diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index f48e60d3..ab3a04fa 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -45,8 +45,8 @@ RUN if [ "${INSTALL_AZURE_CLI}" = "true" ]; then bash /tmp/library-scripts/azcli
 # Install Terraform, tflint, Go, PowerShell, and other useful tools
 # TODO: move this into main "RUN" layer above
-ARG TERRAFORM_VERSION=0.14.9
-ARG TFLINT_VERSION=0.18.0
+ARG TERRAFORM_VERSION=1.0.0
+ARG TFLINT_VERSION=0.29.0
 RUN bash /tmp/library-scripts/terraform-debian.sh "${TERRAFORM_VERSION}" "${TFLINT_VERSION}" \
 && bash /tmp/library-scripts/powershell-debian.sh \
 && bash /tmp/library-scripts/kubectl-helm-debian.sh \
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 670c689d..a781456d 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -5,8 +5,8 @@
 "build": {
 "dockerfile": "Dockerfile",
 "args": {
- "TERRAFORM_VERSION": "0.14.9",
- "TFLINT_VERSION": "0.22.0",
+ "TERRAFORM_VERSION": "1.0.0",
+ "TFLINT_VERSION": "0.29.0",
 "INSTALL_AZURE_CLI": "true",
 "INSTALL_DOCKER": "true",
 "INSTALL_NODE": "true"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a8d9a51e..56020276 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,3 +1,6 @@
+# build - github workflow
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
 # https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
 name: build
@@ -58,12 +61,12 @@ env:
 TF_INPUT: "false"
 TF_PLAN: "tfplan"
 # https://github.com/hashicorp/terraform/releases
- TF_VERSION: "0.14.9"
+ TF_VERSION: "1.0.3"
 TF_WORKING_DIR: ./terraform
 # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases
- TFLINT_RULESET_AZURERM_VERSION: "v0.9.0"
+ TFLINT_RULESET_AZURERM_VERSION: "v0.11.0"
 # https://github.com/terraform-linters/tflint/releases
- TFLINT_VERSION: "v0.25.0"
+ TFLINT_VERSION: "v0.30.0"
 # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
 # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489
@@ -190,9 +193,11 @@ jobs:
 run: ./scripts/push_docker_images.sh
 # TODO: Remove once issue has been fixed
- # https://github.com/terraform-providers/terraform-provider-azurerm/issues/8546
- - name: Restart Function App
- run: az functionapp restart --name "${{ env.PREFIX }}-funcapp" --resource-group "${{ env.PREFIX }}-rg-function-app"
+ - name: Fix Function App version
+ run: pwsh -command "./scripts/Fix-FunctionApp.ps1"
+ env:
+ FUNCTION_APP_NAME: "${{ env.PREFIX }}-funcapp"
+ FUNCTION_APP_RG: "${{ env.PREFIX }}-rg-function-app"
 # Pester tests
 - name: 🧪 Run Pester tests
diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
index cac5aee2..65d47770 100644
--- a/.github/workflows/destroy.yml
+++ b/.github/workflows/destroy.yml
@@ -1,3 +1,6 @@
+# destroy - github workflow
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
 # https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
 name: destroy
@@ -52,7 +55,7 @@ env:
 TF_LOG_PATH: terraform.log
 TF_LOG: TRACE
 # https://github.com/hashicorp/terraform/releases
- TF_VERSION: "0.14.9"
+ TF_VERSION: "1.0.3"
 TF_WORKING_DIR: terraform
 # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
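Review bot: The `# TODO: Remove once issue has been fixed` comment kept above the new "Fix Function App version" step lost its only reference when the `issues/8546` link was removed, so it no longer says which issue gates its removal; the new script's header cites a different issue, so the line to restore is `# https://github.com/terraform-providers/terraform-provider-azurerm/issues/8867`. A style point on the same step: `run: pwsh -command "./scripts/Fix-FunctionApp.ps1"` under the workflow's default shell can be written as `shell: pwsh` with `run: ./scripts/Fix-FunctionApp.ps1`, so the runner's own PowerShell fail-fast handling applies instead of relying on pwsh's exit status under `-command`. The enclosing job starts outside the hunk.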
diff --git a/.vscode/launch.json b/.vscode/launch.json
index 4027c7e3..7c74a022 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -1,13 +1,11 @@
 {
- "version": "0.2.0",
 "configurations": [
- {
- "name": "Attach to PowerShell Functions",
- "type": "PowerShell",
- "request": "attach",
- "customPipeName": "AzureFunctionsPSWorker",
- "runspaceId": 1,
- "preLaunchTask": "func: host start"
- }
+ {
+ "name": "PowerShell Launch Current File",
+ "type": "PowerShell",
+ "request": "launch",
+ "script": "${file}",
+ "cwd": "${file}"
+ }
 ]
 }
diff --git a/function_app/profile.ps1 b/function_app/profile.ps1
index 0be26281..4ff91fd9 100644
--- a/function_app/profile.ps1
+++ b/function_app/profile.ps1
@@ -56,9 +56,10 @@ function Send-IftttAppNotification {
 value3 = $Value3
 }
- Invoke-RestMethod -Method Get -Uri $webhookUrl -Body $body -ResponseHeadersVariable responseHeaders -StatusCodeVariable statusCode
+ # TEMP removal of "StatusCodeVariable" until PowerShell 7 function app issues are resolved
+ Invoke-RestMethod -Method Get -Uri $webhookUrl -Body $body -ResponseHeadersVariable responseHeaders #-StatusCodeVariable statusCode
- Write-Host "Status Code: [$statusCode]"
+ # Write-Host "Status Code: [$statusCode]"
 Write-Host "Response Headers:`n"
 $responseHeaders | Out-String
 }
diff --git a/scripts/Fix-FunctionApp.ps1 b/scripts/Fix-FunctionApp.ps1
new file mode 100644
index 00000000..2ce126ff
--- /dev/null
+++ b/scripts/Fix-FunctionApp.ps1
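Review bot: `"cwd": "${file}"` in the new launch configuration sets the working directory to the path of the file being launched rather than to a directory; `${fileDirname}` is the VS Code variable for the file's containing folder, so the line should read `"cwd": "${fileDirname}"`. The hunk also drops `"version": "0.2.0"`, the schema version VS Code's launch.json template carries at the top of the file; unless its removal is intended, keep the ` "version": "0.2.0",` line alongside the new configuration.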
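Review bot: The `# TEMP removal of "StatusCodeVariable"` comment records a temporary workaround without saying what it waits on, so nothing tells a later reader when the commented-out `-StatusCodeVariable statusCode` and `Write-Host "Status Code: [$statusCode]"` lines can be restored; name the tracking reference and owner, e.g. `# TODO(<owner>): restore -StatusCodeVariable once <tracking issue> is resolved`. Send-IftttAppNotification starts outside the hunk.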
@@ -0,0 +1,19 @@
+# source: https://github.com/terraform-providers/terraform-provider-azurerm/issues/8867#issuecomment-849842849
+
+# Fixes PowerShell function app stack version to 7
+
+# Change function app to PS 7
+Write-Host 'Change function app to PS 7'
+$function = az functionapp show --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG | ConvertFrom-Json
+
+if ($function.siteConfig.powerShellVersion -ne "~7") {
+ Write-Host "Updating powershell version to ~7..."
+ az functionapp update --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG --set "siteConfig.powerShellVersion=~7"
+
+ # Restart Function App
+ # az functionapp restart --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG
+} else {
+ Write-Host "Powershell version already set to to ~7"
+}
+
+Write-Host ''
diff --git a/scripts/tflint.sh b/scripts/tflint.sh
index 57482d98..e6ad4489 100644
--- a/scripts/tflint.sh
+++ b/scripts/tflint.sh
@@ -9,8 +9,8 @@ trap "echo 'error: Script failed: see failed command above'" ERR
 # vars
 # Set local vars from env var, with default fallbacks
-TFLINT_VERSION="${TFLINT_VERSION:-v0.23.1}"
-TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.7.0}"
+TFLINT_VERSION="${TFLINT_VERSION:-v0.29.1}"
+TFLINT_RULESET_AZURERM_VERSION="${TFLINT_RULESET_AZURERM_VERSION:-v0.10.1}"
 TF_FLAGS=("$TF_WORKING_DIR")
 export TFLINT_LOG=debug
 # use empty array to skip adding disabled rules, eg: "DISABLED_RULES=()"
diff --git a/splunk/.terraform.lock.hcl b/splunk/.terraform.lock.hcl
new file mode 100644
index 00000000..3d921780
--- /dev/null
+++ b/splunk/.terraform.lock.hcl
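Review bot: Neither `az functionapp show` nor `az functionapp update` has its exit status checked, and `$env:FUNCTION_APP_NAME` / `$env:FUNCTION_APP_RG` are never validated, so when either command fails (expired credentials, missing app, unset variable) `$function` is null, the comparison on `$function.siteConfig.powerShellVersion` still runs, and the script ends on the succeeding `Write-Host ''` — the calling workflow step reports success without the version fix having happened. Asserting both variables up front and checking `$LASTEXITCODE` after each `az` call, throwing on failure, makes the problem visible to the workflow. The typo in `"Powershell version already set to to ~7"` can be fixed in the same pass.
```powershell
# Fail early if the caller did not identify the target app
if (-not $env:FUNCTION_APP_NAME -or -not $env:FUNCTION_APP_RG) {
    throw 'FUNCTION_APP_NAME and FUNCTION_APP_RG must be set'
}

Write-Host 'Change function app to PS 7'
$function = az functionapp show --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG | ConvertFrom-Json
if ($LASTEXITCODE -ne 0 -or -not $function) {
    throw "az functionapp show failed for $env:FUNCTION_APP_NAME (exit code $LASTEXITCODE)"
}

if ($function.siteConfig.powerShellVersion -ne "~7") {
    Write-Host "Updating powershell version to ~7..."
    az functionapp update --name $env:FUNCTION_APP_NAME --resource-group $env:FUNCTION_APP_RG --set "siteConfig.powerShellVersion=~7"
    if ($LASTEXITCODE -ne 0) {
        throw "az functionapp update failed for $env:FUNCTION_APP_NAME (exit code $LASTEXITCODE)"
    }
    # … unchanged: commented-out restart …
} else {
    Write-Host "Powershell version already set to ~7"
}
# … unchanged: trailing Write-Host …
```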
@@ -0,0 +1,116 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azuread" { + version = "1.5.1" + constraints = "~> 1.0, ~> 1.5.1" + hashes = [ + "h1:y98vgkLxJsyhyb5oZU1lM/EIQDixKcKAxgFYpQIH+kY=", + "zh:1a7a6313731ad4a1fbe9d52ae030a13b9b9ab9b155890872304dcb9daed402f5", + "zh:34cf80bc53f263ed79695a485331787cb7fb42c8617371599805e827079fe225", + "zh:3a9c68db7cd8c40472ac02ef3b42e81b6a8195c047e7d3dfa93c0458217efb89", + "zh:518a2139c0f0126e7bd43e1f92ad959164a065397de4b85e5650ab11221695e1", + "zh:743b4133d2ec47ec9d3706f5ae9848db4d27d09edacebcd18f878aaf79411cce", + "zh:8c2dfeee0cdfb873a0e8cf72e77ae4b747981d2efb6466a04abc0101ae27f5bc", + "zh:9a129fa81dcf8d49b8b66b11d4b207d173166b68e7a8322314ec81692478ef32", + "zh:c6d533931f79507cb4e497e9aec38d4ff2f2ba1102b9cdd7ed258ea70c7fe330", + "zh:d5c85d9e2b08aa445f07237e82644583261d9311efc749621af96b83879c0601", + "zh:f244da502572a9a2c657015af24239cdd798db8ceaa332b52d8e7c8bb770bc24", + "zh:f368f8dde9986196cf2fbd1dd53c6398c6ba243ce1d1709e7c8fa82b7775c5dc", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "2.63.0" + constraints = "~> 2.0, ~> 2.63.0" + hashes = [ + "h1:X/+2FPiqmwu/sZDl5FhY071o9uWHrZIlb4hr24GlN2E=", + "zh:050254861e4481c905945dc1ba0aa222373ae92d549a0168b7a271260497ca5b", + "zh:053f7de4ff0c6f3878e70c31258b5e23fc63905ef9f31d49440746b4a43a1971", + "zh:1afe053ff2807e5c78e8c95d79a9a1fda809836ec85c68533b109ce49eeb55ae", + "zh:2cad35e7bbbd02a4aefa369235ef4a5a563ff3dee05b6bf78b40aece205a8902", + "zh:3749ab4bad6108b6b0718c3cab05ff72b61e3eebaf37b5b4017ae938499f2b45", + "zh:4b6370d88fff833a33104b1c70df1992f7fdf2cdb21ae0719dbd9d0a3388ee55", + "zh:9e0f1f0432b61fa89d8358f869b405b539ffe63951b384b5d36456213a881e98", + "zh:b1de4dc52af843a265a7f7f5190a529bc70e77a684b10c855b9cf39b2c1bdcf2", + "zh:d9b6ac7b6a27c367a12bf86ce09bc4d1661de796f371c2da2c31e20ac0dce4a9", + 
"zh:f95256d93f41d1e6252bc090b2a2ababcb9ea7be9fe45706bccb21b859c3c04f", + "zh:fae8bb6f824f38088ce06f64dd0bbf506f70cc8ffdffd6b8a6ba6a678efcc596", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.2.0" + constraints = "~> 2.2.0" + hashes = [ + "h1:rxDS2QQuG/M9aRSKlvW2oHsp5eGAoB1J9KZthCOVbeQ=", + "zh:01341dd1e9cc7e7f6999e11e7473bcdca2dd72dd27f91beed1f4fb599a15dfba", + "zh:20e86c9eccd3a81ef5ac243af31b61fc4d2d679437384bd0870e92fa1b3ed6c9", + "zh:22a71127c5dbea4f62edb5bcf00b5c163de04aa19d45a7a1f621f973ffd09d20", + "zh:28ab7c84a5f8ed82fc520668db93d650571ddf59d98845cb18a1fa1a7888efc0", + "zh:3985a30929ad8fdc6b94f0e1cbd62a63db75ee961b8ba7db1cf4bfd29e8009ff", + "zh:477d92e26ba0c906087a5dd827ac3917dad7d5af770ee0ab4b08d0f273150586", + "zh:750928ec5ef54b2090bd6a6d8a19630a8712bbbccc0429251e88ccd361c1d3c0", + "zh:a615841fd90094bddc1269127e501fa60453c441b9548ff73752fe14efc38ed0", + "zh:e762aca7883374fa255efba50f5bdf791fece7d61e3920e593fb1a2cbb598981", + "zh:f76f372ead52948ca53610b371cb80c80ebcf058ef0a5c0ce9f0ce38dcc9a8eb", + "zh:fa36fe93ed977f4478cc6547ec3c45c28e56f10632e85446b0c3d71449f8c4bb", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.3.2" + constraints = "~> 2.3.2" + hashes = [ + "h1:X+wKrZNYF+qtoBNcMD3cL0+bXSWUDZ7RpHm+2vAwvhE=", + "zh:10f71c170be13538374a4b9553fcb3d98a6036bcd1ca5901877773116c3f828e", + "zh:11d2230e531b7480317e988207a73cb67b332f225b0892304983b19b6014ebe0", + "zh:3317387a9a6cc27fd7536b8f3cad4b8a9285e9461f125c5a15d192cef3281856", + "zh:458a9858362900fbe97e00432ae8a5bef212a4dacf97a57ede7534c164730da4", + "zh:50ea297007d9fe53e5411577f87a4b13f3877ce732089b42f938430e6aadff0d", + "zh:56705c959e4cbea3b115782d04c62c68ac75128c5c44ee7aa4043df253ffbfe3", + "zh:7eb3722f7f036e224824470c3e0d941f1f268fcd5fa2f8203e0eee425d0e1484", + "zh:9f408a6df4d74089e6ce18f9206b06b8107ddb57e2bc9b958a6b7dc352c62980", + "zh:aadd25ccc3021040808feb2645779962f638766eb583f586806e59f24dde81bb", + 
"zh:b101c3456e4309b09aab129b0118561178c92cb4be5d96dec553189c3084dca1", + "zh:ec08478573b4953764099fbfd670fae81dc24b60e467fb3b023e6fab50b70a9e", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "2.3.1" + constraints = "~> 2.0" + hashes = [ + "h1:bPBDLMpQzOjKhDlP9uH2UPIz9tSjcbCtLdiJ5ASmCx4=", + "zh:322ec2b56765162c193d0ff0f7634351bf4ca09d719558df82b92d31059995a1", + "zh:34c500857d14148bc6f7f21f9fc0d832ba31d00e1b911b0437d99dda29aeb108", + "zh:a3372514add474fcb07d2026a49b0c0d8a699e365f540e43e5f590eb924b95f7", + "zh:a54acd50f13f38a86454acad16b3487701608188fd2cc454fd48beee00127ae5", + "zh:b1285c47ab01fc11b6086f080da7d17b9155b3fac6a4175948a2abb5d52c60af", + "zh:c7e7bd46218cf504ca31d8a1e4eab5cad625c9951fb89d4f56861d5bddec9afb", + "zh:d9f95764480d7b884db7247a5ee9d1c72aaf1c1cde3d7b5e34bc33c4ef5ccf48", + "zh:ddf11fb807d61ff93c08206733129bf9668fc0c4adedf8a6ac38a7c382a24b35", + "zh:f631a0c1ffa94991d87cd5fe4e08c0dd6d36c780585f35a582c05ee2affb7e86", + "zh:fb5f5fb19e8a9ff73dbdee85a97f548099e480497a7a1f4ca4725c83db300b8d", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "2.2.0" + constraints = "~> 2.0" + hashes = [ + "h1:BRvNNW/32RAFXRcEAovtJWVbFt8zesIKkQm2N0GBCn8=", + "zh:0e99d1b3710f30df818cd662e2ea7b2005cec2a0c64cedd31c459b214f45e9b5", + "zh:43a97fd341c66113aeecfa2f976eb8f5e0b83a6a8824828fac2afef2682d9957", + "zh:501aa0ed294c7befb8bf6e00fd9d8cf4055e1135cb8872f83488ebcde9a89985", + "zh:51862aeed0f28092c877a5f64ddac55b8f6c05cf5278fb51afab5d20b3819934", + "zh:52c22bf8621a120080c7c8c11bfab51678ab9dc3e5c88dc89df8b2c0434a8c89", + "zh:658cce07951f8ba8f170b71198c198e526a82ba56cb74d27b24adf2574eb07b2", + "zh:80a7db37b00c5d9054f68dc62283ce11dcc83b714d550fc56e6b8544bc01d1a8", + "zh:935dd4f4995286c871162bb96ebb49c2d80ef09f2225be62a4ef06c0fcbd72d4", + "zh:af89f57dc41c4d09fd9b7d1277e5ad1d4989cd672f3e58e1891d59020015d21a", + "zh:d45870cf06ed9910d5956175c996cc7bb677f3a8edd94c66a48a3fb93c8d2a84", + 
"zh:de96c5fadb346adb5e39ea8901c93335b0f3408dd8d477a996b4eb845a8d2343", + "zh:e0f3c179975b7fa5898ebe9cc70621f9da301a14e5262399b074ccb675308bd3", + ] +} diff --git a/splunk/README.md b/splunk/README.md new file mode 100644 index 00000000..83f27c28 --- /dev/null +++ b/splunk/README.md 
@@ -0,0 +1,113 @@
+# Splunk
+
+Used for Splunk related testing.
+
+## Installation
+
+### Terraform
+
+Build an AKS cluster:
+
+```bash
+# Init
+cd ./splunk
+terraform init #-upgrade
+
+# Apply
+terraform apply
+
+# Outputs
+terraform output
+
+---
+
+# Delete
+terraform destroy
+```
+
+### Splunk Operator
+
+There is a current issue with [Admin Installation for All Namespaces](https://github.com/splunk/splunk-operator/issues/206),
+so use the [non-admin user method](https://github.com/splunk/splunk-operator/blob/develop/docs/Install.md#installation-using-a-non-admin-user).
+
+#### Install
+
+Install the Splunk Operator as a non-admin user.
+
+```bash
+# create namespace
+kubectl create namespace splunk-operator
+
+# an admin needs to install the CRDs
+kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.1/splunk-operator-crds.yaml
+
+# install splunk operator into namespace
+# v1.0.1 doesnt currently work - I've raised this issue: https://github.com/splunk/splunk-operator/issues/373
+kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.1/splunk-operator-noadmin.yaml --namespace splunk-operator
+
+
+# 1.0.0 works
+kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.0/splunk-operator-crds.yaml
+kubectl apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.0/splunk-operator-noadmin.yaml --namespace splunk-operator
+```
+
+### Splunk Deployments
+
+After deploying one of the methods below, [get the password](https://github.com/splunk/splunk-operator/blob/develop/docs/Examples.md#reading-global-kubernetes-secret-object)
+by running the following code:
+
+```bash
+# kubectl get secret splunk--secret -o go-template=' {{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
+kubectl get secret --namespace splunk-operator splunk-splunk-operator-secret -o go-template=' {{range $k,$v := .data}}{{printf "%s: " 
$k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}' +``` + +You can then port-forward to the pod and view the web interface: + +```bash +kubectl port-forward splunk-s1-standalone-0 8000 +kubectl port-forward --namespace splunk-operator splunk-single-standalone-0 8000 +``` + +#### Standalone + +https://github.com/splunk/splunk-operator/blob/develop/docs/Examples.md#creating-a-clustered-deployment + +```bash +cat < +# subscriptionID: +# resourceGroup: +# vmType: <`standard` for normal virtual machine nodes, and `vmss` for cluster deployed with a virtual machine scale set> +# tenantID: +# clientID: +# clientSecret: +# useMSI: +# userAssignedMSIClientID: +# Operation mode for pod-identity. Default is standard mode that has MIC doing identity assignment +# Allowed values: "standard", "managed" +operationMode: "standard" + +mic: + image: mic + tag: v1.8.0 + + # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical + priorityClassName: "" + + # log level. Uses V logs (klog) + logVerbosity: 0 + loggingFormat: "" + + replicas: 2 + + resources: + limits: + cpu: 200m + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + + podAnnotations: {} + + podLabels: {} + + ## Node labels for pod assignment + ## aad-pod-identity is currently only supported on linux + nodeSelector: + kubernetes.io/os: linux + + tolerations: [] + # - key: "CriticalAddonsOnly" + # operator: "Exists" + + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + affinity: {} + # nodeAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight 1 + # preference: + # matchExpressions: + # - key: kubernetes.azure.com/mode + # operator: In + # values: + # - system + + # Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. 
+ # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/component: mic + + # Limit the number of concurrent disruptions that your application experiences, + # allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. + # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: {} + # minAvailable: 1 + + leaderElection: + # Override leader election instance name (default is 'hostname') + instance: "" + # Override the namespace to create leader election objects (default is default namespace) + namespace: "" + # Override leader election name (default is aad-pod-identity-mic) + name: "" + # Override leader election duration (default is 15s) + duration: "" + + # Override http liveliness probe port (default is 8080) + probePort: "" + + # Override interval in seconds at which sync loop should periodically check for errors and reconcile (default is 3600s) + syncRetryDuration: "" + + # Override the defult value of immutable identities. + immutableUserMSIs: [] + # Example of MSIs (should be replaced with the real client ids) + #- "00000000-0000-0000-0000-000000000000" + #- "11111111-1111-1111-1111-111111111111" + + # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#batch-create-delete-flag + # default value is 20 + createDeleteBatch: "" + + # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#client-qps-flag + # default value is 5 + clientQps: "" + + # default value is 8888 + # prometheus port for metrics + prometheusPort: "" + + # cloud configuration used to authenticate with Azure + cloudConfig: "/etc/kubernetes/azure.json" + + # The maximum retry of UpdateUserMSI call. 
MIC updates all the identities in a batch. If a single identity contains an error + # or is invalid, then the entire operation fails. Configuring this flag will make MIC retry by removing the erroneous identities + # returned in the error + # Default value is 2. + updateUserMSIMaxRetry: "" + + # The duration to wait before retrying UpdateUserMSI (batch assigning/un-assigning identity from VM/VMSS) in case of errors + # Default value is 1s + updateUserMSIRetryInterval: "" + + # The interval between reconciling identity assignment on Azure based on an existing list of AzureAssignedIdentities + # Default value is 3m + identityAssignmentReconcileInterval: "" + +nmi: + image: nmi + tag: v1.8.0 + + # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical + priorityClassName: "" + + # log level. Uses V logs (klog) + logVerbosity: 0 + loggingFormat: "" + + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + + podAnnotations: {} + + podLabels: {} + + ## Node labels for pod assignment + ## aad-pod-identity is currently only supported on linux + nodeSelector: + kubernetes.io/os: linux + + tolerations: [] + # - key: "CriticalAddonsOnly" + # operator: "Exists" + + # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + affinity: {} + # nodeAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight 1 + # preference: + # matchExpressions: + # - key: kubernetes.azure.com/mode + # operator: In + # values: + # - system + + # Override iptables update interval in seconds (default is 60) + ipTableUpdateTimeIntervalInSeconds: "" + + # Override mic namespace to short circuit MIC token requests (default is default namespace) + micNamespace: "" + + # Override http liveliness probe port (default is 8080) + probePort: "8085" + + # Override number of retries in NMI to find assigned identity in CREATED state (default is 16) + 
retryAttemptsForCreated: "" + + # Override number of retries in NMI to find assigned identity in ASSIGNED state (default is 4) + retryAttemptsForAssigned: "" + + # Override retry interval to find assigned identities in seconds (default is 5) + findIdentityRetryIntervalInSeconds: "" + + # Enable scale features - https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#enable-scale-features-flag + # Accepted values are true/false. Default is false. + enableScaleFeatures: "" + + # default value is 9090 + # prometheus port for metrics + prometheusPort: "" + + # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#block-instance-metadata-flag + # default is false + blockInstanceMetadata: "" + + # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#metadata-header-required-flag + # default is false + metadataHeaderRequired: "" + + # enable running aad-pod-identity on clusters with kubenet + # default is false + allowNetworkPluginKubenet: false + + # Path to kubelet default config. + # default is /etc/default/kubelet + kubeletConfig: "/etc/default/kubelet" + +rbac: + enabled: true + # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity. + # If using only MSI (type: 0) in AzureIdentity, secret get permission can be disabled by setting this to false. + allowAccessToSecrets: true + pspEnabled: false + # If set to true, then view and edit cluster roles will be created with annotations + # that agrigate to the admin, edit and view built-in cluster roles. These roles will + # be able to create the necessary resources to allow pod identity binding on pods. 
+ createUserFacingClusterRoles: false + +# Create azure identities and bindings +# This is a map with the AzureIdentityName being the key and the rest of the blob as value in accordance +# to helm best practices: https://helm.sh/docs/chart_best_practices/values/#consider-how-users-will-use-your-values +azureIdentities: + # "azure-identity": + # # if not defined, then the azure identity will be deployed in the same namespace as the chart + # namespace: "" + # # if not defined, then the name of azure identity will be the same as the key + # name: "" + # # type 0: User-assigned identity, type 1: Service Principal, type 2: Service principal with certificate + # type: 0 + # # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name + # # Required for type 0 + # resourceID: "" + # # Required for type 0, 1 and 2 + # clientID: "" + # # Required for type 1 and 2 + # tenantID: "" + # # Required for type 1 and 2 + # clientPassword: "{\"name\":\"\",\"namespace\":\"\"}" + # # Optional for type 1 and 2 (multi-tenant) + # auxiliaryTenantIDs: [] + # binding: + # name: "azure-identity-binding" + # # The selector will also need to be included in labels for app deployment + # selector: "demo" + +# If provided, the userAgent string will be appended to the pod identity user agents for all +# ADAL, ARM and Kube API server requests. +customUserAgent: "" diff --git a/terraform/helm/aad_pod_identity_values.yaml b/terraform/helm/aad_pod_identity_values.yaml index 153206f1..7593e87d 100644 --- a/terraform/helm/aad_pod_identity_values.yaml +++ b/terraform/helm/aad_pod_identity_values.yaml 
@@ -1,277 +1,5 @@ -# source: https://github.com/Azure/aad-pod-identity/blob/v1.7.5/charts/aad-pod-identity/values.yaml - -# Default values for aad-pod-identity-helm. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -nameOverride: "" -fullnameOverride: "" - -image: - repository: mcr.microsoft.com/oss/azure/aad-pod-identity - imagePullPolicy: Always - -# One or more secrets to be used when pulling images -# imagePullSecrets: -# - name: myRegistryKeySecretName - -# https://github.com/Azure/aad-pod-identity#4-optional-match-pods-in-the-namespace -# By default, AAD Pod Identity matches pods to identities across namespaces. -# To match only pods in the namespace containing AzureIdentity set this to true. -forceNamespaced: "false" - -# When NMI runs on a node where MIC is running, then MIC token request call is also -# intercepted by NMI. MIC can't get a valid token as to initialize and then -# assign the identity. Installing an exception for MIC would ensure all token requests -# for MIC pods directly go to IMDS and not go through the pod-identity validation -# https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.app-exception.md -installMICException: "true" - -## If using a separate service principal for aad-pod-identity instead of cluster service principal specify the following -## (The chart will perform the base64 encoding for you for values that are stored in secrets.) -adminsecret: {} -# cloud: -# subscriptionID: -# resourceGroup: -# vmType: <`standard` for normal virtual machine nodes, and `vmss` for cluster deployed with a virtual machine scale set> -# tenantID: -# clientID: -# clientSecret: -# useMSI: -# userAssignedMSIClientID: -# Operation mode for pod-identity. 
Default is standard mode that has MIC doing identity assignment -# Allowed values: "standard", "managed" -operationMode: "standard" +# source: https://github.com/Azure/aad-pod-identity/blob/v1.8.0/charts/aad-pod-identity/values.yaml +# only use 1 replica during testing mic: - image: mic - tag: v1.7.5 - - # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical - priorityClassName: "" - - # log level. Uses V logs (klog) - logVerbosity: 0 - loggingFormat: "" - - resources: - limits: - cpu: 200m - memory: 1024Mi - requests: - cpu: 100m - memory: 256Mi - - podAnnotations: {} - - podLabels: {} - - ## Node labels for pod assignment - ## aad-pod-identity is currently only supported on linux - nodeSelector: - kubernetes.io/os: linux - - tolerations: [] - # - key: "CriticalAddonsOnly" - # operator: "Exists" - - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - affinity: {} - # nodeAffinity: - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight 1 - # preference: - # matchExpressions: - # - key: kubernetes.azure.com/mode - # operator: In - # values: - # - system - - # Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. - # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: failure-domain.beta.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - # labelSelector: - # matchLabels: - # app.kubernetes.io/component: mic - - # Limit the number of concurrent disruptions that your application experiences, - # allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. 
- # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - podDisruptionBudget: {} - # minAvailable: 1 - - leaderElection: - # Override leader election instance name (default is 'hostname') - instance: "" - # Override the namespace to create leader election objects (default is default namespace) - namespace: "" - # Override leader election name (default is aad-pod-identity-mic) - name: "" - # Override leader election duration (default is 15s) - duration: "" - - # Override http liveliness probe port (default is 8080) - probePort: "" - - # Override interval in seconds at which sync loop should periodically check for errors and reconcile (default is 3600s) - syncRetryDuration: "" - - # Override the defult value of immutable identities. - immutableUserMSIs: [] - # Example of MSIs (should be replaced with the real client ids) - #- "00000000-0000-0000-0000-000000000000" - #- "11111111-1111-1111-1111-111111111111" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#batch-create-delete-flag - # default value is 20 - createDeleteBatch: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#client-qps-flag - # default value is 5 - clientQps: "" - - # default value is 8888 - # prometheus port for metrics - prometheusPort: "" - - # cloud configuration used to authenticate with Azure - cloudConfig: "/etc/kubernetes/azure.json" - - # The maximum retry of UpdateUserMSI call. MIC updates all the identities in a batch. If a single identity contains an error - # or is invalid, then the entire operation fails. Configuring this flag will make MIC retry by removing the erroneous identities - # returned in the error - # Default value is 2. 
- updateUserMSIMaxRetry: "" - - # The duration to wait before retrying UpdateUserMSI (batch assigning/un-assigning identity from VM/VMSS) in case of errors - # Default value is 1s - updateUserMSIRetryInterval: "" - - # The interval between reconciling identity assignment on Azure based on an existing list of AzureAssignedIdentities - # Default value is 3m - identityAssignmentReconcileInterval: "" - -nmi: - image: nmi - tag: v1.7.5 - - # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical - priorityClassName: "" - - # log level. Uses V logs (klog) - logVerbosity: 0 - loggingFormat: "" - - resources: - limits: - cpu: 200m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - - podAnnotations: {} - - podLabels: {} - - ## Node labels for pod assignment - ## aad-pod-identity is currently only supported on linux - nodeSelector: - kubernetes.io/os: linux - - tolerations: [] - # - key: "CriticalAddonsOnly" - # operator: "Exists" - - # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - affinity: {} - # nodeAffinity: - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight 1 - # preference: - # matchExpressions: - # - key: kubernetes.azure.com/mode - # operator: In - # values: - # - system - - # Override iptables update interval in seconds (default is 60) - ipTableUpdateTimeIntervalInSeconds: "" - - # Override mic namespace to short circuit MIC token requests (default is default namespace) - micNamespace: "" - - # Override http liveliness probe port (default is 8080) - probePort: "8085" - - # Override number of retries in NMI to find assigned identity in CREATED state (default is 16) - retryAttemptsForCreated: "" - - # Override number of retries in NMI to find assigned identity in ASSIGNED state (default is 4) - retryAttemptsForAssigned: "" - - # Override retry interval to find assigned identities in seconds (default is 5) - 
findIdentityRetryIntervalInSeconds: "" - - # Enable scale features - https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#enable-scale-features-flag - # Accepted values are true/false. Default is false. - enableScaleFeatures: "" - - # default value is 9090 - # prometheus port for metrics - prometheusPort: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#block-instance-metadata-flag - # default is false - blockInstanceMetadata: "" - - # https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#metadata-header-required-flag - # default is false - metadataHeaderRequired: "" - - # enable running aad-pod-identity on clusters with kubenet - # default is false - allowNetworkPluginKubenet: false - - # Path to kubelet default config. - # default is /etc/default/kubelet - kubeletConfig: "/etc/default/kubelet" - -rbac: - enabled: true - # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity. - # If using only MSI (type: 0) in AzureIdentity, secret get permission can be disabled by setting this to false. 
- allowAccessToSecrets: true - pspEnabled: false - -# Create azure identities and bindings -# This is a map with the AzureIdentityName being the key and the rest of the blob as value in accordance -# to helm best practices: https://helm.sh/docs/chart_best_practices/values/#consider-how-users-will-use-your-values -azureIdentities: - # "azure-identity": - # # if not defined, then the azure identity will be deployed in the same namespace as the chart - # namespace: "" - # # type 0: User-assigned identity, type 1: Service Principal, type 2: Service principal with certificate - # type: 0 - # # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name - # # Required for type 0 - # resourceID: "" - # # Required for type 0, 1 and 2 - # clientID: "" - # # Required for type 1 and 2 - # tenantID: "" - # # Required for type 1 and 2 - # clientPassword: "{\"name\":\"\",\"namespace\":\"\"}" - # # Optional for type 1 and 2 (multi-tenant) - # auxiliaryTenantIDs: [] - # binding: - # name: "azure-identity-binding" - # # The selector will also need to be included in labels for app deployment - # selector: "demo" - -# If provided, the userAgent string will be appended to the pod identity user agents for all -# ADAL, ARM and Kube API server requests. -customUserAgent: "" + replicas: 1 diff --git a/terraform/helm/velero_default_values.yaml b/terraform/helm/velero_default_values.yaml new file mode 100644 index 00000000..191ec44e --- /dev/null +++ b/terraform/helm/velero_default_values.yaml 
@@ -0,0 +1,382 @@
+# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.21.0/charts/velero/values.yaml
+
+##
+## Configuration settings that directly affect the Velero deployment YAML.
+##
+
+# Details of the container image to use in the Velero deployment & daemonset (if
+# enabling restic). Required.
+image:
+ repository: velero/velero
+ tag: v1.6.2
+ # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38.
+ # If used, it will take precedence over the image.tag.
+ # digest:
+ pullPolicy: IfNotPresent
+ # One or more secrets to be used when pulling images
+ imagePullSecrets: []
+ # - registrySecretName
+
+# Annotations to add to the Velero deployment's. Optional.
+#
+# If you are using reloader use the following annotation with your VELERO_SECRET_NAME
+annotations: {}
+# secret.reloader.stakater.com/reload: ""
+
+# Labels to add to the Velero deployment's. Optional.
+labels: {}
+
+# Annotations to add to the Velero deployment's pod template. Optional.
+#
+# If using kube2iam or kiam, use the following annotation with your AWS_ACCOUNT_ID
+# and VELERO_ROLE_NAME filled in:
+podAnnotations: {}
+ # iam.amazonaws.com/role: "arn:aws:iam:::role/"
+
+# Additional pod labels for Velero deployment's template. Optional
+# ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+podLabels: {}
+
+# Resource requests/limits to specify for the Velero deployment.
+# https://velero.io/docs/v1.6/customize-installation/#customize-resource-requests-and-limits
+resources:
+ requests:
+ cpu: 500m
+ memory: 128Mi
+ limits:
+ cpu: 1000m
+ memory: 512Mi
+
+# Configure the dnsPolicy of the Velero deployment
+# See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+dnsPolicy: ClusterFirst
+
+# Init containers to add to the Velero deployment's pod spec. At least one plugin provider image is required.
+initContainers: []
+ # - name: velero-plugin-for-aws
+ # image: velero/velero-plugin-for-aws:v1.2.0
+ # imagePullPolicy: IfNotPresent
+ # volumeMounts:
+ # - mountPath: /target
+ # name: plugins
+
+# SecurityContext to use for the Velero deployment. Optional.
+# Set fsGroup for `AWS IAM Roles for Service Accounts`
+# see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
+podSecurityContext: {}
+ # fsGroup: 1337
+
+# Container Level Security Context for the 'velero' container of the Velero deployment. Optional.
+# See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+containerSecurityContext: {}
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop: ["ALL"]
+ # add: []
+ # readOnlyRootFilesystem: true
+
+# Pod priority class name to use for the Velero deployment. Optional.
+priorityClassName: ""
+
+# Tolerations to use for the Velero deployment. Optional.
+tolerations: []
+
+# Affinity to use for the Velero deployment. Optional.
+affinity: {}
+
+# Node selector to use for the Velero deployment. Optional.
+nodeSelector: {}
+
+# Extra volumes for the Velero deployment. Optional.
+extraVolumes: []
+
+# Extra volumeMounts for the Velero deployment. Optional.
+extraVolumeMounts: []
+
+# Settings for Velero's prometheus metrics. Enabled by default.
+metrics:
+ enabled: true
+ scrapeInterval: 30s
+ scrapeTimeout: 10s
+
+ # service metdata if metrics are enabled
+ service:
+ annotations: {}
+ labels: {}
+
+ # Pod annotations for Prometheus
+ podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8085"
+ prometheus.io/path: "/metrics"
+
+ serviceMonitor:
+ enabled: false
+ additionalLabels: {}
+ # ServiceMonitor namespace. Default to Velero namespace.
+ # namespace:
+
+kubectl:
+ image:
+ repository: docker.io/bitnami/kubectl
+ tag: 1.14.3
+ # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38.
+ # If used, it will take precedence over the kubectl.image.tag.
+ # digest:
+ # Annotations to set for the upgrade/cleanup job. Optional.
+ annotations: {}
+ # Labels to set for the upgrade/cleanup job. Optional.
+ labels: {}
+
+# This job upgrades the CRDs.
+upgradeCRDs: true
+
+# This job is meant primarily for cleaning up CRDs on CI systems.
+# Using this on production systems, especially those that have multiple releases of Velero, will be destructive.
+cleanUpCRDs: false
+
+##
+## End of deployment-related settings.
+##
+
+
+##
+## Parameters for the `default` BackupStorageLocation and VolumeSnapshotLocation,
+## and additional server settings.
+##
+configuration:
+ # Cloud provider being used (e.g. aws, azure, gcp).
+ provider:
+
+ # Parameters for the `default` BackupStorageLocation. See
+ # https://velero.io/docs/v1.6/api-types/backupstoragelocation/
+ backupStorageLocation:
+ # name is the name of the backup storage location where backups should be stored. If a name is not provided,
+ # a backup storage location will be created with the name "default". Optional.
+ name:
+ # provider is the name for the backup storage location provider. If omitted
+ # `configuration.provider` will be used instead.
+ provider:
+ # bucket is the name of the bucket to store backups in. Required.
+ bucket:
+ # caCert defines a base64 encoded CA bundle to use when verifying TLS connections to the provider. Optional.
+ caCert:
+ # prefix is the directory under which all Velero data should be stored within the bucket. Optional.
+ prefix:
+ # default indicates this location is the default backup storage location. Optional.
+ default:
+ # Additional provider-specific configuration. See link above
+ # for details of required/optional fields for your provider.
+ config: {}
+ # region:
+ # s3ForcePathStyle:
+ # s3Url:
+ # kmsKeyId:
+ # resourceGroup:
+ # The ID of the subscription containing the storage account, if different from the cluster’s subscription. (Azure only)
+ # subscriptionId:
+ # storageAccount:
+ # publicUrl:
+ # Name of the GCP service account to use for this backup storage location. Specify the
+ # service account here if you want to use workload identity instead of providing the key file.(GCP only)
+ # serviceAccount:
+
+ # Parameters for the `default` VolumeSnapshotLocation. See
+ # https://velero.io/docs/v1.6/api-types/volumesnapshotlocation/
+ volumeSnapshotLocation:
+ # name is the name of the volume snapshot location where snapshots are being taken. Required.
+ name:
+ # provider is the name for the volume snapshot provider. If omitted
+ # `configuration.provider` will be used instead.
+ provider:
+ # Additional provider-specific configuration. See link above
+ # for details of required/optional fields for your provider.
+ config: {}
+ # region:
+ # apiTimeout:
+ # resourceGroup:
+ # The ID of the subscription where volume snapshots should be stored, if different from the cluster’s subscription. If specified, also requires `configuration.volumeSnapshotLocation.config.resourceGroup`to be set. (Azure only)
+ # subscriptionId:
+ # incremental:
+ # snapshotLocation:
+ # project:
+
+ # These are server-level settings passed as CLI flags to the `velero server` command. Velero
+ # uses default values if they're not passed in, so they only need to be explicitly specified
+ # here if using a non-default value. The `velero server` default values are shown in the
+ # comments below.
+ # --------------------
+ # `velero server` default: 1m
+ backupSyncPeriod:
+ # `velero server` default: 1h
+ resticTimeout:
+ # `velero server` default: namespaces,persistentvolumes,persistentvolumeclaims,secrets,configmaps,serviceaccounts,limitranges,pods
+ restoreResourcePriorities:
+ # `velero server` default: false
+ restoreOnlyMode:
+ # `velero server` default: 20.0
+ clientQPS:
+ # `velero server` default: 30
+ clientBurst:
+ # `velero server` default: empty
+ disableControllers:
+ #
+
+ # additional key/value pairs to be used as environment variables such as "AWS_CLUSTER_NAME: 'yourcluster.domain.tld'"
+ extraEnvVars: {}
+
+ # Comma separated list of velero feature flags. default: empty
+ features:
+
+ # Set log-level for Velero pod. Default: info. Other options: debug, warning, error, fatal, panic.
+ logLevel:
+
+ # Set log-format for Velero pod. Default: text. Other option: json.
+ logFormat:
+
+ # Set true for backup all pod volumes without having to apply annotation on the pod when used restic Default: false. Other option: false.
+ defaultVolumesToRestic:
+
+##
+## End of backup/snapshot location settings.
+##
+
+
+##
+## Settings for additional Velero resources.
+##
+
+rbac:
+ # Whether to create the Velero role and role binding to give all permissions to the namespace to Velero.
+ create: true
+ # Whether to create the cluster role binding to give administrator permissions to Velero
+ clusterAdministrator: true
+
+# Information about the Kubernetes service account Velero uses.
+serviceAccount:
+ server:
+ create: true
+ name:
+ annotations:
+ labels:
+
+# Info about the secret to be used by the Velero deployment, which
+# should contain credentials for the cloud provider IAM account you've
+# set up for Velero.
+credentials:
+ # Whether a secret should be used as the source of IAM account
+ # credentials. Set to false if, for example, using kube2iam or
+ # kiam to provide IAM credentials for the Velero pod.
+ useSecret: true
+ # Name of the secret to create if `useSecret` is true and `existingSecret` is empty
+ name:
+ # Name of a pre-existing secret (if any) in the Velero namespace
+ # that should be used to get IAM account credentials. Optional.
+ existingSecret:
+ # Data to be stored in the Velero secret, if `useSecret` is true and `existingSecret` is empty.
+ # As of the current Velero release, Velero only uses one secret key/value at a time.
+ # The key must be named `cloud`, and the value corresponds to the entire content of your IAM credentials file.
+ # Note that the format will be different for different providers, please check their documentation.
+ # Here is a list of documentation for plugins maintained by the Velero team:
+ # [AWS] https://github.com/vmware-tanzu/velero-plugin-for-aws/blob/main/README.md
+ # [GCP] https://github.com/vmware-tanzu/velero-plugin-for-gcp/blob/main/README.md
+ # [Azure] https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/main/README.md
+ secretContents: {}
+ # cloud: |
+ # [default]
+ # aws_access_key_id=
+ # aws_secret_access_key=
+ # additional key/value pairs to be used as environment variables such as "DIGITALOCEAN_TOKEN: ". Values will be stored in the secret.
+ extraEnvVars: {}
+ # Name of a pre-existing secret (if any) in the Velero namespace
+ # that will be used to load environment variables into velero and restic.
+ # Secret should be in format - https://kubernetes.io/docs/concepts/configuration/secret/#use-case-as-container-environment-variables
+ extraSecretRef: ""
+
+# Whether to create backupstoragelocation crd, if false => do not create a default backup location
+backupsEnabled: true
+# Whether to create volumesnapshotlocation crd, if false => disable snapshot feature
+snapshotsEnabled: true
+
+# Whether to deploy the restic daemonset.
+deployRestic: false
+
+restic:
+ podVolumePath: /var/lib/kubelet/pods
+ privileged: false
+ # Pod priority class name to use for the Restic daemonset. Optional.
+ priorityClassName: ""
+ # Resource requests/limits to specify for the Restic daemonset deployment. Optional.
+ # https://velero.io/docs/v1.6/customize-installation/#customize-resource-requests-and-limits
+ resources:
+ requests:
+ cpu: 500m
+ memory: 512Mi
+ limits:
+ cpu: 1000m
+ memory: 1024Mi
+
+ # Tolerations to use for the Restic daemonset. Optional.
+ tolerations: []
+
+ # Annotations to set for the Restic daemonset. Optional.
+ annotations: {}
+
+ # labels to set for the Restic daemonset. Optional.
+ labels: {}
+
+ # Extra volumes for the Restic daemonset. Optional.
+ extraVolumes: []
+
+ # Extra volumeMounts for the Restic daemonset. Optional.
+ extraVolumeMounts: []
+
+ # Configure the dnsPolicy of the Restic daemonset
+ # See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
+ dnsPolicy: ClusterFirst
+
+ # SecurityContext to use for the Velero deployment. Optional.
+ # Set fsGroup for `AWS IAM Roles for Service Accounts`
+ # see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
+ podSecurityContext:
+ runAsUser: 0
+ # fsGroup: 1337
+
+ # Container Level Security Context for the 'restic' container of the restic DaemonSet. Optional.
+ # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ containerSecurityContext: {}
+
+ # Node selector to use for the Restic daemonset. Optional.
+ nodeSelector: {}
+
+# Backup schedules to create.
+# Eg:
+# schedules:
+# mybackup:
+# disabled: false
+# labels:
+# myenv: foo
+# annotations:
+# myenv: foo
+# schedule: "0 0 * * *"
+# useOwnerReferencesInBackup: true
+# template:
+# ttl: "240h"
+# includedNamespaces:
+# - foo
+schedules: {}
+
+# Velero ConfigMaps.
+# Eg:
+# configMaps:
+# restic-restore-action-config:
+# labels:
+# velero.io/plugin-config: ""
+# velero.io/restic: RestoreItemAction
+# data:
+# image: velero/velero-restic-restore-helper:v1.6.2
+configMaps: {}
+
+##
+## End of additional Velero resource settings.
+##
diff --git a/terraform/helm/velero_values.yaml b/terraform/helm/velero_values.yaml
index a8065857..6c59cc21 100644
--- a/terraform/helm/velero_values.yaml
+++ b/terraform/helm/velero_values.yaml
@@ -1,329 +1,27 @@
-# source: https://github.com/vmware-tanzu/helm-charts/blob/velero-2.15.0/charts/velero/values.yaml
+# velero helm values
+# source (with full comments): https://github.com/vmware-tanzu/helm-charts/blob/velero-2.17.0/charts/velero/values.yaml
-##
-## Configuration settings that directly affect the Velero deployment YAML.
-##
-
-# Details of the container image to use in the Velero deployment & daemonset (if
-# enabling restic). Required.
-image:
- # https://hub.docker.com/r/velero/velero/tags
- repository: velero/velero
- tag: v1.5.3
- # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38. If used, it will
- # take precedence over the image.tag.
- # digest:
- pullPolicy: IfNotPresent
- # One or more secrets to be used when pulling images
- imagePullSecrets: []
- # - registrySecretName
-
-# Annotations to add to the Velero deployment's. Optional.
-#
-# If you are using reloader use the following annotation with your VELERO_SECRET_NAME
-annotations: {}
-# secret.reloader.stakater.com/reload: ""
-
-# Labels to add to the Velero deployment's. Optional.
-labels: {}
-
-# Annotations to add to the Velero deployment's pod template. Optional.
-#
-# If using kube2iam or kiam, use the following annotation with your AWS_ACCOUNT_ID
-# and VELERO_ROLE_NAME filled in:
-podAnnotations: {}
- # iam.amazonaws.com/role: "arn:aws:iam:::role/"
-
-# Additional pod labels for Velero deployment's template. Optional
-# ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
-podLabels: {}
-
-# Resource requests/limits to specify for the Velero deployment. Optional.
-resources: {}
-
-# Configure the dnsPolicy of the Velero deployment
-# See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
-dnsPolicy: ClusterFirst
-
-# Init containers to add to the Velero deployment's pod spec. At least one plugin provider image is required.
# https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/releases
initContainers:
- name: velero-plugin-for-microsoft-azure
# https://hub.docker.com/r/velero/velero-plugin-for-microsoft-azure/tags
- image: velero/velero-plugin-for-microsoft-azure:v1.1.2
+ image: velero/velero-plugin-for-microsoft-azure:v1.2.1
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /target
name: plugins
-# SecurityContext to use for the Velero deployment. Optional.
-# Set fsGroup for `AWS IAM Roles for Service Accounts`
-# see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
-securityContext: {}
- # fsGroup: 1337
-
-# Pod priority class name to use for the Velero deployment. Optional.
-priorityClassName: ""
-
-# Tolerations to use for the Velero deployment. Optional.
-tolerations: []
-
-# Affinity to use for the Velero deployment. Optional.
-affinity: {}
-
-# Node selector to use for the Velero deployment. Optional.
-nodeSelector: {}
-# Extra volumes for the Velero deployment. Optional.
-extraVolumes: []
-
-# Extra volumeMounts for the Velero deployment. Optional.
-extraVolumeMounts: []
-
-# Settings for Velero's prometheus metrics. Enabled by default.
-metrics:
- enabled: true
- scrapeInterval: 30s
- scrapeTimeout: 10s
-
- # service metdata if metrics are enabled
- service:
- annotations: {}
- labels: {}
-
- # Pod annotations for Prometheus
- podAnnotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "8085"
- prometheus.io/path: "/metrics"
-
- serviceMonitor:
- enabled: false
- additionalLabels: {}
- # ServiceMonitor namespace. Default to Velero namespace.
- # namespace:
-
-##
-## End of deployment-related settings.
-##
-
-
-##
-## Parameters for the `default` BackupStorageLocation and VolumeSnapshotLocation,
-## and additional server settings.
-##
+# BackupStorageLocation and VolumeSnapshotLocation
configuration:
- # Cloud provider being used (e.g. aws, azure, gcp).
provider: azure
-
- # Parameters for the `default` BackupStorageLocation. See
- # https://velero.io/docs/v1.5/api-types/backupstoragelocation/
backupStorageLocation:
- # name is the name of the backup storage location where backups should be stored. If a name is not provided,
- # a backup storage location will be created with the name "default". Optional.
name: default
- # provider is the name for the backup storage location provider. If omitted
- # `configuration.provider` will be used instead.
provider:
- # bucket is the name of the bucket to store backups in. Required.
bucket: velero
- # caCert defines a base64 encoded CA bundle to use when verifying TLS connections to the provider.
- caCert:
- # prefix is the directory under which all Velero data should be stored within the bucket. Optional.
- prefix:
- # Additional provider-specific configuration. See link above
- # for details of required/optional fields for your provider.
- config: {}
- # region:
- # s3ForcePathStyle:
- # s3Url:
- # kmsKeyId:
- # resourceGroup:
- # The ID of the subscription containing the storage account, if different from the cluster’s subscription. (Azure only)
- # subscriptionId:
- # storageAccount:
- # publicUrl:
- # Name of the GCP service account to use for this backup storage location. Specify the
- # service account here if you want to use workload identity instead of providing the key file.(GCP only)
- # serviceAccount:
-
- # Parameters for the `default` VolumeSnapshotLocation. See
- # https://velero.io/docs/v1.5/api-types/volumesnapshotlocation/
volumeSnapshotLocation:
- # name is the name of the volume snapshot location where snapshots are being taken. Required.
name: default
- # provider is the name for the volume snapshot provider. If omitted
- # `configuration.provider` will be used instead.
- provider:
- # Additional provider-specific configuration. See link above
- # for details of required/optional fields for your provider.
- config: {}
- # region:
- # apitimeout:
- # resourceGroup:
- # The ID of the subscription where volume snapshots should be stored, if different from the cluster’s subscription. If specified, also requires `configuration.volumeSnapshotLocation.config.resourceGroup`to be set. (Azure only)
- # subscriptionId:
- # snapshotLocation:
- # project:
-
- # These are server-level settings passed as CLI flags to the `velero server` command. Velero
- # uses default values if they're not passed in, so they only need to be explicitly specified
- # here if using a non-default value. The `velero server` default values are shown in the
- # comments below.
- # --------------------
- # `velero server` default: 1m
- backupSyncPeriod:
- # `velero server` default: 1h
- resticTimeout:
- # `velero server` default: namespaces,persistentvolumes,persistentvolumeclaims,secrets,configmaps,serviceaccounts,limitranges,pods
- restoreResourcePriorities:
- # `velero server` default: false
- restoreOnlyMode:
- # `velero server` default: 20.0
- clientQPS:
- # `velero server` default: 30
- clientBurst:
- #
- # additional key/value pairs to be used as environment variables such as "AWS_CLUSTER_NAME: 'yourcluster.domain.tld'"
- extraEnvVars: {}
-
- # Comma separated list of velero feature flags. default: empty
- features:
-
- # Set log-level for Velero pod. Default: info. Other options: debug, warning, error, fatal, panic.
- logLevel:
-
- # Set log-format for Velero pod. Default: text. Other option: json.
- logFormat:
-
- # Set true for backup all pod volumes without having to apply annotation on the pod when used restic Default: false. Other option: false.
- defaultVolumesToRestic:
-
-##
-## End of backup/snapshot location settings.
-##
-
-
-##
-## Settings for additional Velero resources.
-##
-
-rbac:
- # Whether to create the Velero role and role binding to give all permissions to the namespace to Velero.
- create: true
- # Whether to create the cluster role binding to give administrator permissions to Velero
- clusterAdministrator: true
-
-# Information about the Kubernetes service account Velero uses.
-serviceAccount:
- server:
- create: true
- name:
- annotations:
-
-# Info about the secret to be used by the Velero deployment, which
-# should contain credentials for the cloud provider IAM account you've
-# set up for Velero.
credentials:
- # Whether a secret should be used as the source of IAM account
- # credentials. Set to false if, for example, using kube2iam or
- # kiam to provide IAM credentials for the Velero pod.
useSecret: true
- # Name of the secret to create if `useSecret` is true and `existingSecret` is empty
- name:
- # Name of a pre-existing secret (if any) in the Velero namespace
- # that should be used to get IAM account credentials. Optional.
existingSecret: velero-credentials
- # Data to be stored in the Velero secret, if `useSecret` is true and `existingSecret` is empty.
- # As of the current Velero release, Velero only uses one secret key/value at a time.
- # The key must be named `cloud`, and the value corresponds to the entire content of your IAM credentials file.
- # Note that the format will be different for different providers, please check their documentation.
- # Here is a list of documentation for plugins maintained by the Velero team:
- # [AWS] https://github.com/vmware-tanzu/velero-plugin-for-aws/blob/main/README.md
- # [GCP] https://github.com/vmware-tanzu/velero-plugin-for-gcp/blob/main/README.md
- # [Azure] https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/main/README.md
- secretContents: {}
- # cloud: |
- # [default]
- # aws_access_key_id=
- # aws_secret_access_key=
- # additional key/value pairs to be used as environment variables such as "DIGITALOCEAN_TOKEN: ". Values will be stored in the secret.
- extraEnvVars: {}
- # Name of a pre-existing secret (if any) in the Velero namespace
- # that will be used to load environment variables into velero and restic.
- # Secret should be in format - https://kubernetes.io/docs/concepts/configuration/secret/#use-case-as-container-environment-variables
- extraSecretRef: ""
-
-# Whether to create backupstoragelocation crd, if false => do not create a default backup location
-backupsEnabled: true
-# Whether to create volumesnapshotlocation crd, if false => disable snapshot feature
-snapshotsEnabled: true
-
-# Whether to deploy the restic daemonset.
-deployRestic: false
-
-restic:
- podVolumePath: /var/lib/kubelet/pods
- privileged: false
- # Pod priority class name to use for the Restic daemonset. Optional.
- priorityClassName: ""
- # Resource requests/limits to specify for the Restic daemonset deployment. Optional.
- resources: {}
- # Tolerations to use for the Restic daemonset. Optional.
- tolerations: []
-
- # Annotations to set for the Restic daemonset. Optional.
- annotations: {}
-
- # labels to set for the Restic daemonset. Optional.
- labels: {}
-
- # Extra volumes for the Restic daemonset. Optional.
- extraVolumes: []
-
- # Extra volumeMounts for the Restic daemonset. Optional.
- extraVolumeMounts: []
-
- # Configure the dnsPolicy of the Restic daemonset
- # See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
- dnsPolicy: ClusterFirst
-
- # SecurityContext to use for the Velero deployment. Optional.
- # Set fsGroup for `AWS IAM Roles for Service Accounts`
- # see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
- securityContext: {}
- # fsGroup: 1337
-
- # Node selector to use for the Restic daemonset. Optional.
- nodeSelector: {}
-
-# Backup schedules to create.
-# Eg:
-# schedules:
-# mybackup:
-# labels:
-# myenv: foo
-# annotations:
-# myenv: foo
-# schedule: "0 0 * * *"
-# template:
-# ttl: "240h"
-# includedNamespaces:
-# - foo
-schedules: {}
-
-# Velero ConfigMaps.
-# Eg:
-# configMaps:
-# restic-restore-action-config:
-# labels:
-# velero.io/plugin-config: ""
-# velero.io/restic: RestoreItemAction
-# data:
-# image: velero/velero-restic-restore-helper:v1.3.1
-configMaps: {}
-
-##
-## End of additional Velero resource settings.
-##
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 2e89be36..0c7be55a 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -4,9 +4,9 @@
#region Versions
# version used for both main AKS API service, and default node pool
# https://github.com/Azure/AKS/releases
-# az aks get-versions --location uksouth --output table
+# az aks get-versions --location eastus --output table
variable "kubernetes_version" {
- default = "1.18.14"
+ default = "1.19.11"
}
# Helm charts
@@ -19,32 +19,31 @@ variable "kubernetes_version" {
# # helm repo update
# helm search repo ingress-nginx/ingress-nginx
-# * also update terraform/helm/nginx_values.yaml
variable "nginx_chart_version" {
- default = "3.26.0"
+ default = "3.34.0"
}
# https://hub.helm.sh/charts/jetstack/cert-manager
# helm search repo jetstack/cert-manager
variable "cert_manager_chart_version" {
- default = "v1.2.0"
+ default = "v1.4.1"
}
# https://github.com/vmware-tanzu/helm-charts/releases
# helm search repo vmware-tanzu/velero
# * also update terraform/helm/velero_values.yaml
variable "velero_chart_version" {
- default = "2.15.0"
+ default = "2.23.5"
}
# https://hub.docker.com/r/velero/velero/tags
variable "velero_image_tag" {
- default = "v1.5.4"
+ default = "v1.6.2"
}
# https://hub.docker.com/r/sonatype/nexus3/tags
variable "nexus_image_tag" {
- default = "3.30.0"
+ default = "3.32.0"
}
# https://github.com/adamrushuk/charts/releases
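Review bot: The trimmed velero_values.yaml leaves the Velero server container on the chart default `containerSecurityContext: {}` (as the vendored velero_default_values.yaml added in this commit shows), so none of the hardening the upstream comments list is applied; the old `securityContext: {}` key was dropped, and nothing replaces it under the renamed keys. Consider adding at top level `containerSecurityContext:` with `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `readOnlyRootFilesystem: true`, checking that the plugin init container still copies into `/target` with a read-only root. Separately, the new header cites chart velero-2.17.0 while variables.tf sets `velero_chart_version` to 2.23.5 and the defaults file cites velero-2.21.0; pointing the "source (with full comments)" comment at the chart version actually deployed keeps the two files from drifting.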
@@ -59,31 +58,31 @@ variable "nexus_chart_version" {
# https://github.com/SparebankenVest/public-helm-charts/blob/master/stable/akv2k8s/Chart.yaml#L5
# helm search repo spv-charts/akv2k8s
variable "akv2k8s_chart_version" {
- default = "2.0.10"
+ default = "2.0.11"
}
# https://github.com/Azure/aad-pod-identity/blob/master/charts/aad-pod-identity/Chart.yaml#L4
# helm search repo aad-pod-identity/aad-pod-identity
variable "aad_pod_identity_chart_version" {
- default = "4.0.0"
+ default = "4.1.3"
}
# https://bitnami.com/stack/external-dns/helm
# https://github.com/bitnami/charts/blob/master/bitnami/external-dns/Chart.yaml#L21
# helm search repo bitnami/external-dns
variable "external_dns_chart_version" {
- default = "4.9.4"
+ default = "5.2.2"
}
# https://github.com/weaveworks/kured/tree/master/charts/kured
# helm search repo kured/kured
variable "kured_chart_version" {
- default = "2.4.1"
+ default = "2.8.0"
}
# https://github.com/weaveworks/kured#kubernetes--os-compatibility
variable "kured_image_tag" {
- default = "1.6.1"
+ default = "1.7.0"
}
@@ -91,12 +90,13 @@ variable "kured_image_tag" {
# https://github.com/argoproj/argo-helm/blob/master/charts/argo-cd/Chart.yaml#L5
# helm search repo argo/argo-cd
variable "argocd_chart_version" {
- default = "2.17.5"
+ default = "3.11.1"
}
# https://hub.docker.com/r/argoproj/argocd/tags
+# * also update cli version: terraform/files/scripts/argocd_config.sh#L16
variable "argocd_image_tag" {
- default = "v1.8.7"
+ default = "v2.0.5"
}
#endregion Versions
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 37fc53cc..3a55fef7 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -23,50 +23,50 @@ terraform {
# https://github.com/terraform-providers/terraform-provider-azurerm/releases
azurerm = {
source = "hashicorp/azurerm"
- version = "~> 2.54.0"
+ version = "~> 2.70.0"
}
# https://github.com/terraform-providers/terraform-provider-azuread/releases
azuread = {
source = "hashicorp/azuread"
- version = "~> 1.4.0"
+ version = "~> 1.6.0"
}
# https://github.com/hashicorp/terraform-provider-kubernetes/releases
kubernetes = {
source = "hashicorp/kubernetes"
- version = "~> 2.0.3"
+ version = "~> 2.3.2"
}
# https://github.com/hashicorp/terraform-provider-helm/releases
helm = {
source = "hashicorp/helm"
- version = "~> 2.1.0"
+ version = "~> 2.2.0"
}
random = {
source = "hashicorp/random"
- version = "~> 2.2"
+ version = "~> 3.1"
}
tls = {
source = "hashicorp/tls"
- version = "~> 2.1"
+ version = "~> 3.1"
}
local = {
source = "hashicorp/local"
- version = "~> 2.0"
+ version = "~> 2.1"
}
null = {
source = "hashicorp/null"
- version = "~> 3.0"
+ version = "~> 3.1"
}
template = {
source = "hashicorp/template"
- version = "~> 2.0"
+ version = "~> 2.2"
}
}
}