pre> | `null` | no |
 | <a name="input_adcs_password"></a> [adcs\_password](#input\_adcs\_password) | ADCS password required when using ADCS Issuer with Cert Manager | `string` | `""` | no |
 | <a name="input_aks_agents_size"></a> [aks\_agents\_size](#input\_aks\_agents\_size) | The default size of the agents pool. | `string` | `"Standard_D2s_v3"` | no |
-| <a name="input_aks_api_server_authorized_ip_ranges"></a> [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the API server. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_aks_api_server_authorized_ip_ranges"></a> [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the API server. | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
 | <a name="input_aks_enable_host_encryption"></a> [aks\_enable\_host\_encryption](#input\_aks\_enable\_host\_encryption) | Whether to enable host encryption. | `bool` | `false` | no |
-| <a name="input_aks_maintenance_window"></a> [aks\_maintenance\_window](#input\_aks\_maintenance\_window) | Maintenance configuration of the managed cluster. | <pre>object({<br>    allowed = list(object({<br>      day   = string<br>      hours = set(number)<br>    })),<br>    not_allowed = list(object({<br>      end   = string<br>      start = string<br>    })),<br>  })</pre> | <pre>{<br>  "allowed": [<br>    {<br>      "day": "Sunday",<br>      "hours": [<br>        22,<br>        23<br>      ]<br>    }<br>  ],<br>  "not_allowed": []<br>}</pre> | no |
+| <a name="input_aks_maintenance_window"></a> [aks\_maintenance\_window](#input\_aks\_maintenance\_window) | Maintenance configuration of the managed cluster. | <pre>object({<br/>    allowed = list(object({<br/>      day   = string<br/>      hours = set(number)<br/>    })),<br/>    not_allowed = list(object({<br/>      end   = string<br/>      start = string<br/>    })),<br/>  })</pre> | <pre>{<br/>  "allowed": [<br/>    {<br/>      "day": "Sunday",<br/>      "hours": [<br/>        22,<br/>        23<br/>      ]<br/>    }<br/>  ],<br/>  "not_allowed": []<br/>}</pre> | no |
 | <a name="input_aks_rbac_aad_admin_group_object_ids"></a> [aks\_rbac\_aad\_admin\_group\_object\_ids](#input\_aks\_rbac\_aad\_admin\_group\_object\_ids) | List of object IDs of the Azure AD groups that will be set as cluster admin. | `list(string)` | `[]` | no |
 | <a name="input_aks_sku_tier"></a> [aks\_sku\_tier](#input\_aks\_sku\_tier) | The SKU tier for this Kubernetes Cluster. | `string` | `"Standard"` | no |
-| <a name="input_aks_vnet_subnet_id"></a> [aks\_vnet\_subnet\_id](#input\_aks\_vnet\_subnet\_id) | The ID of the subnet in which to deploy the Kubernetes Cluster. | `string` | n/a | yes |
 | <a name="input_cert_manager_keyvault_cert_name"></a> [cert\_manager\_keyvault\_cert\_name](#input\_cert\_manager\_keyvault\_cert\_name) | Keyvault certificate name to use for cert-manager. Required if cluster issuer is keyvault | `string` | `null` | no |
 | <a name="input_cert_manager_keyvault_name"></a> [cert\_manager\_keyvault\_name](#input\_cert\_manager\_keyvault\_name) | Keyvault name to use for cert-manager. Required if cluster issuer is keyvault | `string` | `null` | no |
 | <a name="input_cluster_nodepool_version"></a> [cluster\_nodepool\_version](#input\_cluster\_nodepool\_version) | The Kubernetes version to use for the AKS cluster Nodepools. | `string` | `"1.30"` | no |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the AKS cluster. | `string` | `"1.30"` | no |
 | <a name="input_clusterissuer"></a> [clusterissuer](#input\_clusterissuer) | Cluster Issuer name to use for certs | `string` | `"letsencrypt-prod"` | no |
-| <a name="input_clusterissuer_email"></a> [clusterissuer\_email](#input\_clusterissuer\_email) | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes |
-| <a name="input_create_duration_delay"></a> [create\_duration\_delay](#input\_create\_duration\_delay) | Used to tune terraform apply when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type. | <pre>object({<br>    azurerm_role_definition         = optional(string, "180s")<br>    kubectl_manifest_cloud_identity = optional(string, "30s")<br>  })</pre> | `{}` | no |
+| <a name="input_create_duration_delay"></a> [create\_duration\_delay](#input\_create\_duration\_delay) | Used to tune terraform apply when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type. | <pre>object({<br/>    azurerm_role_definition         = optional(string, "180s")<br/>    kubectl_manifest_cloud_identity = optional(string, "30s")<br/>  })</pre> | `{}` | no |
 | <a name="input_create_localadmin_user"></a> [create\_localadmin\_user](#input\_create\_localadmin\_user) | Whether to create a localadmin user for access to the Wayfinder Portal and API | `bool` | `true` | no |
-| <a name="input_destroy_duration_delay"></a> [destroy\_duration\_delay](#input\_destroy\_duration\_delay) | Used to tune terraform destroy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. | <pre>object({<br>    azurerm_role_definition         = optional(string, "0s")<br>    kubectl_manifest_cloud_identity = optional(string, "60s")<br>  })</pre> | `{}` | no |
+| <a name="input_destroy_duration_delay"></a> [destroy\_duration\_delay](#input\_destroy\_duration\_delay) | Used to tune terraform destroy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. | <pre>object({<br/>    azurerm_role_definition         = optional(string, "0s")<br/>    kubectl_manifest_cloud_identity = optional(string, "60s")<br/>  })</pre> | `{}` | no |
 | <a name="input_disable_internet_access"></a> [disable\_internet\_access](#input\_disable\_internet\_access) | Whether to disable internet access for AKS and the Wayfinder ingress controller | `bool` | `false` | no |
 | <a name="input_disable_local_login"></a> [disable\_local\_login](#input\_disable\_local\_login) | Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in. | `bool` | `false` | no |
 | <a name="input_dns_provider"></a> [dns\_provider](#input\_dns\_provider) | DNS provider for External DNS | `string` | `"azure"` | no |
 | <a name="input_dns_resource_group_id"></a> [dns\_resource\_group\_id](#input\_dns\_resource\_group\_id) | The ID of the resource group where the DNS Zone exists, if different to Wayfinder's resource group. | `string` | `""` | no |
-| <a name="input_dns_zone_id"></a> [dns\_zone\_id](#input\_dns\_zone\_id) | The ID of the Azure DNS Zone to use. | `string` | n/a | yes |
-| <a name="input_dns_zone_name"></a> [dns\_zone\_name](#input\_dns\_zone\_name) | The name of the Azure DNS zone to use. | `string` | n/a | yes |
 | <a name="input_enable_cross_tenant_access"></a> [enable\_cross\_tenant\_access](#input\_enable\_cross\_tenant\_access) | Whether to enable cross-tenant access for Wayfinder. Will create a suitable Enterprise Application with federated credential for Wayfinder to use. | `bool` | `false` | no |
 | <a name="input_enable_k8s_resources"></a> [enable\_k8s\_resources](#input\_enable\_k8s\_resources) | Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments) | `bool` | `true` | no |
 | <a name="input_enable_wf_cloudaccess"></a> [enable\_wf\_cloudaccess](#input\_enable\_wf\_cloudaccess) | Whether to configure CloudIdentity and admin CloudAccessConfig resources in Wayfinder once installed (requires enable\_k8s\_resources) | `bool` | `true` | no |
@@ -100,18 +123,12 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_location"></a> [location](#input\_location) | The Azure region to use. | `string` | `"uksouth"` | no |
 | <a name="input_private_dns_zone_id"></a> [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id) | Private DNS zone to use for private clusters | `string` | `null` | no |
 | <a name="input_private_link_resourcegroup"></a> [private\_link\_resourcegroup](#input\_private\_link\_resourcegroup) | The name of the resource group in which to create central private link resources for each AKS cluster. | `string` | `""` | no |
-| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the AKS cluster. | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to resources. | `map(string)` | `{}` | no |
-| <a name="input_user_assigned_identity"></a> [user\_assigned\_identity](#input\_user\_assigned\_identity) | MSI id for AKS to run as | `string` | n/a | yes |
 | <a name="input_venafi_apikey"></a> [venafi\_apikey](#input\_venafi\_apikey) | Venafi API key - required if using Venafi cluster issuer | `string` | `""` | no |
 | <a name="input_venafi_zone"></a> [venafi\_zone](#input\_venafi\_zone) | Venafi zone - required if using Venafi cluster issuer | `string` | `""` | no |
-| <a name="input_wayfinder_domain_name_api"></a> [wayfinder\_domain\_name\_api](#input\_wayfinder\_domain\_name\_api) | The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com) | `string` | n/a | yes |
-| <a name="input_wayfinder_domain_name_ui"></a> [wayfinder\_domain\_name\_ui](#input\_wayfinder\_domain\_name\_ui) | The domain name to use for the Wayfinder UI (e.g. portal.wayfinder.example.com) | `string` | n/a | yes |
-| <a name="input_wayfinder_idp_details"></a> [wayfinder\_idp\_details](#input\_wayfinder\_idp\_details) | The IDP details to use for Wayfinder to enable SSO | <pre>object({<br>    type          = string<br>    clientId      = optional(string)<br>    clientSecret  = optional(string)<br>    serverUrl     = optional(string)<br>    azureTenantId = optional(string)<br>  })</pre> | <pre>{<br>  "azureTenantId": "",<br>  "clientId": null,<br>  "clientSecret": null,<br>  "serverUrl": "",<br>  "type": "none"<br>}</pre> | no |
-| <a name="input_wayfinder_instance_id"></a> [wayfinder\_instance\_id](#input\_wayfinder\_instance\_id) | The instance ID to use for Wayfinder. | `string` | n/a | yes |
-| <a name="input_wayfinder_licence_key"></a> [wayfinder\_licence\_key](#input\_wayfinder\_licence\_key) | The licence key to use for Wayfinder | `string` | n/a | yes |
+| <a name="input_wayfinder_idp_details"></a> [wayfinder\_idp\_details](#input\_wayfinder\_idp\_details) | The IDP details to use for Wayfinder to enable SSO | <pre>object({<br/>    type          = string<br/>    clientId      = optional(string)<br/>    clientSecret  = optional(string)<br/>    serverUrl     = optional(string)<br/>    azureTenantId = optional(string)<br/>  })</pre> | <pre>{<br/>  "azureTenantId": "",<br/>  "clientId": null,<br/>  "clientSecret": null,<br/>  "serverUrl": "",<br/>  "type": "none"<br/>}</pre> | no |
 | <a name="input_wayfinder_release_channel"></a> [wayfinder\_release\_channel](#input\_wayfinder\_release\_channel) | The release channel to use for Wayfinder | `string` | `"wayfinder-releases"` | no |
-| <a name="input_wayfinder_version"></a> [wayfinder\_version](#input\_wayfinder\_version) | The version to use for Wayfinder | `string` | `"v2.8.6"` | no |
+| <a name="input_wayfinder_version"></a> [wayfinder\_version](#input\_wayfinder\_version) | The version to use for Wayfinder | `string` | `"v2.9.6"` | no |
 
 ## Outputs
 
@@ -130,4 +147,5 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="output_wayfinder_cross_tenant_identity_client_id"></a> [wayfinder\_cross\_tenant\_identity\_client\_id](#output\_wayfinder\_cross\_tenant\_identity\_client\_id) | The client ID for the cross-tenant identity. |
 | <a name="output_wayfinder_instance_id"></a> [wayfinder\_instance\_id](#output\_wayfinder\_instance\_id) | The unique identifier for the Wayfinder instance. |
 | <a name="output_wayfinder_ui_url"></a> [wayfinder\_ui\_url](#output\_wayfinder\_ui\_url) | The URL for the Wayfinder UI. |
-<!-- END_TF_DOCS -->
\ No newline at end of file
+<!-- END_TF_DOCS -->
+
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..862d78d
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please contact security@appvia.io on discovery of a vulnerability or security issue.
diff --git a/examples/complete/.terraform-docs.yml b/examples/complete/.terraform-docs.yml
deleted file mode 100644
index 4dd28c2..0000000
--- a/examples/complete/.terraform-docs.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-content: |-
-  # Example: Complete (includes pre-configured Wayfinder SSO)
-
-  ## Deployment
-
-  1. Create a Resource Group for Wayfinder to be installed within.
-  2. Create a DNS Zone in Azure and ensure the domain is delegated to the Azure DNS nameservers.
-  3. Copy the `terraform.tfvars.example` file to `terraform.tfvars` and update with your values.
-  4. Run `terraform init -upgrade`
-  5. Run `terraform apply`
-
-  ## Updating Docs
-
-  The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
-  1. Make changes to the `.terraform-docs.yml` file
-  2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
-  3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
-
-  {{ .Inputs }}
-
-  {{ .Outputs }}
diff --git a/examples/complete/README.md b/examples/complete/README.md
index 25466ee..3d73d07 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -1,4 +1,3 @@
-<!-- BEGIN_TF_DOCS -->
 # Example: Complete (includes pre-configured Wayfinder SSO)
 
 ## Deployment
@@ -12,15 +11,68 @@
 ## Updating Docs
 
 The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
+
 1. Make changes to the `.terraform-docs.yml` file
 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
 
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_azapi"></a> [azapi](#requirement\_azapi) | >= 1.8.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.84 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.9.0 |
+| <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | ~> 2.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 2.23.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.5 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | ~> 0.9.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.116.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.6 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_wayfinder"></a> [wayfinder](#module\_wayfinder) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource |
+| [azurerm_key_vault_certificate.root](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_certificate) | resource |
+| [azurerm_key_vault_certificate.signing](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_certificate) | resource |
+| [azurerm_private_endpoint.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
+| [azurerm_role_assignment.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.private_dns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_subnet.aks_nodes](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
+| [azurerm_user_assigned_identity.aks_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_virtual_network.wayfinder](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource |
+| [random_id.kv](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [tls_cert_request.signing](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource |
+| [tls_locally_signed_cert.signing](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource |
+| [tls_private_key.root](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_private_key.signing](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_self_signed_cert.root](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_dns_zone.wayfinder](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source |
+| [azurerm_private_dns_zone.wayfinder](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_aks_api_server_authorized_ip_ranges"></a> [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the Wayfinder Management AKS Cluster API server. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_aks_api_server_authorized_ip_ranges"></a> [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the Wayfinder Management AKS Cluster API server. | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
 | <a name="input_aks_rbac_aad_admin_groups"></a> [aks\_rbac\_aad\_admin\_groups](#input\_aks\_rbac\_aad\_admin\_groups) | Map of Azure AD Groups and their Object IDs that will be set as cluster admin. | `map(string)` | n/a | yes |
 | <a name="input_aks_vnet_subnet_id"></a> [aks\_vnet\_subnet\_id](#input\_aks\_vnet\_subnet\_id) | The ID of the subnet in which to deploy the Kubernetes Cluster. | `string` | `null` | no |
 | <a name="input_ca_org_name"></a> [ca\_org\_name](#input\_ca\_org\_name) | The organisation name to use for the CA. Required if using keyvault cluster issuer. | `string` | `null` | no |
@@ -43,7 +95,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_user_assigned_identity"></a> [user\_assigned\_identity](#input\_user\_assigned\_identity) | MSI id for AKS to run as | `string` | `null` | no |
 | <a name="input_venafi_apikey"></a> [venafi\_apikey](#input\_venafi\_apikey) | Venafi API key - required if using Venafi cluster issuer | `string` | `""` | no |
 | <a name="input_venafi_zone"></a> [venafi\_zone](#input\_venafi\_zone) | Venafi zone - required if using Venafi cluster issuer | `string` | `""` | no |
-| <a name="input_wayfinder_idp_details"></a> [wayfinder\_idp\_details](#input\_wayfinder\_idp\_details) | The IDP details to use for Wayfinder to enable SSO. | <pre>object({<br>    type          = string<br>    clientId      = string<br>    clientSecret  = string<br>    serverUrl     = optional(string)<br>    azureTenantId = optional(string)<br>  })</pre> | n/a | yes |
+| <a name="input_wayfinder_idp_details"></a> [wayfinder\_idp\_details](#input\_wayfinder\_idp\_details) | The IDP details to use for Wayfinder to enable SSO. | <pre>object({<br/>    type          = string<br/>    clientId      = string<br/>    clientSecret  = string<br/>    serverUrl     = optional(string)<br/>    azureTenantId = optional(string)<br/>  })</pre> | n/a | yes |
 | <a name="input_wayfinder_instance_id"></a> [wayfinder\_instance\_id](#input\_wayfinder\_instance\_id) | The instance ID to use for Wayfinder. | `string` | n/a | yes |
 | <a name="input_wayfinder_licence_key"></a> [wayfinder\_licence\_key](#input\_wayfinder\_licence\_key) | The licence key to use for Wayfinder. | `string` | n/a | yes |
 
@@ -55,4 +107,5 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="output_wayfinder_api_url"></a> [wayfinder\_api\_url](#output\_wayfinder\_api\_url) | The URL for the Wayfinder API |
 | <a name="output_wayfinder_instance_id"></a> [wayfinder\_instance\_id](#output\_wayfinder\_instance\_id) | The unique identifier for the Wayfinder instance |
 | <a name="output_wayfinder_ui_url"></a> [wayfinder\_ui\_url](#output\_wayfinder\_ui\_url) | The URL for the Wayfinder UI |
-<!-- END_TF_DOCS -->
\ No newline at end of file
+<!-- END_TF_DOCS -->
+
diff --git a/examples/quickstart/.terraform-docs.yml b/examples/quickstart/.terraform-docs.yml
deleted file mode 100644
index 8573b97..0000000
--- a/examples/quickstart/.terraform-docs.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-content: |-
-  # Example: Quickstart
-
-  **Notes:**
-  * Wayfinder will start up with an initial local administrator user (not configured to use an IDP).
-  * Any sensitive values (e.g. licence key) are passed directly as a variable to the module.
-
-  This example should be used for product testing and evaluation only. For a more production-ready deployment, please see the [complete example](../complete).
-
-  ## Deployment
-
-  1. Create a Resource Group for Wayfinder to be installed within.
-  2. Create a DNS Zone in Azure and ensure the domain is delegated to the Azure DNS nameservers.
-  3. Copy the `terraform.tfvars.example` file to `terraform.tfvars` and update with your values.
-  4. Run `terraform init -upgrade`
-  5. Run `terraform apply`
-
-  ## Updating Docs
-
-  The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
-  1. Make changes to the `.terraform-docs.yml` file
-  2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
-  3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
-
-  {{ .Inputs }}
-
-  {{ .Outputs }}
diff --git a/examples/quickstart/README.md b/examples/quickstart/README.md
index d20912e..115d5a5 100644
--- a/examples/quickstart/README.md
+++ b/examples/quickstart/README.md
@@ -1,9 +1,9 @@
-<!-- BEGIN_TF_DOCS -->
 # Example: Quickstart
 
 **Notes:**
-* Wayfinder will start up with an initial local administrator user (not configured to use an IDP).
-* Any sensitive values (e.g. licence key) are passed directly as a variable to the module.
+
+- Wayfinder will start up with an initial local administrator user (not configured to use an IDP).
+- Any sensitive values (e.g. licence key) are passed directly as a variable to the module.
 
 This example should be used for product testing and evaluation only. For a more production-ready deployment, please see the [complete example](../complete).
 
@@ -18,15 +18,50 @@ This example should be used for product testing and evaluation only. For a more
 ## Updating Docs
 
 The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
+
 1. Make changes to the `.terraform-docs.yml` file
 2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
 3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
 
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 3.84 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.9.0 |
+| <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | ~> 2.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~> 2.23.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.5 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | ~> 0.9.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.116.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_wayfinder"></a> [wayfinder](#module\_wayfinder) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_subnet.aks_nodes](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
+| [azurerm_user_assigned_identity.aks_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_virtual_network.wayfinder](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network) | resource |
+| [azurerm_dns_zone.wayfinder](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_aks_api_server_authorized_ip_ranges"></a> [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the Wayfinder Management AKS Cluster API server. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| <a name="input_aks_api_server_authorized_ip_ranges"></a> [aks\_api\_server\_authorized\_ip\_ranges](#input\_aks\_api\_server\_authorized\_ip\_ranges) | The list of authorized IP ranges to contact the Wayfinder Management AKS Cluster API server. | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
 | <a name="input_aks_rbac_aad_admin_groups"></a> [aks\_rbac\_aad\_admin\_groups](#input\_aks\_rbac\_aad\_admin\_groups) | Map of Azure AD Groups and their Object IDs that will be set as cluster admin. | `map(string)` | n/a | yes |
 | <a name="input_clusterissuer_email"></a> [clusterissuer\_email](#input\_clusterissuer\_email) | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes |
 | <a name="input_disable_internet_access"></a> [disable\_internet\_access](#input\_disable\_internet\_access) | Whether to disable internet access for AKS and the Wayfinder ingress controller. | `bool` | `false` | no |
@@ -51,4 +86,5 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="output_wayfinder_api_url"></a> [wayfinder\_api\_url](#output\_wayfinder\_api\_url) | The URL for the Wayfinder API |
 | <a name="output_wayfinder_instance_id"></a> [wayfinder\_instance\_id](#output\_wayfinder\_instance\_id) | The unique identifier for the Wayfinder instance |
 | <a name="output_wayfinder_ui_url"></a> [wayfinder\_ui\_url](#output\_wayfinder\_ui\_url) | The URL for the Wayfinder UI |
-<!-- END_TF_DOCS -->
\ No newline at end of file
+<!-- END_TF_DOCS -->
+
diff --git a/external-dns.tf b/external-dns.tf
index bad7e42..696d974 100644
--- a/external-dns.tf
+++ b/external-dns.tf
@@ -39,7 +39,7 @@ resource "helm_release" "external_dns" {
   name        = "external-dns"
   repository  = "https://kubernetes-sigs.github.io/external-dns"
   chart       = "external-dns"
-  version     = "1.14.4"
+  version     = "1.15.0"
   max_history = 5
 
   values = [
diff --git a/ingress.tf b/ingress.tf
index edfdebd..f97ac7f 100644
--- a/ingress.tf
+++ b/ingress.tf
@@ -22,7 +22,7 @@ resource "helm_release" "ingress" {
   name        = "ingress-nginx"
   repository  = "https://kubernetes.github.io/ingress-nginx"
   chart       = "ingress-nginx"
-  version     = "4.10.1"
+  version     = "4.11.2"
   max_history = 5
 
   values = [
diff --git a/modules/cloudaccess/.terraform-docs.yml b/modules/cloudaccess/.terraform-docs.yml
deleted file mode 100644
index 6559290..0000000
--- a/modules/cloudaccess/.terraform-docs.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-content: |-
-  # Terraform Module: Cloud Access for Wayfinder on Azure
-
-  This Terraform Module can be used to associate Roles to Wayfinder's Azure Identity, for creating resources within an Azure Subscription.
-
-  **Notes:**
-  * You must set `var.wayfinder_identity_azure_principal_id` to the Azure Principal ID of the Wayfinder Identity.
-  * `var.resource_suffix` is an optional suffix to use on created objects. We recommend using workspace key + stage if you wish to have multiple workspaces sharing the same AWS account, allowing independent roles to be provisioned for each.
-
-  ## Deployment
-
-  Please see the [examples](./examples) directory to see how to deploy this module.
-
-  {{ .Inputs }}
-
-  {{ .Outputs }}
-
-  ## Updating Docs
-
-  The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
-  1. Make changes to the `.terraform-docs.yml` file
-  2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
-  3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
diff --git a/modules/cloudaccess/README.md b/modules/cloudaccess/README.md
index bdab843..49e6165 100644
--- a/modules/cloudaccess/README.md
+++ b/modules/cloudaccess/README.md
@@ -1,22 +1,30 @@
-<!-- BEGIN_TF_DOCS -->
 # Terraform Module: Cloud Access for Wayfinder on Azure
 
 This Terraform Module can be used to associate Roles to Wayfinder's Azure Identity, for creating resources within an Azure Subscription.
 
 **Notes:**
-* You must set `var.wayfinder_identity_azure_principal_id` to the Azure Principal ID of the Wayfinder Identity.
-* `var.resource_suffix` is an optional suffix to use on created objects. We recommend using workspace key + stage if you wish to have multiple workspaces sharing the same AWS account, allowing independent roles to be provisioned for each.
+
+- You must set `var.wayfinder_identity_azure_principal_id` to the Azure Principal ID of the Wayfinder Identity.
+- `var.resource_suffix` is an optional suffix to use on created objects. We recommend using workspace key + stage if you wish to have multiple workspaces sharing the same AWS account, allowing independent roles to be provisioned for each.
 
 ## Deployment
 
 Please see the [examples](./examples) directory to see how to deploy this module.
 
+<!-- BEGIN_TF_DOCS -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >=3.74.0 |
+| <a name="provider_time"></a> [time](#provider\_time) | >= 0.9.0 |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_create_duration_delay"></a> [create\_duration\_delay](#input\_create\_duration\_delay) | Used to tune terraform apply when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type. | <pre>object({<br>    azurerm_role_definition = optional(string, "30s")<br>  })</pre> | `{}` | no |
-| <a name="input_destroy_duration_delay"></a> [destroy\_duration\_delay](#input\_destroy\_duration\_delay) | Used to tune terraform destroy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. | <pre>object({<br>    azurerm_role_definition = optional(string, "0s")<br>  })</pre> | `{}` | no |
+| <a name="input_create_duration_delay"></a> [create\_duration\_delay](#input\_create\_duration\_delay) | Used to tune terraform apply when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after creation of the specified resource type. | <pre>object({<br/>    azurerm_role_definition = optional(string, "30s")<br/>  })</pre> | `{}` | no |
+| <a name="input_destroy_duration_delay"></a> [destroy\_duration\_delay](#input\_destroy\_duration\_delay) | Used to tune terraform destroy when faced with errors caused by API caching or eventual consistency. Sets a custom delay period after destruction of the specified resource type. | <pre>object({<br/>    azurerm_role_definition = optional(string, "0s")<br/>  })</pre> | `{}` | no |
 | <a name="input_enable_cloud_info"></a> [enable\_cloud\_info](#input\_enable\_cloud\_info) | Whether to create the Cloud Info IAM Role | `bool` | `false` | no |
 | <a name="input_enable_cluster_manager"></a> [enable\_cluster\_manager](#input\_enable\_cluster\_manager) | Whether to create the Cluster Manager IAM Role | `bool` | `false` | no |
 | <a name="input_enable_dns_zone_manager"></a> [enable\_dns\_zone\_manager](#input\_enable\_dns\_zone\_manager) | Whether to create the DNS Zone Manager IAM Role | `bool` | `false` | no |
@@ -39,11 +47,5 @@ Please see the [examples](./examples) directory to see how to deploy this module
 |------|-------------|
 | <a name="output_managed_identity_client_id"></a> [managed\_identity\_client\_id](#output\_managed\_identity\_client\_id) | The client ID of the created managed identity to use as spec.azure.clientID in your cloud access configuration |
 | <a name="output_managed_identity_tenant_id"></a> [managed\_identity\_tenant\_id](#output\_managed\_identity\_tenant\_id) | The tenant ID in which the managed identity exists, to use as spec.azure.tenantID in your cloud access configuration |
+<!-- END_TF_DOCS -->
 
-## Updating Docs
-
-The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
-1. Make changes to the `.terraform-docs.yml` file
-2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
-3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
-<!-- END_TF_DOCS -->
\ No newline at end of file
diff --git a/modules/cloudaccess/examples/complete/.terraform.lock.hcl b/modules/cloudaccess/examples/complete/.terraform.lock.hcl
new file mode 100644
index 0000000..460a48c
--- /dev/null
+++ b/modules/cloudaccess/examples/complete/.terraform.lock.hcl
@@ -0,0 +1,42 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+  version     = "4.6.0"
+  constraints = ">= 3.74.0"
+  hashes = [
+    "h1:dnb4t07g8JX1xNSW5Rsx9VTriKKst0bsquJNmvtqEN0=",
+    "zh:13107f35a7060efa62570e3482285003092ead0afa0fa9fa1b0dda4f70080cb9",
+    "zh:22703b9f318adbda7e75d50e76b345651cbf371bce227566a8b8532c9c4f0880",
+    "zh:601d1eb1c056e4de649561764056e3dc21b837d104d15fee31f9aaaacb292046",
+    "zh:6572232f9b0d20b149e8b5cf161fada6d8122ee1fea732c2f1e9402fe4d3375f",
+    "zh:6c19ab78c6cf7eb04b8db978daa611db04598fd490c90b85889d08726da1d095",
+    "zh:7f6eae5fa14def221422fdd34ea122ea0263d0c3c67eb0fd7870d664d7d7a360",
+    "zh:8530912ffcc8a92dd5c186ecd08a9c2f1282838a3ad5a71786c2866402c71da7",
+    "zh:a6b110c6cff0ed8c1a8969bd86583db1d5b4f3100f89ce0a0e0350b1ad8cd47b",
+    "zh:bd67b5d92e06bc44b166f4cabab189de5cc06506333283ac88b4ce21707b8c6b",
+    "zh:c472fdcafbca86a0a5b515378409d0bbddff6a6abb0bd0ecf438c610944b1e98",
+    "zh:ca4bb3797ddf20062995134211b50e313242c8a81aa5da63cc51a47e42f494c4",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/time" {
+  version     = "0.12.1"
+  constraints = ">= 0.9.0"
+  hashes = [
+    "h1:JzYsPugN8Fb7C4NlfLoFu7BBPuRVT2/fCOdCaxshveI=",
+    "zh:090023137df8effe8804e81c65f636dadf8f9d35b79c3afff282d39367ba44b2",
+    "zh:26f1e458358ba55f6558613f1427dcfa6ae2be5119b722d0b3adb27cd001efea",
+    "zh:272ccc73a03384b72b964918c7afeb22c2e6be22460d92b150aaf28f29a7d511",
+    "zh:438b8c74f5ed62fe921bd1078abe628a6675e44912933100ea4fa26863e340e9",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:85c8bd8eefc4afc33445de2ee7fbf33a7807bc34eb3734b8eefa4e98e4cddf38",
+    "zh:98bbe309c9ff5b2352de6a047e0ec6c7e3764b4ed3dfd370839c4be2fbfff869",
+    "zh:9c7bf8c56da1b124e0e2f3210a1915e778bab2be924481af684695b52672891e",
+    "zh:d2200f7f6ab8ecb8373cda796b864ad4867f5c255cff9d3b032f666e4c78f625",
+    "zh:d8c7926feaddfdc08d5ebb41b03445166df8c125417b28d64712dccd9feef136",
+    "zh:e2412a192fc340c61b373d6c20c9d805d7d3dee6c720c34db23c2a8ff0abd71b",
+    "zh:e6ac6bba391afe728a099df344dbd6481425b06d61697522017b8f7a59957d44",
+  ]
+}
diff --git a/modules/cloudaccess/examples/complete/README.md b/modules/cloudaccess/examples/complete/README.md
new file mode 100644
index 0000000..7d1f109
--- /dev/null
+++ b/modules/cloudaccess/examples/complete/README.md
@@ -0,0 +1,31 @@
+<!-- BEGIN_TF_DOCS -->
+## Providers
+
+No providers.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_region"></a> [region](#input\_region) | The region used for created resources (where required) | `string` | n/a | yes |
+| <a name="input_enable_cloud_info"></a> [enable\_cloud\_info](#input\_enable\_cloud\_info) | Whether to create the Cloud Info IAM Role | `bool` | `false` | no |
+| <a name="input_enable_cluster_manager"></a> [enable\_cluster\_manager](#input\_enable\_cluster\_manager) | Whether to create the Cluster Manager IAM Role | `bool` | `true` | no |
+| <a name="input_enable_dns_zone_manager"></a> [enable\_dns\_zone\_manager](#input\_enable\_dns\_zone\_manager) | Whether to create the DNS Zone Manager IAM Role | `bool` | `true` | no |
+| <a name="input_enable_network_manager"></a> [enable\_network\_manager](#input\_enable\_network\_manager) | Whether to create the Network Manager IAM Role | `bool` | `true` | no |
+| <a name="input_enable_peering_acceptor"></a> [enable\_peering\_acceptor](#input\_enable\_peering\_acceptor) | Whether to create the Peering Acceptor IAM Role | `bool` | `false` | no |
+| <a name="input_from_aws"></a> [from\_aws](#input\_from\_aws) | Whether Wayfinder is running on AWS. | `bool` | `false` | no |
+| <a name="input_from_azure"></a> [from\_azure](#input\_from\_azure) | Whether Wayfinder is running on Azure. | `bool` | `true` | no |
+| <a name="input_from_gcp"></a> [from\_gcp](#input\_from\_gcp) | Whether Wayfinder is running on GCP. | `bool` | `false` | no |
+| <a name="input_resource_suffix"></a> [resource\_suffix](#input\_resource\_suffix) | Suffix to apply to all generated resources. We recommend using workspace key + stage. | `string` | `""` | no |
+| <a name="input_wayfinder_identity_aws_issuer"></a> [wayfinder\_identity\_aws\_issuer](#input\_wayfinder\_identity\_aws\_issuer) | Issuer URL to trust to verify Wayfinder's AWS identity. Populate when Wayfinder is running on AWS with IRSA. | `string` | `""` | no |
+| <a name="input_wayfinder_identity_aws_subject"></a> [wayfinder\_identity\_aws\_subject](#input\_wayfinder\_identity\_aws\_subject) | Subject to trust to verify Wayfinder's AWS identity. Populate when Wayfinder is running on AWS with IRSA. | `string` | `""` | no |
+| <a name="input_wayfinder_identity_azure_principal_id"></a> [wayfinder\_identity\_azure\_principal\_id](#input\_wayfinder\_identity\_azure\_principal\_id) | Principal ID of Wayfinder's Azure AD managed identity to give access to. Populate when Wayfinder is running on Azure with AzureAD Workload Identity or when using a credential-based Azure identity. | `string` | `""` | no |
+| <a name="input_wayfinder_identity_gcp_service_account_id"></a> [wayfinder\_identity\_gcp\_service\_account\_id](#input\_wayfinder\_identity\_gcp\_service\_account\_id) | Numerical ID of Wayfinder's GCP service account to give access to. Populate when Wayfinder is running on GCP with Workload Identity. | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_managed_identity_client_id"></a> [managed\_identity\_client\_id](#output\_managed\_identity\_client\_id) | n/a |
+| <a name="output_managed_identity_tenant_id"></a> [managed\_identity\_tenant\_id](#output\_managed\_identity\_tenant\_id) | n/a |
+<!-- END_TF_DOCS -->
\ No newline at end of file
diff --git a/modules/cloudaccess/wf_cloud_info.tf b/modules/cloudaccess/wf_cloud_info.tf
index eb5dc0e..8f6618c 100644
--- a/modules/cloudaccess/wf_cloud_info.tf
+++ b/modules/cloudaccess/wf_cloud_info.tf
@@ -30,9 +30,9 @@ resource "time_sleep" "after_azurerm_role_definition_cloudinfo" {
 resource "azurerm_role_assignment" "cloudinfo" {
   count = var.enable_cloud_info && var.from_azure ? 1 : 0
 
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = azurerm_role_definition.cloudinfo[0].name
-  principal_id         = var.wayfinder_identity_azure_principal_id
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.cloudinfo[0].id
+  principal_id       = var.wayfinder_identity_azure_principal_id
 
   depends_on = [
     time_sleep.after_azurerm_role_definition_cloudinfo[0],
@@ -43,9 +43,9 @@ resource "azurerm_role_assignment" "cloudinfo" {
 resource "azurerm_role_assignment" "cloudinfo_federated" {
   count = var.enable_cloud_info && (var.from_aws || var.from_gcp) ? 1 : 0
 
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = azurerm_role_definition.cloudinfo[0].name
-  principal_id         = azurerm_user_assigned_identity.federated_identity[0].principal_id
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.cloudinfo[0].id
+  principal_id       = azurerm_user_assigned_identity.federated_identity[0].principal_id
 
   depends_on = [
     time_sleep.after_azurerm_role_definition_cloudinfo[0],
diff --git a/modules/cloudaccess/wf_cluster_manager.tf b/modules/cloudaccess/wf_cluster_manager.tf
index 99a2cad..a6662a3 100644
--- a/modules/cloudaccess/wf_cluster_manager.tf
+++ b/modules/cloudaccess/wf_cluster_manager.tf
@@ -30,9 +30,9 @@ resource "time_sleep" "after_azurerm_role_definition_clustermanager" {
 resource "azurerm_role_assignment" "clustermanager" {
   count = var.enable_cluster_manager && var.from_azure ? 1 : 0
 
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = azurerm_role_definition.clustermanager[0].name
-  principal_id         = var.wayfinder_identity_azure_principal_id
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.clustermanager[0].role_definition_resource_id
+  principal_id       = var.wayfinder_identity_azure_principal_id
 
   depends_on = [
     time_sleep.after_azurerm_role_definition_clustermanager[0],
@@ -43,9 +43,9 @@ resource "azurerm_role_assignment" "clustermanager" {
 resource "azurerm_role_assignment" "clustermanager_federated" {
   count = var.enable_cluster_manager && (var.from_aws || var.from_gcp) ? 1 : 0
 
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = azurerm_role_definition.clustermanager[0].name
-  principal_id         = azurerm_user_assigned_identity.federated_identity[0].principal_id
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.clustermanager[0].role_definition_resource_id
+  principal_id       = azurerm_user_assigned_identity.federated_identity[0].principal_id
 
   depends_on = [
     time_sleep.after_azurerm_role_definition_clustermanager[0],
diff --git a/modules/cloudaccess/wf_dnszone_manager.tf b/modules/cloudaccess/wf_dnszone_manager.tf
index 3860d86..b96e02a 100644
--- a/modules/cloudaccess/wf_dnszone_manager.tf
+++ b/modules/cloudaccess/wf_dnszone_manager.tf
@@ -30,9 +30,9 @@ resource "time_sleep" "after_azurerm_role_definition_dnszonemanager" {
 resource "azurerm_role_assignment" "dnszonemanager" {
   count = var.enable_dns_zone_manager && var.from_azure ? 1 : 0
 
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = azurerm_role_definition.dnszonemanager[0].name
-  principal_id         = var.wayfinder_identity_azure_principal_id
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.dnszonemanager[0].role_definition_resource_id
+  principal_id       = var.wayfinder_identity_azure_principal_id
 
   depends_on = [
     time_sleep.after_azurerm_role_definition_dnszonemanager[0],
@@ -43,9 +43,9 @@ resource "azurerm_role_assignment" "dnszonemanager" {
 resource "azurerm_role_assignment" "dnszonemanager_federated" {
   count = var.enable_dns_zone_manager && (var.from_aws || var.from_gcp) ? 1 : 0
 
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = azurerm_role_definition.dnszonemanager[0].name
-  principal_id         = azurerm_user_assigned_identity.federated_identity[0].principal_id
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.dnszonemanager[0].role_definition_resource_id
+  principal_id       = azurerm_user_assigned_identity.federated_identity[0].principal_id
 
   depends_on = [
     time_sleep.after_azurerm_role_definition_dnszonemanager[0],
diff --git a/modules/cloudaccess/wf_network_manager.tf b/modules/cloudaccess/wf_network_manager.tf
index 7087e2b..1f08fa6 100644
--- a/modules/cloudaccess/wf_network_manager.tf
+++ b/modules/cloudaccess/wf_network_manager.tf
@@ -30,9 +30,9 @@ resource "time_sleep" "after_azurerm_role_definition_networkmanager" {
 resource "azurerm_role_assignment" "networkmanager" {
   count = var.enable_network_manager && var.from_azure ? 1 : 0
 
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = azurerm_role_definition.networkmanager[0].name
-  principal_id         = var.wayfinder_identity_azure_principal_id
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.networkmanager[0].role_definition_resource_id
+  principal_id       = var.wayfinder_identity_azure_principal_id
 
   depends_on = [
     time_sleep.after_azurerm_role_definition_networkmanager[0],
@@ -43,9 +43,9 @@ resource "azurerm_role_assignment" "networkmanager" {
 resource "azurerm_role_assignment" "networkmanager_federated" {
   count = var.enable_network_manager && (var.from_aws || var.from_gcp) ? 1 : 0
 
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = azurerm_role_definition.networkmanager[0].name
-  principal_id         = azurerm_user_assigned_identity.federated_identity[0].principal_id
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.networkmanager[0].role_definition_resource_id
+  principal_id       = azurerm_user_assigned_identity.federated_identity[0].principal_id
 
   depends_on = [
     time_sleep.after_azurerm_role_definition_networkmanager[0],
diff --git a/modules/cloudaccess/wf_peering_acceptor.tf b/modules/cloudaccess/wf_peering_acceptor.tf
index b441442..cc47a5c 100644
--- a/modules/cloudaccess/wf_peering_acceptor.tf
+++ b/modules/cloudaccess/wf_peering_acceptor.tf
@@ -30,9 +30,9 @@ resource "time_sleep" "after_azurerm_role_definition_peeringacceptor" {
 resource "azurerm_role_assignment" "peeringacceptor" {
   count = var.enable_peering_acceptor && var.from_azure ? 1 : 0
 
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = azurerm_role_definition.peeringacceptor[0].name
-  principal_id         = var.wayfinder_identity_azure_principal_id
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.peeringacceptor[0].role_definition_resource_id
+  principal_id       = var.wayfinder_identity_azure_principal_id
 
   depends_on = [
     time_sleep.after_azurerm_role_definition_peeringacceptor[0],
@@ -43,9 +43,9 @@ resource "azurerm_role_assignment" "peeringacceptor" {
 resource "azurerm_role_assignment" "peeringacceptor_federated" {
   count = var.enable_peering_acceptor && (var.from_aws || var.from_gcp) ? 1 : 0
 
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = azurerm_role_definition.peeringacceptor[0].name
-  principal_id         = azurerm_user_assigned_identity.federated_identity[0].principal_id
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.peeringacceptor[0].role_definition_resource_id
+  principal_id       = azurerm_user_assigned_identity.federated_identity[0].principal_id
 
   depends_on = [
     time_sleep.after_azurerm_role_definition_peeringacceptor[0],
diff --git a/modules/cloudaccess/wf_privatelink_manager.tf b/modules/cloudaccess/wf_privatelink_manager.tf
index de894d6..eb50685 100644
--- a/modules/cloudaccess/wf_privatelink_manager.tf
+++ b/modules/cloudaccess/wf_privatelink_manager.tf
@@ -30,9 +30,9 @@ resource "time_sleep" "after_azurerm_role_definition_privatelinkmanager" {
 resource "azurerm_role_assignment" "privatelinkmanager" {
   count = var.enable_private_link_manager && var.from_azure ? 1 : 0
 
-  scope                = data.azurerm_subscription.primary.id
-  role_definition_name = azurerm_role_definition.privatelinkmanager[0].name
-  principal_id         = var.wayfinder_identity_azure_principal_id
+  scope              = data.azurerm_subscription.primary.id
+  role_definition_id = azurerm_role_definition.privatelinkmanager[0].role_definition_resource_id
+  principal_id       = var.wayfinder_identity_azure_principal_id
 
   depends_on = [
     time_sleep.after_azurerm_role_definition_privatelinkmanager[0],
diff --git a/versions.tf b/terraform.tf
similarity index 86%
rename from versions.tf
rename to terraform.tf
index acadbe0..d03ccef 100644
--- a/versions.tf
+++ b/terraform.tf
@@ -22,10 +22,6 @@ terraform {
       source  = "hashicorp/time"
       version = ">= 0.9.0"
     }
-    kubernetes = {
-      source  = "hashicorp/kubernetes"
-      version = ">= 2.23.0"
-    }
     random = {
       source  = "hashicorp/random"
       version = ">= 3.5"
diff --git a/variables.tf b/variables.tf
index 94f4664..09cb4a3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -336,5 +336,5 @@ variable "wayfinder_release_channel" {
 variable "wayfinder_version" {
   description = "The version to use for Wayfinder"
   type        = string
-  default     = "v2.8.6"
+  default     = "v2.9.6"
 }