diff --git a/CHANGELOG.md b/CHANGELOG.md
index 46ee18a6..62a368a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,14 @@
+# master
+
+* The update to the version of Terraform AWS VPC module will require the following manual edits to the state file:
+
+```bash
+terraform state rm module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.private_s3
+terraform state rm module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.public_s3
+```
+
+See Terraform AWS VPC module upgrade instructions at https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/fbd4ff646b4caaa6fcc1fb71bc88d377cc8b3b48/UPGRADE-3.0.md?plain=1#L25.
+
 # v1.10.0 odc_eks - Optional vpc creation update procedure
 
 Making VPC creation optional has added a `count` to the `module.odc_eks.module.vpc` resource path.
@@ -50,4 +61,4 @@ terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_associ
 terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_association.private_s3[1] module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.private_s3[1]
 terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_association.private_s3[2] module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.private_s3[2]
 terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_association.public_s3[0] module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.public_s3[0]
-```
\ No newline at end of file
+```
diff --git a/odc_eks/README.md b/odc_eks/README.md
index 28b2db61..88088489 100644
--- a/odc_eks/README.md
+++ b/odc_eks/README.md
@@ -20,7 +20,7 @@ Terraform module designed to provision an Open Data Cube EKS cluster on AWS.
 
 The module provisions the following resources:
 
-- Creates AWS EKS cluster in a VPC with subnets
+- Creates AWS EKS cluster in a VPC with subnets, and optionally VPC Flow Logs (S3)
 - (Optionally) Creates VPC resources using [terraform-aws-vpc](https://github.com/terraform-aws-modules/terraform-aws-vpc) module with the default configuration and internet facing resources, _or_
 - (Optionally) Use a supplied VPC and subnets configured and _tagged_ as required by AWS EKS - see [VPC considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and the requirements on subnet tagging for the [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html)
 
@@ -98,65 +98,86 @@ module "odc_eks" {
   waf_enable_url_whitelist_string_match_set = true
   waf_url_whitelist_uri_prefix              = "/user"
   waf_url_whitelist_url_host                = app.example.domain.com
+
+  # VPC Flow Logs
+  create_flow_log                   = true
+  flow_log_max_aggregation_interval = 60
+  flow_log_traffic_type             = "ALL"
+  flow_log_file_format              = "plain-text"
+  create_flow_log_s3_bucket         = false
+  flow_log_s3_bucket_name           = "dea-test-vpc-logs"
+  flow_log_s3_bucket_prefix         = "a-prefix"
 }
 ```
 
 ## Variables
 
 ### Inputs
-| Name                            | Description                                                                                                                                                                                                            | Type         | Default                                          | Required |
-| ---------------------------- | -------------                                                                                                                                                                                                          | :----:       | :-----:                                          | :-----:  |
-| owner                           | The owner of the environment                                                                                                                                                                                           | string       |                                                  | Yes      |
-| namespace                       | The unique namespace for the environment, which could be your organization name or abbreviation, e.g. 'odc'                                                                                                            | string       |                                                  | Yes      |
-| environment                     | The name of the environment - e.g. dev, stage                                                                                                                                                                          | string       |                                                  | Yes      |
-| region                          | The AWS region to provision resources                                                                                                                                                                                  | string       | "ap-southeast-2"                                 | No       |
-| cluster_id                      | The name of your cluster. Used for the resource naming as identifier                                                                                                                                                   | string       |                                                  | Yes      |
-| cluster_version                 | EKS Cluster version to use                                                                                                                                                                                             | string       |                                                  | Yes      |
-| admin_access_CIDRs              | Locks ssh and api access to these IPs                                                                                                                                                                                  | map(string)  | {}                                               | No       |
-| user_custom_policy              | The IAM custom policy to create and attach to EKS user role                                                                                                                                                            | string       | ""                                               | No       |
-| user_additional_policy_arn      | The list of pre-defined IAM policy required to EKS user role                                                                                                                                                           | list(string) | []                                               | No       |
-| domain_name                     | The domain name to be used by applications deployed to the cluster and using ingress                                                                                                                                   | string       |                                                  | Yes      |
-| create_vpc                      | Create a default VPC and subnet configuration                                                                                                                                                                          | bool         | true                                             | No       |
-| vpc_cidr                        | The network CIDR you wish to use for the VPC module subnets. Default is set to 10.0.0.0/16 for most use-cases. Requires create_vpc = true                                                                              | string       | "10.0.0.0/16"                                    | No       |
-| secondary_cidr_blocks           | Secondary VPC CIDRs, optional, default no secondary CIDRs                                                                                                                                                              | list(string)     | []                                               | No       |
-| public_subnet_cidrs             | List of public cidrs, for all available availability zones. Used by VPC module to set up public subnets. Requires create_vpc = true                                                                                    | list(string) | ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"]    | No       |
-| private_subnet_cidrs            | List of private cidrs, for all available availability zones. Used by VPC module to set up private subnets. Requires create_vpc = true                                                                                  | list(string) | ["10.0.32.0/19", "10.0.64.0/19", "10.0.96.0/19"] | No       |
-| database_subnet_cidrs           | List of database cidrs, for all available availability zones. Used by VPC module to set up database subnets. Requires create_vpc = true                                                                                | list(string) | ["10.0.20.0/22", "10.0.24.0/22", "10.0.28.0/22"] | No       |
-| private_subnet_elb_role         | ELB role for private subnets                                                                                                                                                                                           | string       | "internal-elb"                               | No       |
-| public_subnet_elb_role          | ELB role for public subnets                                                                                                                                                                                            | string       | "elb"                                        | No       |
-| vpc_id                          | Supplied VPC to use. Requires create_vpc = false                                                                                                                                                                       | string       | ""                                               | No       |
-| private_subnets                 | Private subnet ids for supplied VPC. Requires create_vpc = false                                                                                                                                                       | list(string) | []                                               | No       |
-| public_subnets                  | Public subnet ids for supplied VPC. Requires create_vpc = false                                                                                                                                                        | list(string) | []                                               | No       |
-| database_subnets                | Supplied VPC to use. Requires create_vpc = false                                                                                                                                                                       | list(string) | []                                               | No       |
-| public_route_table_ids          | List of public_route_table_ids for supplied VPC. Requires create_vpc = false                                                                                                                                           | list(string)       | []                                               | No       |
-| private_route_table_ids         | List of private_route_table_ids for supplied VPC. Requires create_vpc = false                                                                                                                                          | list(string)       | []                                               | No       |
-| map_public_ip_on_launch         | Should be false if you do not want to auto-assign public IP on launch                                                                                                                                                  | bool | true | No |
-| enable_s3_endpoint              | Whether to provision an S3 endpoint to the VPC. Default is set to 'true'                                                                                                                                               | bool         | true                                             | No       |
-| enable_nat_gateway              | Whether to provision a NAT Gateway in the VPC. Default is set to 'true'                                                                                                                                                | bool         | true                                             | No       |
-| create_igw                      | Whether to provision an Internet Gateway in the VPC. Default is true (False for private routing)                                                                                                                       | bool         | true                                             | No       |
-| enable_ec2_ssm                  | Enables the IAM policy required for AWS EC2 System Manager in the EKS Node IAM role created                                                                                                                            | bool         | true                                             | No       |
-| ami_image_id                    | This variable can be used to deploy a patched / customised version of the Amazon EKS image                                                                                                                             | string       | ""                                               | No       |
-| node_group_name                 | Autoscaling node group name. This name is used to tag instances and ASGs                                                                                                                                               | string       | "eks"                                            | No       |
-| default_worker_instance_type    | The Worker instance type that the cluster nodes will run, for production we recommend something with a good network capability, as most of the Open Data Cube work is I/O bound, For example r4.4xlarge or c5n.4xlarge | string       |                                                  | Yes      |
-| min_nodes                       | The minimum number of on-demand nodes to run                                                                                                                                                                           | number       | 0                                                | No       |
-| desired_nodes                   | Desired number of nodes only used when first launching the cluster afterwards you should scale with something like cluster-autoscaler                                                                                  | number       | 0                                                | No       |
-| max_nodes                       | Max number of nodes you want to run, useful for controlling max cost of the cluster                                                                                                                                    | number       | 0                                                | No       |
-| spot_nodes_enabled              | Creates a second set of Autoscaling groups (one per AZ) that are configured to run Spot instances, these instances are cheaper but can be removed any-time. Useful for fault tolerant processing work                  | bool         | false                                            | No       |
-| min_spot_nodes                  | The minimum number of spot nodes to run                                                                                                                                                                                | bool         | 0                                                | No       |
-| max_spot_nodes                  | Max number of spot you want to run, useful for controlling max cost of the cluster                                                                                                                                     | number       | 0                                                | No       |
-| max_spot_price                  | The max in USD you want to pay for each spot instance per hour. Check market price for your instance type to set its value                                                                                             | string       | "0.40"                                           | No       |
-| volume_size                     | The Disk size for your on-demand nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this.                                                                                         | number       | 20                                               | No       |
-| volume_type                     | Override EBS volume type for your root ebs volume e.g. gp2, gp3. If not provided, defaults to GP2 in all regions.                                                                                                      | string       | ""                                               | No       |
-| volume_encrypted                | Whether to encrypt the root EBS volume for nodes. Falls back on AWS EC2 default if not provided.                                                                                                                       | bool         | null                                               | No       |
-| spot_volume_size                | The Disk size for your spot nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this.                                                                                              | number       | 20                                               | No       |
-| extra_kubelet_args              | Additional kubelet command-line arguments                                                                                                                                                                              | string       | "--arg1=value --arg2"                            | No       |
-| extra_bootstrap_args            | Additional bootstrap command-line arguments                                                                                                                                                                              | string       | "--arg1 value --arg2=value --arg3"                            | No       |
-| extra_userdata                  | Additional EC2 user data commands that will be passed to EKS nodes                                                                                                                                                     | string       | <<USERDATA echo "" USERDATA                      | No       |
-| tags                            | Additional tags - e.g. `map('StackName','XYZ')`                                                                                                                                                                        | map(string)  | {}                                               | No       |
-| enabled_cluster_log_types       | List of the desired control plane logging to enable, defaults to none                                                                                                                                                  | list(string) | []                                               | No       |
-| enable_custom_cluster_log_group | Create a custom CloudWatch Log Group for the cluster. If you supply `enabled_cluster_log_types` but leave this false, EKS will create a log group automatically with default retention values.                                                                                                                                                  | bool | false                                               | No       |
-| log_retention_period            | Specifies the number of days to retain cluster log event in CloudWatch, if enabled by `enable_custom_cluster_log_group`                                                                                                        | number       | 30                                               | No       |
-| metadata_options                | Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options.                                                                                                      | object(...)       | {http_endpoint="enabled", http_tokens="required"}                                               | No       |
+| Name                              | Description                                                                                                                                                                                                            | Type         | Default                                                         | Required |
+| --------------------------------- | -------------                                                                                                                                                                                                          | :----:       | :-----:                                                         | :-----:  |
+| owner                             | The owner of the environment                                                                                                                                                                                           | string       |                                                                 | Yes      |
+| namespace                         | The unique namespace for the environment, which could be your organization name or abbreviation, e.g. 'odc'                                                                                                            | string       |                                                                 | Yes      |
+| environment                       | The name of the environment - e.g. dev, stage                                                                                                                                                                          | string       |                                                                 | Yes      |
+| region                            | The AWS region to provision resources                                                                                                                                                                                  | string       | "ap-southeast-2"                                                | No       |
+| cluster_id                        | The name of your cluster. Used for the resource naming as identifier                                                                                                                                                   | string       |                                                                 | Yes      |
+| cluster_version                   | EKS Cluster version to use                                                                                                                                                                                             | string       |                                                                 | Yes      |
+| admin_access_CIDRs                | Locks ssh and api access to these IPs                                                                                                                                                                                  | map(string)  | {}                                                              | No       |
+| user_custom_policy                | The IAM custom policy to create and attach to EKS user role                                                                                                                                                            | string       | ""                                                              | No       |
+| user_additional_policy_arn        | The list of pre-defined IAM policy required to EKS user role                                                                                                                                                           | list(string) | []                                                              | No       |
+| domain_name                       | The domain name to be used by applications deployed to the cluster and using ingress                                                                                                                                   | string       |                                                                 | Yes      |
+| create_vpc                        | Create a default VPC and subnet configuration                                                                                                                                                                          | bool         | true                                                            | No       |
+| vpc_cidr                          | The network CIDR you wish to use for the VPC module subnets. Default is set to 10.0.0.0/16 for most use-cases. Requires create_vpc = true                                                                              | string       | "10.0.0.0/16"                                                   | No       |
+| secondary_cidr_blocks             | Secondary VPC CIDRs, optional, default no secondary CIDRs                                                                                                                                                              | list(string) | []                                                              | No       |
+| public_subnet_cidrs               | List of public cidrs, for all available availability zones. Used by VPC module to set up public subnets. Requires create_vpc = true                                                                                    | list(string) | ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"]                   | No       |
+| private_subnet_cidrs              | List of private cidrs, for all available availability zones. Used by VPC module to set up private subnets. Requires create_vpc = true                                                                                  | list(string) | ["10.0.32.0/19", "10.0.64.0/19", "10.0.96.0/19"]                | No       |
+| database_subnet_cidrs             | List of database cidrs, for all available availability zones. Used by VPC module to set up database subnets. Requires create_vpc = true                                                                                | list(string) | ["10.0.20.0/22", "10.0.24.0/22", "10.0.28.0/22"]                | No       |
+| public_subnet_names               | List of names for each public subnet. For each subnet, creates the tag Name=<name>. Requires create_vpc = true                                                                                                         | list(string) | ["public-subnet-a", "public-subnet-b", "public-subnet-c"]       | No       |
+| private_subnet_names              | List of names for each private subnet. For each subnet, creates the tag Name=<name>. Requires create_vpc = true                                                                                                        | list(string) | ["private-subnet-a", "private-subnet-b", "private-subnet-c"]    | No       |
+| database_subnet_names             | List of names for each database subnet. For each subnet, creates the tag Name=<name>. Requires create_vpc = true                                                                                                       | list(string) | ["database-subnet-a", "database-subnet-b", "database-subnet-c"] | No       |
+| private_subnet_elb_role           | ELB role for private subnets                                                                                                                                                                                           | string       | "internal-elb"                                                  | No       |
+| public_subnet_elb_role            | ELB role for public subnets                                                                                                                                                                                            | string       | "elb"                                                           | No       |
+| vpc_id                            | Supplied VPC to use. Requires create_vpc = false                                                                                                                                                                       | string       | ""                                                              | No       |
+| private_subnets                   | Private subnet ids for supplied VPC. Requires create_vpc = false                                                                                                                                                       | list(string) | []                                                              | No       |
+| public_subnets                    | Public subnet ids for supplied VPC. Requires create_vpc = false                                                                                                                                                        | list(string) | []                                                              | No       |
+| database_subnets                  | Supplied VPC to use. Requires create_vpc = false                                                                                                                                                                       | list(string) | []                                                              | No       |
+| public_route_table_ids            | List of public_route_table_ids for supplied VPC. Requires create_vpc = false                                                                                                                                           | list(string) | []                                                              | No       |
+| private_route_table_ids           | List of private_route_table_ids for supplied VPC. Requires create_vpc = false                                                                                                                                          | list(string) | []                                                              | No       |
+| map_public_ip_on_launch           | Should be false if you do not want to auto-assign public IP on launch                                                                                                                                                  | bool         | true                                                            | No       |
+| enable_s3_endpoint                | Whether to provision an S3 endpoint to the VPC. Default is set to 'true'                                                                                                                                               | bool         | true                                                            | No       |
+| enable_nat_gateway                | Whether to provision a NAT Gateway in the VPC. Default is set to 'true'                                                                                                                                                | bool         | true                                                            | No       |
+| single_nat_gateway                | Should be true if you want to provision a single shared NAT Gateway across all of your private networks                                                                                                                | bool         | false                                                           | No       |
+| create_igw                        | Whether to provision an Internet Gateway in the VPC. Default is true (False for private routing)                                                                                                                       | bool         | true                                                            | No       |
+| enable_ec2_ssm                    | Enables the IAM policy required for AWS EC2 System Manager in the EKS Node IAM role created                                                                                                                            | bool         | true                                                            | No       |
+| ami_image_id                      | This variable can be used to deploy a patched / customised version of the Amazon EKS image                                                                                                                             | string       | ""                                                              | No       |
+| node_group_name                   | Autoscaling node group name. This name is used to tag instances and ASGs                                                                                                                                               | string       | "eks"                                                           | No       |
+| default_worker_instance_type      | The Worker instance type that the cluster nodes will run, for production we recommend something with a good network capability, as most of the Open Data Cube work is I/O bound, For example r4.4xlarge or c5n.4xlarge | string       |                                                                 | Yes      |
+| min_nodes                         | The minimum number of on-demand nodes to run                                                                                                                                                                           | number       | 0                                                               | No       |
+| desired_nodes                     | Desired number of nodes only used when first launching the cluster afterwards you should scale with something like cluster-autoscaler                                                                                  | number       | 0                                                               | No       |
+| max_nodes                         | Max number of nodes you want to run, useful for controlling max cost of the cluster                                                                                                                                    | number       | 0                                                               | No       |
+| spot_nodes_enabled                | Creates a second set of Autoscaling groups (one per AZ) that are configured to run Spot instances, these instances are cheaper but can be removed any-time. Useful for fault tolerant processing work                  | bool         | false                                                           | No       |
+| min_spot_nodes                    | The minimum number of spot nodes to run                                                                                                                                                                                | bool         | 0                                                               | No       |
+| max_spot_nodes                    | Max number of spot you want to run, useful for controlling max cost of the cluster                                                                                                                                     | number       | 0                                                               | No       |
+| max_spot_price                    | The max in USD you want to pay for each spot instance per hour. Check market price for your instance type to set its value                                                                                             | string       | "0.40"                                                          | No       |
+| volume_size                       | The Disk size for your on-demand nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this.                                                                                         | number       | 20                                                              | No       |
+| volume_type                       | Override EBS volume type for your root ebs volume e.g. gp2, gp3. If not provided, defaults to GP2 in all regions.                                                                                                      | string       | ""                                                              | No       |
+| volume_encrypted                  | Whether to encrypt the root EBS volume for nodes. Falls back on AWS EC2 default if not provided.                                                                                                                       | bool         | null                                                            | No       |
+| spot_volume_size                  | The Disk size for your spot nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this.                                                                                              | number       | 20                                                              | No       |
+| extra_kubelet_args                | Additional kubelet command-line arguments                                                                                                                                                                              | string       | "--arg1=value --arg2"                                           | No       |
+| extra_bootstrap_args              | Additional bootstrap command-line arguments                                                                                                                                                                            | string       | "--arg1 value --arg2=value --arg3"                              | No       |
+| extra_userdata                    | Additional EC2 user data commands that will be passed to EKS nodes                                                                                                                                                     | string       | <<USERDATA echo "" USERDATA                                     | No       |
+| tags                              | Additional tags - e.g. `map('StackName','XYZ')`                                                                                                                                                                        | map(string)  | {}                                                              | No       |
+| enabled_cluster_log_types         | List of the desired control plane logging to enable, defaults to none                                                                                                                                                  | list(string) | []                                                              | No       |
+| enable_custom_cluster_log_group   | Create a custom CloudWatch Log Group for the cluster. If you supply `enabled_cluster_log_types` but leave this false, EKS will create a log group automatically with default retention values.                         | bool         | false                                                           | No       |
+| log_retention_period              | Specifies the number of days to retain cluster log event in CloudWatch, if enabled by `enable_custom_cluster_log_group`                                                                                                | number       | 30                                                              | No       |
+| metadata_options                  | Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options.                                                  | object(...)  | {}                                                              | No       |
+| create_flow_log                   | Whether to create VPC flow logs.                                                                                                                                                                                       | bool         | false                                                           | No       |
+| flow_log_max_aggregation_interval | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds                                                             | number       | 600                                                             | No       |
+| flow_log_traffic_type             | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL                                                                                                                                                      | string       | ALL                                                             | No       |
+| flow_log_file_format              | The format for the flow log. Valid values: `plain-text`, `parquet`                                                                                                                                                     | string       | plain-text                                                      | No       |
+| create_flow_log_s3_bucket         | Whether to create a S3 bucket for the vpc flow logs.                                                                                                                                                                   | bool         | false                                                           | No       |
+| flow_log_s3_bucket_name           | The name of the bucket used to store the logs                                                                                                                                                                          | string       | ""                                                              | No       |
+| flow_log_s3_bucket_prefix         | The name of the prefix used to store the logs on S3                                                                                                                                                                    | string       | ""                                                              | No       |
+
 
 ### Outputs
 | Name                   | Description                                                                          | Sensitive   |
@@ -207,25 +228,25 @@ module "odc_eks" {
 ### Input - Extensions
 
 #### CloudFront Distribution
-| Name                       | Description                                                                                                                                                                                | Type         | Default                                                      | Required |
-| ------                     | -------------                                                                                                                                                                              | :----:       | :-----:                                                      | :-----:  |
-| cf_enable                  | Whether the cloudfront distribution should be created                                                                                                                                      | bool         | false                                                        | No       |
-| cf_dns_record              | The domain used by point to cloudfront                                                                                                                                                     | string       | ""                                                           | No       |
-| cf_origin_dns_record       | The domain of load balancer that will be created by kubernetes                                                                                                                             | string       | ""                                                           | No       |
-| cf_custom_aliases          | Extra CNAMEs (alternate domain names), if any, for this distribution                                                                                                                       | list(string) | []                                                           | No       |
-| cf_certificate_create      | Whether to create a certificate for cloudfront distribution                                                                                                                                | bool         | true                                                         | No       |
-| cf_certificate_arn         | Provide your own us-east-1 certificate ARN when setting additional aliases. Needed when `cf_certificate_create` set to false                                                               | string       | ""                                                           | No       |
-| cf_log_bucket_create       | Whether to create cloudfront log bucket                                                                                                                                                    | bool         | false                                                        | No       |
-| cf_log_bucket              | Name of your cloudfront log bucket                                                                                                                                                         | string       | ""                                                           | No       |
-| cf_origin_protocol_policy  | Which protocol is used to connect to origin, http-only, https-only, match-viewer                                                                                                           | string       | "http-only"                                                  | No       |
-| cf_origin_timeout          | The time cloudfront will wait for a response                                                                                                                                               | number       | 60                                                           | No       |
-| cf_default_allowed_methods | Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin                                                                               | list(string) | ["GET", "HEAD", "POST", "OPTIONS", "PUT", "PATCH", "DELETE"] | No       |
-| cf_default_cached_methods  | Controls whether CloudFront caches the response to requests using the specified HTTP methods                                                                                               | list(string) | ["GET", "HEAD"]                                              | No       |
-| cf_default_forwarded_headers  | Sets what headers are forwarded to the backend application                                                                                               | list(string) | ["Host"]                                              | No       |
-| cf_min_ttl                 | The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated                             | bool         | 0                                                            | No       |
-| cf_max_ttl                 | The maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated | number       | 31536000                                                     | No       |
-| cf_default_ttl             | The default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an Cache-Control max-age or Expires header    | number       | 86400                                                        | No       |
-| cf_price_class             | The Price class for this distribution, can be PriceClass_100, PriceClass_200 or PriceClass_All                                                                                             | string       | "PriceClass_All"                                             | No       |
+| Name                          | Description                                                                                                                                                                                | Type         | Default                                                      | Required |
+| ------                        | -------------                                                                                                                                                                              | :----:       | :-----:                                                      | :-----:  |
+| cf_enable                     | Whether the cloudfront distribution should be created                                                                                                                                      | bool         | false                                                        | No       |
+| cf_dns_record                 | The domain used by point to cloudfront                                                                                                                                                     | string       | ""                                                           | No       |
+| cf_origin_dns_record          | The domain of load balancer that will be created by kubernetes                                                                                                                             | string       | ""                                                           | No       |
+| cf_custom_aliases             | Extra CNAMEs (alternate domain names), if any, for this distribution                                                                                                                       | list(string) | []                                                           | No       |
+| cf_certificate_create         | Whether to create a certificate for cloudfront distribution                                                                                                                                | bool         | true                                                         | No       |
+| cf_certificate_arn            | Provide your own us-east-1 certificate ARN when setting additional aliases. Needed when `cf_certificate_create` set to false                                                               | string       | ""                                                           | No       |
+| cf_log_bucket_create          | Whether to create cloudfront log bucket                                                                                                                                                    | bool         | false                                                        | No       |
+| cf_log_bucket                 | Name of your cloudfront log bucket                                                                                                                                                         | string       | ""                                                           | No       |
+| cf_origin_protocol_policy     | Which protocol is used to connect to origin, http-only, https-only, match-viewer                                                                                                           | string       | "http-only"                                                  | No       |
+| cf_origin_timeout             | The time cloudfront will wait for a response                                                                                                                                               | number       | 60                                                           | No       |
+| cf_default_allowed_methods    | Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin                                                                               | list(string) | ["GET", "HEAD", "POST", "OPTIONS", "PUT", "PATCH", "DELETE"] | No       |
+| cf_default_cached_methods     | Controls whether CloudFront caches the response to requests using the specified HTTP methods                                                                                               | list(string) | ["GET", "HEAD"]                                              | No       |
+| cf_default_forwarded_headers  | Sets what headers are forwarded to the backend application                                                                                                                                 | list(string) | ["Host"]                                                     | No       |
+| cf_min_ttl                    | The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated                             | bool         | 0                                                            | No       |
+| cf_max_ttl                    | The maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated | number       | 31536000                                                     | No       |
+| cf_default_ttl                | The default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an Cache-Control max-age or Expires header    | number       | 86400                                                        | No       |
+| cf_price_class                | The Price class for this distribution, can be PriceClass_100, PriceClass_200 or PriceClass_All                                                                                             | string       | "PriceClass_All"                                             | No       |
 
 #### WAF
 | Name                                                                | Description                                                                                                                               | Type   | Default     | Required |
diff --git a/odc_eks/main.tf b/odc_eks/main.tf
index f56b24dd..525d9e1b 100644
--- a/odc_eks/main.tf
+++ b/odc_eks/main.tf
@@ -13,19 +13,32 @@ module "odc_eks_label" {
 
 locals {
   cluster_id = (var.cluster_id != "") ? var.cluster_id : module.odc_eks_label.id
-}
 
-module "vpc" {
-  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v2.70.0"
+  tags = merge(
+    {
+      Name        = "${local.cluster_id}-vpc"
+      owner       = var.owner
+      namespace   = var.namespace
+      environment = var.environment
+    },
+    var.tags
+  )
 
-  count = var.create_vpc ? 1 : 0
+}
 
-  name             = "${local.cluster_id}-vpc"
-  cidr             = var.vpc_cidr
-  azs              = data.aws_availability_zones.available.names
-  public_subnets   = var.public_subnet_cidrs
-  private_subnets  = var.private_subnet_cidrs
-  database_subnets = var.database_subnet_cidrs
+module "vpc" {
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.5.2"
+  count  = var.create_vpc ? 1 : 0
+
+  name                  = "${local.cluster_id}-vpc"
+  cidr                  = var.vpc_cidr
+  azs                   = data.aws_availability_zones.available.names
+  public_subnets        = var.public_subnet_cidrs
+  private_subnets       = var.private_subnet_cidrs
+  database_subnets      = var.database_subnet_cidrs
+  public_subnet_names   = (length(var.public_subnet_names) == length(var.public_subnet_cidrs)) ? var.public_subnet_names : null
+  private_subnet_names  = (length(var.private_subnet_names) == length(var.private_subnet_cidrs)) ? var.private_subnet_names : null
+  database_subnet_names = (length(var.database_subnet_names) == length(var.database_subnet_cidrs)) ? var.database_subnet_names : null
 
   secondary_cidr_blocks   = var.secondary_cidr_blocks
   map_public_ip_on_launch = var.map_public_ip_on_launch
@@ -51,13 +64,24 @@ module "vpc" {
   enable_dns_support   = true
 
   enable_nat_gateway           = var.enable_nat_gateway
+  single_nat_gateway           = var.single_nat_gateway
   create_igw                   = var.create_igw
   create_database_subnet_group = true
-  enable_s3_endpoint           = var.enable_s3_endpoint
 
-  tags = merge(
+  manage_default_security_group = false
+  manage_default_network_acl    = false
+  manage_default_route_table    = false
+
+  enable_flow_log                   = var.create_flow_log
+  flow_log_destination_type         = "s3"
+  flow_log_max_aggregation_interval = (var.create_flow_log) ? var.flow_log_max_aggregation_interval : null
+  flow_log_traffic_type             = (var.create_flow_log) ? var.flow_log_traffic_type : null
+  flow_log_file_format              = (var.create_flow_log) ? var.flow_log_file_format : null
+  flow_log_destination_arn          = (var.create_flow_log) ? (var.create_flow_log_s3_bucket ? "${module.s3_bucket[0].s3_bucket_arn}/${var.flow_log_s3_bucket_prefix}" : "arn:aws:s3:::${var.flow_log_s3_bucket_name}/${var.flow_log_s3_bucket_prefix}") : null
+
+  vpc_flow_log_tags = merge(
     {
-      Name        = "${local.cluster_id}-vpc"
+      Name        = "${local.cluster_id}-vpc-flow-logs"
       owner       = var.owner
       namespace   = var.namespace
       environment = var.environment
@@ -66,6 +90,33 @@ module "vpc" {
   )
 }
 
+moved {
+  from = module.vpc[0].aws_vpc_endpoint.s3[0]
+  to   = module.vpc_endpoints[0].aws_vpc_endpoint.this["s3"]
+}
+
+module "vpc_endpoints" {
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v5.1.1"
+  count  = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
+
+  vpc_id             = module.vpc[0].vpc_id
+  security_group_ids = [module.vpc[0].default_security_group_id]
+
+  endpoints = {
+    s3 = {
+      service      = "s3"
+      service_type = "Gateway"
+
+      route_table_ids = flatten([
+        module.vpc[0].private_route_table_ids,
+        module.vpc[0].public_route_table_ids
+      ])
+    }
+  }
+
+  tags = local.tags
+}
+
 # Creates network and Kuberenetes master nodes
 module "eks" {
   source             = "./modules/eks"
diff --git a/odc_eks/modules/eks/main.tf b/odc_eks/modules/eks/main.tf
index bf8a78a4..810944a6 100644
--- a/odc_eks/modules/eks/main.tf
+++ b/odc_eks/modules/eks/main.tf
@@ -10,6 +10,11 @@ resource "aws_eks_cluster" "eks" {
     subnet_ids         = var.eks_subnet_ids
   }
 
+  access_config {
+    authentication_mode                         = "API_AND_CONFIG_MAP"
+    bootstrap_cluster_creator_admin_permissions = true
+  }
+
   depends_on = [
     aws_iam_role_policy_attachment.eks-cluster-AmazonEKSClusterPolicy,
     aws_iam_role_policy_attachment.eks-cluster-AmazonEKSServicePolicy,
@@ -26,6 +31,14 @@ resource "aws_eks_cluster" "eks" {
     },
     var.tags
   )
+
+  lifecycle {
+    ignore_changes = [
+      # When the access_config was added recently it defaulted to false but didn't affect the cluster setting.
+      # Changing this from false to true will cause and existing cluster to be recreated so let's ignore this change to avoid that.
+      access_config[0].bootstrap_cluster_creator_admin_permissions,
+    ]
+  }
 }
 
 resource "null_resource" "wait_for_cluster" {
diff --git a/odc_eks/modules/eks/variables.tf b/odc_eks/modules/eks/variables.tf
index f365ba1c..2d7f80fb 100644
--- a/odc_eks/modules/eks/variables.tf
+++ b/odc_eks/modules/eks/variables.tf
@@ -138,6 +138,12 @@ variable "log_retention_period" {
   default     = 30
 }
 
+variable "enable_ecr_pullthough_cache_permissions" {
+  type        = bool
+  description = "Create additional cluster node IAM permissions to allow cluster to use ecr pull-through cache rules."
+  default     = false
+}
+
 #--------------------------------------------------------------
 # Tags
 #--------------------------------------------------------------
diff --git a/odc_eks/modules/eks/worker_image.tf b/odc_eks/modules/eks/worker_image.tf
index 09a9cc38..70e8b7f8 100644
--- a/odc_eks/modules/eks/worker_image.tf
+++ b/odc_eks/modules/eks/worker_image.tf
@@ -92,11 +92,11 @@ resource "aws_launch_template" "spot" {
   instance_type = var.default_worker_instance_type
 
   metadata_options {
-    http_endpoint               = var.metadata_options.http_endpoint
-    http_tokens                 = var.metadata_options.http_tokens
-    http_put_response_hop_limit = var.metadata_options.http_put_response_hop_limit
-    http_protocol_ipv6          = var.metadata_options.http_protocol_ipv6
-    instance_metadata_tags      = var.metadata_options.instance_metadata_tags
+    http_endpoint               = lookup(var.metadata_options, "http_endpoint", null)
+    http_tokens                 = lookup(var.metadata_options, "http_tokens", null)
+    http_put_response_hop_limit = lookup(var.metadata_options, "http_put_response_hop_limit", null)
+    http_protocol_ipv6          = lookup(var.metadata_options, "http_protocol_ipv6", null)
+    instance_metadata_tags      = lookup(var.metadata_options, "instance_metadata_tags", null)
   }
 
   iam_instance_profile {
diff --git a/odc_eks/modules/eks/worker_policy.tf b/odc_eks/modules/eks/worker_policy.tf
index 3a480909..d824f87b 100644
--- a/odc_eks/modules/eks/worker_policy.tf
+++ b/odc_eks/modules/eks/worker_policy.tf
@@ -49,11 +49,43 @@ resource "aws_iam_policy" "eks_kube2iam" {
 
 }
 
+resource "aws_iam_policy" "ecr_pullthrough_cache" {
+  count       = (var.enable_ecr_pullthough_cache_permissions ? 1 : 0)
+  name        = "${var.cluster_id}-ecr-pull-through-cache"
+  path        = "/"
+  description = "Enables cluster to use ecr pull-through cache."
+
+  policy = <<-EOF
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Action": [
+            "ecr:BatchImportUpstreamImage",
+            "ecr:CreateRepository",
+            "ecr:TagResource",
+            "ecr:CreatePullThroughCacheRule"
+          ],
+          "Effect": "Allow",
+          "Resource": "*"
+        }
+      ]
+    }
+  EOF
+
+}
+
 resource "aws_iam_role_policy_attachment" "eks_node_kube2iam" {
   policy_arn = aws_iam_policy.eks_kube2iam.arn
   role       = aws_iam_role.eks_node.name
 }
 
+resource "aws_iam_role_policy_attachment" "eks_node_pullthrough" {
+  count      = (var.enable_ecr_pullthough_cache_permissions ? 1 : 0)
+  policy_arn = aws_iam_policy.ecr_pullthrough_cache[0].arn
+  role       = aws_iam_role.eks_node.name
+}
+
 resource "aws_iam_role_policy_attachment" "eks_node_AmazonEKSWorkerNodePolicy" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
   role       = aws_iam_role.eks_node.name
diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf
index 6ef1a0ca..71d20ca5 100644
--- a/odc_eks/variables.tf
+++ b/odc_eks/variables.tf
@@ -126,6 +126,12 @@ variable "public_subnet_cidrs" {
   default     = []
 }
 
+variable "public_subnet_names" {
+  type        = list(string)
+  description = "list of public subnet names to use"
+  default     = []
+}
+
 variable "map_public_ip_on_launch" {
   description = "Should be false if you do not want to auto-assign public IP on launch"
   type        = bool
@@ -138,12 +144,24 @@ variable "private_subnet_cidrs" {
   default     = []
 }
 
+variable "private_subnet_names" {
+  type        = list(string)
+  description = "list of private subnet names to use"
+  default     = []
+}
+
 variable "database_subnet_cidrs" {
   description = "List of database cidrs, for all available availability zones. Example: 10.0.0.0/24 and 10.0.1.0/24"
   type        = list(string)
   default     = []
 }
 
+variable "database_subnet_names" {
+  type        = list(string)
+  description = "list of database subnet names to use"
+  default     = []
+}
+
 variable "private_subnet_elb_role" {
   type        = string
   description = "ELB role for private subnets "
@@ -168,6 +186,11 @@ variable "enable_nat_gateway" {
   default     = true
 }
 
+variable "single_nat_gateway" {
+  description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks"
+  type        = bool
+  default     = false
+}
 
 variable "create_igw" {
   type        = bool
@@ -175,6 +198,48 @@ variable "create_igw" {
   default     = true
 }
 
+variable "create_flow_log" {
+  type        = bool
+  description = "Whether to create VPC flow logs. Default is set to 'false'"
+  default     = false
+}
+
+variable "flow_log_max_aggregation_interval" {
+  description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds"
+  type        = number
+  default     = 600
+}
+
+variable "flow_log_traffic_type" {
+  description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL"
+  type        = string
+  default     = "ALL"
+}
+
+variable "flow_log_file_format" {
+  description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
+  type        = string
+  default     = "plain-text"
+}
+
+variable "create_flow_log_s3_bucket" {
+  type        = bool
+  description = "Whether to create a S3 bucket for the vpc flow logs. Default is set to 'false'"
+  default     = false
+}
+
+variable "flow_log_s3_bucket_name" {
+  description = "The name of the bucket used to store the logs"
+  type        = string
+  default     = ""
+}
+
+variable "flow_log_s3_bucket_prefix" {
+  description = "The name of the prefix used to store the logs on S3"
+  type        = string
+  default     = ""
+}
+
 
 # EC2 Worker Roles
 # ==================
@@ -333,7 +398,7 @@ variable "addon_vpccni_resolve_create" {
   description = "How to resolve conflicts on add-on creation (NONE, OVERWRITE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE"], var.addon_vpccni_resolve_create)
     error_message = "The addon_vpccni_resolve_create value must be one of ('NONE', 'OVERWRITE')"
@@ -344,7 +409,7 @@ variable "addon_vpccni_resolve_update" {
   description = "How to resolve conflicts on add-on update (NONE, OVERWRITE, PRESERVE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE", "PRESERVE"], var.addon_vpccni_resolve_update)
     error_message = "The addon_vpccni_resolve_update value must be one of ('NONE', 'OVERWRITE', 'PRESERVE')"
@@ -377,7 +442,7 @@ variable "addon_kubeproxy_resolve_create" {
   description = "How to resolve conflicts on add-on creation (NONE, OVERWRITE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE"], var.addon_kubeproxy_resolve_create)
     error_message = "The addon_kubeproxy_resolve_create value must be one of ('NONE', 'OVERWRITE')"
@@ -388,7 +453,7 @@ variable "addon_kubeproxy_resolve_update" {
   description = "How to resolve conflicts on add-on update (NONE, OVERWRITE, PRESERVE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE", "PRESERVE"], var.addon_kubeproxy_resolve_update)
     error_message = "The addon_kubeproxy_resolve_update value must be one of ('NONE', 'OVERWRITE', 'PRESERVE')"
@@ -417,7 +482,7 @@ variable "addon_coredns_resolve_create" {
   description = "How to resolve conflicts on add-on creation (NONE, OVERWRITE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE"], var.addon_coredns_resolve_create)
     error_message = "The addon_coredns_resolve_create value must be one of ('NONE', 'OVERWRITE')"
@@ -428,7 +493,7 @@ variable "addon_coredns_resolve_update" {
   description = "How to resolve conflicts on add-on update (NONE, OVERWRITE, PRESERVE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE", "PRESERVE"], var.addon_coredns_resolve_update)
     error_message = "The addon_coredns_resolve_update value must be one of ('NONE', 'OVERWRITE', 'PRESERVE')"
diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf
new file mode 100644
index 00000000..7838ffd2
--- /dev/null
+++ b/odc_eks/vpc_support.tf
@@ -0,0 +1,50 @@
+################################################################################
+# Supporting Resources
+################################################################################
+resource "random_pet" "this" {
+  length = 2
+}
+
+# S3 Bucket
+module "s3_bucket" {
+  count   = (var.create_flow_log && var.create_flow_log_s3_bucket) ? 1 : 0
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "~> 3.0"
+
+  bucket = var.flow_log_s3_bucket_name
+  attach_policy = true
+  policy = data.aws_iam_policy_document.flow_log_s3[0].json
+
+  force_destroy = true
+
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "flow_log_s3" {
+  count = (var.create_flow_log && var.create_flow_log_s3_bucket) ? 1 : 0
+  statement {
+    sid = "AWSLogDeliveryWrite"
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+
+    actions = ["s3:PutObject"]
+
+    resources = ["arn:aws:s3:::${var.flow_log_s3_bucket_name}/${var.flow_log_s3_bucket_prefix}/AWSLogs/*"]
+  }
+
+  statement {
+    sid = "AWSLogDeliveryAclCheck"
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+
+    actions = ["s3:GetBucketAcl"]
+
+    resources = ["arn:aws:s3:::${var.flow_log_s3_bucket_name}"]
+  }
+}
\ No newline at end of file
diff --git a/odc_eks/waf.tf b/odc_eks/waf.tf
index e3c6c9a9..104d8fde 100644
--- a/odc_eks/waf.tf
+++ b/odc_eks/waf.tf
@@ -433,8 +433,8 @@ resource "aws_kinesis_firehose_delivery_stream" "waf_delivery_stream" {
     role_arn   = aws_iam_role.waf_firehose_role[0].arn
     bucket_arn = data.aws_s3_bucket.waf_log_bucket[0].arn
 
-    buffer_size     = var.waf_firehose_buffer_size
-    buffer_interval = var.waf_firehose_buffer_interval
+    buffering_size     = var.waf_firehose_buffer_size
+    buffering_interval = var.waf_firehose_buffer_interval
 
     prefix              = "logs/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/hour=!{timestamp:HH}/"
     error_output_prefix = "errors/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/hour=!{timestamp:HH}/!{firehose:error-output-type}"
@@ -522,4 +522,4 @@ resource "aws_wafregional_web_acl_association" "alb" {
   resource_arn = "arn:aws:elasticloadbalancing:ap-southeast-1:<account-id>:loadbalancer/app/<lb-name>/<lb-id>" # ARN of the ALB
   web_acl_id   = "${aws_wafregional_web_acl.waf_webacl.id}"
 }
-*/
\ No newline at end of file
+*/