From c9339a831fcc7d14178adf5a98876733eb93020d Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Tue, 1 Oct 2024 12:00:59 -0300 Subject: [PATCH 01/28] Add variable to enable CW Logs --- modules/eks-monitoring/add-ons/aws-for-fluentbit/locals.tf | 1 + .../eks-monitoring/add-ons/aws-for-fluentbit/values.yaml | 2 +- .../eks-monitoring/add-ons/aws-for-fluentbit/variables.tf | 6 ++++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/eks-monitoring/add-ons/aws-for-fluentbit/locals.tf b/modules/eks-monitoring/add-ons/aws-for-fluentbit/locals.tf index e77d609e..1191a2a5 100644 --- a/modules/eks-monitoring/add-ons/aws-for-fluentbit/locals.tf +++ b/modules/eks-monitoring/add-ons/aws-for-fluentbit/locals.tf @@ -35,6 +35,7 @@ locals { log_retention_days = var.cw_log_retention_days refresh_interval = var.refresh_interval service_account = local.service_account + cw_logs_enabled = var.cw_logs_enabled })] irsa_config = { diff --git a/modules/eks-monitoring/add-ons/aws-for-fluentbit/values.yaml b/modules/eks-monitoring/add-ons/aws-for-fluentbit/values.yaml index be4afb9f..33a09648 100644 --- a/modules/eks-monitoring/add-ons/aws-for-fluentbit/values.yaml +++ b/modules/eks-monitoring/add-ons/aws-for-fluentbit/values.yaml @@ -6,7 +6,7 @@ cloudWatch: enabled: false cloudWatchLogs: - enabled: true + enabled: ${cw_logs_enabled} region: ${aws_region} # logGroupName is a fallback to failed parsing logGroupName: /aws/eks/observability-accelerator/workloads diff --git a/modules/eks-monitoring/add-ons/aws-for-fluentbit/variables.tf b/modules/eks-monitoring/add-ons/aws-for-fluentbit/variables.tf index cbab80a1..bc6207b7 100644 --- a/modules/eks-monitoring/add-ons/aws-for-fluentbit/variables.tf +++ b/modules/eks-monitoring/add-ons/aws-for-fluentbit/variables.tf 
@@ -10,6 +10,12 @@ variable "cw_log_retention_days" { default = 90 } +variable "cw_logs_enabled" { + description = "FluentBit CloudWatch Log enable" + type = bool + default = true +} + variable "refresh_interval" { description = "FluentBit input refresh interval" type = number From fd6640f6f12d23b4043d1603995312eb1a33d741 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Tue, 1 Oct 2024 15:24:27 -0300 Subject: [PATCH 02/28] Add support for OpenSearch logs --- .../add-ons/aws-for-fluentbit/locals.tf | 3 +++ .../add-ons/aws-for-fluentbit/values.yaml | 7 +++++++ .../add-ons/aws-for-fluentbit/variables.tf | 18 ++++++++++++++++++ modules/eks-monitoring/main.tf | 5 +++++ modules/eks-monitoring/variables.tf | 18 ++++++++++++++++++ 5 files changed, 51 insertions(+) diff --git a/modules/eks-monitoring/add-ons/aws-for-fluentbit/locals.tf b/modules/eks-monitoring/add-ons/aws-for-fluentbit/locals.tf index 1191a2a5..31d79960 100644 --- a/modules/eks-monitoring/add-ons/aws-for-fluentbit/locals.tf +++ b/modules/eks-monitoring/add-ons/aws-for-fluentbit/locals.tf @@ -36,6 +36,9 @@ locals { refresh_interval = var.refresh_interval service_account = local.service_account cw_logs_enabled = var.cw_logs_enabled + os_logs_enabled = var.os_logs_enabled + os_logs_host = var.os_logs_host + os_logs_index = var.os_logs_index })] irsa_config = { diff --git a/modules/eks-monitoring/add-ons/aws-for-fluentbit/values.yaml b/modules/eks-monitoring/add-ons/aws-for-fluentbit/values.yaml index 33a09648..b5ea504f 100644 --- a/modules/eks-monitoring/add-ons/aws-for-fluentbit/values.yaml +++ b/modules/eks-monitoring/add-ons/aws-for-fluentbit/values.yaml @@ -15,6 +15,13 @@ cloudWatchLogs: logKey: log logRetentionDays: ${log_retention_days} +opensearch: + enabled: ${os_logs_enabled} + match: "*" + awsRegion: ${aws_region} + host: ${os_logs_host} + index: ${os_logs_index} + input: enabled: false 
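Review bot: The new `opensearch:` block at the end of the values.yaml hunk sets only `enabled`, `match`, `awsRegion`, `host` and `index`, leaving transport and request signing to the aws-for-fluent-bit chart defaults; whether FluentBit signs with SigV4 (which the IRSA-based flow in this series depends on) or speaks plaintext then hinges on upstream defaults at whatever chart version is pinned. I would state them explicitly, `awsAuth: "On"` and `tls: "On"` under `opensearch:`, so a default change upstream cannot silently downgrade the output. `host` is also rendered unquoted, and with the `os_logs_host` default of `""` the line becomes `host: ` (YAML null) rather than an empty string; `host: "${os_logs_host}"` gives a predictable failure mode. The surrounding values document continues beyond the hunk.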
diff --git a/modules/eks-monitoring/add-ons/aws-for-fluentbit/variables.tf b/modules/eks-monitoring/add-ons/aws-for-fluentbit/variables.tf index bc6207b7..28f327cd 100644 --- a/modules/eks-monitoring/add-ons/aws-for-fluentbit/variables.tf +++ b/modules/eks-monitoring/add-ons/aws-for-fluentbit/variables.tf @@ -16,6 +16,24 @@ variable "cw_logs_enabled" { default = true } +variable "os_logs_enabled" { + description = "FluentBit OpenSearch enable" + type = bool + default = false +} + +variable "os_logs_host" { + description = "FluentBit OpenSearch" + type = string + default = "" +} + +variable "os_logs_index" { + description = "FluentBit OpenSearch" + type = string + default = "observability-accelerator" +} + variable "refresh_interval" { description = "FluentBit input refresh interval" type = number diff --git a/modules/eks-monitoring/main.tf b/modules/eks-monitoring/main.tf index 5b788b4a..ac1381dd 100644 --- a/modules/eks-monitoring/main.tf +++ b/modules/eks-monitoring/main.tf @@ -259,6 +259,11 @@ module "fluentbit_logs" { cw_log_retention_days = var.logs_config.cw_log_retention_days addon_context = local.context + + os_logs_enabled = var.os_logs_enabled + os_logs_host = var.os_logs_host + os_logs_index = var.os_logs_index + } module "external_secrets" { diff --git a/modules/eks-monitoring/variables.tf b/modules/eks-monitoring/variables.tf index e1e58da1..059af0aa 100644 --- a/modules/eks-monitoring/variables.tf +++ b/modules/eks-monitoring/variables.tf @@ -376,6 +376,24 @@ variable "enable_logs" { default = true } +variable "os_logs_enabled" { + description = "FluentBit OpenSearch enable" + type = bool + default = false +} + +variable "os_logs_host" { + description = "FluentBit OpenSearch" + type = string + default = "" +} + +variable "os_logs_index" { + description = "FluentBit OpenSearch" + type = string + default = "observability-accelerator" +} + variable "logs_config" { description = "Configuration object for logs collection" type = object({ 
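Review bot: The descriptions of the new `os_logs_host` and `os_logs_index` variables (both in the add-on and in the root module) are the placeholder `"FluentBit OpenSearch"`, which tells a caller neither what form the host takes nor that it is mandatory once `os_logs_enabled` is true, and nothing rejects the empty default, so enabling OpenSearch without a host renders a FluentBit output with no endpoint. I would write `description = "OpenSearch domain endpoint (hostname, no scheme) FluentBit writes logs to; required when os_logs_enabled is true"` and `description = "OpenSearch index FluentBit writes logs to"`. As a point of style, the existing log settings are grouped under `logs_config` (see `cw_log_retention_days = var.logs_config.cw_log_retention_days` in the main.tf hunk), while these three inputs are added as top-level variables; folding them into `logs_config` would keep a single configuration surface for logging. The `logs_config` object definition continues past the end of the last hunk.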
From 8e18cdc538e5e84f7c29b728cef642937af29e07 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Tue, 1 Oct 2024 21:57:35 -0300 Subject: [PATCH 03/28] Add OpenSearch install example --- examples/amazon-opensearch-domain/ec2.tf | 61 +++++++++ examples/amazon-opensearch-domain/main.tf | 122 ++++++++++++++++++ .../amazon-opensearch-domain/opensearch.tf | 0 examples/amazon-opensearch-domain/outputs.tf | 73 +++++++++++ examples/amazon-opensearch-domain/readme.md | 4 + .../amazon-opensearch-domain/user_data.sh | 45 +++++++ .../amazon-opensearch-domain/variables.tf | 35 +++++ examples/amazon-opensearch-domain/versions.tf | 11 ++ 8 files changed, 351 insertions(+) create mode 100644 examples/amazon-opensearch-domain/ec2.tf create mode 100644 examples/amazon-opensearch-domain/main.tf create mode 100644 examples/amazon-opensearch-domain/opensearch.tf create mode 100644 examples/amazon-opensearch-domain/outputs.tf create mode 100644 examples/amazon-opensearch-domain/readme.md create mode 100644 examples/amazon-opensearch-domain/user_data.sh create mode 100644 examples/amazon-opensearch-domain/variables.tf create mode 100644 examples/amazon-opensearch-domain/versions.tf diff --git a/examples/amazon-opensearch-domain/ec2.tf b/examples/amazon-opensearch-domain/ec2.tf new file mode 100644 index 00000000..6ea6f784 --- /dev/null +++ b/examples/amazon-opensearch-domain/ec2.tf 
@@ -0,0 +1,61 @@
+data "aws_ami" "reverse_proxy" {
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["al2023-ami-2023.*-kernel-6.1-x86_64"]
+ }
+
+ filter {
+ name = "root-device-type"
+ values = ["ebs"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+}
+
+resource "aws_security_group" "reverse_proxy" {
+ name = "reverse_proxy"
+ description = "Allow TLS inbound traffic and all outbound traffic"
+ vpc_id = var.vpc_id
+
+ tags = {
+ Name = "reverse_proxy"
+ }
+}
+
+resource "aws_vpc_security_group_ingress_rule" "reverse_proxy_ipv4" {
+ security_group_id = aws_security_group.reverse_proxy.id
+ cidr_ipv4 = local.reverse_proxy_client_ip
+ from_port = 443
+ ip_protocol = "tcp"
+ to_port = 443
+}
+
+resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" {
+ security_group_id = aws_security_group.reverse_proxy.id
+ cidr_ipv4 = "0.0.0.0/0"
+ ip_protocol = "-1" # semantically equivalent to all ports
+}
+
+resource "aws_launch_configuration" "reverse_proxy" {
+ name = "reverse_proxy"
+ image_id = data.aws_ami.reverse_proxy.id
+ instance_type = "t2.medium"
+ associate_public_ip_address = true
+ user_data = templatefile("${path.module}/user_data.sh", {os_domain = module.opensearch.domain_endpoint})
+ security_groups = [aws_security_group.reverse_proxy.id]
+}
+
+resource "aws_autoscaling_group" "reverse_proxy" {
+ name = "reverse_proxy"
+ max_size = 1
+ min_size = 1
+ desired_capacity = 1
+ launch_configuration = aws_launch_configuration.reverse_proxy.name
+ vpc_zone_identifier = [local.public_subnet_id]
+}
\ No newline at end of file
diff --git a/examples/amazon-opensearch-domain/main.tf b/examples/amazon-opensearch-domain/main.tf
new file mode 100644
index 00000000..551c0d74
--- /dev/null
+++ b/examples/amazon-opensearch-domain/main.tf
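Review bot: `aws_launch_configuration.reverse_proxy` launches an internet-facing instance (`associate_public_ip_address = true` in a public subnet) with no `metadata_options`, so IMDSv1 remains available on the host that terminates TLS for the OpenSearch dashboards; enforcing IMDSv2 is the standard hardening for such a host. Add `metadata_options { http_endpoint = "enabled" http_tokens = "required" http_put_response_hop_limit = 1 }` to the launch configuration, or move to `aws_launch_template`, which AWS recommends over launch configurations and which the `>= 5.0.0` provider pin already supports. The egress rule `allow_all_traffic_ipv4` opens every protocol to `0.0.0.0/0` while the group's description promises "TLS inbound"; the proxy only needs tcp/443 to the domain and to package repositories, so narrowing it to tcp/443 costs nothing. The ingress default of `127.0.0.1/32` is a safe deny-by-default and is fine as is.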
@@ -0,0 +1,122 @@
+provider "aws" {
+ region = var.aws_region
+}
+
+data "aws_availability_zones" "available" {}
+
+data "aws_vpc" "main" {
+ id = var.vpc_id
+}
+
+locals {
+ region = var.aws_region
+ name = "aws-o11y-accelerator"
+
+ vpc_cidr = data.aws_vpc.main.cidr_block
+ public_subnet_id = var.public_subnet_id
+ private_subnet_id = var.private_subnet_id
+ azs = slice(data.aws_availability_zones.available.names, 0, 3)
+ reverse_proxy_client_ip = var.reverse_proxy_client_ip
+
+ tags = {
+ GithubRepo = "terraform-aws-observability-accelerator"
+ GithubOrg = "aws-observability"
+ }
+}
+
+module "opensearch" {
+ source = "terraform-aws-modules/opensearch/aws"
+
+ # Domain
+ advanced_options = {
+ "rest.action.multi.allow_explicit_index" = "true"
+ }
+
+ advanced_security_options = {
+ enabled = true
+ anonymous_auth_enabled = false
+ internal_user_database_enabled = true
+
+ master_user_options = {
+ master_user_name = var.master_user_name
+ master_user_password = var.master_user_password
+ }
+ }
+
+ cluster_config = {
+ instance_count = 1
+ dedicated_master_enabled = false
+ instance_type = "r6g.large.search"
+
+ zone_awareness_enabled = false
+ }
+
+ domain_endpoint_options = {
+ enforce_https = true
+ tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
+ }
+
+ domain_name = local.name
+
+ ebs_options = {
+ ebs_enabled = true
+ iops = 3000
+ throughput = 125
+ volume_type = "gp3"
+ volume_size = 20
+ }
+
+ encrypt_at_rest = {
+ enabled = true
+ }
+
+ engine_version = "OpenSearch_2.11"
+
+ node_to_node_encryption = {
+ enabled = true
+ }
+
+ software_update_options = {
+ auto_software_update_enabled = false
+ }
+
+ vpc_options = {
+ subnet_ids = [local.private_subnet_id]
+ }
+
+ # VPC endpoint
+ vpc_endpoints = {
+ one = {
+ subnet_ids = [local.private_subnet_id]
+ }
+ }
+
+ security_group_rules = {
+ ingress_443 = {
+ type = "ingress"
+ description = "HTTPS access from VPC"
+ from_port = 443
+ to_port = 443
+ ip_protocol = "tcp"
+ cidr_ipv4 = local.vpc_cidr
+ }
+ }
+
+ # Access policy
+ access_policy_statements = [
+ {
+ effect = "Allow"
+
+ principals = [{
+ type = "AWS"
+ identifiers = ["*"]
+ }]
+
+ actions = ["es:*"]
+ }
+ ]
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
diff --git a/examples/amazon-opensearch-domain/opensearch.tf b/examples/amazon-opensearch-domain/opensearch.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/examples/amazon-opensearch-domain/outputs.tf b/examples/amazon-opensearch-domain/outputs.tf
new file mode 100644
index 00000000..e5d300d9
--- /dev/null
+++ b/examples/amazon-opensearch-domain/outputs.tf
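Review bot: The `access_policy_statements` entry at the end of this hunk grants `es:*` to `identifiers = ["*"]`, i.e. every AWS principal; fine-grained access control (`advanced_security_options.enabled = true`) and VPC placement are then the only things gating requests, so the domain policy adds no defence in depth and any over-broad FGAC role mapping (the README added later in this series mentions `all_access` as an option) becomes full access from anywhere in the VPC. I would restrict the principal to the account root, or to the FluentBit IRSA role plus the operator/proxy roles, and limit actions to `es:ESHttp*`; the statement also carries no explicit resource, so confirm what the module substitutes there. For a domain whose purpose is holding cluster logs, publishing the domain's audit logs (the module appears to expose this via a log-publishing option; none is configured here) would record who read or changed the index. `master_user_password` flows into Terraform state in plaintext, which the example should say out loud, and the `opensearch.tf` file created alongside is empty and can be dropped.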
@@ -0,0 +1,73 @@ +################################################################################ +# Domain +################################################################################ + +output "domain_arn" { + description = "The Amazon Resource Name (ARN) of the domain" + value = module.opensearch.domain_arn +} + +output "domain_id" { + description = "The unique identifier for the domain" + value = module.opensearch.domain_id +} + +output "domain_endpoint" { + description = "Domain-specific endpoint used to submit index, search, and data upload requests" + value = module.opensearch.domain_endpoint +} + +output "domain_dashboard_endpoint" { + description = "Domain-specific endpoint for Dashboard without https scheme" + value = module.opensearch.domain_dashboard_endpoint +} + +################################################################################ +# Package Association(s) +################################################################################ + +output "package_associations" { + description = "Map of package associations created and their attributes" + value = module.opensearch.package_associations +} + +################################################################################ +# VPC Endpoint(s) +################################################################################ + +output "vpc_endpoints" { + description = "Map of VPC endpoints created and their attributes" + value = module.opensearch.vpc_endpoints +} + +################################################################################ +# Outbound Connections +################################################################################ + +output "outbound_connections" { + description = "Map of outbound connections created and their attributes" + value = module.opensearch.outbound_connections +} + +################################################################################ +# CloudWatch Log Groups 
+################################################################################ + +output "cloudwatch_logs" { + description = "Map of CloudWatch log groups created and their attributes" + value = module.opensearch.cloudwatch_logs +} + +################################################################################ +# Security Group +################################################################################ + +output "security_group_arn" { + description = "Amazon Resource Name (ARN) of the security group" + value = module.opensearch.security_group_arn +} + +output "security_group_id" { + description = "ID of the security group" + value = module.opensearch.security_group_id +} diff --git a/examples/amazon-opensearch-domain/readme.md b/examples/amazon-opensearch-domain/readme.md new file mode 100644 index 00000000..93e10e0e --- /dev/null +++ b/examples/amazon-opensearch-domain/readme.md @@ -0,0 +1,4 @@ +# Amazon OpenSearch Domain Setup + +This example creates an Amazon OpenSearch domain. + diff --git a/examples/amazon-opensearch-domain/user_data.sh b/examples/amazon-opensearch-domain/user_data.sh new file mode 100644 index 00000000..8b3c2fa2 --- /dev/null +++ b/examples/amazon-opensearch-domain/user_data.sh 
@@ -0,0 +1,45 @@
+#!/bin/bash
+yum update -y
+yum install jq -y
+yum install nginx.x86_64 -y
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt -subj /C=US/ST=./L=./O=./CN=.\n
+
+cat << EOF > /etc/nginx/conf.d/nginx_opensearch.conf
+server {
+ listen 443;
+ server_name \$host;
+ rewrite ^/$ https://\$host/_dashboards redirect;
+
+ # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt -subj /C=US/ST=./L=./O=./CN=.\n
+ ssl_certificate /etc/nginx/cert.crt;
+ ssl_certificate_key /etc/nginx/cert.key;
+
+ ssl on;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+ ssl_prefer_server_ciphers on;
+
+
+ location ^~ /_dashboards {
+ # Forward requests to OpenSearch Dashboards
+ proxy_pass https://DOMAIN_ENDPOINT/_dashboards;
+
+ # Update cookie domain and path
+ proxy_cookie_domain DOMAIN_ENDPOINT \$host;
+
+ proxy_set_header Accept-Encoding "";
+ sub_filter_types *;
+ sub_filter DOMAIN_ENDPOINT \$host;
+ sub_filter_once off;
+
+ # Response buffer settings
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+ }
+}
+EOF
+sed -i -e "s/DOMAIN_ENDPOINT/${os_domain}/g" /etc/nginx/conf.d/nginx_opensearch.conf
+systemctl restart nginx.service
+systemctl enable nginx.service
\ No newline at end of file
diff --git a/examples/amazon-opensearch-domain/variables.tf b/examples/amazon-opensearch-domain/variables.tf
new file mode 100644
index 00000000..8b72e09c
--- /dev/null
+++ b/examples/amazon-opensearch-domain/variables.tf
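Review bot: The nginx config written by the heredoc enables `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;`, so the internet-facing proxy accepts protocol versions that the domain itself refuses through `Policy-Min-TLS-1-2-2019-07`; it should be `ssl_protocols TLSv1.2 TLSv1.3;`, and `ssl on;` is the removed directive form whose supported spelling is `listen 443 ssl;`. The `proxy_pass https://DOMAIN_ENDPOINT/...` upstream is not verified (nginx defaults to `proxy_ssl_verify off`), which is tolerable inside the VPC but should be a deliberate choice, so I would turn verification on with the system CA bundle. The `-subj .../CN=.\n` argument is unquoted, so bash drops the backslash and the CN becomes `.n`; the trailing `\n` should simply go, and a comment noting that the certificate is self-signed and browsers will warn would save users a puzzled first visit.
```shell
# … unchanged: package install and self-signed certificate generation …
cat << EOF > /etc/nginx/conf.d/nginx_opensearch.conf
server {
    listen 443 ssl;
    # … unchanged: server_name, rewrite, certificate paths …
    ssl_protocols TLSv1.2 TLSv1.3;
    # … unchanged: session cache, ciphers …

    location ^~ /_dashboards {
        proxy_pass https://DOMAIN_ENDPOINT/_dashboards;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
        # … unchanged: cookie rewrite, sub_filter, buffer settings …
    }
}
EOF
```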
@@ -0,0 +1,35 @@
+variable "aws_region" {
+ description = "AWS Region"
+ type = string
+}
+
+variable "vpc_id" {
+ description = "EKS cluster VPC Id"
+ type = string
+}
+
+variable "private_subnet_id" {
+ description = "One of the EKS cluster private subnets"
+ type = string
+}
+
+variable "public_subnet_id" {
+ description = "One of the EKS cluster public subnets"
+ type = string
+}
+
+variable "master_user_name" {
+ description = "OpenSearch domain user name"
+ type = string
+}
+variable "master_user_password" {
+ description = "OpenSearch domain password"
+ type = string
+ sensitive = true
+}
+
+variable "reverse_proxy_client_ip" {
+ description = "CIDR block to grant access for OpenSearch reverse proxy"
+ type = string
+ default = "127.0.0.1/32"
+}
diff --git a/examples/amazon-opensearch-domain/versions.tf b/examples/amazon-opensearch-domain/versions.tf
new file mode 100644
index 00000000..f09cdf67
--- /dev/null
+++ b/examples/amazon-opensearch-domain/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_version = ">= 1.3.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.0.0"
+ }
+ }
+
+}
From f91ecb9d08b54ca6ab170968dc1c51928d80e875 Mon Sep 17 00:00:00 2001
From: Lucas Vieira Date: Tue, 1 Oct 2024 21:59:25 -0300 Subject: [PATCH 04/28] Add eks opensearch monitoring example --- .../README.md | 70 ++++++++++++++++ .../cleanup.sh | 31 +++++++ .../install.sh | 32 +++++++ .../main.tf | 83 +++++++++++++++++++ .../outputs.tf | 24 ++++++ .../variables.tf | 50 +++++++++++ .../versions.tf | 30 +++++++ 7 files changed, 320 insertions(+) create mode 100644 examples/existing-cluster-with-base-and-infra-opensearch/README.md create mode 100755 examples/existing-cluster-with-base-and-infra-opensearch/cleanup.sh create mode 100755 examples/existing-cluster-with-base-and-infra-opensearch/install.sh create mode 100644 examples/existing-cluster-with-base-and-infra-opensearch/main.tf create mode 100644 examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf create mode 100644 examples/existing-cluster-with-base-and-infra-opensearch/variables.tf create mode 100644 examples/existing-cluster-with-base-and-infra-opensearch/versions.tf diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/README.md b/examples/existing-cluster-with-base-and-infra-opensearch/README.md new file mode 100644 index 00000000..fee9b26b --- /dev/null +++ b/examples/existing-cluster-with-base-and-infra-opensearch/README.md 
@@ -0,0 +1,70 @@ +# Existing Cluster with the AWS Observability accelerator EKS Infrastructure monitoring and OpenSearch logs + +This example demonstrates how to use the AWS Observability Accelerator Terraform +modules with Infrastructure monitoring enabled. +The current example deploys the [AWS Distro for OpenTelemetry Operator](https://docs.aws.amazon.com/eks/latest/userguide/opentelemetry.html) +for Amazon EKS with its requirements and make use of an existing Amazon Managed Grafana workspace. +It creates a new Amazon Managed Service for Prometheus workspace unless provided with an existing one to reuse. + +It uses the `EKS monitoring` [module](../../modules/eks-monitoring/) +to provide an existing EKS cluster with an OpenTelemetry collector, +curated Grafana dashboards, Prometheus alerting and recording rules with multiple +configuration options on the cluster infrastructure. + +In addition, logs are shipped to an OpenSearch domain. + +View the full documentation for this example [here](https://aws-observability.github.io/terraform-aws-observability-accelerator/eks/) + + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.1.0 | +| [aws](#requirement\_aws) | >= 4.0.0 | +| [helm](#requirement\_helm) | >= 2.4.1 | +| [kubectl](#requirement\_kubectl) | >= 2.0.3 | +| [kubernetes](#requirement\_kubernetes) | >= 2.10 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [eks\_monitoring](#module\_eks\_monitoring) | ../../modules/eks-monitoring | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| 
[aws_grafana_workspace.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/grafana_workspace) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_region](#input\_aws\_region) | AWS Region | `string` | n/a | yes | +| [eks\_cluster\_id](#input\_eks\_cluster\_id) | Name of the EKS cluster | `string` | `"eks-cluster-with-vpc"` | no | +| [enable\_dashboards](#input\_enable\_dashboards) | Enables or disables curated dashboards. Dashboards are managed by the Grafana Operator | `bool` | `true` | no | +| [grafana\_api\_key](#input\_grafana\_api\_key) | API key for authorizing the Grafana provider to make changes to Amazon Managed Grafana | `string` | n/a | yes | +| [managed\_grafana\_workspace\_id](#input\_managed\_grafana\_workspace\_id) | Amazon Managed Grafana Workspace ID | `string` | n/a | yes | +| [managed\_prometheus\_workspace\_id](#input\_managed\_prometheus\_workspace\_id) | Amazon Managed Service for Prometheus Workspace ID | `string` | `""` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [eks\_cluster\_id](#output\_eks\_cluster\_id) | EKS Cluster Id | +| [eks\_cluster\_version](#output\_eks\_cluster\_version) | EKS Cluster version | +| [managed\_prometheus\_workspace\_endpoint](#output\_managed\_prometheus\_workspace\_endpoint) | Amazon Managed Prometheus workspace endpoint | +| [managed\_prometheus\_workspace\_id](#output\_managed\_prometheus\_workspace\_id) | Amazon Managed Prometheus workspace ID | +| [managed\_prometheus\_workspace\_region](#output\_managed\_prometheus\_workspace\_region) | AWS Region | + diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/cleanup.sh b/examples/existing-cluster-with-base-and-infra-opensearch/cleanup.sh new file mode 100755 index 00000000..1c9402ae --- /dev/null +++ b/examples/existing-cluster-with-base-and-infra-opensearch/cleanup.sh 
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -o errexit
+set -o pipefail
+
+read -p "Enter the region: " region
+export AWS_DEFAULT_REGION=$region
+
+targets=(
+"module.eks_monitoring"
+)
+
+for target in "${targets[@]}"
+do
+ terraform destroy -target="$target" -auto-approve
+ destroy_output=$(terraform destroy -target="$target" -auto-approve 2>&1)
+ if [[ $? -eq 0 && $destroy_output == *"Destroy complete!"* ]]; then
+ echo "SUCCESS: Terraform destroy of $target completed successfully"
+ else
+ echo "FAILED: Terraform destroy of $target failed"
+ exit 1
+ fi
+done
+
+terraform destroy -auto-approve
+destroy_output=$(terraform destroy -auto-approve 2>&1)
+if [[ $? -eq 0 && $destroy_output == *"Destroy complete!"* ]]; then
+ echo "SUCCESS: Terraform destroy of all targets completed successfully"
+else
+ echo "FAILED: Terraform destroy of all targets failed"
+ exit 1
+fi
diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/install.sh b/examples/existing-cluster-with-base-and-infra-opensearch/install.sh
new file mode 100755
index 00000000..a94380b6
--- /dev/null
+++ b/examples/existing-cluster-with-base-and-infra-opensearch/install.sh
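Review bot: Each destroy in this script runs twice — the bare `terraform destroy -target="$target" -auto-approve` is followed by the same command captured into `destroy_output`, and the final `terraform destroy -auto-approve` is likewise duplicated — and because `set -o errexit` is in force, a failing first run aborts the script before the `if` is ever evaluated, so the `FAILED` branches are unreachable. Delete the two bare `terraform destroy` lines and fold the status check into the condition, e.g. `if destroy_output=$(terraform destroy -target="$target" -auto-approve 2>&1) && [[ $destroy_output == *"Destroy complete!"* ]]; then`, which works with errexit instead of against it. Capturing `2>&1` also hides Terraform's output from the operator until the end; echoing `$destroy_output` in the failure branch would at least show why a destroy failed.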
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+echo "Initializing ..."
+terraform init || echo "\"terraform init\" failed"
+
+# List of Terraform modules to apply in sequence
+targets=(
+ "module.eks_monitoring"
+)
+
+# Apply modules in sequence
+for target in "${targets[@]}"
+do
+ echo "Applying module $target..."
+ apply_output=$(terraform apply -target="$target" -auto-approve 2>&1 | tee /dev/tty)
+ if [[ ${PIPESTATUS[0]} -eq 0 && $apply_output == *"Apply complete"* ]]; then
+ echo "SUCCESS: Terraform apply of $target completed successfully"
+ else
+ echo "FAILED: Terraform apply of $target failed"
+ exit 1
+ fi
+done
+
+# Final apply to catch any remaining resources
+echo "Applying remaining resources..."
+apply_output=$(terraform apply -auto-approve 2>&1 | tee /dev/tty)
+if [[ ${PIPESTATUS[0]} -eq 0 && $apply_output == *"Apply complete"* ]]; then
+ echo "SUCCESS: Terraform apply of all modules completed successfully"
+else
+ echo "FAILED: Terraform apply of all modules failed"
+ exit 1
+fi
diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/main.tf b/examples/existing-cluster-with-base-and-infra-opensearch/main.tf
new file mode 100644
index 00000000..1be75ed1
--- /dev/null
+++ b/examples/existing-cluster-with-base-and-infra-opensearch/main.tf
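Review bot: `terraform init || echo "\"terraform init\" failed"` prints a message and carries on, so a failed init (bad backend, missing provider) is followed by `terraform apply -auto-approve` against a half-initialised working directory; it should be `terraform init || { echo "\"terraform init\" failed" >&2; exit 1; }`. The `${PIPESTATUS[0]}` check does not do what it appears to: the pipeline runs inside the `$(...)` substitution, and in the parent shell `PIPESTATUS` reflects the assignment, i.e. `tee`'s status, so only the `"Apply complete"` substring match actually detects a failed apply — adding `set -o pipefail` (as cleanup.sh does) and testing `$?` of the assignment is the reliable form. `tee /dev/tty` will also fail where there is no controlling terminal, such as CI, so `tee /dev/stderr` is the safer target.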
@@ -0,0 +1,83 @@
+provider "aws" {
+ region = local.region
+}
+
+data "aws_eks_cluster_auth" "this" {
+ name = var.eks_cluster_id
+}
+
+data "aws_eks_cluster" "this" {
+ name = var.eks_cluster_id
+}
+
+data "aws_grafana_workspace" "this" {
+ workspace_id = var.managed_grafana_workspace_id
+}
+
+provider "kubernetes" {
+ host = local.eks_cluster_endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
+ token = data.aws_eks_cluster_auth.this.token
+}
+
+provider "helm" {
+ kubernetes {
+ host = local.eks_cluster_endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
+ token = data.aws_eks_cluster_auth.this.token
+ }
+}
+
+locals {
+ region = var.aws_region
+ eks_cluster_endpoint = data.aws_eks_cluster.this.endpoint
+ create_new_workspace = var.managed_prometheus_workspace_id == "" ? true : false
+ tags = {
+ Source = "github.com/aws-observability/terraform-aws-observability-accelerator"
+ }
+}
+
+module "eks_monitoring" {
+ source = "../../modules/eks-monitoring"
+ # source = "github.com/aws-observability/terraform-aws-observability-accelerator//modules/eks-monitoring?ref=v2.0.0"
+
+ eks_cluster_id = var.eks_cluster_id
+
+ # deploys AWS Distro for OpenTelemetry operator into the cluster
+ enable_amazon_eks_adot = true
+
+ # reusing existing certificate manager? defaults to true
+ enable_cert_manager = true
+
+ # enable EKS API server monitoring
+ enable_apiserver_monitoring = true
+
+ # deploys external-secrets in to the cluster
+ enable_external_secrets = true
+ grafana_api_key = var.grafana_api_key
+ target_secret_name = "grafana-admin-credentials"
+ target_secret_namespace = "grafana-operator"
+ grafana_url = "https://${data.aws_grafana_workspace.this.endpoint}"
+
+ # control the publishing of dashboards by specifying the boolean value for the variable 'enable_dashboards', default is 'true'
+ enable_dashboards = var.enable_dashboards
+
+ # creates a new Amazon Managed Prometheus workspace, defaults to true
+ enable_managed_prometheus = local.create_new_workspace
+ managed_prometheus_workspace_id = var.managed_prometheus_workspace_id
+
+ # sets up the Amazon Managed Prometheus alert manager at the workspace level
+ enable_alertmanager = true
+
+ # optional, defaults to 60s interval and 15s timeout
+ prometheus_config = {
+ global_scrape_interval = "60s"
+ global_scrape_timeout = "15s"
+ }
+
+ enable_logs = true
+ os_logs_enabled = true
+ os_logs_host = var.os_logs_host
+
+ tags = local.tags
+}
diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf b/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf
new file mode 100644
index 00000000..e14427e3
--- /dev/null
+++ b/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf
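Review bot: `os_logs_enabled = true` is hard-coded while the `var.os_logs_host` it feeds is declared with `default = ""` in the example's variables.tf, so a plain `terraform apply` renders a FluentBit OpenSearch output with no host and the failure only shows up in the fluent-bit pod logs. Either drop that default so the host is a required input, or derive the switch, `os_logs_enabled = var.os_logs_host != ""`, so the output exists only when there is somewhere to send it. CloudWatch log shipping also stays on here: the `cw_logs_enabled` switch added to the add-on in the first patch is not passed through by the `modules/eks-monitoring/main.tf` hunk (which forwards only the `os_logs_*` inputs), so as far as this series shows, the example ships every log line to both destinations with no way to opt out; plumbing `cw_logs_enabled` through the root module, or at least saying so in the README, would make the cost explicit.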
@@ -0,0 +1,24 @@ +output "managed_prometheus_workspace_region" { + description = "AWS Region" + value = module.eks_monitoring.managed_prometheus_workspace_region +} + +output "managed_prometheus_workspace_endpoint" { + description = "Amazon Managed Prometheus workspace endpoint" + value = module.eks_monitoring.managed_prometheus_workspace_endpoint +} + +output "managed_prometheus_workspace_id" { + description = "Amazon Managed Prometheus workspace ID" + value = module.eks_monitoring.managed_prometheus_workspace_id +} + +output "eks_cluster_version" { + description = "EKS Cluster version" + value = module.eks_monitoring.eks_cluster_version +} + +output "eks_cluster_id" { + description = "EKS Cluster Id" + value = module.eks_monitoring.eks_cluster_id +} diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/variables.tf b/examples/existing-cluster-with-base-and-infra-opensearch/variables.tf new file mode 100644 index 00000000..9f6de39f --- /dev/null +++ b/examples/existing-cluster-with-base-and-infra-opensearch/variables.tf 
@@ -0,0 +1,50 @@
+variable "eks_cluster_id" {
+ description = "Name of the EKS cluster"
+ type = string
+ default = "eks-cluster-with-vpc"
+}
+
+variable "aws_region" {
+ description = "AWS Region"
+ type = string
+}
+
+variable "managed_prometheus_workspace_id" {
+ description = "Amazon Managed Service for Prometheus Workspace ID"
+ type = string
+ default = ""
+}
+
+variable "managed_grafana_workspace_id" {
+ description = "Amazon Managed Grafana Workspace ID"
+ type = string
+}
+
+variable "grafana_api_key" {
+ description = "API key for authorizing the Grafana provider to make changes to Amazon Managed Grafana"
+ type = string
+ sensitive = true
+}
+
+variable "enable_dashboards" {
+ description = "Enables or disables curated dashboards. Dashboards are managed by the Grafana Operator"
+ type = bool
+ default = true
+}
+
+variable "os_logs_host" {
+ description = "OpenSearch domain URL for logs"
+ type = string
+ default = ""
+}
+
+variable "os_logs_username" {
+ description = "OpenSearch domain username"
+ type = string
+}
+
+variable "os_logs_password" {
+ description = "OpenSearch domain password"
+ type = string
+ sensitive = true
+}
diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/versions.tf b/examples/existing-cluster-with-base-and-infra-opensearch/versions.tf
new file mode 100644
index 00000000..55281dba
--- /dev/null
+++ b/examples/existing-cluster-with-base-and-infra-opensearch/versions.tf
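Review bot: `os_logs_username` and `os_logs_password` are declared as required inputs (no default) but nothing in the example consumes them — `module.eks_monitoring` in main.tf passes only `os_logs_host`, and the add-on hunks in this series expose no username or password input, with FluentBit expected to authenticate through its IRSA role instead. Every user is therefore made to supply a password that lands in `terraform.tfvars` and state for no purpose, which is a secret-handling liability as much as a usability one; remove both variables, or if basic auth is the intent, wire them through via a Kubernetes secret rather than Helm values. `os_logs_host` is described as a "domain URL" while the add-on interpolates it straight into FluentBit's `host:` field, which takes a bare hostname; `description = "OpenSearch domain endpoint hostname (no scheme) FluentBit ships logs to"` would stop `https://…` being pasted in.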
@@ -0,0 +1,30 @@ +terraform { + required_version = ">= 1.1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.10" + } + kubectl = { + source = "alekc/kubectl" + version = ">= 2.0.3" + } + helm = { + source = "hashicorp/helm" + version = ">= 2.4.1" + } + } + + # ## Used for end-to-end testing on project; update to suit your needs + # backend "s3" { + # bucket = "aws-observability-accelerator-terraform-states" + # region = "us-west-2" + # key = "e2e/existing-cluster-with-base-and-infra/terraform.tfstate" + # } + +} From 91627fd13adfa4fbf67503df72486162f9df1ca3 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Wed, 2 Oct 2024 13:55:56 -0300 Subject: [PATCH 05/28] Add outputs and instructions to allow fluentbit writing to opensearch --- examples/amazon-opensearch-domain/outputs.tf | 18 ------------------ .../README.md | 14 ++++++++++++++ .../outputs.tf | 5 +++++ modules/eks-monitoring/outputs.tf | 5 +++++ 4 files changed, 24 insertions(+), 18 deletions(-) diff --git a/examples/amazon-opensearch-domain/outputs.tf b/examples/amazon-opensearch-domain/outputs.tf index e5d300d9..43b7c3fd 100644 --- a/examples/amazon-opensearch-domain/outputs.tf +++ b/examples/amazon-opensearch-domain/outputs.tf @@ -22,15 +22,6 @@ output "domain_dashboard_endpoint" { value = module.opensearch.domain_dashboard_endpoint } -################################################################################ -# Package Association(s) -################################################################################ - -output "package_associations" { - description = "Map of package associations created and their attributes" - value = module.opensearch.package_associations -} - ################################################################################ # VPC Endpoint(s) ################################################################################ 
@@ -40,15 +31,6 @@ output "vpc_endpoints" { value = module.opensearch.vpc_endpoints } -################################################################################ -# Outbound Connections -################################################################################ - -output "outbound_connections" { - description = "Map of outbound connections created and their attributes" - value = module.opensearch.outbound_connections -} - ################################################################################ # CloudWatch Log Groups ################################################################################ diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/README.md b/examples/existing-cluster-with-base-and-infra-opensearch/README.md index fee9b26b..4405f654 100644 --- a/examples/existing-cluster-with-base-and-infra-opensearch/README.md +++ b/examples/existing-cluster-with-base-and-infra-opensearch/README.md @@ -13,6 +13,20 @@ configuration options on the cluster infrastructure. In addition, logs are shipped to an OpenSearch domain. +## Allow FluentBit to send logs to OpenSearch + +After provisioning the example, get the FluentBit IAM role: + +``` +terraform output -json | jq -r '.fluentbit_irsa_arn.value' +``` + +Access the OpenSearch dashboards directly or using a proxy and add the IAM Role as a +backend role to the desired role. Althought the `all_access` role will work, it is +safer to restrict access in production environments. Check the +[service documentation](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html) +for more information. + View the full documentation for this example [here](https://aws-observability.github.io/terraform-aws-observability-accelerator/eks/) diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf b/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf index e14427e3..0812c552 100644 
--- a/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf +++ b/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf @@ -22,3 +22,8 @@ output "eks_cluster_id" { description = "EKS Cluster Id" value = module.eks_monitoring.eks_cluster_id } + +output "fluentbit_irsa_arn" { + description = "IRSA Arn for FluentBit" + value = module.eks_monitoring.fluentbit_irsa_arn +} \ No newline at end of file diff --git a/modules/eks-monitoring/outputs.tf b/modules/eks-monitoring/outputs.tf index 38027fae..00be5761 100644 --- a/modules/eks-monitoring/outputs.tf +++ b/modules/eks-monitoring/outputs.tf @@ -13,6 +13,11 @@ output "adot_irsa_arn" { value = module.helm_addon.irsa_arn } +output "fluentbit_irsa_arn" { + description = "IRSA Arn for FluentBit" + value = var.enable_logs ? module.fluentbit_logs[0].irsa_arn : "" +} + output "managed_prometheus_workspace_endpoint" { description = "Amazon Managed Prometheus workspace endpoint" value = local.managed_prometheus_workspace_endpoint From 5e2fd2f24d6fa9f01aae01fa41ee6cc75a92c880 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Wed, 2 Oct 2024 14:02:48 -0300 Subject: [PATCH 06/28] Document opensearch inputs --- .../README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/README.md b/examples/existing-cluster-with-base-and-infra-opensearch/README.md index 4405f654..3eca2a85 100644 --- a/examples/existing-cluster-with-base-and-infra-opensearch/README.md +++ b/examples/existing-cluster-with-base-and-infra-opensearch/README.md 
@@ -71,6 +71,9 @@ View the full documentation for this example [here](https://aws-observability.gi | [grafana\_api\_key](#input\_grafana\_api\_key) | API key for authorizing the Grafana provider to make changes to Amazon Managed Grafana | `string` | n/a | yes | | [managed\_grafana\_workspace\_id](#input\_managed\_grafana\_workspace\_id) | Amazon Managed Grafana Workspace ID | `string` | n/a | yes | | [managed\_prometheus\_workspace\_id](#input\_managed\_prometheus\_workspace\_id) | Amazon Managed Service for Prometheus Workspace ID | `string` | `""` | no | +| [os\_logs\_host](#input\_os\_logs\_host) | Amazon Opensearch host | `string` | `""` | yes | +| [os\_logs\_username](#input\_os\_logs\_username) | Amazon Opensearch master username | `string` | `""` | yes | +| [os\_logs\_password](#input\_os\_logs\_password) | Amazon Opensearch password | `string` | `""` | yes | ## Outputs @@ -81,4 +84,6 @@ View the full documentation for this example [here](https://aws-observability.gi | [managed\_prometheus\_workspace\_endpoint](#output\_managed\_prometheus\_workspace\_endpoint) | Amazon Managed Prometheus workspace endpoint | | [managed\_prometheus\_workspace\_id](#output\_managed\_prometheus\_workspace\_id) | Amazon Managed Prometheus workspace ID | | [managed\_prometheus\_workspace\_region](#output\_managed\_prometheus\_workspace\_region) | AWS Region | +| [managed\_fluentbit\_irsa\_arn](#output\_managed\_fluentbit\_irsa\_arn) | FluentBit IAM Role ARN | + From 89f085cfc63d35706304f846ffccd02308982f0e Mon Sep 17 00:00:00 2001 
From: Lucas Vieira Date: Wed, 2 Oct 2024 14:42:07 -0300 Subject: [PATCH 07/28] Add OpenSearch related information to README files --- examples/amazon-opensearch-domain/ec2.tf | 28 +++++++++---------- examples/amazon-opensearch-domain/main.tf | 10 +++---- examples/amazon-opensearch-domain/readme.md | 1 - .../amazon-opensearch-domain/user_data.sh | 4 +-- .../README.md | 11 ++++---- .../main.tf | 4 +-- .../outputs.tf | 2 +- modules/eks-monitoring/README.md | 1 + .../add-ons/aws-for-fluentbit/README.md | 4 +++ 9 files changed, 34 insertions(+), 31 deletions(-) diff --git a/examples/amazon-opensearch-domain/ec2.tf b/examples/amazon-opensearch-domain/ec2.tf index 6ea6f784..c7490fa8 100644 --- a/examples/amazon-opensearch-domain/ec2.tf +++ b/examples/amazon-opensearch-domain/ec2.tf @@ -1,6 +1,6 @@ data "aws_ami" "reverse_proxy" { - most_recent = true - owners = ["amazon"] + most_recent = true + owners = ["amazon"] filter { name = "name" 
@@ -43,19 +43,19 @@ resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" { } resource "aws_launch_configuration" "reverse_proxy" { - name = "reverse_proxy" - image_id = data.aws_ami.reverse_proxy.id - instance_type = "t2.medium" + name = "reverse_proxy" + image_id = data.aws_ami.reverse_proxy.id + instance_type = "t2.medium" associate_public_ip_address = true - user_data = templatefile("${path.module}/user_data.sh", {os_domain = module.opensearch.domain_endpoint}) - security_groups = [aws_security_group.reverse_proxy.id] + user_data = templatefile("${path.module}/user_data.sh", { os_domain = module.opensearch.domain_endpoint }) + security_groups = [aws_security_group.reverse_proxy.id] } resource "aws_autoscaling_group" "reverse_proxy" { - name = "reverse_proxy" - max_size = 1 - min_size = 1 - desired_capacity = 1 - launch_configuration = aws_launch_configuration.reverse_proxy.name - vpc_zone_identifier = [local.public_subnet_id] -} \ No newline at end of file + name = "reverse_proxy" + max_size = 1 + min_size = 1 + desired_capacity = 1 + launch_configuration = aws_launch_configuration.reverse_proxy.name + vpc_zone_identifier = [local.public_subnet_id] +} diff --git a/examples/amazon-opensearch-domain/main.tf b/examples/amazon-opensearch-domain/main.tf index 551c0d74..49a50ab7 100644 --- a/examples/amazon-opensearch-domain/main.tf +++ b/examples/amazon-opensearch-domain/main.tf 
@@ -10,12 +10,12 @@ data "aws_vpc" "main" { locals { region = var.aws_region - name = "aws-o11y-accelerator" + name = "aws-o11y-accelerator" - vpc_cidr = data.aws_vpc.main.cidr_block - public_subnet_id = var.public_subnet_id - private_subnet_id = var.private_subnet_id - azs = slice(data.aws_availability_zones.available.names, 0, 3) + vpc_cidr = data.aws_vpc.main.cidr_block + public_subnet_id = var.public_subnet_id + private_subnet_id = var.private_subnet_id + azs = slice(data.aws_availability_zones.available.names, 0, 3) reverse_proxy_client_ip = var.reverse_proxy_client_ip tags = { diff --git a/examples/amazon-opensearch-domain/readme.md b/examples/amazon-opensearch-domain/readme.md index 93e10e0e..61718eff 100644 --- a/examples/amazon-opensearch-domain/readme.md +++ b/examples/amazon-opensearch-domain/readme.md @@ -1,4 +1,3 @@ # Amazon OpenSearch Domain Setup This example creates an Amazon OpenSearch domain. - diff --git a/examples/amazon-opensearch-domain/user_data.sh b/examples/amazon-opensearch-domain/user_data.sh index 8b3c2fa2..e53fe959 100644 --- a/examples/amazon-opensearch-domain/user_data.sh +++ b/examples/amazon-opensearch-domain/user_data.sh @@ -38,8 +38,8 @@ server { proxy_buffers 4 256k; proxy_busy_buffers_size 256k; } -} +} EOF sed -i -e "s/DOMAIN_ENDPOINT/${os_domain}/g" /etc/nginx/conf.d/nginx_opensearch.conf systemctl restart nginx.service -systemctl enable nginx.service \ No newline at end of file +systemctl enable nginx.service diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/README.md b/examples/existing-cluster-with-base-and-infra-opensearch/README.md index 3eca2a85..4875b71b 100644 --- a/examples/existing-cluster-with-base-and-infra-opensearch/README.md +++ b/examples/existing-cluster-with-base-and-infra-opensearch/README.md 
@@ -23,7 +23,7 @@ terraform output -json | jq -r '.fluentbit_irsa_arn.value' Access the OpenSearch dashboards directly or using a proxy and add the IAM Role as a backend role to the desired role. Althought the `all_access` role will work, it is -safer to restrict access in production environments. Check the +safer to restrict access in production environments. Check the [service documentation](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html) for more information. @@ -71,9 +71,9 @@ View the full documentation for this example [here](https://aws-observability.gi | [grafana\_api\_key](#input\_grafana\_api\_key) | API key for authorizing the Grafana provider to make changes to Amazon Managed Grafana | `string` | n/a | yes | | [managed\_grafana\_workspace\_id](#input\_managed\_grafana\_workspace\_id) | Amazon Managed Grafana Workspace ID | `string` | n/a | yes | | [managed\_prometheus\_workspace\_id](#input\_managed\_prometheus\_workspace\_id) | Amazon Managed Service for Prometheus Workspace ID | `string` | `""` | no | -| [os\_logs\_host](#input\_os\_logs\_host) | Amazon Opensearch host | `string` | `""` | yes | -| [os\_logs\_username](#input\_os\_logs\_username) | Amazon Opensearch master username | `string` | `""` | yes | -| [os\_logs\_password](#input\_os\_logs\_password) | Amazon Opensearch password | `string` | `""` | yes | +| [os\_logs\_host](#input\_os\_logs\_host) | OpenSearch domain URL for logs | `string` | `""` | no | +| [os\_logs\_password](#input\_os\_logs\_password) | OpenSearch domain password | `string` | n/a | yes | +| [os\_logs\_username](#input\_os\_logs\_username) | OpenSearch domain username | `string` | n/a | yes | ## Outputs 
@@ -81,9 +81,8 @@ View the full documentation for this example [here](https://aws-observability.gi |------|-------------| | [eks\_cluster\_id](#output\_eks\_cluster\_id) | EKS Cluster Id | | [eks\_cluster\_version](#output\_eks\_cluster\_version) | EKS Cluster version | +| [fluentbit\_irsa\_arn](#output\_fluentbit\_irsa\_arn) | IRSA Arn for FluentBit | | [managed\_prometheus\_workspace\_endpoint](#output\_managed\_prometheus\_workspace\_endpoint) | Amazon Managed Prometheus workspace endpoint | | [managed\_prometheus\_workspace\_id](#output\_managed\_prometheus\_workspace\_id) | Amazon Managed Prometheus workspace ID | | [managed\_prometheus\_workspace\_region](#output\_managed\_prometheus\_workspace\_region) | AWS Region | -| [managed\_fluentbit\_irsa\_arn](#output\_managed\_fluentbit\_irsa\_arn) | FluentBit IAM Role ARN | - diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/main.tf b/examples/existing-cluster-with-base-and-infra-opensearch/main.tf index 1be75ed1..3e7810ee 100644 --- a/examples/existing-cluster-with-base-and-infra-opensearch/main.tf +++ b/examples/existing-cluster-with-base-and-infra-opensearch/main.tf @@ -75,9 +75,9 @@ module "eks_monitoring" { global_scrape_timeout = "15s" } - enable_logs = true + enable_logs = true os_logs_enabled = true - os_logs_host = var.os_logs_host + os_logs_host = var.os_logs_host tags = local.tags } diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf b/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf index 0812c552..6712e58b 100644 --- a/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf +++ b/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf @@ -26,4 +26,4 @@ output "eks_cluster_id" { output "fluentbit_irsa_arn" { description = "IRSA Arn for FluentBit" value = module.eks_monitoring.fluentbit_irsa_arn -} \ No newline at end of file +} 
diff --git a/modules/eks-monitoring/README.md b/modules/eks-monitoring/README.md index 1c984667..06f799c8 100644 --- a/modules/eks-monitoring/README.md +++ b/modules/eks-monitoring/README.md @@ -144,6 +144,7 @@ See examples using this Terraform modules in the **Amazon EKS** section of [this | [adot\_irsa\_arn](#output\_adot\_irsa\_arn) | IRSA Arn for ADOT | | [eks\_cluster\_id](#output\_eks\_cluster\_id) | EKS Cluster Id | | [eks\_cluster\_version](#output\_eks\_cluster\_version) | EKS Cluster version | +| [fluentbit\_irsa\_arn](#output\_fluentbit\_irsa\_arn) | IRSA Arn for FluentBit | | [managed\_prometheus\_workspace\_endpoint](#output\_managed\_prometheus\_workspace\_endpoint) | Amazon Managed Prometheus workspace endpoint | | [managed\_prometheus\_workspace\_id](#output\_managed\_prometheus\_workspace\_id) | Amazon Managed Prometheus workspace ID | | [managed\_prometheus\_workspace\_region](#output\_managed\_prometheus\_workspace\_region) | Amazon Managed Prometheus workspace region | diff --git a/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md b/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md index 8b37ec6a..ae067221 100644 --- a/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md +++ b/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md @@ -39,9 +39,13 @@ See this [Helm Chart](https://github.com/aws/eks-charts/tree/master/stable/aws-f |------|-------------|------|---------|:--------:| | [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
})
| n/a | yes | | [cw\_log\_retention\_days](#input\_cw\_log\_retention\_days) | FluentBit CloudWatch Log group retention period | `number` | `90` | no | +| [cw\_logs\_enabled](#input\_cw\_logs\_enabled) | FluentBit CloudWatch Log enable | `bool` | `true` | no | | [helm\_config](#input\_helm\_config) | Helm provider config aws\_for\_fluent\_bit. | `any` | `{}` | no | | [irsa\_policies](#input\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no | | [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no | +| [os\_logs\_enabled](#input\_os\_logs\_enabled) | FluentBit OpenSearch enable | `bool` | `false` | no | +| [os\_logs\_host](#input\_os\_logs\_host) | FluentBit OpenSearch | `string` | `""` | no | +| [os\_logs\_index](#input\_os\_logs\_index) | FluentBit OpenSearch | `string` | `"observability-accelerator"` | no | | [refresh\_interval](#input\_refresh\_interval) | FluentBit input refresh interval | `number` | `60` | no | ## Outputs From 66a1ddb07b74197734335569cfb509cfb4192230 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Wed, 2 Oct 2024 14:46:58 -0300 Subject: [PATCH 08/28] Improve opensearch domain example readme --- examples/amazon-opensearch-domain/readme.md | 62 ++++++++++++++++++++- 1 file changed, 61 insertions(+), 1 deletion(-) diff --git a/examples/amazon-opensearch-domain/readme.md b/examples/amazon-opensearch-domain/readme.md index 61718eff..1df999e1 100644 --- a/examples/amazon-opensearch-domain/readme.md +++ b/examples/amazon-opensearch-domain/readme.md 
@@ -1,3 +1,63 @@ # Amazon OpenSearch Domain Setup -This example creates an Amazon OpenSearch domain. +This example creates an Amazon OpenSearch domain in the same VPC of the EKS cluster, +and a proxy instance to Amazon OpenSearch Dashboards, to allow access from outside of the VPC. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3.0 | +| [aws](#requirement\_aws) | >= 5.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.69.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [opensearch](#module\_opensearch) | terraform-aws-modules/opensearch/aws | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_autoscaling_group.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource | +| [aws_launch_configuration.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration) | resource | +| [aws_security_group.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_vpc_security_group_egress_rule.allow_all_traffic_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.reverse_proxy_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | +| [aws_ami.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type 
| Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_region](#input\_aws\_region) | AWS Region | `string` | n/a | yes | +| [master\_user\_name](#input\_master\_user\_name) | OpenSearch domain user name | `string` | n/a | yes | +| [master\_user\_password](#input\_master\_user\_password) | OpenSearch domain password | `string` | n/a | yes | +| [private\_subnet\_id](#input\_private\_subnet\_id) | One of the EKS cluster private subnets | `string` | n/a | yes | +| [public\_subnet\_id](#input\_public\_subnet\_id) | One of the EKS cluster public subnets | `string` | n/a | yes | +| [reverse\_proxy\_client\_ip](#input\_reverse\_proxy\_client\_ip) | CIDR block to grant access for OpenSearch reverse proxy | `string` | `"127.0.0.1/32"` | no | +| [vpc\_id](#input\_vpc\_id) | EKS cluster VPC Id | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [cloudwatch\_logs](#output\_cloudwatch\_logs) | Map of CloudWatch log groups created and their attributes | +| [domain\_arn](#output\_domain\_arn) | The Amazon Resource Name (ARN) of the domain | +| [domain\_dashboard\_endpoint](#output\_domain\_dashboard\_endpoint) | Domain-specific endpoint for Dashboard without https scheme | +| [domain\_endpoint](#output\_domain\_endpoint) | Domain-specific endpoint used to submit index, search, and data upload requests | +| [domain\_id](#output\_domain\_id) | The unique identifier for the domain | +| [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group | +| [security\_group\_id](#output\_security\_group\_id) | ID of the security group | +| [vpc\_endpoints](#output\_vpc\_endpoints) | Map of VPC endpoints created and their attributes | + From 1fb452886a7f664a51416e980f1356ff99309adf Mon Sep 17 00:00:00 2001 
From: Lucas Vieira Date: Wed, 2 Oct 2024 15:14:48 -0300 Subject: [PATCH 09/28] Rename oso example --- .../README.md | 0 .../cleanup.sh | 0 .../install.sh | 0 .../main.tf | 0 .../outputs.tf | 0 .../variables.tf | 0 .../versions.tf | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename examples/{existing-cluster-with-base-and-infra-opensearch => eks-managed-open-source-observability}/README.md (100%) rename examples/{existing-cluster-with-base-and-infra-opensearch => eks-managed-open-source-observability}/cleanup.sh (100%) rename examples/{existing-cluster-with-base-and-infra-opensearch => eks-managed-open-source-observability}/install.sh (100%) rename examples/{existing-cluster-with-base-and-infra-opensearch => eks-managed-open-source-observability}/main.tf (100%) rename examples/{existing-cluster-with-base-and-infra-opensearch => eks-managed-open-source-observability}/outputs.tf (100%) rename examples/{existing-cluster-with-base-and-infra-opensearch => eks-managed-open-source-observability}/variables.tf (100%) rename examples/{existing-cluster-with-base-and-infra-opensearch => eks-managed-open-source-observability}/versions.tf (100%) diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/README.md b/examples/eks-managed-open-source-observability/README.md similarity index 100% rename from examples/existing-cluster-with-base-and-infra-opensearch/README.md rename to examples/eks-managed-open-source-observability/README.md diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/cleanup.sh b/examples/eks-managed-open-source-observability/cleanup.sh similarity index 100% rename from examples/existing-cluster-with-base-and-infra-opensearch/cleanup.sh rename to examples/eks-managed-open-source-observability/cleanup.sh 
diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/install.sh b/examples/eks-managed-open-source-observability/install.sh similarity index 100% rename from examples/existing-cluster-with-base-and-infra-opensearch/install.sh rename to examples/eks-managed-open-source-observability/install.sh diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/main.tf b/examples/eks-managed-open-source-observability/main.tf similarity index 100% rename from examples/existing-cluster-with-base-and-infra-opensearch/main.tf rename to examples/eks-managed-open-source-observability/main.tf diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf b/examples/eks-managed-open-source-observability/outputs.tf similarity index 100% rename from examples/existing-cluster-with-base-and-infra-opensearch/outputs.tf rename to examples/eks-managed-open-source-observability/outputs.tf diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/variables.tf b/examples/eks-managed-open-source-observability/variables.tf similarity index 100% rename from examples/existing-cluster-with-base-and-infra-opensearch/variables.tf rename to examples/eks-managed-open-source-observability/variables.tf diff --git a/examples/existing-cluster-with-base-and-infra-opensearch/versions.tf b/examples/eks-managed-open-source-observability/versions.tf similarity index 100% rename from examples/existing-cluster-with-base-and-infra-opensearch/versions.tf rename to examples/eks-managed-open-source-observability/versions.tf From cc85b4caf456681af758534c697875241220ba4d Mon Sep 17 00:00:00 2001 
From: Lucas Vieira Date: Fri, 22 Nov 2024 11:47:15 -0300 Subject: [PATCH 10/28] Simplify variables --- examples/amazon-opensearch-domain/ec2.tf | 10 +++- examples/amazon-opensearch-domain/locals.tf | 11 ++++ examples/amazon-opensearch-domain/main.tf | 52 +++++++++++++++++-- .../amazon-opensearch-domain/opensearch.tf | 0 .../amazon-opensearch-domain/variables.tf | 26 ++++++---- 5 files changed, 84 insertions(+), 15 deletions(-) create mode 100644 examples/amazon-opensearch-domain/locals.tf delete mode 100644 examples/amazon-opensearch-domain/opensearch.tf diff --git a/examples/amazon-opensearch-domain/ec2.tf b/examples/amazon-opensearch-domain/ec2.tf index c7490fa8..ad23c2ab 100644 --- a/examples/amazon-opensearch-domain/ec2.tf +++ b/examples/amazon-opensearch-domain/ec2.tf @@ -43,19 +43,25 @@ resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" { } resource "aws_launch_configuration" "reverse_proxy" { - name = "reverse_proxy" +# name = "reverse_proxy" image_id = data.aws_ami.reverse_proxy.id instance_type = "t2.medium" associate_public_ip_address = true user_data = templatefile("${path.module}/user_data.sh", { os_domain = module.opensearch.domain_endpoint }) security_groups = [aws_security_group.reverse_proxy.id] + lifecycle { + create_before_destroy = true + } } resource "aws_autoscaling_group" "reverse_proxy" { - name = "reverse_proxy" + name = aws_launch_configuration.reverse_proxy.name max_size = 1 min_size = 1 desired_capacity = 1 launch_configuration = aws_launch_configuration.reverse_proxy.name vpc_zone_identifier = [local.public_subnet_id] + lifecycle { + create_before_destroy = true + } } diff --git a/examples/amazon-opensearch-domain/locals.tf b/examples/amazon-opensearch-domain/locals.tf new file mode 100644 index 00000000..8b062e96 --- /dev/null +++ b/examples/amazon-opensearch-domain/locals.tf 
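Review bot: The hunk leaves `# name = "reverse_proxy"` as commented-out dead code at the top of the launch configuration; delete the line rather than keep it, since the auto-generated name is now intentional and the ASG picks it up via `aws_launch_configuration.reverse_proxy.name`. More broadly, `aws_launch_configuration` is the legacy launch path that AWS no longer adds features to; an `aws_launch_template` would let the ASG roll new instances through `latest_version` without the new `name = aws_launch_configuration.reverse_proxy.name` coupling, which as written forces the whole auto scaling group to be replaced whenever the launch configuration changes. That replacement behaviour is presumably accepted for a single-instance example, but it is worth a one-line comment on the ASG so nobody copies the pattern into a real fleet.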
@@ -0,0 +1,11 @@
+resource "random_password" "opensearch_master_password" {
+ length = 16
+ special = true
+ override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+locals {
+ opensearch_master_user_name = var.master_user_name == "" ? "observability-accelerator" : var.master_user_name
+ opensearch_master_user_password = var.master_user_password == "" ? random_password.opensearch_master_password.result : var.master_user_password
+ availability_zone = var.availability_zone == "" ? "${var.aws_region}a" : var.availability_zone
+}
\ No newline at end of file
diff --git a/examples/amazon-opensearch-domain/main.tf b/examples/amazon-opensearch-domain/main.tf
index 49a50ab7..fe77ea76 100644
--- a/examples/amazon-opensearch-domain/main.tf
+++ b/examples/amazon-opensearch-domain/main.tf
@@ -8,13 +8,37 @@ data "aws_vpc" "main" {
 id = var.vpc_id
 }
+data "aws_subnet" "private_subnet" {
+ vpc_id = var.vpc_id
+ availability_zone = local.availability_zone
+ filter {
+ name = "tag:Name"
+ values = [
+ "*private*",
+ "*Private*"
+ ]
+ }
+}
+
+data "aws_subnet" "public_subnet" {
+ vpc_id = var.vpc_id
+ availability_zone = local.availability_zone
+ filter {
+ name = "tag:Name"
+ values = [
+ "*public*",
+ "*Public*"
+ ]
+ }
+}
+
 locals {
 region = var.aws_region
 name = "aws-o11y-accelerator"
 vpc_cidr = data.aws_vpc.main.cidr_block
- public_subnet_id = var.public_subnet_id
- private_subnet_id = var.private_subnet_id
+ public_subnet_id = data.aws_subnet.public_subnet.id
+ private_subnet_id = data.aws_subnet.private_subnet.id
 azs = slice(data.aws_availability_zones.available.names, 0, 3)
 reverse_proxy_client_ip = var.reverse_proxy_client_ip
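Review bot: `random_password.opensearch_master_password` sets only `length = 16` and `special = true`, which does not guarantee the generated value contains at least one uppercase letter, one lowercase letter, one digit and one special character — the password policy Amazon OpenSearch Service enforces for the fine-grained-access-control master user that main.tf enables with `internal_user_database_enabled = true`. A generated password that happens to miss a class makes domain creation fail intermittently, which is painful to debug in an example; add the per-class minimums. The `override_special` set also includes characters such as `<`, `>`, `&` and `$` that tend to need escaping when the password is pasted into shells or URLs, so a smaller set would reduce support noise.

```hcl
resource "random_password" "opensearch_master_password" {
  length           = 16
  special          = true
  min_upper        = 1
  min_lower        = 1
  min_numeric      = 1
  min_special      = 1
  override_special = "!#$%&*()-_=+[]{}<>:?"
}
```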
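Review bot: The new `data "aws_subnet"` lookups select a subnet by a wildcard `tag:Name` filter (`*private*`/`*Private*`, `*public*`/`*Public*`) within one AZ, and the data source errors when that matches more than one subnet or none, so the example now silently depends on the VPC's naming convention instead of the explicit `private_subnet_id`/`public_subnet_id` inputs it replaces. Keep those inputs as optional overrides (for example `default = ""` and a conditional in the locals) rather than leaving them commented out in variables.tf, and document the naming assumption in the readme. The `locals` block continues past the end of this hunk.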
@@ -24,6 +48,26 @@ locals { } } +resource "aws_ssm_parameter" "opensearch_master_user_name" { + name = "/terraform-accelerator/opensearch-master-user-name" + type = "SecureString" + value = local.opensearch_master_user_name + + tags = { + environment = "production" + } +} + +resource "aws_ssm_parameter" "opensearch_master_user_password" { + name = "/terraform-accelerator/opensearch/master-user-password" + type = "SecureString" + value = local.opensearch_master_user_password + + tags = { + environment = "production" + } +} + module "opensearch" { source = "terraform-aws-modules/opensearch/aws" @@ -38,8 +82,8 @@ module "opensearch" { internal_user_database_enabled = true master_user_options = { - master_user_name = var.master_user_name - master_user_password = var.master_user_password + master_user_name = local.opensearch_master_user_name + master_user_password = local.opensearch_master_user_password } } diff --git a/examples/amazon-opensearch-domain/opensearch.tf b/examples/amazon-opensearch-domain/opensearch.tf deleted file mode 100644 index e69de29b..00000000 diff --git a/examples/amazon-opensearch-domain/variables.tf b/examples/amazon-opensearch-domain/variables.tf index 8b72e09c..09a7b1f4 100644 --- a/examples/amazon-opensearch-domain/variables.tf +++ b/examples/amazon-opensearch-domain/variables.tf 
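Review bot: Both `aws_ssm_parameter` resources store the master credentials, but the password (and the `random_password` result that feeds it) also lands in plaintext in the Terraform state file regardless of `type = "SecureString"`, so this example needs an encrypted, access-restricted remote backend and the readme should say so. No `key_id` is set, so the parameters are encrypted with the account-default `aws/ssm` key; a customer-managed KMS key lets read access to the secret be scoped through the key policy. The two parameter names use different hierarchies (`/terraform-accelerator/opensearch-master-user-name` versus `/terraform-accelerator/opensearch/master-user-password`); putting both under `/terraform-accelerator/opensearch/` lets a single IAM path grant or deny both. The trailing context shows `module "opensearch"` with a `source` but no `version`, which is an unpinned supply-chain dependency for an example that is end-to-end tested; add a `version` constraint pinned to the release the example was validated against.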
@@ -8,28 +8,36 @@ variable "vpc_id" {
 type = string
 }
-variable "private_subnet_id" {
- description = "One of the EKS cluster private subnets"
- type = string
-}
+# variable "private_subnet_id" {
+# description = "One of the EKS cluster private subnets"
+# type = string
+# }
-variable "public_subnet_id" {
- description = "One of the EKS cluster public subnets"
- type = string
-}
+# variable "public_subnet_id" {
+# description = "One of the EKS cluster public subnets"
+# type = string
+# }
 variable "master_user_name" {
 description = "OpenSearch domain user name"
 type = string
+ default = ""
 }
 variable "master_user_password" {
 description = "OpenSearch domain password"
 type = string
 sensitive = true
+ default = ""
 }
 variable "reverse_proxy_client_ip" {
 description = "CIDR block to grant access for OpenSearch reverse proxy"
 type = string
- default = "127.0.0.1/32"
+ default = "0.0.0.0/0"
+}
+
+variable "availability_zone" {
+ description = "AZ where the example domain and its proxy instance will be created"
+ type = string
+ default = ""
 }
From 6d1fc0e3e89716f59e76d6b81f74cff23c76d947 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Fri, 22 Nov 2024 11:49:36 -0300 Subject: [PATCH 11/28] Update SSL configuration --- examples/amazon-opensearch-domain/user_data.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/examples/amazon-opensearch-domain/user_data.sh b/examples/amazon-opensearch-domain/user_data.sh
index e53fe959..3a98f1a9 100644
--- a/examples/amazon-opensearch-domain/user_data.sh
+++ b/examples/amazon-opensearch-domain/user_data.sh
@@ -6,7 +6,7 @@ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key
 cat << EOF > /etc/nginx/conf.d/nginx_opensearch.conf
 server {
- listen 443;
+ listen 443 ssl;
 server_name \$host;
 rewrite ^/$ https://\$host/_dashboards redirect;
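Review bot: Changing the `reverse_proxy_client_ip` default from `127.0.0.1/32` to `0.0.0.0/0` makes the example expose the OpenSearch Dashboards reverse proxy to the entire internet unless the caller remembers to override it, because that value feeds the proxy security group's ingress rule (`aws_vpc_security_group_ingress_rule.reverse_proxy_ipv4` per this example's readme) — a self-signed nginx in front of the domain's master-user login should not be open by default. Keep a safe default and make the caller opt in: restore `default = "127.0.0.1/32"` (or drop the default so Terraform prompts for it) and add a validation that rejects the all-zeros CIDR outright. The commented-out `private_subnet_id`/`public_subnet_id` blocks should be deleted rather than left as dead text.

```hcl
variable "reverse_proxy_client_ip" {
  description = "CIDR block to grant access for OpenSearch reverse proxy"
  type        = string
  default     = "127.0.0.1/32"

  validation {
    condition     = var.reverse_proxy_client_ip != "0.0.0.0/0"
    error_message = "reverse_proxy_client_ip must be restricted to the caller's CIDR; 0.0.0.0/0 exposes OpenSearch Dashboards to the internet."
  }
}
```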
@@ -14,7 +14,6 @@ server { ssl_certificate /etc/nginx/cert.crt; ssl_certificate_key /etc/nginx/cert.key; - ssl on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; From cdcb99700bef56542861a62f100cb7fbe1da0801 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Fri, 22 Nov 2024 11:49:36 -0300 Subject: [PATCH 12/28] Update SSL configuration --- examples/amazon-opensearch-domain/ec2.tf | 9 +++++++-- examples/amazon-opensearch-domain/locals.tf | 8 ++++---- examples/amazon-opensearch-domain/main.tf | 16 ++++++++-------- examples/amazon-opensearch-domain/readme.md | 17 +++++++++++------ 4 files changed, 30 insertions(+), 20 deletions(-) diff --git a/examples/amazon-opensearch-domain/ec2.tf b/examples/amazon-opensearch-domain/ec2.tf index ad23c2ab..0ab2a92d 100644 --- a/examples/amazon-opensearch-domain/ec2.tf +++ b/examples/amazon-opensearch-domain/ec2.tf @@ -43,12 +43,17 @@ resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" { } resource "aws_launch_configuration" "reverse_proxy" { -# name = "reverse_proxy" image_id = data.aws_ami.reverse_proxy.id instance_type = "t2.medium" - associate_public_ip_address = true + associate_public_ip_address = false user_data = templatefile("${path.module}/user_data.sh", { os_domain = module.opensearch.domain_endpoint }) security_groups = [aws_security_group.reverse_proxy.id] + root_block_device { + encrypted = true + } + metadata_options { + http_tokens = "required" + } lifecycle { create_before_destroy = true } diff --git a/examples/amazon-opensearch-domain/locals.tf b/examples/amazon-opensearch-domain/locals.tf index 8b062e96..e3a9a628 100644 --- a/examples/amazon-opensearch-domain/locals.tf +++ b/examples/amazon-opensearch-domain/locals.tf 
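Review bot: Removing `ssl on;` is the right fix for current nginx, but the TLS settings this hunk keeps as context still enable `TLSv1 TLSv1.1`, which are deprecated and which nginx builds on recent Amazon Linux may not even negotiate; since this proxy is the only thing between the internet and the Dashboards login, change that line to `ssl_protocols TLSv1.2 TLSv1.3;`. The `HIGH:!aNULL:...` cipher string also admits non-forward-secret RSA key exchange under TLS 1.2, so an ECDHE-only list plus `ssl_prefer_server_ciphers on;` would be the conventional hardening. The certificate is self-signed for 365 days (visible in the hunk header's `openssl req` line) and is regenerated on every instance replacement, which the readme should mention so users expect browser warnings and a changing fingerprint.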
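Review bot: `associate_public_ip_address` is flipped to `false` while the ASG still places the instance in the public subnet and the readme describes the proxy as the way to reach Dashboards from outside the VPC; with no public IP, Elastic IP or load balancer anywhere in this example, the proxy is unreachable from the internet, so either the readme or this setting looks wrong — if the intent is now a private proxy reached via SSM port-forwarding or a VPN, say so in the readme. Requiring IMDSv2 via `http_tokens = "required"` and encrypting the root volume are good additions; consider `http_put_response_hop_limit = 1` alongside, since nothing on this host needs to forward the metadata endpoint through a container or NAT hop. The `aws_autoscaling_group` that consumes this launch configuration is outside the hunk.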
@@ -5,7 +5,7 @@ resource "random_password" "opensearch_master_password" { } locals { - opensearch_master_user_name = var.master_user_name == "" ? "observability-accelerator" : var.master_user_name - opensearch_master_user_password = var.master_user_password == "" ? random_password.opensearch_master_password.result : var.master_user_password - availability_zone = var.availability_zone == "" ? "${var.aws_region}a" : var.availability_zone -} \ No newline at end of file + opensearch_master_user_name = var.master_user_name == "" ? "observability-accelerator" : var.master_user_name + opensearch_master_user_password = var.master_user_password == "" ? random_password.opensearch_master_password.result : var.master_user_password + availability_zone = var.availability_zone == "" ? "${var.aws_region}a" : var.availability_zone +} diff --git a/examples/amazon-opensearch-domain/main.tf b/examples/amazon-opensearch-domain/main.tf index fe77ea76..4ce28a1c 100644 --- a/examples/amazon-opensearch-domain/main.tf +++ b/examples/amazon-opensearch-domain/main.tf @@ -9,7 +9,7 @@ data "aws_vpc" "main" { } data "aws_subnet" "private_subnet" { - vpc_id = var.vpc_id + vpc_id = var.vpc_id availability_zone = local.availability_zone filter { name = "tag:Name" @@ -21,7 +21,7 @@ data "aws_subnet" "private_subnet" { } data "aws_subnet" "public_subnet" { - vpc_id = var.vpc_id + vpc_id = var.vpc_id availability_zone = local.availability_zone filter { name = "tag:Name" @@ -49,9 +49,9 @@ locals { } resource "aws_ssm_parameter" "opensearch_master_user_name" { - name = "/terraform-accelerator/opensearch-master-user-name" - type = "SecureString" - value = local.opensearch_master_user_name + name = "/terraform-accelerator/opensearch-master-user-name" + type = "SecureString" + value = local.opensearch_master_user_name tags = { environment = "production" 
@@ -59,9 +59,9 @@ resource "aws_ssm_parameter" "opensearch_master_user_name" { } resource "aws_ssm_parameter" "opensearch_master_user_password" { - name = "/terraform-accelerator/opensearch/master-user-password" - type = "SecureString" - value = local.opensearch_master_user_password + name = "/terraform-accelerator/opensearch/master-user-password" + type = "SecureString" + value = local.opensearch_master_user_password tags = { environment = "production" diff --git a/examples/amazon-opensearch-domain/readme.md b/examples/amazon-opensearch-domain/readme.md index 1df999e1..329e373c 100644 --- a/examples/amazon-opensearch-domain/readme.md +++ b/examples/amazon-opensearch-domain/readme.md @@ -15,7 +15,8 @@ and a proxy instance to Amazon OpenSearch Dashboards, to allow access from outsi | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.69.0 | +| [aws](#provider\_aws) | >= 5.0.0 | +| [random](#provider\_random) | n/a | ## Modules 
@@ -30,22 +31,26 @@ and a proxy instance to Amazon OpenSearch Dashboards, to allow access from outsi | [aws_autoscaling_group.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource | | [aws_launch_configuration.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration) | resource | | [aws_security_group.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_ssm_parameter.opensearch_master_user_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.opensearch_master_user_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [aws_vpc_security_group_egress_rule.allow_all_traffic_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | | [aws_vpc_security_group_ingress_rule.reverse_proxy_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | +| [random_password.opensearch_master_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | | [aws_ami.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_subnet.private_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_subnet.public_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | | 
[aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [availability\_zone](#input\_availability\_zone) | AZ where the example domain and its proxy instance will be created | `string` | `""` | no | | [aws\_region](#input\_aws\_region) | AWS Region | `string` | n/a | yes | -| [master\_user\_name](#input\_master\_user\_name) | OpenSearch domain user name | `string` | n/a | yes | -| [master\_user\_password](#input\_master\_user\_password) | OpenSearch domain password | `string` | n/a | yes | -| [private\_subnet\_id](#input\_private\_subnet\_id) | One of the EKS cluster private subnets | `string` | n/a | yes | -| [public\_subnet\_id](#input\_public\_subnet\_id) | One of the EKS cluster public subnets | `string` | n/a | yes | -| [reverse\_proxy\_client\_ip](#input\_reverse\_proxy\_client\_ip) | CIDR block to grant access for OpenSearch reverse proxy | `string` | `"127.0.0.1/32"` | no | +| [master\_user\_name](#input\_master\_user\_name) | OpenSearch domain user name | `string` | `""` | no | +| [master\_user\_password](#input\_master\_user\_password) | OpenSearch domain password | `string` | `""` | no | +| [reverse\_proxy\_client\_ip](#input\_reverse\_proxy\_client\_ip) | CIDR block to grant access for OpenSearch reverse proxy | `string` | `"0.0.0.0/0"` | no | | [vpc\_id](#input\_vpc\_id) | EKS cluster VPC Id | `string` | n/a | yes | ## Outputs From fee62808fc4848b53422a1d23064945b7afe4584 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Fri, 22 Nov 2024 12:36:47 -0300 Subject: [PATCH 13/28] Fix username variable --- examples/amazon-opensearch-domain/locals.tf | 2 +- examples/amazon-opensearch-domain/readme.md | 2 +- examples/amazon-opensearch-domain/variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/examples/amazon-opensearch-domain/locals.tf b/examples/amazon-opensearch-domain/locals.tf index e3a9a628..d1a8ee51 100644 --- a/examples/amazon-opensearch-domain/locals.tf +++ b/examples/amazon-opensearch-domain/locals.tf @@ -6,6 +6,6 @@ resource "random_password" "opensearch_master_password" { locals { opensearch_master_user_name = var.master_user_name == "" ? "observability-accelerator" : var.master_user_name - opensearch_master_user_password = var.master_user_password == "" ? random_password.opensearch_master_password.result : var.master_user_password + opensearch_master_user_password = var.master_user_password availability_zone = var.availability_zone == "" ? "${var.aws_region}a" : var.availability_zone } diff --git a/examples/amazon-opensearch-domain/readme.md b/examples/amazon-opensearch-domain/readme.md index 329e373c..39363a75 100644 --- a/examples/amazon-opensearch-domain/readme.md +++ b/examples/amazon-opensearch-domain/readme.md @@ -48,7 +48,7 @@ and a proxy instance to Amazon OpenSearch Dashboards, to allow access from outsi |------|-------------|------|---------|:--------:| | [availability\_zone](#input\_availability\_zone) | AZ where the example domain and its proxy instance will be created | `string` | `""` | no | | [aws\_region](#input\_aws\_region) | AWS Region | `string` | n/a | yes | -| [master\_user\_name](#input\_master\_user\_name) | OpenSearch domain user name | `string` | `""` | no | +| [master\_user\_name](#input\_master\_user\_name) | OpenSearch domain user name | `string` | `"observability-accelerator"` | no | | [master\_user\_password](#input\_master\_user\_password) | OpenSearch domain password | `string` | `""` | no | | [reverse\_proxy\_client\_ip](#input\_reverse\_proxy\_client\_ip) | CIDR block to grant access for OpenSearch reverse proxy | `string` | `"0.0.0.0/0"` | no | | [vpc\_id](#input\_vpc\_id) | EKS cluster VPC Id | `string` | n/a | yes | 
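Review bot: `opensearch_master_user_password = var.master_user_password` drops the `random_password` fallback while the variable keeps `default = ""` (the readme row in this same commit still shows `""`), so a caller who does not set `master_user_password` now hands the domain an empty master password instead of a generated secret; AWS will most likely reject that at apply time, but the failure mode is worse than before. Either restore `var.master_user_password == "" ? random_password.opensearch_master_password.result : var.master_user_password`, or remove the default and add a `validation` block on the variable requiring a non-empty value. If the fallback is intentionally gone, the `random_password.opensearch_master_password` resource above this hunk is now unreferenced and should be deleted with it.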
diff --git a/examples/amazon-opensearch-domain/variables.tf b/examples/amazon-opensearch-domain/variables.tf index 09a7b1f4..abc4c7ec 100644 --- a/examples/amazon-opensearch-domain/variables.tf +++ b/examples/amazon-opensearch-domain/variables.tf @@ -21,7 +21,7 @@ variable "vpc_id" { variable "master_user_name" { description = "OpenSearch domain user name" type = string - default = "" + default = "observability-accelerator" } variable "master_user_password" { description = "OpenSearch domain password" From 7f97d833c3a57b42b9b67ec5dcb755f5a5008e7f Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Fri, 22 Nov 2024 13:39:42 -0300 Subject: [PATCH 14/28] Optional exposing proxy instance --- examples/amazon-opensearch-domain/ec2.tf | 2 +- examples/amazon-opensearch-domain/variables.tf | 16 ++++++---------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/examples/amazon-opensearch-domain/ec2.tf b/examples/amazon-opensearch-domain/ec2.tf index 0ab2a92d..1af077eb 100644 --- a/examples/amazon-opensearch-domain/ec2.tf +++ b/examples/amazon-opensearch-domain/ec2.tf @@ -45,7 +45,7 @@ resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" { resource "aws_launch_configuration" "reverse_proxy" { image_id = data.aws_ami.reverse_proxy.id instance_type = "t2.medium" - associate_public_ip_address = false + associate_public_ip_address = var.expose_proxy user_data = templatefile("${path.module}/user_data.sh", { os_domain = module.opensearch.domain_endpoint }) security_groups = [aws_security_group.reverse_proxy.id] root_block_device { diff --git a/examples/amazon-opensearch-domain/variables.tf b/examples/amazon-opensearch-domain/variables.tf index abc4c7ec..ca4f135c 100644 --- a/examples/amazon-opensearch-domain/variables.tf +++ b/examples/amazon-opensearch-domain/variables.tf 
@@ -8,16 +8,6 @@ variable "vpc_id" { type = string } -# variable "private_subnet_id" { -# description = "One of the EKS cluster private subnets" -# type = string -# } - -# variable "public_subnet_id" { -# description = "One of the EKS cluster public subnets" -# type = string -# } - variable "master_user_name" { description = "OpenSearch domain user name" type = string @@ -41,3 +31,9 @@ variable "availability_zone" { type = string default = "" } + +variable "expose_proxy" { + description = "Whether or not to expose EC2 proxy instance for Amazon Opensearch dashboards to the Internet" + type = bool + default = false +} From bf32ba88685fa8d1ce01ec283b26f9e5762763a4 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Fri, 22 Nov 2024 13:41:30 -0300 Subject: [PATCH 15/28] Add expose_proxy doc to README --- examples/amazon-opensearch-domain/readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/amazon-opensearch-domain/readme.md b/examples/amazon-opensearch-domain/readme.md index 39363a75..eaabd846 100644 --- a/examples/amazon-opensearch-domain/readme.md +++ b/examples/amazon-opensearch-domain/readme.md @@ -52,6 +52,7 @@ and a proxy instance to Amazon OpenSearch Dashboards, to allow access from outsi | [master\_user\_password](#input\_master\_user\_password) | OpenSearch domain password | `string` | `""` | no | | [reverse\_proxy\_client\_ip](#input\_reverse\_proxy\_client\_ip) | CIDR block to grant access for OpenSearch reverse proxy | `string` | `"0.0.0.0/0"` | no | | [vpc\_id](#input\_vpc\_id) | EKS cluster VPC Id | `string` | n/a | yes | +| [vpc\_id](#expose\_proxy) | Whether or not to expose EC2 proxy instance for Amazon Opensearch dashboards to the Internet | `string` | false | no | ## Outputs From 7a3af5c0a591a0b564c9c41a509e6886777e20b3 Mon Sep 17 00:00:00 2001 
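Review bot: The `expose_proxy` description in the `@@ -41,3 +31,9 @@` hunk should say what turning it on actually opens: with `associate_public_ip_address = var.expose_proxy` in ec2.tf and `reverse_proxy_client_ip` defaulting to `0.0.0.0/0`, `expose_proxy = true` publishes the Dashboards proxy, served with a self-signed certificate, to any IPv4 source unless the CIDR is also narrowed. Suggest `description = "Give the OpenSearch Dashboards proxy instance a public IP. When true, set reverse_proxy_client_ip to your own CIDR; its default 0.0.0.0/0 admits any source."`. The first hunk in this file only deletes the commented-out subnet variables and needs nothing.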
From: Lucas Vieira Date: Fri, 22 Nov 2024 17:59:46 -0300 Subject: [PATCH 16/28] Add expose_proxy doc to README --- examples/amazon-opensearch-domain/readme.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/amazon-opensearch-domain/readme.md b/examples/amazon-opensearch-domain/readme.md index eaabd846..ee36bb2f 100644 --- a/examples/amazon-opensearch-domain/readme.md +++ b/examples/amazon-opensearch-domain/readme.md @@ -3,6 +3,8 @@ This example creates an Amazon OpenSearch domain in the same VPC of the EKS cluster, and a proxy instance to Amazon OpenSearch Dashboards, to allow access from outside of the VPC. +Step-by-step instructions available on our [docs site](https://aws-observability.github.io/terraform-aws-observability-accelerator/) + ## Requirements @@ -52,7 +54,7 @@ and a proxy instance to Amazon OpenSearch Dashboards, to allow access from outsi | [master\_user\_password](#input\_master\_user\_password) | OpenSearch domain password | `string` | `""` | no | | [reverse\_proxy\_client\_ip](#input\_reverse\_proxy\_client\_ip) | CIDR block to grant access for OpenSearch reverse proxy | `string` | `"0.0.0.0/0"` | no | | [vpc\_id](#input\_vpc\_id) | EKS cluster VPC Id | `string` | n/a | yes | -| [vpc\_id](#expose\_proxy) | Whether or not to expose EC2 proxy instance for Amazon Opensearch dashboards to the Internet | `string` | false | no | +| [expose\_proxy](#expose\_proxy) | Whether or not to expose EC2 proxy instance for Amazon Opensearch dashboards to the Internet | `string` | false | no | ## Outputs From 9c17d2b216a00b765bb45935f431e7236be51e64 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Fri, 22 Nov 2024 18:18:53 -0300 Subject: [PATCH 17/28] Use launch templates for reverse proxy --- examples/amazon-opensearch-domain/ec2.tf | 36 +++++++++++++-------- examples/amazon-opensearch-domain/readme.md | 4 +-- 2 files changed, 24 insertions(+), 16 deletions(-) 
diff --git a/examples/amazon-opensearch-domain/ec2.tf b/examples/amazon-opensearch-domain/ec2.tf index 1af077eb..9a956dc4 100644 --- a/examples/amazon-opensearch-domain/ec2.tf +++ b/examples/amazon-opensearch-domain/ec2.tf @@ -42,30 +42,38 @@ resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" { ip_protocol = "-1" # semantically equivalent to all ports } -resource "aws_launch_configuration" "reverse_proxy" { - image_id = data.aws_ami.reverse_proxy.id - instance_type = "t2.medium" - associate_public_ip_address = var.expose_proxy - user_data = templatefile("${path.module}/user_data.sh", { os_domain = module.opensearch.domain_endpoint }) - security_groups = [aws_security_group.reverse_proxy.id] - root_block_device { - encrypted = true +resource "aws_launch_template" "reverse_proxy" { + image_id = data.aws_ami.reverse_proxy.id + instance_type = "t2.medium" + network_interfaces { + associate_public_ip_address = var.expose_proxy + security_groups = [aws_security_group.reverse_proxy.id] } + user_data = base64encode(templatefile("${path.module}/user_data.sh", { os_domain = module.opensearch.domain_endpoint })) metadata_options { http_tokens = "required" } + block_device_mappings { + device_name = "/dev/xvda" + ebs { + encrypted = true + } + } lifecycle { create_before_destroy = true } } resource "aws_autoscaling_group" "reverse_proxy" { - name = aws_launch_configuration.reverse_proxy.name - max_size = 1 - min_size = 1 - desired_capacity = 1 - launch_configuration = aws_launch_configuration.reverse_proxy.name - vpc_zone_identifier = [local.public_subnet_id] + name = aws_launch_template.reverse_proxy.name + max_size = 1 + min_size = 0 + desired_capacity = 1 + launch_template { + id = aws_launch_template.reverse_proxy.id + version = "$Latest" + } + vpc_zone_identifier = [local.public_subnet_id] lifecycle { create_before_destroy = true } 
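Review bot: `version = "$Latest"` in the new `launch_template` block lets the ASG follow any template version created outside Terraform, so a plan no longer shows which version instances will get; `version = aws_launch_template.reverse_proxy.latest_version` keeps the rollout tied to the applied configuration. `device_name = "/dev/xvda"` in `block_device_mappings` assumes the AMI's root device name; `device_name = data.aws_ami.reverse_proxy.root_device_name` tracks the AMI instead, and if the names ever disagree the root volume is left unencrypted with no error. `vpc_zone_identifier = [local.public_subnet_id]` is kept even when `expose_proxy` is false, so a "private" proxy still lives in the public subnet with no public address and, presumably, no outbound path for package installs in `user_data.sh`; it is worth stating in a comment which subnet is intended for each mode.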
diff --git a/examples/amazon-opensearch-domain/readme.md b/examples/amazon-opensearch-domain/readme.md index ee36bb2f..2ac4838f 100644 --- a/examples/amazon-opensearch-domain/readme.md +++ b/examples/amazon-opensearch-domain/readme.md @@ -31,7 +31,7 @@ Step-by-step instructions available on our [docs site](https://aws-observability | Name | Type | |------|------| | [aws_autoscaling_group.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource | -| [aws_launch_configuration.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration) | resource | +| [aws_launch_template.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | | [aws_security_group.reverse_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_ssm_parameter.opensearch_master_user_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [aws_ssm_parameter.opensearch_master_user_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | 
@@ -50,11 +50,11 @@ Step-by-step instructions available on our [docs site](https://aws-observability |------|-------------|------|---------|:--------:| | [availability\_zone](#input\_availability\_zone) | AZ where the example domain and its proxy instance will be created | `string` | `""` | no | | [aws\_region](#input\_aws\_region) | AWS Region | `string` | n/a | yes | +| [expose\_proxy](#input\_expose\_proxy) | Whether or not to expose EC2 proxy instance for Amazon Opensearch dashboards to the Internet | `bool` | `false` | no | | [master\_user\_name](#input\_master\_user\_name) | OpenSearch domain user name | `string` | `"observability-accelerator"` | no | | [master\_user\_password](#input\_master\_user\_password) | OpenSearch domain password | `string` | `""` | no | | [reverse\_proxy\_client\_ip](#input\_reverse\_proxy\_client\_ip) | CIDR block to grant access for OpenSearch reverse proxy | `string` | `"0.0.0.0/0"` | no | | [vpc\_id](#input\_vpc\_id) | EKS cluster VPC Id | `string` | n/a | yes | -| [expose\_proxy](#expose\_proxy) | Whether or not to expose EC2 proxy instance for Amazon Opensearch dashboards to the Internet | `string` | false | no | ## Outputs From ab41c4cec21caf78233d84e89aec39cac2d348e9 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Sat, 23 Nov 2024 09:33:34 -0300 Subject: [PATCH 18/28] Fix naming --- examples/amazon-opensearch-domain/ec2.tf | 1 + examples/amazon-opensearch-domain/main.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/amazon-opensearch-domain/ec2.tf b/examples/amazon-opensearch-domain/ec2.tf index 9a956dc4..582b371c 100644 --- a/examples/amazon-opensearch-domain/ec2.tf +++ b/examples/amazon-opensearch-domain/ec2.tf @@ -43,6 +43,7 @@ resource "aws_vpc_security_group_egress_rule" "allow_all_traffic_ipv4" { } resource "aws_launch_template" "reverse_proxy" { + name = "reverse_proxy" image_id = data.aws_ami.reverse_proxy.id instance_type = "t2.medium" network_interfaces { 
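Review bot: The fixed `name = "reverse_proxy"` on `aws_launch_template.reverse_proxy` sits in a resource whose `lifecycle { create_before_destroy = true }` block (outside this hunk) will, on a forced replacement, try to create a second template with the same name before deleting the first and fail on the name collision; most attribute edits only add a template version, so this bites rarely, but `name_prefix = "reverse_proxy-"` is the usual pairing with create_before_destroy. Note that the ASG takes `name = aws_launch_template.reverse_proxy.name` and the docs in patch 19 look instances up by `tag:aws:autoscaling:groupName` equal to `reverse_proxy`, so if a prefix is used the ASG should get its own literal `name = "reverse_proxy"` to keep that lookup valid. The resource block continues past this hunk.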
diff --git a/examples/amazon-opensearch-domain/main.tf b/examples/amazon-opensearch-domain/main.tf index 4ce28a1c..bc741021 100644 --- a/examples/amazon-opensearch-domain/main.tf +++ b/examples/amazon-opensearch-domain/main.tf @@ -49,7 +49,7 @@ locals { } resource "aws_ssm_parameter" "opensearch_master_user_name" { - name = "/terraform-accelerator/opensearch-master-user-name" + name = "/terraform-accelerator/opensearch/master-user-name" type = "SecureString" value = local.opensearch_master_user_name From 4cdfd0b66fa317eb1d5ad062dbb90031b1f824d4 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Sat, 23 Nov 2024 10:00:21 -0300 Subject: [PATCH 19/28] Add OpenSearch example doc --- docs/helpers/amazon-opensearch.md | 134 ++++++++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 135 insertions(+) create mode 100644 docs/helpers/amazon-opensearch.md diff --git a/docs/helpers/amazon-opensearch.md b/docs/helpers/amazon-opensearch.md new file mode 100644 index 00000000..b5fbbe99 --- /dev/null +++ b/docs/helpers/amazon-opensearch.md 
@@ -0,0 +1,134 @@ +# Creating a new Amazon OpenSearch Domain + +This example creates an Amazon OpenSearch Domain within a VPC, +including an EC2 proxy instance to grant access to the domain Dashboards page +from outside of the VPC. It serves the purpose of demonstrating a minimal OpenSearch +domain that will receive observability signals using AWS Distro for FluentBit or +AWS Distro for OpenTelemetry. Mind that a production deployment of Amazon OpenSearch would +require elements that are not present in this example. + +## Prerequisites + +!!! note + Make sure to complete the [prerequisites section](https://aws-observability.github.io/terraform-aws-observability-accelerator/concepts/#prerequisites) before proceeding. + This example is designed to be deployed at the same VPC of the EKS cluster that will be observed. It expects the private and public subnets to have a `Name` tag, with any value that includes either `private` or `public`. + +## Setup + +### 1. Download sources and initialize Terraform + +``` +git clone https://github.com/aws-observability/terraform-aws-observability-accelerator.git +cd terraform-aws-observability-accelerator/examples/managed-grafana-workspace +terraform init +``` + +### 2. AWS Region + +Specify the AWS Region where the resources will be deployed: + +```bash +export TF_VAR_aws_region=xxx +``` + +### 3. 
VPC ID + +Specify the id of the VPC where the resources will be deployed: + +```bash +export TF_VAR_vpc_id=xxx +``` + +## Deploy + +Simply run this command to deploy the example + +```bash +terraform apply +``` + +## Accessing OpenSearch Dashboards + +Get reverse proxy instance public DNS name: + +```bash +aws ec2 describe-instances --filter Name=tag:"aws:autoscaling:groupName",Values="reverse_proxy" \ + --output json --query 'Reservations[0].Instances[0].PublicDnsName' --region --no-cli-pager +``` + +Retrieve OpenSearch Dashboards access credentials: + +```bash +# Master user name +aws ssm get-parameter --with-decryption --output json --no-cli-pager \ + --query "Parameter.Value" --name /terraform-accelerator/opensearch/master-user-name + +# Master user password +aws ssm get-parameter --with-decryption --output json --no-cli-pager \ + --query "Parameter.Value" --name /terraform-accelerator/opensearch/master-user-password +``` + +Access the URL from Public DNS name and open OpenSearch Dashboards using the retrieved credentials. + +## Granting access to FluentBit + +To allow FluentBit to ingest logs into the Amazon OpenSearch domain, follow the instructions bellow. + +Get FluentBit Role ARN: + +```bash +SA=$( + kubectl -n aws-for-fluent-bit get daemonset aws-for-fluent-bit -o json | + jq -r .spec.template.spec.serviceAccount) +kubectl -n aws-for-fluent-bit get sa $SA -o json | + jq -r .metadata.annotations.'"eks.amazonaws.com/role-arn"' +``` + +Add FluentBut Role ARN as a backend role in OpenSearch: + +1. Access OpenSearch Dashboards. In the left menu, select **Security**. +2. In Security, select **Roles**. +3. In Roles, select **all access**. +4. In All access, select the tab **Mapped Users**, and them **Manage mapping**. +5. In Backend roles, click in **Add another backend role**. In the empty field, enter the FluentBit Role ARN retrieved before. 
+ +## Granting access to Amazon Managed Grafana + +To allow Amazon Managed Grafana to access Amazon OpenSearch domain datasource, follow the instructions bellow. + +1. Connect the workspace to the VPC following [these instructions](https://docs.aws.amazon.com/grafana/latest/userguide/AMG-configure-vpc.html). +2. Add access to OpenSearch datasources by following [these instructions](https://docs.aws.amazon.com/grafana/latest/userguide/ES-adding-AWS-config.html). +3. Include the policy for listing OpenSearch collections: + + ```bash + GRAFANA_WORKSPACE_ID= + GRAFANA_ROLE=$( + aws grafana describe-workspace --workspace-id $GRAFANA_WORKSPACE_ID \ + --output json --no-cli-pager | jq -r .workspace.workspaceRoleArn | cut -d / -f 3) + cat < policy.json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "aoss:ListCollections" + ], + "Resource": "*" + } + ] + } + EOF + + aws iam put-role-policy --role-name $GRAFANA_ROLE \ + --policy-name OpenSearchCollections --policy-document file://policy.json + ``` +4. Enable the OpenSearch plugin by following [these instructions](https://docs.aws.amazon.com/grafana/latest/userguide/aws-datasources-plugin.html). + +## Cleanup + +To clean up your environment, destroy the Terraform example by running + +```sh +terraform destroy +``` diff --git a/mkdocs.yml b/mkdocs.yml index 359fc6e7..c50bc1a9 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -51,6 +51,7 @@ nav: - EKS Cluster with VPC: helpers/new-eks-cluster.md - Amazon Managed Grafana setup: helpers/managed-grafana.md - ECS Cluster with VPC: helpers/ecs-cluster-with-vpc.md + - Amazon OpenSearch setup: helpers/amazon-opensearch.md - Support & Feedback: support.md - Contributors: contributors.md From 5ff020d5e02d565db6203ae41648e6a3d9041d47 Mon Sep 17 00:00:00 2001 
From: Lucas Vieira Date: Sat, 23 Nov 2024 10:10:42 -0300 Subject: [PATCH 20/28] Include steps to grant Grafana access to OpenSearch --- .tflint.hcl | 2 +- docs/helpers/amazon-opensearch.md | 12 ++++-- modules/eks-monitoring/README.md | 33 ++++++++------- .../add-ons/adot-operator/README.md | 4 +- .../add-ons/aws-for-fluentbit/README.md | 2 +- .../add-ons/external-secrets/README.md | 2 +- modules/eks-monitoring/dashboards.tf | 25 +++++++++++ modules/eks-monitoring/locals.tf | 38 ++++++++++++----- .../eks-monitoring/patterns/istio/README.md | 2 +- .../eks-monitoring/patterns/java/README.md | 2 +- .../eks-monitoring/patterns/nginx/README.md | 2 +- modules/eks-monitoring/variables.tf | 42 +++++++++++++++---- 12 files changed, 120 insertions(+), 46 deletions(-) diff --git a/.tflint.hcl b/.tflint.hcl index 26c436d1..c6aee4ce 100644 --- a/.tflint.hcl +++ b/.tflint.hcl @@ -8,7 +8,7 @@ plugin "aws" { } config { - module = true + call_module_type = true force = false } diff --git a/docs/helpers/amazon-opensearch.md b/docs/helpers/amazon-opensearch.md index b5fbbe99..d91b063b 100644 --- a/docs/helpers/amazon-opensearch.md +++ b/docs/helpers/amazon-opensearch.md 
@@ -99,12 +99,12 @@ To allow Amazon Managed Grafana to access Amazon OpenSearch domain datasource, f 1. Connect the workspace to the VPC following [these instructions](https://docs.aws.amazon.com/grafana/latest/userguide/AMG-configure-vpc.html). 2. Add access to OpenSearch datasources by following [these instructions](https://docs.aws.amazon.com/grafana/latest/userguide/ES-adding-AWS-config.html). 3. Include the policy for listing OpenSearch collections: - ```bash GRAFANA_WORKSPACE_ID= - GRAFANA_ROLE=$( + GRAFANA_ROLE_ARN=$( aws grafana describe-workspace --workspace-id $GRAFANA_WORKSPACE_ID \ - --output json --no-cli-pager | jq -r .workspace.workspaceRoleArn | cut -d / -f 3) + --output json --no-cli-pager | jq -r .workspace.workspaceRoleArn) + GRAFANA_ROLE=$(echo $GRAFANA_ROLE_ARN | cut -d/ -f3) cat < policy.json { "Version": "2012-10-17", @@ -123,7 +123,13 @@ To allow Amazon Managed Grafana to access Amazon OpenSearch domain datasource, f aws iam put-role-policy --role-name $GRAFANA_ROLE \ --policy-name OpenSearchCollections --policy-document file://policy.json ``` + 4. Enable the OpenSearch plugin by following [these instructions](https://docs.aws.amazon.com/grafana/latest/userguide/aws-datasources-plugin.html). +5. Access OpenSearch Dashboards. In the left menu, select **Security**. +6. In Security, select **Roles**. +7. In Roles, select **all access**. +8. In All access, select the tab **Mapped Users**, and them **Manage mapping**. +9. In Backend roles, click in **Add another backend role**. In the empty field, enter the Grafana Role ARN retrieved before. ## Cleanup diff --git a/modules/eks-monitoring/README.md b/modules/eks-monitoring/README.md index 06f799c8..a9f2c0d1 100644 --- a/modules/eks-monitoring/README.md +++ b/modules/eks-monitoring/README.md 
@@ -73,9 +73,9 @@ See examples using this Terraform modules in the **Amazon EKS** section of [this |------|-------------|------|---------|:--------:| | [adot\_loglevel](#input\_adot\_loglevel) | Verbosity level for ADOT collector logs. This accepts (detailed\|normal\|basic), see https://aws-otel.github.io/docs/components/misc-exporters for more info. | `string` | `"normal"` | no | | [adot\_service\_telemetry\_loglevel](#input\_adot\_service\_telemetry\_loglevel) | Verbosity level for ADOT service telemetry logs. See https://opentelemetry.io/docs/collector/configuration/#telemetry for more info. | `string` | `"INFO"` | no | -| [adothealth\_monitoring\_config](#input\_adothealth\_monitoring\_config) | Config object for ADOT health monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
health = string
})
})
| `null` | no | -| [apiserver\_monitoring\_config](#input\_apiserver\_monitoring\_config) | Config object for API server monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
basic = string
advanced = string
troubleshooting = string
})
})
| `null` | no | -| [custom\_metrics\_config](#input\_custom\_metrics\_config) | Configuration object to enable custom metrics collection |
map(object({
enableBasicAuth = bool
path = string
basicAuthUsername = string
basicAuthPassword = string
ports = string
droppedSeriesPrefixes = string
}))
| `null` | no | +| [adothealth\_monitoring\_config](#input\_adothealth\_monitoring\_config) | Config object for ADOT health monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
health = string
})
})
| `null` | no | +| [apiserver\_monitoring\_config](#input\_apiserver\_monitoring\_config) | Config object for API server monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
basic = string
advanced = string
troubleshooting = string
})
})
| `null` | no | +| [custom\_metrics\_config](#input\_custom\_metrics\_config) | Configuration object to enable custom metrics collection |
map(object({
enableBasicAuth = bool
path = string
basicAuthUsername = string
basicAuthPassword = string
ports = string
droppedSeriesPrefixes = string
}))
| `null` | no | | [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes | | [enable\_adotcollector\_metrics](#input\_enable\_adotcollector\_metrics) | Enables collection of ADOT collector metrics | `bool` | `true` | no | | [enable\_alerting\_rules](#input\_enable\_alerting\_rules) | Enables or disables Managed Prometheus alerting rules | `bool` | `true` | no | @@ -98,13 +98,13 @@ See examples using this Terraform modules in the **Amazon EKS** section of [this | [enable\_nvidia\_monitoring](#input\_enable\_nvidia\_monitoring) | Enables monitoring of nvidia metrics | `bool` | `true` | no | | [enable\_recording\_rules](#input\_enable\_recording\_rules) | Enables or disables Managed Prometheus recording rules | `bool` | `true` | no | | [enable\_tracing](#input\_enable\_tracing) | Enables tracing with OTLP traces receiver to X-Ray | `bool` | `true` | no | -| [flux\_config](#input\_flux\_config) | FluxCD configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "flux-system")
helm_chart_name = optional(string, "flux2")
helm_chart_version = optional(string, "2.12.2")
helm_release_name = optional(string, "observability-fluxcd-addon")
helm_repo_url = optional(string, "https://fluxcd-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})
})
| `{}` | no | +| [flux\_config](#input\_flux\_config) | FluxCD configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "flux-system")
helm_chart_name = optional(string, "flux2")
helm_chart_version = optional(string, "2.12.2")
helm_release_name = optional(string, "observability-fluxcd-addon")
helm_repo_url = optional(string, "https://fluxcd-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})
})
| `{}` | no | | [flux\_gitrepository\_branch](#input\_flux\_gitrepository\_branch) | Flux GitRepository Branch | `string` | `"v0.3.2"` | no | | [flux\_gitrepository\_name](#input\_flux\_gitrepository\_name) | Flux GitRepository name | `string` | `"aws-observability-accelerator"` | no | | [flux\_gitrepository\_url](#input\_flux\_gitrepository\_url) | Flux GitRepository URL | `string` | `"https://github.com/aws-observability/aws-observability-accelerator"` | no | | [flux\_kustomization\_name](#input\_flux\_kustomization\_name) | Flux Kustomization name | `string` | `"grafana-dashboards-infrastructure"` | no | | [flux\_kustomization\_path](#input\_flux\_kustomization\_path) | Flux Kustomization Path | `string` | `"./artifacts/grafana-operator-manifests/eks/infrastructure"` | no | -| [go\_config](#input\_go\_config) | Grafana Operator configuration |
object({
create_namespace = optional(bool, true)
helm_chart = optional(string, "oci://ghcr.io/grafana-operator/helm-charts/grafana-operator")
helm_name = optional(string, "grafana-operator")
k8s_namespace = optional(string, "grafana-operator")
helm_release_name = optional(string, "grafana-operator")
helm_chart_version = optional(string, "v5.5.2")
})
| `{}` | no | +| [go\_config](#input\_go\_config) | Grafana Operator configuration |
object({
create_namespace = optional(bool, true)
helm_chart = optional(string, "oci://ghcr.io/grafana-operator/helm-charts/grafana-operator")
helm_name = optional(string, "grafana-operator")
k8s_namespace = optional(string, "grafana-operator")
helm_release_name = optional(string, "grafana-operator")
helm_chart_version = optional(string, "v5.5.2")
})
| `{}` | no | | [grafana\_api\_key](#input\_grafana\_api\_key) | Grafana API key for the Amazon Managed Grafana workspace. Required if `enable_external_secrets = true` | `string` | `""` | no | | [grafana\_cluster\_dashboard\_url](#input\_grafana\_cluster\_dashboard\_url) | Dashboard URL for Cluster Grafana Dashboard JSON | `string` | `"https://raw.githubusercontent.com/aws-observability/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/cluster.json"` | no | | [grafana\_kubelet\_dashboard\_url](#input\_grafana\_kubelet\_dashboard\_url) | Dashboard URL for Kubelet Grafana Dashboard JSON | `string` | `"https://raw.githubusercontent.com/aws-observability/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/kubelet.json"` | no | @@ -119,23 +119,26 @@ See examples using this Terraform modules in the **Amazon EKS** section of [this | [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM permissions boundary for IRSA roles | `string` | `null` | no | | [irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA roles | `string` | `""` | no | | [irsa\_iam\_role\_path](#input\_irsa\_iam\_role\_path) | IAM role path for IRSA roles | `string` | `"/"` | no | -| [istio\_config](#input\_istio\_config) | Configuration object for ISTIO monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

dashboards = object({
cp = string
mesh = string
performance = string
service = string
})
})
| `null` | no | -| [java\_config](#input\_java\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number


flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

grafana_dashboard_url = string

prometheus_metrics_endpoint = string
})
| `null` | no | -| [ksm\_config](#input\_ksm\_config) | Kube State metrics configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "kube-system")
helm_chart_name = optional(string, "kube-state-metrics")
helm_chart_version = optional(string, "5.15.2")
helm_release_name = optional(string, "kube-state-metrics")
helm_repo_url = optional(string, "https://prometheus-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})

scrape_interval = optional(string, "60s")
scrape_timeout = optional(string, "15s")
})
| `{}` | no | -| [kubeproxy\_monitoring\_config](#input\_kubeproxy\_monitoring\_config) | Config object for kube-proxy monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
default = string
})
})
| `null` | no | -| [logs\_config](#input\_logs\_config) | Configuration object for logs collection |
object({
cw_log_retention_days = number
})
|
{
"cw_log_retention_days": 90
}
| no | +| [istio\_config](#input\_istio\_config) | Configuration object for ISTIO monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

dashboards = object({
cp = string
mesh = string
performance = string
service = string
})
})
| `null` | no | +| [java\_config](#input\_java\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number


flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

grafana_dashboard_url = string

prometheus_metrics_endpoint = string
})
| `null` | no | +| [ksm\_config](#input\_ksm\_config) | Kube State metrics configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "kube-system")
helm_chart_name = optional(string, "kube-state-metrics")
helm_chart_version = optional(string, "5.15.2")
helm_release_name = optional(string, "kube-state-metrics")
helm_repo_url = optional(string, "https://prometheus-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})

scrape_interval = optional(string, "60s")
scrape_timeout = optional(string, "15s")
})
| `{}` | no | +| [kubeproxy\_monitoring\_config](#input\_kubeproxy\_monitoring\_config) | Config object for kube-proxy monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
default = string
})
})
| `null` | no | +| [logs\_config](#input\_logs\_config) | Configuration object for logs collection |
object({
cw_log_retention_days = number
})
|
{
"cw_log_retention_days": 90
}
| no | | [managed\_prometheus\_cross\_account\_role](#input\_managed\_prometheus\_cross\_account\_role) | Amazon Managed Prometheus Workspace's Account Role Arn | `string` | `""` | no | | [managed\_prometheus\_workspace\_endpoint](#input\_managed\_prometheus\_workspace\_endpoint) | Amazon Managed Prometheus Workspace Endpoint | `string` | `""` | no | | [managed\_prometheus\_workspace\_id](#input\_managed\_prometheus\_workspace\_id) | Amazon Managed Prometheus Workspace ID | `string` | `null` | no | | [managed\_prometheus\_workspace\_region](#input\_managed\_prometheus\_workspace\_region) | Amazon Managed Prometheus Workspace's Region | `string` | `null` | no | -| [ne\_config](#input\_ne\_config) | Node exporter configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "prometheus-node-exporter")
helm_chart_name = optional(string, "prometheus-node-exporter")
helm_chart_version = optional(string, "4.24.0")
helm_release_name = optional(string, "prometheus-node-exporter")
helm_repo_url = optional(string, "https://prometheus-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})

scrape_interval = optional(string, "60s")
scrape_timeout = optional(string, "60s")
})
| `{}` | no | -| [nginx\_config](#input\_nginx\_config) | Configuration object for NGINX monitoring |
object({
enable_alerting_rules = optional(bool)
enable_recording_rules = optional(bool)
enable_dashboards = optional(bool)
scrape_sample_limit = optional(number)

flux_gitrepository_name = optional(string)
flux_gitrepository_url = optional(string)
flux_gitrepository_branch = optional(string)
flux_kustomization_name = optional(string)
flux_kustomization_path = optional(string)

grafana_dashboard_url = optional(string)

prometheus_metrics_endpoint = optional(string)
})
| `{}` | no | -| [nvidia\_monitoring\_config](#input\_nvidia\_monitoring\_config) | Config object for nvidia monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string
})
| `null` | no | -| [prometheus\_config](#input\_prometheus\_config) | Controls default values such as scrape interval, timeouts and ports globally |
object({
global_scrape_interval = optional(string, "120s")
global_scrape_timeout = optional(string, "15s")
})
| `{}` | no | +| [ne\_config](#input\_ne\_config) | Node exporter configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "prometheus-node-exporter")
helm_chart_name = optional(string, "prometheus-node-exporter")
helm_chart_version = optional(string, "4.24.0")
helm_release_name = optional(string, "prometheus-node-exporter")
helm_repo_url = optional(string, "https://prometheus-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})

scrape_interval = optional(string, "60s")
scrape_timeout = optional(string, "60s")
})
| `{}` | no | +| [nginx\_config](#input\_nginx\_config) | Configuration object for NGINX monitoring |
object({
enable_alerting_rules = optional(bool)
enable_recording_rules = optional(bool)
enable_dashboards = optional(bool)
scrape_sample_limit = optional(number)

flux_gitrepository_name = optional(string)
flux_gitrepository_url = optional(string)
flux_gitrepository_branch = optional(string)
flux_kustomization_name = optional(string)
flux_kustomization_path = optional(string)

grafana_dashboard_url = optional(string)

prometheus_metrics_endpoint = optional(string)
})
| `{}` | no | +| [nvidia\_monitoring\_config](#input\_nvidia\_monitoring\_config) | Config object for nvidia monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string
})
| `null` | no | +| [os\_logs\_enabled](#input\_os\_logs\_enabled) | FluentBit OpenSearch enable | `bool` | `false` | no | +| [os\_logs\_host](#input\_os\_logs\_host) | FluentBit OpenSearch | `string` | `""` | no | +| [os\_logs\_index](#input\_os\_logs\_index) | FluentBit OpenSearch | `string` | `"observability-accelerator"` | no | +| [prometheus\_config](#input\_prometheus\_config) | Controls default values such as scrape interval, timeouts and ports globally |
object({
global_scrape_interval = optional(string, "120s")
global_scrape_timeout = optional(string, "15s")
})
| `{}` | no | | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no | | [target\_secret\_name](#input\_target\_secret\_name) | Target secret in Kubernetes to store the Grafana API Key Secret | `string` | `"grafana-admin-credentials"` | no | | [target\_secret\_namespace](#input\_target\_secret\_namespace) | Target namespace of secret in Kubernetes to store the Grafana API Key Secret | `string` | `"grafana-operator"` | no | -| [tracing\_config](#input\_tracing\_config) | Configuration object for traces collection to AWS X-Ray |
object({
otlp_grpc_endpoint = optional(string, "0.0.0.0:4317")
otlp_http_endpoint = optional(string, "0.0.0.0:4318")
send_batch_size = optional(number, 50)
timeout = optional(string, "30s")
})
| `{}` | no | +| [tracing\_config](#input\_tracing\_config) | Configuration object for traces collection to AWS X-Ray |
object({
otlp_grpc_endpoint = optional(string, "0.0.0.0:4317")
otlp_http_endpoint = optional(string, "0.0.0.0:4318")
send_batch_size = optional(number, 50)
timeout = optional(string, "30s")
})
| `{}` | no | ## Outputs diff --git a/modules/eks-monitoring/add-ons/adot-operator/README.md b/modules/eks-monitoring/add-ons/adot-operator/README.md index f7e6aa49..b6c23054 100644 --- a/modules/eks-monitoring/add-ons/adot-operator/README.md +++ b/modules/eks-monitoring/add-ons/adot-operator/README.md @@ -60,9 +60,9 @@ the ADOT Operator. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [addon\_config](#input\_addon\_config) | Amazon EKS Managed ADOT Add-on config | `any` | `{}` | no | -| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
tags = map(string)
})
| n/a | yes | +| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
tags = map(string)
})
| n/a | yes | | [enable\_cert\_manager](#input\_enable\_cert\_manager) | Enable cert-manager, a requirement for ADOT Operator | `bool` | `true` | no | -| [helm\_config](#input\_helm\_config) | Helm provider config for cert-manager | `any` |
{
"version": "v1.8.2"
}
| no | +| [helm\_config](#input\_helm\_config) | Helm provider config for cert-manager | `any` |
{
"version": "v1.8.2"
}
| no | | [kubernetes\_version](#input\_kubernetes\_version) | EKS Cluster version | `string` | n/a | yes | ## Outputs diff --git a/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md b/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md index ae067221..1afb8fda 100644 --- a/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md +++ b/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md @@ -37,7 +37,7 @@ See this [Helm Chart](https://github.com/aws/eks-charts/tree/master/stable/aws-f | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
})
| n/a | yes | +| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
})
| n/a | yes | | [cw\_log\_retention\_days](#input\_cw\_log\_retention\_days) | FluentBit CloudWatch Log group retention period | `number` | `90` | no | | [cw\_logs\_enabled](#input\_cw\_logs\_enabled) | FluentBit CloudWatch Log enable | `bool` | `true` | no | | [helm\_config](#input\_helm\_config) | Helm provider config aws\_for\_fluent\_bit. | `any` | `{}` | no | diff --git a/modules/eks-monitoring/add-ons/external-secrets/README.md b/modules/eks-monitoring/add-ons/external-secrets/README.md index 2d8f32d3..3f188ca5 100644 --- a/modules/eks-monitoring/add-ons/external-secrets/README.md +++ b/modules/eks-monitoring/add-ons/external-secrets/README.md @@ -44,7 +44,7 @@ This deploys an EKS Cluster with the External Secrets Operator. The cluster is p | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
tags = map(string)
})
| n/a | yes | +| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
tags = map(string)
})
| n/a | yes | | [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enable external-secrets | `bool` | `true` | no | | [grafana\_api\_key](#input\_grafana\_api\_key) | Grafana API key for the Amazon Managed Grafana workspace | `string` | n/a | yes | | [helm\_config](#input\_helm\_config) | Helm provider config for external secrets | `any` | `{}` | no | diff --git a/modules/eks-monitoring/dashboards.tf b/modules/eks-monitoring/dashboards.tf index 80b98b5c..6dea06b5 100644 --- a/modules/eks-monitoring/dashboards.tf +++ b/modules/eks-monitoring/dashboards.tf @@ -72,6 +72,31 @@ YAML depends_on = [module.external_secrets] } +# opensearch dashboards +resource "kubectl_manifest" "opensearch_dashboards" { + yaml_body = < [pattern\_config](#input\_pattern\_config) | Configuration object for ISTIO monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

dashboards = object({
cp = string
mesh = string
performance = string
service = string
})
})
| n/a | yes | +| [pattern\_config](#input\_pattern\_config) | Configuration object for ISTIO monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

dashboards = object({
cp = string
mesh = string
performance = string
service = string
})
})
| n/a | yes | ## Outputs diff --git a/modules/eks-monitoring/patterns/java/README.md b/modules/eks-monitoring/patterns/java/README.md index 42028a06..1c187bee 100644 --- a/modules/eks-monitoring/patterns/java/README.md +++ b/modules/eks-monitoring/patterns/java/README.md @@ -39,7 +39,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [pattern\_config](#input\_pattern\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
scrape_sample_limit = number

enable_dashboards = bool

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

grafana_dashboard_url = string
})
| n/a | yes | +| [pattern\_config](#input\_pattern\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
scrape_sample_limit = number

enable_dashboards = bool

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

grafana_dashboard_url = string
})
| n/a | yes | ## Outputs diff --git a/modules/eks-monitoring/patterns/nginx/README.md b/modules/eks-monitoring/patterns/nginx/README.md index e221a804..24c9972c 100644 --- a/modules/eks-monitoring/patterns/nginx/README.md +++ b/modules/eks-monitoring/patterns/nginx/README.md @@ -39,7 +39,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [pattern\_config](#input\_pattern\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
scrape_sample_limit = number

enable_dashboards = bool

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

grafana_dashboard_url = string
})
| n/a | yes | +| [pattern\_config](#input\_pattern\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
scrape_sample_limit = number

enable_dashboards = bool

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

grafana_dashboard_url = string
})
| n/a | yes | ## Outputs diff --git a/modules/eks-monitoring/variables.tf b/modules/eks-monitoring/variables.tf index 059af0aa..dafe3215 100644 --- a/modules/eks-monitoring/variables.tf +++ b/modules/eks-monitoring/variables.tf @@ -126,13 +126,13 @@ variable "flux_gitrepository_name" { variable "flux_gitrepository_url" { description = "Flux GitRepository URL" type = string - default = "https://github.com/aws-observability/aws-observability-accelerator" + default = "https://github.com/pelgrim/aws-observability-accelerator" } variable "flux_gitrepository_branch" { description = "Flux GitRepository Branch" type = string - default = "v0.3.2" + default = "v0.0.2-i" } variable "flux_kustomization_path" { @@ -236,6 +236,24 @@ variable "apiserver_monitoring_config" { default = null } +variable "opensearch_config" { + description = "Config object for API server monitoring" + type = object({ + flux_gitrepository_name = string + flux_gitrepository_url = string + flux_gitrepository_branch = string + flux_kustomization_name = string + flux_kustomization_path = string + + dashboards = object({ + logs = string + }) + }) + + # defaults are pre-computed in locals.tf, provide a full definition to override + default = null +} + variable "enable_tracing" { description = "Enables tracing with OTLP traces receiver to X-Ray" type = bool @@ -394,6 +412,12 @@ variable "os_logs_index" { default = "observability-accelerator" } +variable "os_logs_region" { + description = "OpenSearch Domain Region" + type = string + default = null +} + variable "logs_config" { description = "Configuration object for logs collection" type = object({ 
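Review bot: The new defaults for `flux_gitrepository_url` (`https://github.com/pelgrim/aws-observability-accelerator`) and `flux_gitrepository_branch` (`v0.0.2-i`) move the module off the upstream repository and a release tag, and Flux applies whatever manifests that repository serves to every cluster that relies on the module defaults. The same repository substitution is made for all seven `grafana_*_dashboard_url` defaults in the `@@ -471,43 +495,43 @@` hunk, whose JSON is loaded as Grafana dashboards. Keep the module defaults on the upstream repository and a tagged release, and override them from the example's tfvars for as long as the other repository is needed; a later commit in this series restores the branch to `v0.3.2`, but as far as the visible hunks show the URL defaults are not restored. Whatever reference is used, pin an immutable one (a release tag or commit SHA) rather than a working tag that can be moved.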
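Review bot: The `description` of the new `opensearch_config` variable, `"Config object for API server monitoring"`, is copied from `apiserver_monitoring_config` and misdescribes the variable; use `description = "Config object for OpenSearch logs dashboards (Flux GitRepository source and Kustomization)"` or similar, since this text is what terraform-docs publishes in the README. The `dashboards.logs` attribute would also benefit from a one-line comment stating what it holds (presumably the dashboard manifest path or URL consumed in dashboards.tf; confirm against that file, which is not in this hunk).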
@@ -471,43 +495,43 @@ variable "grafana_url" { variable "grafana_cluster_dashboard_url" { description = "Dashboard URL for Cluster Grafana Dashboard JSON" type = string - default = "https://raw.githubusercontent.com/aws-observability/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/cluster.json" + default = "https://raw.githubusercontent.com/pelgrim/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/cluster.json" } variable "grafana_kubelet_dashboard_url" { description = "Dashboard URL for Kubelet Grafana Dashboard JSON" type = string - default = "https://raw.githubusercontent.com/aws-observability/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/kubelet.json" + default = "https://raw.githubusercontent.com/pelgrim/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/kubelet.json" } variable "grafana_kubeproxy_dashboard_url" { description = "Dashboard URL for kube-proxy Grafana Dashboard JSON" type = string - default = "https://raw.githubusercontent.com/aws-observability/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/kube-proxy/kube-proxy.json" + default = "https://raw.githubusercontent.com/pelgrim/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/kube-proxy/kube-proxy.json" } variable "grafana_namespace_workloads_dashboard_url" { description = "Dashboard URL for Namespace Workloads Grafana Dashboard JSON" type = string - default = "https://raw.githubusercontent.com/aws-observability/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/namespace-workloads.json" + default = "https://raw.githubusercontent.com/pelgrim/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/namespace-workloads.json" } variable "grafana_node_exporter_dashboard_url" { description = "Dashboard URL for Node Exporter Grafana Dashboard JSON" type = string 
- default = "https://raw.githubusercontent.com/aws-observability/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/nodeexporter-nodes.json" + default = "https://raw.githubusercontent.com/pelgrim/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/nodeexporter-nodes.json" } variable "grafana_nodes_dashboard_url" { description = "Dashboard URL for Nodes Grafana Dashboard JSON" type = string - default = "https://raw.githubusercontent.com/aws-observability/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/nodes.json" + default = "https://raw.githubusercontent.com/pelgrim/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/nodes.json" } variable "grafana_workloads_dashboard_url" { description = "Dashboard URL for Workloads Grafana Dashboard JSON" type = string - default = "https://raw.githubusercontent.com/aws-observability/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/workloads.json" + default = "https://raw.githubusercontent.com/pelgrim/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/workloads.json" } variable "target_secret_name" { From e9cf8d4e69503e3a688a2ac456f8e08b3c505685 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Sat, 23 Nov 2024 10:18:16 -0300 Subject: [PATCH 21/28] Disable OpenSearch dashboards waiting for gitops repo update --- modules/eks-monitoring/dashboards.tf | 46 ++++++++++++++-------------- modules/eks-monitoring/locals.tf | 24 +++++++-------- modules/eks-monitoring/variables.tf | 18 +++++------ 3 files changed, 44 insertions(+), 44 deletions(-) diff --git a/modules/eks-monitoring/dashboards.tf b/modules/eks-monitoring/dashboards.tf index 6dea06b5..5aa77ab2 100644 --- a/modules/eks-monitoring/dashboards.tf +++ b/modules/eks-monitoring/dashboards.tf 
@@ -73,29 +73,29 @@ YAML } # opensearch dashboards -resource "kubectl_manifest" "opensearch_dashboards" { - yaml_body = < Date: Sat, 23 Nov 2024 10:25:55 -0300 Subject: [PATCH 22/28] Remove credentials from example --- .../eks-managed-open-source-observability/README.md | 2 -- .../variables.tf | 11 ----------- 2 files changed, 13 deletions(-) diff --git a/examples/eks-managed-open-source-observability/README.md b/examples/eks-managed-open-source-observability/README.md index 4875b71b..a0a904fe 100644 --- a/examples/eks-managed-open-source-observability/README.md +++ b/examples/eks-managed-open-source-observability/README.md @@ -72,8 +72,6 @@ View the full documentation for this example [here](https://aws-observability.gi | [managed\_grafana\_workspace\_id](#input\_managed\_grafana\_workspace\_id) | Amazon Managed Grafana Workspace ID | `string` | n/a | yes | | [managed\_prometheus\_workspace\_id](#input\_managed\_prometheus\_workspace\_id) | Amazon Managed Service for Prometheus Workspace ID | `string` | `""` | no | | [os\_logs\_host](#input\_os\_logs\_host) | OpenSearch domain URL for logs | `string` | `""` | no | -| [os\_logs\_password](#input\_os\_logs\_password) | OpenSearch domain password | `string` | n/a | yes | -| [os\_logs\_username](#input\_os\_logs\_username) | OpenSearch domain username | `string` | n/a | yes | ## Outputs diff --git a/examples/eks-managed-open-source-observability/variables.tf b/examples/eks-managed-open-source-observability/variables.tf index 9f6de39f..e14404b8 100644 --- a/examples/eks-managed-open-source-observability/variables.tf +++ b/examples/eks-managed-open-source-observability/variables.tf @@ -37,14 +37,3 @@ variable "os_logs_host" { type = string default = "" } - -variable "os_logs_username" { - description = "OpenSearch domain username" - type = string -} - -variable "os_logs_password" { - description = "OpenSearch domain password" - type = string - sensitive = true -} 
From d0731575752243942bc85137bcca36c09df06fd1 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Sat, 23 Nov 2024 10:26:52 -0300 Subject: [PATCH 23/28] Remove duplicated instructions for FluentBit --- .../README.md | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/examples/eks-managed-open-source-observability/README.md b/examples/eks-managed-open-source-observability/README.md index a0a904fe..0e73d195 100644 --- a/examples/eks-managed-open-source-observability/README.md +++ b/examples/eks-managed-open-source-observability/README.md @@ -13,23 +13,8 @@ configuration options on the cluster infrastructure. In addition, logs are shipped to an OpenSearch domain. -## Allow FluentBit to send logs to OpenSearch - -After provisioning the example, get the FluentBit IAM role: - -``` -terraform output -json | jq -r '.fluentbit_irsa_arn.value' -``` - -Access the OpenSearch dashboards directly or using a proxy and add the IAM Role as a -backend role to the desired role. Althought the `all_access` role will work, it is -safer to restrict access in production environments. Check the -[service documentation](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html) -for more information. - View the full documentation for this example [here](https://aws-observability.github.io/terraform-aws-observability-accelerator/eks/) - ## Requirements From bd04dd0921e58ad9157121682b794c3f7bb584b9 Mon Sep 17 00:00:00 2001 From: Lucas Vieira Date: Sat, 23 Nov 2024 10:30:04 -0300 Subject: [PATCH 24/28] Link to OpenSearch instructions --- examples/eks-managed-open-source-observability/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/eks-managed-open-source-observability/README.md b/examples/eks-managed-open-source-observability/README.md index 0e73d195..f5acb9fa 100644 --- a/examples/eks-managed-open-source-observability/README.md +++ b/examples/eks-managed-open-source-observability/README.md 
@@ -15,6 +15,8 @@ In addition, logs are shipped to an OpenSearch domain.
 View the full documentation for this example [here](https://aws-observability.github.io/terraform-aws-observability-accelerator/eks/)
+For an implemantion of Amazon OpenSearch that will work with this example, follow [these instructions](https://aws-observability.github.io/terraform-aws-observability-accelerator/helpers/amazon-opensearch/).
+
 ## Requirements
From ecead1c3102876b386d8c7076982554bcaa31891 Mon Sep 17 00:00:00 2001
From: Lucas Vieira
Date: Sat, 23 Nov 2024 10:37:06 -0300
Subject: [PATCH 25/28] Fix flux repository release version
---
 modules/eks-monitoring/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/eks-monitoring/variables.tf b/modules/eks-monitoring/variables.tf
index 1572fdd4..18d8bcb1 100644
--- a/modules/eks-monitoring/variables.tf
+++ b/modules/eks-monitoring/variables.tf
@@ -132,7 +132,7 @@ variable "flux_gitrepository_url" {
 variable "flux_gitrepository_branch" {
 description = "Flux GitRepository Branch"
 type = string
- default = "v0.2.0"
+ default = "v0.3.2"
 }
 variable "flux_kustomization_path" {
From c3ca53128c749ba01c99a29a6ebd7ae3a9b92f96 Mon Sep 17 00:00:00 2001
From: Lucas Vieira
Date: Sat, 23 Nov 2024 17:42:56 -0300
Subject: [PATCH 26/28] Fix opensearch credentials defaults
---
 examples/amazon-opensearch-domain/locals.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/amazon-opensearch-domain/locals.tf b/examples/amazon-opensearch-domain/locals.tf
index d1a8ee51..0fbcf6bd 100644
--- a/examples/amazon-opensearch-domain/locals.tf
+++ b/examples/amazon-opensearch-domain/locals.tf
@@ -5,7 +5,7 @@ resource "random_password" "opensearch_master_password" {
 }
 locals {
- opensearch_master_user_name = var.master_user_name == "" ? "observability-accelerator" : var.master_user_name
- opensearch_master_user_password = var.master_user_password
+ opensearch_master_user_name = var.master_user_name
+ opensearch_master_user_password = var.master_user_password == "" ? random_password.opensearch_master_password.result : var.master_user_password
 availability_zone = var.availability_zone == "" ? "${var.aws_region}a" : var.availability_zone
 }
From 25ff83c5e1e1ba8ba37013a4776a83af84b6f8a1 Mon Sep 17 00:00:00 2001
From: Lucas Vieira
Date: Sat, 23 Nov 2024 18:50:27 -0300
Subject: [PATCH 27/28] Fix indentation in Grafana OpenSearch policy
---
 docs/helpers/amazon-opensearch.md | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/docs/helpers/amazon-opensearch.md b/docs/helpers/amazon-opensearch.md
index d91b063b..5b96e343 100644
--- a/docs/helpers/amazon-opensearch.md
+++ b/docs/helpers/amazon-opensearch.md
@@ -106,18 +106,18 @@ To allow Amazon Managed Grafana to access Amazon OpenSearch domain datasource, f
 --output json --no-cli-pager | jq -r .workspace.workspaceRoleArn)
 GRAFANA_ROLE=$(echo $GRAFANA_ROLE_ARN | cut -d/ -f3)
 cat < policy.json
- {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "aoss:ListCollections"
- ],
- "Resource": "*"
- }
- ]
- }
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "aoss:ListCollections"
+ ],
+ "Resource": "*"
+ }
+ ]
+ }
 EOF
 aws iam put-role-policy --role-name $GRAFANA_ROLE \
 --policy-name OpenSearchCollections --policy-document file://policy.json
From c97d8a9a1457a019aaf472ce6a9d4403c7ddab7c Mon Sep 17 00:00:00 2001
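Review bot: The fallback on the new `opensearch_master_user_password` line only fires when `var.master_user_password` is exactly the empty string, so if that variable is declared with `default = null` (its declaration is outside this hunk) a `null` is passed through instead of `random_password.opensearch_master_password.result`; `var.master_user_password == null || var.master_user_password == "" ? random_password.opensearch_master_password.result : var.master_user_password` covers both cases, or, if the variable defaults to `""`, a comment such as `# empty string selects a generated password` would make the contract explicit. Whether generated or supplied, the value ends up in clear text in the Terraform state, so the state backend and any `output` that exposes this local need the same protection as the password itself, and `var.master_user_password` should carry `sensitive = true` if it does not already. The new `opensearch_master_user_name` line drops the previous `"observability-accelerator"` fallback, so an empty `var.master_user_name` now reaches the domain configuration unchanged — confirm that variable has a non-empty default or a validation block.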
From: Rodrigue Koffi
Date: Tue, 26 Nov 2024 12:30:14 +0100
Subject: [PATCH 28/28] Run pre-commit
---
 docs/helpers/amazon-opensearch.md | 2 +-
 examples/amazon-opensearch-domain/locals.tf | 2 +-
 modules/eks-monitoring/README.md | 32 ++++++++++---------
 .../add-ons/adot-operator/README.md | 4 +--
 .../add-ons/aws-for-fluentbit/README.md | 2 +-
 .../add-ons/external-secrets/README.md | 2 +-
 .../eks-monitoring/patterns/istio/README.md | 2 +-
 .../eks-monitoring/patterns/java/README.md | 2 +-
 .../eks-monitoring/patterns/nginx/README.md | 2 +-
 9 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/docs/helpers/amazon-opensearch.md b/docs/helpers/amazon-opensearch.md
index 5b96e343..9b56501a 100644
--- a/docs/helpers/amazon-opensearch.md
+++ b/docs/helpers/amazon-opensearch.md
@@ -119,7 +119,7 @@ To allow Amazon Managed Grafana to access Amazon OpenSearch domain datasource, f
 ]
 }
 EOF
-
+
 aws iam put-role-policy --role-name $GRAFANA_ROLE \
 --policy-name OpenSearchCollections --policy-document file://policy.json
 ```
diff --git a/examples/amazon-opensearch-domain/locals.tf b/examples/amazon-opensearch-domain/locals.tf
index 0fbcf6bd..bb1c1e5e 100644
--- a/examples/amazon-opensearch-domain/locals.tf
+++ b/examples/amazon-opensearch-domain/locals.tf
@@ -6,6 +6,6 @@ resource "random_password" "opensearch_master_password" {
 locals {
 opensearch_master_user_name = var.master_user_name
- opensearch_master_user_password = var.master_user_password == "" ? random_password.opensearch_master_password.result : var.master_user_password
+ opensearch_master_user_password = var.master_user_password == "" ? random_password.opensearch_master_password.result : var.master_user_password
 availability_zone = var.availability_zone == "" ? "${var.aws_region}a" : var.availability_zone
 }
diff --git a/modules/eks-monitoring/README.md b/modules/eks-monitoring/README.md
index a9f2c0d1..7bd6eb0c 100644
--- a/modules/eks-monitoring/README.md
+++ b/modules/eks-monitoring/README.md
@@ -73,9 +73,9 @@ See examples using this Terraform modules in the **Amazon EKS** section of [this
 |------|-------------|------|---------|:--------:|
 | [adot\_loglevel](#input\_adot\_loglevel) | Verbosity level for ADOT collector logs. This accepts (detailed\|normal\|basic), see https://aws-otel.github.io/docs/components/misc-exporters for more info. | `string` | `"normal"` | no |
 | [adot\_service\_telemetry\_loglevel](#input\_adot\_service\_telemetry\_loglevel) | Verbosity level for ADOT service telemetry logs. See https://opentelemetry.io/docs/collector/configuration/#telemetry for more info. | `string` | `"INFO"` | no |
-| [adothealth\_monitoring\_config](#input\_adothealth\_monitoring\_config) | Config object for ADOT health monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
health = string
})
})
| `null` | no |
-| [apiserver\_monitoring\_config](#input\_apiserver\_monitoring\_config) | Config object for API server monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
basic = string
advanced = string
troubleshooting = string
})
})
| `null` | no |
-| [custom\_metrics\_config](#input\_custom\_metrics\_config) | Configuration object to enable custom metrics collection |
map(object({
enableBasicAuth = bool
path = string
basicAuthUsername = string
basicAuthPassword = string
ports = string
droppedSeriesPrefixes = string
}))
| `null` | no |
+| [adothealth\_monitoring\_config](#input\_adothealth\_monitoring\_config) | Config object for ADOT health monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
health = string
})
})
| `null` | no |
+| [apiserver\_monitoring\_config](#input\_apiserver\_monitoring\_config) | Config object for API server monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
basic = string
advanced = string
troubleshooting = string
})
})
| `null` | no |
+| [custom\_metrics\_config](#input\_custom\_metrics\_config) | Configuration object to enable custom metrics collection |
map(object({
enableBasicAuth = bool
path = string
basicAuthUsername = string
basicAuthPassword = string
ports = string
droppedSeriesPrefixes = string
}))
| `null` | no |
 | [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes |
 | [enable\_adotcollector\_metrics](#input\_enable\_adotcollector\_metrics) | Enables collection of ADOT collector metrics | `bool` | `true` | no |
 | [enable\_alerting\_rules](#input\_enable\_alerting\_rules) | Enables or disables Managed Prometheus alerting rules | `bool` | `true` | no |
@@ -98,13 +98,13 @@ See examples using this Terraform modules in the **Amazon EKS** section of [this
 | [enable\_nvidia\_monitoring](#input\_enable\_nvidia\_monitoring) | Enables monitoring of nvidia metrics | `bool` | `true` | no |
 | [enable\_recording\_rules](#input\_enable\_recording\_rules) | Enables or disables Managed Prometheus recording rules | `bool` | `true` | no |
 | [enable\_tracing](#input\_enable\_tracing) | Enables tracing with OTLP traces receiver to X-Ray | `bool` | `true` | no |
-| [flux\_config](#input\_flux\_config) | FluxCD configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "flux-system")
helm_chart_name = optional(string, "flux2")
helm_chart_version = optional(string, "2.12.2")
helm_release_name = optional(string, "observability-fluxcd-addon")
helm_repo_url = optional(string, "https://fluxcd-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})
})
| `{}` | no |
+| [flux\_config](#input\_flux\_config) | FluxCD configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "flux-system")
helm_chart_name = optional(string, "flux2")
helm_chart_version = optional(string, "2.12.2")
helm_release_name = optional(string, "observability-fluxcd-addon")
helm_repo_url = optional(string, "https://fluxcd-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})
})
| `{}` | no |
 | [flux\_gitrepository\_branch](#input\_flux\_gitrepository\_branch) | Flux GitRepository Branch | `string` | `"v0.3.2"` | no |
 | [flux\_gitrepository\_name](#input\_flux\_gitrepository\_name) | Flux GitRepository name | `string` | `"aws-observability-accelerator"` | no |
 | [flux\_gitrepository\_url](#input\_flux\_gitrepository\_url) | Flux GitRepository URL | `string` | `"https://github.com/aws-observability/aws-observability-accelerator"` | no |
 | [flux\_kustomization\_name](#input\_flux\_kustomization\_name) | Flux Kustomization name | `string` | `"grafana-dashboards-infrastructure"` | no |
 | [flux\_kustomization\_path](#input\_flux\_kustomization\_path) | Flux Kustomization Path | `string` | `"./artifacts/grafana-operator-manifests/eks/infrastructure"` | no |
-| [go\_config](#input\_go\_config) | Grafana Operator configuration |
object({
create_namespace = optional(bool, true)
helm_chart = optional(string, "oci://ghcr.io/grafana-operator/helm-charts/grafana-operator")
helm_name = optional(string, "grafana-operator")
k8s_namespace = optional(string, "grafana-operator")
helm_release_name = optional(string, "grafana-operator")
helm_chart_version = optional(string, "v5.5.2")
})
| `{}` | no |
+| [go\_config](#input\_go\_config) | Grafana Operator configuration |
object({
create_namespace = optional(bool, true)
helm_chart = optional(string, "oci://ghcr.io/grafana-operator/helm-charts/grafana-operator")
helm_name = optional(string, "grafana-operator")
k8s_namespace = optional(string, "grafana-operator")
helm_release_name = optional(string, "grafana-operator")
helm_chart_version = optional(string, "v5.5.2")
})
| `{}` | no |
 | [grafana\_api\_key](#input\_grafana\_api\_key) | Grafana API key for the Amazon Managed Grafana workspace. Required if `enable_external_secrets = true` | `string` | `""` | no |
 | [grafana\_cluster\_dashboard\_url](#input\_grafana\_cluster\_dashboard\_url) | Dashboard URL for Cluster Grafana Dashboard JSON | `string` | `"https://raw.githubusercontent.com/aws-observability/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/cluster.json"` | no |
 | [grafana\_kubelet\_dashboard\_url](#input\_grafana\_kubelet\_dashboard\_url) | Dashboard URL for Kubelet Grafana Dashboard JSON | `string` | `"https://raw.githubusercontent.com/aws-observability/aws-observability-accelerator/v0.2.0/artifacts/grafana-dashboards/eks/infrastructure/kubelet.json"` | no |
@@ -119,26 +119,28 @@ See examples using this Terraform modules in the **Amazon EKS** section of [this
 | [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM permissions boundary for IRSA roles | `string` | `null` | no |
 | [irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA roles | `string` | `""` | no |
 | [irsa\_iam\_role\_path](#input\_irsa\_iam\_role\_path) | IAM role path for IRSA roles | `string` | `"/"` | no |
-| [istio\_config](#input\_istio\_config) | Configuration object for ISTIO monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

dashboards = object({
cp = string
mesh = string
performance = string
service = string
})
})
| `null` | no |
-| [java\_config](#input\_java\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number


flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

grafana_dashboard_url = string

prometheus_metrics_endpoint = string
})
| `null` | no |
-| [ksm\_config](#input\_ksm\_config) | Kube State metrics configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "kube-system")
helm_chart_name = optional(string, "kube-state-metrics")
helm_chart_version = optional(string, "5.15.2")
helm_release_name = optional(string, "kube-state-metrics")
helm_repo_url = optional(string, "https://prometheus-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})

scrape_interval = optional(string, "60s")
scrape_timeout = optional(string, "15s")
})
| `{}` | no |
-| [kubeproxy\_monitoring\_config](#input\_kubeproxy\_monitoring\_config) | Config object for kube-proxy monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
default = string
})
})
| `null` | no |
-| [logs\_config](#input\_logs\_config) | Configuration object for logs collection |
object({
cw_log_retention_days = number
})
|
{
"cw_log_retention_days": 90
}
| no |
+| [istio\_config](#input\_istio\_config) | Configuration object for ISTIO monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

dashboards = object({
cp = string
mesh = string
performance = string
service = string
})
})
| `null` | no |
+| [java\_config](#input\_java\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number


flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

grafana_dashboard_url = string

prometheus_metrics_endpoint = string
})
| `null` | no |
+| [ksm\_config](#input\_ksm\_config) | Kube State metrics configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "kube-system")
helm_chart_name = optional(string, "kube-state-metrics")
helm_chart_version = optional(string, "5.15.2")
helm_release_name = optional(string, "kube-state-metrics")
helm_repo_url = optional(string, "https://prometheus-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})

scrape_interval = optional(string, "60s")
scrape_timeout = optional(string, "15s")
})
| `{}` | no |
+| [kubeproxy\_monitoring\_config](#input\_kubeproxy\_monitoring\_config) | Config object for kube-proxy monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
default = string
})
})
| `null` | no |
+| [logs\_config](#input\_logs\_config) | Configuration object for logs collection |
object({
cw_log_retention_days = number
})
|
{
"cw_log_retention_days": 90
}
| no |
 | [managed\_prometheus\_cross\_account\_role](#input\_managed\_prometheus\_cross\_account\_role) | Amazon Managed Prometheus Workspace's Account Role Arn | `string` | `""` | no |
 | [managed\_prometheus\_workspace\_endpoint](#input\_managed\_prometheus\_workspace\_endpoint) | Amazon Managed Prometheus Workspace Endpoint | `string` | `""` | no |
 | [managed\_prometheus\_workspace\_id](#input\_managed\_prometheus\_workspace\_id) | Amazon Managed Prometheus Workspace ID | `string` | `null` | no |
 | [managed\_prometheus\_workspace\_region](#input\_managed\_prometheus\_workspace\_region) | Amazon Managed Prometheus Workspace's Region | `string` | `null` | no |
-| [ne\_config](#input\_ne\_config) | Node exporter configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "prometheus-node-exporter")
helm_chart_name = optional(string, "prometheus-node-exporter")
helm_chart_version = optional(string, "4.24.0")
helm_release_name = optional(string, "prometheus-node-exporter")
helm_repo_url = optional(string, "https://prometheus-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})

scrape_interval = optional(string, "60s")
scrape_timeout = optional(string, "60s")
})
| `{}` | no |
-| [nginx\_config](#input\_nginx\_config) | Configuration object for NGINX monitoring |
object({
enable_alerting_rules = optional(bool)
enable_recording_rules = optional(bool)
enable_dashboards = optional(bool)
scrape_sample_limit = optional(number)

flux_gitrepository_name = optional(string)
flux_gitrepository_url = optional(string)
flux_gitrepository_branch = optional(string)
flux_kustomization_name = optional(string)
flux_kustomization_path = optional(string)

grafana_dashboard_url = optional(string)

prometheus_metrics_endpoint = optional(string)
})
| `{}` | no |
-| [nvidia\_monitoring\_config](#input\_nvidia\_monitoring\_config) | Config object for nvidia monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string
})
| `null` | no |
+| [ne\_config](#input\_ne\_config) | Node exporter configuration |
object({
create_namespace = optional(bool, true)
k8s_namespace = optional(string, "prometheus-node-exporter")
helm_chart_name = optional(string, "prometheus-node-exporter")
helm_chart_version = optional(string, "4.24.0")
helm_release_name = optional(string, "prometheus-node-exporter")
helm_repo_url = optional(string, "https://prometheus-community.github.io/helm-charts")
helm_settings = optional(map(string), {})
helm_values = optional(map(any), {})

scrape_interval = optional(string, "60s")
scrape_timeout = optional(string, "60s")
})
| `{}` | no |
+| [nginx\_config](#input\_nginx\_config) | Configuration object for NGINX monitoring |
object({
enable_alerting_rules = optional(bool)
enable_recording_rules = optional(bool)
enable_dashboards = optional(bool)
scrape_sample_limit = optional(number)

flux_gitrepository_name = optional(string)
flux_gitrepository_url = optional(string)
flux_gitrepository_branch = optional(string)
flux_kustomization_name = optional(string)
flux_kustomization_path = optional(string)

grafana_dashboard_url = optional(string)

prometheus_metrics_endpoint = optional(string)
})
| `{}` | no |
+| [nvidia\_monitoring\_config](#input\_nvidia\_monitoring\_config) | Config object for nvidia monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string
})
| `null` | no |
+| [opensearch\_config](#input\_opensearch\_config) | Config object for API server monitoring |
object({
flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

dashboards = object({
logs = string
})
})
| `null` | no |
 | [os\_logs\_enabled](#input\_os\_logs\_enabled) | FluentBit OpenSearch enable | `bool` | `false` | no |
 | [os\_logs\_host](#input\_os\_logs\_host) | FluentBit OpenSearch | `string` | `""` | no |
 | [os\_logs\_index](#input\_os\_logs\_index) | FluentBit OpenSearch | `string` | `"observability-accelerator"` | no |
-| [prometheus\_config](#input\_prometheus\_config) | Controls default values such as scrape interval, timeouts and ports globally |
object({
global_scrape_interval = optional(string, "120s")
global_scrape_timeout = optional(string, "15s")
})
| `{}` | no |
+| [os\_logs\_region](#input\_os\_logs\_region) | OpenSearch Domain Region | `string` | `null` | no |
+| [prometheus\_config](#input\_prometheus\_config) | Controls default values such as scrape interval, timeouts and ports globally |
object({
global_scrape_interval = optional(string, "120s")
global_scrape_timeout = optional(string, "15s")
})
| `{}` | no |
 | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no |
 | [target\_secret\_name](#input\_target\_secret\_name) | Target secret in Kubernetes to store the Grafana API Key Secret | `string` | `"grafana-admin-credentials"` | no |
 | [target\_secret\_namespace](#input\_target\_secret\_namespace) | Target namespace of secret in Kubernetes to store the Grafana API Key Secret | `string` | `"grafana-operator"` | no |
-| [tracing\_config](#input\_tracing\_config) | Configuration object for traces collection to AWS X-Ray |
object({
otlp_grpc_endpoint = optional(string, "0.0.0.0:4317")
otlp_http_endpoint = optional(string, "0.0.0.0:4318")
send_batch_size = optional(number, 50)
timeout = optional(string, "30s")
})
| `{}` | no |
+| [tracing\_config](#input\_tracing\_config) | Configuration object for traces collection to AWS X-Ray |
object({
otlp_grpc_endpoint = optional(string, "0.0.0.0:4317")
otlp_http_endpoint = optional(string, "0.0.0.0:4318")
send_batch_size = optional(number, 50)
timeout = optional(string, "30s")
})
| `{}` | no |
 ## Outputs
diff --git a/modules/eks-monitoring/add-ons/adot-operator/README.md b/modules/eks-monitoring/add-ons/adot-operator/README.md
index b6c23054..f7e6aa49 100644
--- a/modules/eks-monitoring/add-ons/adot-operator/README.md
+++ b/modules/eks-monitoring/add-ons/adot-operator/README.md
@@ -60,9 +60,9 @@ the ADOT Operator.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [addon\_config](#input\_addon\_config) | Amazon EKS Managed ADOT Add-on config | `any` | `{}` | no |
-| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
tags = map(string)
})
| n/a | yes |
+| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
tags = map(string)
})
| n/a | yes |
 | [enable\_cert\_manager](#input\_enable\_cert\_manager) | Enable cert-manager, a requirement for ADOT Operator | `bool` | `true` | no |
-| [helm\_config](#input\_helm\_config) | Helm provider config for cert-manager | `any` |
{
"version": "v1.8.2"
}
| no |
+| [helm\_config](#input\_helm\_config) | Helm provider config for cert-manager | `any` |
{
"version": "v1.8.2"
}
| no |
 | [kubernetes\_version](#input\_kubernetes\_version) | EKS Cluster version | `string` | n/a | yes |
 ## Outputs
diff --git a/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md b/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md
index 1afb8fda..ae067221 100644
--- a/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md
+++ b/modules/eks-monitoring/add-ons/aws-for-fluentbit/README.md
@@ -37,7 +37,7 @@ See this [Helm Chart](https://github.com/aws/eks-charts/tree/master/stable/aws-f
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
})
| n/a | yes |
+| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
tags = map(string)
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
})
| n/a | yes |
 | [cw\_log\_retention\_days](#input\_cw\_log\_retention\_days) | FluentBit CloudWatch Log group retention period | `number` | `90` | no |
 | [cw\_logs\_enabled](#input\_cw\_logs\_enabled) | FluentBit CloudWatch Log enable | `bool` | `true` | no |
 | [helm\_config](#input\_helm\_config) | Helm provider config aws\_for\_fluent\_bit. | `any` | `{}` | no |
diff --git a/modules/eks-monitoring/add-ons/external-secrets/README.md b/modules/eks-monitoring/add-ons/external-secrets/README.md
index 3f188ca5..2d8f32d3 100644
--- a/modules/eks-monitoring/add-ons/external-secrets/README.md
+++ b/modules/eks-monitoring/add-ons/external-secrets/README.md
@@ -44,7 +44,7 @@ This deploys an EKS Cluster with the External Secrets Operator. The cluster is p
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
tags = map(string)
})
| n/a | yes |
+| [addon\_context](#input\_addon\_context) | Input configuration for the addon |
object({
aws_caller_identity_account_id = string
aws_caller_identity_arn = string
aws_eks_cluster_endpoint = string
aws_partition_id = string
aws_region_name = string
eks_cluster_id = string
eks_oidc_issuer_url = string
eks_oidc_provider_arn = string
irsa_iam_role_path = string
irsa_iam_permissions_boundary = string
tags = map(string)
})
| n/a | yes |
 | [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enable external-secrets | `bool` | `true` | no |
 | [grafana\_api\_key](#input\_grafana\_api\_key) | Grafana API key for the Amazon Managed Grafana workspace | `string` | n/a | yes |
 | [helm\_config](#input\_helm\_config) | Helm provider config for external secrets | `any` | `{}` | no |
diff --git a/modules/eks-monitoring/patterns/istio/README.md b/modules/eks-monitoring/patterns/istio/README.md
index e7001ae9..6a3de8ca 100644
--- a/modules/eks-monitoring/patterns/istio/README.md
+++ b/modules/eks-monitoring/patterns/istio/README.md
@@ -39,7 +39,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [pattern\_config](#input\_pattern\_config) | Configuration object for ISTIO monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

dashboards = object({
cp = string
mesh = string
performance = string
service = string
})
})
| n/a | yes |
+| [pattern\_config](#input\_pattern\_config) | Configuration object for ISTIO monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
enable_dashboards = bool
scrape_sample_limit = number

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

dashboards = object({
cp = string
mesh = string
performance = string
service = string
})
})
| n/a | yes |
 ## Outputs
diff --git a/modules/eks-monitoring/patterns/java/README.md b/modules/eks-monitoring/patterns/java/README.md
index 1c187bee..42028a06 100644
--- a/modules/eks-monitoring/patterns/java/README.md
+++ b/modules/eks-monitoring/patterns/java/README.md
@@ -39,7 +39,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [pattern\_config](#input\_pattern\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
scrape_sample_limit = number

enable_dashboards = bool

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

grafana_dashboard_url = string
})
| n/a | yes |
+| [pattern\_config](#input\_pattern\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
scrape_sample_limit = number

enable_dashboards = bool

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

grafana_dashboard_url = string
})
| n/a | yes |
 ## Outputs
diff --git a/modules/eks-monitoring/patterns/nginx/README.md b/modules/eks-monitoring/patterns/nginx/README.md
index 24c9972c..e221a804 100644
--- a/modules/eks-monitoring/patterns/nginx/README.md
+++ b/modules/eks-monitoring/patterns/nginx/README.md
@@ -39,7 +39,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [pattern\_config](#input\_pattern\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
scrape_sample_limit = number

enable_dashboards = bool

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

grafana_dashboard_url = string
})
| n/a | yes |
+| [pattern\_config](#input\_pattern\_config) | Configuration object for Java/JMX monitoring |
object({
enable_alerting_rules = bool
enable_recording_rules = bool
scrape_sample_limit = number

enable_dashboards = bool

flux_gitrepository_name = string
flux_gitrepository_url = string
flux_gitrepository_branch = string
flux_kustomization_name = string
flux_kustomization_path = string

managed_prometheus_workspace_id = string
prometheus_metrics_endpoint = string

grafana_dashboard_url = string
})
| n/a | yes |
 ## Outputs