diff --git a/modules/app_eks/add-ons.tf b/modules/app_eks/add-ons.tf
new file mode 100644
index 00000000..9cfd3d9d
--- /dev/null
+++ b/modules/app_eks/add-ons.tf
@@ -0,0 +1,21 @@
+#########################################
+# OIDC stuff for VPC CNI
+#########################################
+data "tls_certificate" "vpc_cni" {
+ url = module.eks.cluster_oidc_issuer_url
+}
+
+resource "aws_eks_addon" "vpc_cni" {
+ depends_on = [
+ module.eks,
+ aws_iam_openid_connect_provider.eks,
+ aws_iam_role_policy_attachment.vpc_cni
+ ]
+
+ addon_name = "vpc-cni"
+ addon_version = "v1.13.0-eksbuild.1"
+ cluster_name = var.namespace
+ preserve = false
+ resolve_conflicts = "OVERWRITE"
+ service_account_role_arn = aws_iam_role.node.arn
+}
diff --git a/modules/app_eks/iam-role-attachments.tf b/modules/app_eks/iam-role-attachments.tf
index e82fe63b..69a14448 100644
--- a/modules/app_eks/iam-role-attachments.tf
+++ b/modules/app_eks/iam-role-attachments.tf
@@ -13,6 +13,11 @@ resource "aws_iam_role_policy_attachment" "node_kms" {
 policy_arn = aws_iam_policy.node_kms.arn
 }
+resource "aws_iam_role_policy_attachment" "node_secrets_manager" {
+ role = aws_iam_role.node.name
+ policy_arn = aws_iam_policy.secrets_manager.arn
+}
+
 resource "aws_iam_role_policy_attachment" "node_sqs" {
 role = aws_iam_role.node.name
 policy_arn = aws_iam_policy.node_sqs.arn
@@ -23,6 +28,16 @@ resource "aws_iam_role_policy_attachment" "node_s3" {
 policy_arn = aws_iam_policy.node_s3.arn
 }
+resource "aws_iam_role_policy_attachment" "ebs_csi" {
+ role = aws_iam_role.node.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "ec2_container_registry" {
+ role = aws_iam_role.node.name
+ policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+}
+
 resource "aws_iam_role_policy_attachment" "eks_cni" {
 role = aws_iam_role.node.name
 policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
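Review bot: `service_account_role_arn = aws_iam_role.node.arn` hands the `aws-node` pod the whole node role instead of a role scoped to `AmazonEKS_CNI_Policy`; that role also carries the KMS, Secrets Manager, SQS, S3 and EBS CSI attachments visible in iam-role-attachments.tf, so whatever runs in the CNI pod (or holds its projected service-account token) inherits all of them, which defeats the purpose of IRSA. A dedicated role whose trust policy holds only the federated statement being added in iam-role-policies.tf, with `AmazonEKS_CNI_Policy` as its single attachment, keeps the node role's trust policy EC2-only and the pod's permissions minimal. `depends_on` also names `aws_iam_role_policy_attachment.vpc_cni`, which does not appear in this diff (the CNI attachment visible in iam-role-attachments.tf is `eks_cni`), so unless it is defined elsewhere in the module the plan fails on an unknown reference; the same is true of `aws_iam_openid_connect_provider.eks`, which is referenced from here and from iam-role-policies.tf but not defined in the diff, and `data.tls_certificate.vpc_cni` is presumably meant to feed it. A short comment on the addon stating which role is intended and why would also help, since the header says only "OIDC stuff".
```hcl
# Dedicated IRSA role for the vpc-cni service account: trust policy is the
# federated statement only (constructed name; move the AssumeRoleWithWebIdentity
# statement from node_assume into this document).
resource "aws_iam_role" "vpc_cni" {
  name               = "${var.namespace}-vpc-cni"
  assume_role_policy = data.aws_iam_policy_document.vpc_cni_assume.json
}

# This is the attachment the addon's depends_on already refers to.
resource "aws_iam_role_policy_attachment" "vpc_cni" {
  role       = aws_iam_role.vpc_cni.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
}

resource "aws_eks_addon" "vpc_cni" {
  # … unchanged: depends_on, addon_name, addon_version, cluster_name, preserve, resolve_conflicts …
  service_account_role_arn = aws_iam_role.vpc_cni.arn
}
```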
@@ -38,17 +53,6 @@ resource "aws_iam_role_policy_attachment" "eks_worker_node" {
 policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
 }
-resource "aws_iam_role_policy_attachment" "ec2_container_registry" {
- role = aws_iam_role.node.name
- policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
-}
-resource "aws_iam_role_policy_attachment" "ebs_csi" {
- role = aws_iam_role.node.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
-}
-resource "aws_iam_role_policy_attachment" "node_secrets_manager" {
- role = aws_iam_role.node.name
- policy_arn = aws_iam_policy.secrets_manager.arn
-}
+
diff --git a/modules/app_eks/iam-role-policies.tf b/modules/app_eks/iam-role-policies.tf
index e9e26264..7c7e94c8 100644
--- a/modules/app_eks/iam-role-policies.tf
+++ b/modules/app_eks/iam-role-policies.tf
@@ -9,5 +9,21 @@ data "aws_iam_policy_document" "node_assume" {
 identifiers = ["ec2.amazonaws.com"]
 }
 }
+
+ statement {
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+ effect = "Allow"
+
+ condition {
+ test = "StringEquals"
+ variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
+ values = ["system:serviceaccount:kube-system:aws-node"]
+ }
+
+ principals {
+ identifiers = [aws_iam_openid_connect_provider.eks.arn]
+ type = "Federated"
+ }
+ }
 }
diff --git a/modules/app_eks/iam-roles.tf b/modules/app_eks/iam-roles.tf
index 19e99e92..b44640b0 100644
--- a/modules/app_eks/iam-roles.tf
+++ b/modules/app_eks/iam-roles.tf
@@ -1,7 +1,6 @@
 resource "aws_iam_role" "node" {
 name = "${var.namespace}-node"
 assume_role_policy = data.aws_iam_policy_document.node_assume.json
-
 }
diff --git a/modules/app_eks/main.tf b/modules/app_eks/main.tf
index 063ff729..42a2b702 100644
--- a/modules/app_eks/main.tf
+++ b/modules/app_eks/main.tf
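Review bot: The new `sts:AssumeRoleWithWebIdentity` statement in `node_assume` conditions only on the `:sub` claim; without a matching `:aud` condition the role accepts any token the cluster's OIDC issuer signs for that service account regardless of the audience it was minted for, and the usual IRSA trust policy pins both. Add a second condition block next to the `:sub` one, shown below. The statement is also being appended to the trust policy of `aws_iam_role.node`, the role every EC2 node already assumes, so a Kubernetes service-account token now reaches exactly the same permissions as the instance profile; a separate role for the CNI service account would keep the two trust paths apart. `aws_iam_openid_connect_provider.eks` is referenced here but defined nowhere in this diff, so presumably it lives elsewhere in the module.
```hcl
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    effect  = "Allow"

    # … unchanged: :sub condition …

    # Pin the token audience as well as the subject.
    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
      values   = ["sts.amazonaws.com"]
    }

    # … unchanged: principals …
  }
```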
@@ -4,36 +4,14 @@ locals {
 mysql_port = 3306
 redis_port = 6379
 encrypt_ebs_volume = true
-}
-
-
-resource "aws_eks_addon" "eks" {
- cluster_name = var.namespace
- addon_name = "aws-ebs-csi-driver"
- depends_on = [
- module.eks
- ]
-}
-resource "aws_eks_addon" "efs" {
- cluster_name = module.eks.cluster_id
- addon_name = "aws-efs-csi-driver"
- addon_version = "v1.7.1-eksbuild.1" # Ensure this version is compatible
- resolve_conflicts = "OVERWRITE"
- depends_on = [
- module.eks
- ]
+ managed_policy_arns = concat([
+ "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+ "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+ ], var.eks_policy_arns)
 }
-# removed due to conflict with
-# AWS Load Balancer Controller
-# being installed with Helm.
-# See: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/
-#resource "aws_eks_addon" "vpc_cni" {
-# cluster_name = var.namespace
-# addon_name = "vpc-cni"
-# depends_on = [module.eks]
-#}
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
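Review bot: `local.managed_policy_arns` lists the same three managed policies that iam-role-attachments.tf attaches to `aws_iam_role.node` explicitly (`eks_worker_node`, `eks_cni`, `ec2_container_registry`), but nothing in this hunk shows where the local is consumed; if it is attached to the same role the two definitions will contend for the same attachments, and if it goes to a module-created node-group role the two lists will drift apart silently. Keep one source of truth and name the consumer on the local, e.g. `# consumed by module.eks (<input name — TODO confirm>); keep in sync with iam-role-attachments.tf`. Separately, the `aws-ebs-csi-driver` and `aws-efs-csi-driver` addons are removed here with no replacement visible in the diff, while `AmazonEBSCSIDriverPolicy` stays attached to the node role in iam-role-attachments.tf; if the drivers are now installed another way a comment should say so, otherwise that attachment is unused privilege on every node. The removed comment explaining why `vpc-cni` had been dropped (conflict with the Helm-installed AWS Load Balancer Controller) is not carried over to the new add-ons.tf, which re-adds the addon with `resolve_conflicts = "OVERWRITE"`; a one-line note there on why the conflict no longer applies would spare the next reader a repeat of that incident. `var.eks_policy_arns` is also not declared anywhere in the diff, so presumably it exists in the module's variables.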