diff --git a/terraform/layer1-aws/README.md b/terraform/layer1-aws/README.md
index 33b167b..ebd9da7 100644
--- a/terraform/layer1-aws/README.md
+++ b/terraform/layer1-aws/README.md
@@ -43,7 +43,7 @@
 | [aws_sns_topic_policy.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic_subscription) | resource |
 | [aws_acm_certificate.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/acm_certificate) | data source |
-| [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/ami) | data source |
+| [aws_ami.eks_default_arm64](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/ami) | data source |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/availability_zones) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/caller_identity) | data source |
 | [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/eks_cluster_auth) | data source |
@@ -72,15 +72,10 @@
 | <a name="input_eks_cluster_endpoint_public_access"></a> [eks\_cluster\_endpoint\_public\_access](#input\_eks\_cluster\_endpoint\_public\_access) | Enable or not public access to cluster endpoint | `bool` | `true` | no |
 | <a name="input_eks_cluster_version"></a> [eks\_cluster\_version](#input\_eks\_cluster\_version) | Version of the EKS K8S cluster | `string` | `"1.25"` | no |
 | <a name="input_eks_map_roles"></a> [eks\_map\_roles](#input\_eks\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. | <pre>list(object({<br>    rolearn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | `[]` | no |
-| <a name="input_eks_workers_additional_policies"></a> [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `map(string)` | <pre>{<br>  "additional": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"<br>}</pre> | no |
-| <a name="input_eks_write_kubeconfig"></a> [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no |
 | <a name="input_is_this_payment_account"></a> [is\_this\_payment\_account](#input\_is\_this\_payment\_account) | Set it to false if a target account isn't a payer account. This variable is used to apply a configuration for cost allocation tags | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes |
-| <a name="input_node_group_br"></a> [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration | <pre>object({<br>    instance_type              = string<br>    max_capacity               = number<br>    min_capacity               = number<br>    desired_capacity           = number<br>    capacity_rebalance         = bool<br>    use_mixed_instances_policy = bool<br>    mixed_instances_policy     = any<br>  })</pre> | <pre>{<br>  "capacity_rebalance": true,<br>  "desired_capacity": 0,<br>  "instance_type": "t3.medium",<br>  "max_capacity": 5,<br>  "min_capacity": 0,<br>  "mixed_instances_policy": {<br>    "instances_distribution": {<br>      "on_demand_base_capacity": 0,<br>      "on_demand_percentage_above_base_capacity": 0<br>    },<br>    "override": [<br>      {<br>        "instance_type": "t3.medium"<br>      },<br>      {<br>        "instance_type": "t3a.medium"<br>      }<br>    ]<br>  },<br>  "use_mixed_instances_policy": true<br>}</pre> | no |
-| <a name="input_node_group_ci"></a> [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration | <pre>object({<br>    instance_type              = string<br>    max_capacity               = number<br>    min_capacity               = number<br>    desired_capacity           = number<br>    capacity_rebalance         = bool<br>    use_mixed_instances_policy = bool<br>    mixed_instances_policy     = any<br>  })</pre> | <pre>{<br>  "capacity_rebalance": false,<br>  "desired_capacity": 0,<br>  "instance_type": "t3.medium",<br>  "max_capacity": 5,<br>  "min_capacity": 0,<br>  "mixed_instances_policy": {<br>    "instances_distribution": {<br>      "on_demand_base_capacity": 0,<br>      "on_demand_percentage_above_base_capacity": 0<br>    },<br>    "override": [<br>      {<br>        "instance_type": "t3.medium"<br>      },<br>      {<br>        "instance_type": "t3a.medium"<br>      }<br>    ]<br>  },<br>  "use_mixed_instances_policy": true<br>}</pre> | no |
-| <a name="input_node_group_ondemand"></a> [node\_group\_ondemand](#input\_node\_group\_ondemand) | Default ondemand node group configuration | <pre>object({<br>    instance_type              = string<br>    max_capacity               = number<br>    min_capacity               = number<br>    desired_capacity           = number<br>    capacity_rebalance         = bool<br>    use_mixed_instances_policy = bool<br>    mixed_instances_policy     = any<br>  })</pre> | <pre>{<br>  "capacity_rebalance": false,<br>  "desired_capacity": 1,<br>  "instance_type": "t3a.medium",<br>  "max_capacity": 5,<br>  "min_capacity": 1,<br>  "mixed_instances_policy": null,<br>  "use_mixed_instances_policy": false<br>}</pre> | no |
-| <a name="input_node_group_spot"></a> [node\_group\_spot](#input\_node\_group\_spot) | Spot node group configuration | <pre>object({<br>    instance_type              = string<br>    max_capacity               = number<br>    min_capacity               = number<br>    desired_capacity           = number<br>    capacity_rebalance         = bool<br>    use_mixed_instances_policy = bool<br>    mixed_instances_policy     = any<br>  })</pre> | <pre>{<br>  "capacity_rebalance": true,<br>  "desired_capacity": 1,<br>  "instance_type": "t3.medium",<br>  "max_capacity": 5,<br>  "min_capacity": 0,<br>  "mixed_instances_policy": {<br>    "instances_distribution": {<br>      "on_demand_base_capacity": 0,<br>      "on_demand_percentage_above_base_capacity": 0<br>    },<br>    "override": [<br>      {<br>        "instance_type": "t3.medium"<br>      },<br>      {<br>        "instance_type": "t3a.medium"<br>      }<br>    ]<br>  },<br>  "use_mixed_instances_policy": true<br>}</pre> | no |
+| <a name="input_node_group_default"></a> [node\_group\_default](#input\_node\_group\_default) | Default node group configuration | <pre>object({<br>    instance_type              = string<br>    max_capacity               = number<br>    min_capacity               = number<br>    desired_capacity           = number<br>    capacity_rebalance         = bool<br>    use_mixed_instances_policy = bool<br>    mixed_instances_policy     = any<br>  })</pre> | <pre>{<br>  "capacity_rebalance": true,<br>  "desired_capacity": 2,<br>  "instance_type": "t4g.medium",<br>  "max_capacity": 3,<br>  "min_capacity": 2,<br>  "mixed_instances_policy": {<br>    "instances_distribution": {<br>      "on_demand_base_capacity": 0,<br>      "on_demand_percentage_above_base_capacity": 0<br>    },<br>    "override": [<br>      {<br>        "instance_type": "t4g.small"<br>      },<br>      {<br>        "instance_type": "t4g.medium"<br>      }<br>    ]<br>  },<br>  "use_mixed_instances_policy": true<br>}</pre> | no |
 | <a name="input_pritunl_vpn_access_cidr_blocks"></a> [pritunl\_vpn\_access\_cidr\_blocks](#input\_pritunl\_vpn\_access\_cidr\_blocks) | IP address that will have access to the web console | `string` | `"127.0.0.1/32"` | no |
 | <a name="input_pritunl_vpn_server_enable"></a> [pritunl\_vpn\_server\_enable](#input\_pritunl\_vpn\_server\_enable) | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no |
@@ -103,6 +98,8 @@
 | <a name="output_env"></a> [env](#output\_env) | Suffix for the hostname depending on workspace |
 | <a name="output_name"></a> [name](#output\_name) | Project name, required to form unique resource names |
 | <a name="output_name_wo_region"></a> [name\_wo\_region](#output\_name\_wo\_region) | Project name, required to form unique resource names without short region |
+| <a name="output_node_group_default_iam_role_arn"></a> [node\_group\_default\_iam\_role\_arn](#output\_node\_group\_default\_iam\_role\_arn) | n/a |
+| <a name="output_node_group_default_iam_role_name"></a> [node\_group\_default\_iam\_role\_name](#output\_node\_group\_default\_iam\_role\_name) | n/a |
 | <a name="output_region"></a> [region](#output\_region) | Target region for all infrastructure resources |
 | <a name="output_route53_zone_id"></a> [route53\_zone\_id](#output\_route53\_zone\_id) | ID of domain zone |
 | <a name="output_short_region"></a> [short\_region](#output\_short\_region) | The abbreviated name of the region, required to form unique resource names |
diff --git a/terraform/layer2-k8s/README.md b/terraform/layer2-k8s/README.md
index 909031c..6922c3b 100644
--- a/terraform/layer2-k8s/README.md
+++ b/terraform/layer2-k8s/README.md
@@ -25,7 +25,6 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_aws_iam_autoscaler"></a> [aws\_iam\_autoscaler](#module\_aws\_iam\_autoscaler) | ../modules/aws-iam-eks-trusted | n/a |
 | <a name="module_aws_iam_aws_loadbalancer_controller"></a> [aws\_iam\_aws\_loadbalancer\_controller](#module\_aws\_iam\_aws\_loadbalancer\_controller) | ../modules/aws-iam-eks-trusted | n/a |
 | <a name="module_aws_iam_cert_manager"></a> [aws\_iam\_cert\_manager](#module\_aws\_iam\_cert\_manager) | ../modules/aws-iam-eks-trusted | n/a |
 | <a name="module_aws_iam_elastic_stack"></a> [aws\_iam\_elastic\_stack](#module\_aws\_iam\_elastic\_stack) | ../modules/aws-iam-user-with-policy | n/a |
@@ -34,9 +33,7 @@
 | <a name="module_aws_iam_kube_prometheus_stack_grafana"></a> [aws\_iam\_kube\_prometheus\_stack\_grafana](#module\_aws\_iam\_kube\_prometheus\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a |
 | <a name="module_aws_iam_victoria_metrics_k8s_stack_grafana"></a> [aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana](#module\_aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a |
 | <a name="module_aws_load_balancer_controller_namespace"></a> [aws\_load\_balancer\_controller\_namespace](#module\_aws\_load\_balancer\_controller\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
-| <a name="module_aws_node_termination_handler_namespace"></a> [aws\_node\_termination\_handler\_namespace](#module\_aws\_node\_termination\_handler\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 | <a name="module_certmanager_namespace"></a> [certmanager\_namespace](#module\_certmanager\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
-| <a name="module_cluster_autoscaler_namespace"></a> [cluster\_autoscaler\_namespace](#module\_cluster\_autoscaler\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 | <a name="module_elastic_tls"></a> [elastic\_tls](#module\_elastic\_tls) | ../modules/self-signed-certificate | n/a |
 | <a name="module_elk_namespace"></a> [elk\_namespace](#module\_elk\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 | <a name="module_external_dns_namespace"></a> [external\_dns\_namespace](#module\_external\_dns\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
@@ -45,6 +42,8 @@
 | <a name="module_gitlab_runner_namespace"></a> [gitlab\_runner\_namespace](#module\_gitlab\_runner\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 | <a name="module_ingress_nginx_namespace"></a> [ingress\_nginx\_namespace](#module\_ingress\_nginx\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 | <a name="module_istio_system_namespace"></a> [istio\_system\_namespace](#module\_istio\_system\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
+| <a name="module_karpenter"></a> [karpenter](#module\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | 19.21.0 |
+| <a name="module_karpenter_namespace"></a> [karpenter\_namespace](#module\_karpenter\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 | <a name="module_keda_namespace"></a> [keda\_namespace](#module\_keda\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 | <a name="module_kiali_namespace"></a> [kiali\_namespace](#module\_kiali\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
 | <a name="module_kube_prometheus_stack_namespace"></a> [kube\_prometheus\_stack\_namespace](#module\_kube\_prometheus\_stack\_namespace) | ../modules/eks-kubernetes-namespace | n/a |
@@ -67,10 +66,8 @@
 | [aws_s3_bucket_server_side_encryption_configuration.elastic_stack_encryption](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.gitlab_runner_encryption](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [helm_release.aws_loadbalancer_controller](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
-| [helm_release.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.certificate](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
-| [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.cluster_issuer](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.elk](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.external_dns](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
@@ -79,6 +76,7 @@
 | [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.istio_base](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.istiod](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
+| [helm_release.karpenter](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.kedacore](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.kiali](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [helm_release.loki_stack](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
@@ -87,6 +85,10 @@
 | [helm_release.victoria_metrics_k8s_stack](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource |
 | [kubectl_manifest.istio_prometheus_service_monitor_cp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
 | [kubectl_manifest.istio_prometheus_service_monitor_dp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
+| [kubectl_manifest.karpenter_ec2nodeclass_private](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
+| [kubectl_manifest.karpenter_ec2nodeclass_public](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
+| [kubectl_manifest.karpenter_nodepool_ci](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
+| [kubectl_manifest.karpenter_nodepool_default](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
 | [kubectl_manifest.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource |
 | [kubernetes_ingress_v1.default](https://registry.terraform.io/providers/hashicorp/kubernetes/2.19.0/docs/resources/ingress_v1) | resource |
 | [kubernetes_secret.elasticsearch_certificates](https://registry.terraform.io/providers/hashicorp/kubernetes/2.19.0/docs/resources/secret) | resource |
@@ -105,6 +107,7 @@
 | [tls_private_key.aws_loadbalancer_controller_webhook_ca](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [tls_self_signed_cert.aws_loadbalancer_controller_webhook_ca](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/caller_identity) | data source |
+| [aws_ecrpublic_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/ecrpublic_authorization_token) | data source |
 | [aws_eks_cluster.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/eks_cluster) | data source |
 | [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/eks_cluster_auth) | data source |
 | [aws_secretsmanager_secret.infra](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/secretsmanager_secret) | data source |
@@ -127,6 +130,8 @@
 | <a name="input_helm_release_history_size"></a> [helm\_release\_history\_size](#input\_helm\_release\_history\_size) | How much helm releases to store | `number` | `5` | no |
 | <a name="input_name"></a> [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes |
 | <a name="input_nginx_ingress_ssl_terminator"></a> [nginx\_ingress\_ssl\_terminator](#input\_nginx\_ingress\_ssl\_terminator) | Select SSL termination type | `string` | `"lb"` | no |
+| <a name="input_node_group_default_iam_role_arn"></a> [node\_group\_default\_iam\_role\_arn](#input\_node\_group\_default\_iam\_role\_arn) | The IAM Role ARN of a default nodegroup | `string` | `""` | no |
+| <a name="input_node_group_default_iam_role_name"></a> [node\_group\_default\_iam\_role\_name](#input\_node\_group\_default\_iam\_role\_name) | The IAM Role name of a default nodegroup | `string` | `""` | no |
 | <a name="input_region"></a> [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no |
 | <a name="input_short_region"></a> [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` | <pre>{<br>  "ap-east-1": "ape1",<br>  "ap-northeast-1": "apn1",<br>  "ap-northeast-2": "apn2",<br>  "ap-south-1": "aps1",<br>  "ap-southeast-1": "apse1",<br>  "ap-southeast-2": "apse2",<br>  "ca-central-1": "cac1",<br>  "cn-north-1": "cnn1",<br>  "cn-northwest-1": "cnnw1",<br>  "eu-central-1": "euc1",<br>  "eu-north-1": "eun1",<br>  "eu-west-1": "euw1",<br>  "eu-west-2": "euw2",<br>  "eu-west-3": "euw3",<br>  "sa-east-1": "sae1",<br>  "us-east-1": "use1",<br>  "us-east-2": "use2",<br>  "us-gov-east-1": "usge1",<br>  "us-gov-west-1": "usgw1",<br>  "us-west-1": "usw1",<br>  "us-west-2": "usw2"<br>}</pre> | no |
 | <a name="input_ssl_certificate_arn"></a> [ssl\_certificate\_arn](#input\_ssl\_certificate\_arn) | ARN of ACM SSL certificate | `any` | n/a | yes |