diff --git a/README.md b/README.md
index 693e4ff..7eab61c 100644
--- a/README.md
+++ b/README.md
@@ -119,7 +119,7 @@ No provider.
 | worker\_ami\_name\_filter | Name filter for AWS EKS worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no |
 | worker\_ami\_name\_filter\_windows | Name filter for AWS EKS Windows worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no |
 | worker\_ami\_owner\_id | The ID of the owner for the AMI to use for the AWS EKS workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"602401143452"` | no |
-| worker\_ami\_owner\_id\_windows | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"801119661308"` | no |
+| worker\_ami\_owner\_id\_windows | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"402743460324"` | no |
 | worker\_create\_initial\_lifecycle\_hooks | Whether to create initial lifecycle hooks provided in worker groups. | `bool` | `false` | no |
 | worker\_create\_security\_group | Whether to create a security group for the workers or attach the workers to `worker_security_group_id`. | `bool` | `true` | no |
 | worker\_groups | A list of maps defining worker group configurations to be defined using AWS Launch Configurations. See workers\_group\_defaults for valid keys. | `any` | `[]` | no |
diff --git a/modules/control_plane/outputs.tf b/modules/control_plane/outputs.tf
index caa30cc..644b3ca 100644
--- a/modules/control_plane/outputs.tf
+++ b/modules/control_plane/outputs.tf @@ -1,26 +1,26 @@ output "cluster_id" { description = "The name/id of the EKS cluster." - value = element(concat(aws_eks_cluster.this.*.id, list("")), 0) + value = element(concat(aws_eks_cluster.this.*.id, tolist([""])), 0) } output "cluster_arn" { description = "The Amazon Resource Name (ARN) of the cluster." - value = element(concat(aws_eks_cluster.this.*.arn, list("")), 0) + value = element(concat(aws_eks_cluster.this.*.arn, tolist([""])), 0) } output "cluster_certificate_authority_data" { description = "Nested attribute containing certificate-authority-data for your cluster. This is the base64 encoded certificate data required to communicate with your cluster." - value = element(concat(aws_eks_cluster.this[*].certificate_authority[0].data, list("")), 0) + value = element(concat(aws_eks_cluster.this[*].certificate_authority[0].data, tolist([""])), 0) } output "cluster_endpoint" { description = "The endpoint for your EKS Kubernetes API." - value = element(concat(aws_eks_cluster.this.*.endpoint, list("")), 0) + value = element(concat(aws_eks_cluster.this.*.endpoint, tolist([""])), 0) } output "cluster_version" { description = "The Kubernetes server version for the EKS cluster." - value = element(concat(aws_eks_cluster.this[*].version, list("")), 0) + value = element(concat(aws_eks_cluster.this[*].version, tolist([""])), 0) } output "cluster_security_group_id" { @@ -35,7 +35,7 @@ output "cluster_iam_role_arn" { output "cluster_oidc_issuer_url" { description = "The URL on the EKS cluster OIDC Issuer" - value = var.enable_irsa ? flatten(concat(aws_eks_cluster.this[*].identity[*].oidc.0.issuer, [""]))[0] : null + value = var.enable_irsa ? flatten(concat(aws_eks_cluster.this[*].identity[*].oidc.0.issuer, tolist([""])))[0] : null } output "cloudwatch_log_group_name" { 
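Review bot: The `tolist([""])` wrapper in these outputs is not needed, because `concat()` accepts a plain tuple literal and `[""]` is enough to replace the deprecated `list("")` call. The rest of the file shows this: `cluster_oidc_issuer_url` in the next hunk and `kubeconfig`, `kubeconfig_filename` and `oidc_provider_arn` in the last one already used `[""]` before this commit and are only being rewrapped. I would write `value = element(concat(aws_eks_cluster.this.*.id, [""]), 0)` in this hunk and leave those four outputs as they were.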
@@ -45,15 +45,15 @@ output "cloudwatch_log_group_name" { output "kubeconfig" { description = "kubectl config file contents for this EKS cluster." - value = concat(data.template_file.kubeconfig[*].rendered, [""])[0] + value = concat(data.template_file.kubeconfig[*].rendered, tolist([""]))[0] } output "kubeconfig_filename" { description = "The filename of the generated kubectl config." - value = concat(local_file.kubeconfig.*.filename, [""])[0] + value = concat(local_file.kubeconfig.*.filename, tolist([""]))[0] } output "oidc_provider_arn" { description = "The ARN of the OIDC Provider if `enable_irsa = true`." - value = var.enable_irsa ? concat(aws_iam_openid_connect_provider.oidc_provider[*].arn, [""])[0] : null + value = var.enable_irsa ? concat(aws_iam_openid_connect_provider.oidc_provider[*].arn, tolist([""]))[0] : null } diff --git a/modules/worker_groups/README.md b/modules/worker_groups/README.md index 35f87e5..c3e3579 100644 --- a/modules/worker_groups/README.md +++ b/modules/worker_groups/README.md 
@@ -33,7 +33,7 @@ This submodule is designed for use by both the parent `eks` module and by the us
 | worker\_ami\_name\_filter | Name filter for AWS EKS worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no |
 | worker\_ami\_name\_filter\_windows | Name filter for AWS EKS Windows worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no |
 | worker\_ami\_owner\_id | The ID of the owner for the AMI to use for the AWS EKS workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"602401143452"` | no |
-| worker\_ami\_owner\_id\_windows | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"801119661308"` | no |
+| worker\_ami\_owner\_id\_windows | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"402743460324"` | no |
 | worker\_create\_initial\_lifecycle\_hooks | Whether to create initial lifecycle hooks provided in worker groups. | `bool` | `false` | no |
 | worker\_create\_security\_group | Whether to create a security group for the workers or attach the workers to `worker_security_group_id`. | `bool` | `true` | no |
 | worker\_groups | Map of map of worker groups to create. See documentation above for more details. | `any` | `{}` | no |
diff --git a/modules/worker_groups/locals.tf b/modules/worker_groups/locals.tf
index 4a75a51..0903005 100644
--- a/modules/worker_groups/locals.tf
+++ b/modules/worker_groups/locals.tf
@@ -73,6 +73,10 @@ locals { spot_allocation_strategy = "lowest-price" # Valid options are 'lowest-price' and 'capacity-optimized'. If 'lowest-price', the Auto Scaling group launches instances using the Spot pools with the lowest price, and evenly allocates your instances across the number of Spot pools. If 'capacity-optimized', the Auto Scaling group launches instances using Spot pools that are optimally chosen based on the available Spot capacity. spot_instance_pools = 10 # "Number of Spot pools per availability zone to allocate capacity. EC2 Auto Scaling selects the cheapest Spot pools and evenly allocates Spot capacity across the number of Spot pools that you specify." spot_max_price = "" # Maximum price per unit hour that the user is willing to pay for the Spot instances. Default is the on-demand price + http_endpoint = "disabled" # Whether the metadata service is available + http_tokens = "optional" # Whether or not the metadata service requires session tokens + http_put_response_hop_limit = 1 # The desired HTTP PUT response hop limit for instance metadata requests + instance_metadata_tags = "disabled" # Enables or disables access to instance tags from the instance metadata service } # Merge defaults and per-group values to make code cleaner diff --git a/modules/worker_groups/variables.tf b/modules/worker_groups/variables.tf index b487059..f6c0ea0 100644 --- a/modules/worker_groups/variables.tf +++ b/modules/worker_groups/variables.tf 
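Review bot: The new defaults `http_endpoint = "disabled"` and `http_tokens = "optional"` work against each other and change behaviour for every existing worker group, since they feed the `metadata_options` block this commit adds to `aws_launch_template.worker_groups`. With the endpoint disabled the instance has no metadata service at all, and EKS nodes normally obtain their instance-role credentials from it, so this default is likely to stop workers from joining the cluster; the other three settings also have no effect in that state. If the aim is to harden metadata access, I would default to `http_endpoint = "enabled"` with `http_tokens = "required"` and keep `http_put_response_hop_limit = 1`, so only session-token (IMDSv2) requests are served. The comments should also name the accepted values as the neighbouring ones do, for example `# Valid options are 'optional' and 'required'`. The `locals` block begins outside this hunk.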
@@ -88,7 +88,7 @@ variable "worker_ami_owner_id" { variable "worker_ami_owner_id_windows" { description = "The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft')." type = string - default = "801119661308" // The ID of the owner of the official AWS EKS Windows AMIs. + default = "402743460324" // The ID of the owner of the official AWS EKS Windows AMIs. } variable "manage_worker_iam_resources" { diff --git a/modules/worker_groups/worker_groups.tf b/modules/worker_groups/worker_groups.tf index 2ac2383..4677741 100644 --- a/modules/worker_groups/worker_groups.tf +++ b/modules/worker_groups/worker_groups.tf @@ -32,7 +32,7 @@ resource "aws_autoscaling_group" "worker_groups" { dynamic "mixed_instances_policy" { iterator = item - for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? list(each.value) : [] + for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? tolist([each.value]) : [] content { instances_distribution { @@ -66,7 +66,7 @@ resource "aws_autoscaling_group" "worker_groups" { dynamic "launch_template" { iterator = item - for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? [] : list(each.value) + for_each = (lookup(each.value, "override_instance_types", null) != null) || (lookup(each.value, "on_demand_allocation_strategy", null) != null) ? [] : tolist([each.value]) content { id = aws_launch_template.worker_groups[each.key].id 
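Review bot: This default decides which AWS account's images the Windows workers boot from, and the hunk replaces `801119661308` with `402743460324` without anything in the diff that shows the new account belongs to AWS. The trailing comment still asserts that it is the owner of the official AWS EKS Windows AMIs, which a reader cannot check from here; please cite the source for the new ID in that comment or in the commit message. Since the description already allows an owner alias, `default = "amazon"` is worth considering if it resolves the same images, because it avoids pinning a bare account ID. The same replacement is made in the root variables.tf and in both README tables.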
@@ -206,6 +206,12 @@ resource "aws_launch_template" "worker_groups" { } } + metadata_options { + http_endpoint = each.value["http_endpoint"] + http_tokens = each.value["http_tokens"] + http_put_response_hop_limit = each.value["http_put_response_hop_limit"] + instance_metadata_tags = each.value["instance_metadata_tags"] + } tags = var.tags lifecycle { diff --git a/variables.tf b/variables.tf index 53f40fe..46a9e13 100644 --- a/variables.tf +++ b/variables.tf @@ -135,7 +135,7 @@ variable "worker_ami_owner_id" { variable "worker_ami_owner_id_windows" { description = "The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft')." type = string - default = "801119661308" // The ID of the owner of the official AWS EKS Windows AMIs. + default = "402743460324" // The ID of the owner of the official AWS EKS Windows AMIs. } variable "worker_additional_security_group_ids" {