diff --git a/.terraform-docs.yml b/.terraform-docs.yml new file mode 100644 index 0000000..b306bba --- /dev/null +++ b/.terraform-docs.yml @@ -0,0 +1,50 @@ +formatter: "markdown table" + +version: "" + +header-from: main.tf +footer-from: "" + +recursive: + enabled: true + path: modules + +sections: + hide: [] + show: [] + + hide-all: false # deprecated in v0.13.0, removed in v0.15.0 + show-all: true # deprecated in v0.13.0, removed in v0.15.0 + +content: "" + +output: + file: "README.md" + mode: inject + template: |- + + {{ .Content }} + + +output-values: + enabled: false + from: "" + +sort: + enabled: true + by: name + +settings: + anchor: true + color: true + default: true + description: false + escape: true + hide-empty: false + html: true + indent: 2 + lockfile: true + read-comments: true + required: true + sensitive: true + type: true diff --git a/README.md b/README.md index aa94426..6d8247a 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ Changes have been introduced as of March 2023 that are not compatible with user- - 99_post.sh If you are using additional cloud-init scripts, ensure that their numbering will run in the order you expect. --When setting the 'asg' variable, you now must also set the 'termination_policy' value. +-When setting the 'asg' variable, you now must also set the 'termination_policy' value. ## Usage 
@@ -147,72 +147,111 @@ Optional policies have the option of being created by default, but are specified * AWS Cluster Autoscaler: will configure `rke2` to autoscale based off kubernetes resource requests * [agents](./modules/agent-nodepool/data.tf#27) + ## Requirements | Name | Version | |------|---------| -| terraform | >= 0.13 | +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | ~> 5.4 | +| [cloudinit](#requirement\_cloudinit) | ~> 2.3 | +| [random](#requirement\_random) | ~> 3.5 | ## Providers | Name | Version | |------|---------| -| aws | n/a | -| random | n/a | -| cloudinit | n/a | +| [aws](#provider\_aws) | 5.11.0 | +| [cloudinit](#provider\_cloudinit) | 2.3.2 | +| [random](#provider\_random) | 3.5.1 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [cp\_lb](#module\_cp\_lb) | ./modules/nlb | n/a | +| [iam](#module\_iam) | ./modules/policies | n/a | +| [init](#module\_init) | ./modules/userdata | n/a | +| [servers](#module\_servers) | ./modules/nodepool | n/a | +| [statestore](#module\_statestore) | ./modules/statestore | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_role_policy.aws_ccm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aws_required](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.get_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.put_kubeconfig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_security_group.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.server](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | 
resource | +| [aws_security_group_rule.cluster_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cluster_shared](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.server_cp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.server_cp_supervisor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [random_password.token](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | +| [random_string.uid](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [aws_iam_policy_document.aws_ccm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.aws_required](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [cloudinit_config.this](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| ami | Server pool ami | `string` | n/a | yes | -| block\_device\_mappings | Server pool block device mapping configuration | `map(string)` |
{| no | -| cluster\_name | Name of the rkegov cluster to create | `string` | n/a | yes | -| controlplane\_access\_logs\_bucket | Set to bucket name to log requests to load balancer | `string` | `"disabled"` | no | -| controlplane\_allowed\_cidrs | Server pool security group allowed cidr ranges | `list(string)` |
"encrypted": false,
"size": 30
}
[| no | -| controlplane\_enable\_cross\_zone\_load\_balancing | Toggle between controlplane cross zone load balancing | `bool` | `true` | no | -| controlplane\_internal | Toggle between public or private control plane load balancer | `bool` | `true` | no | -| download | Toggle best effort download of rke2 dependencies (rke2 and aws cli), if disabled, dependencies are assumed to exist in $PATH | `bool` | `true` | no | -| enable\_ccm | Toggle enabling the cluster as aws aware, this will ensure the appropriate IAM policies are present | `bool` | `false` | no | -| extra\_block\_device\_mappings | Additional server pool block device mappings configuration | `list(map(string))` | `[]` | no | -| iam\_instance\_profile | Server pool IAM Instance Profile, created if left blank (default behavior) | `string` | `""` | no | -| iam\_permissions\_boundary | If provided, the IAM role created for the servers will be created with this permissions boundary attached. | `string` | `null` | no | -| extra\_security\_group\_ids | List of additional security group IDs | `list(string)` | `[]` | no | -| instance\_type | Server pool instance type | `string` | `"t3a.medium"` | no | -| post\_userdata | Custom userdata to run immediately after rke2 node attempts to join cluster | `string` | `""` | no | -| pre\_userdata | Custom userdata to run immediately before rke2 node attempts to join cluster, after required rke2, dependencies are installed | `string` | `""` | no | -| rke2\_config | Server pool additional configuration passed as rke2 config file, see https://docs.rke2.io/install/install_options/server_config for full list of options | `string` | `""` | no | -| rke2\_version | Version to use for RKE2 server nodes | `string` | `"v1.18.12+rke2r2"` | no | -| servers | Number of servers to create | `number` | `1` | no | -| spot | Toggle spot requests for server pool | `bool` | `false` | no | -| ssh\_authorized\_keys | Server pool list of public keys to add as authorized ssh keys | `list(string)` 
| `[]` | no | -| subnets | List of subnet IDs to create resources in | `list(string)` | n/a | yes | -| tags | Map of tags to add to all resources created | `map(string)` | `{}` | no | -| unique\_suffix | Enables/disables generation of a unique suffix to cluster name | `bool` | `true` | yes | -| vpc\_id | VPC ID to create resources in | `string` | n/a | yes | -| wait_for_capacity_timeout | How long Terraform should wait for ASG instances to be healthy before timing out. | `string` | `"10m"` | no | -| metadata_options | Instance Metadata Options | `map` |
"0.0.0.0/0"
]
{| no | -| ccm_external | Set kubelet arg 'cloud-provider-name' value to 'external'. Requires manual install of CCM. | `bool` | `false` | no -| rke2_start | Start/Stop value for the rke2-server/agent service. True=start, False= don't start. | `bool` | `true` | no -| rke2_install_script_url | URL for RKE2 install script | `string` | `"https://get.rke2.io"` | no -| awscli_url | URL for awscli zip file | `string` | `"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"` | no -| unzip_rpm_url | URL path to unzip rpm | `string` | `""` | no -| termination_policies | List of policies to decide how the instances in the Auto Scaling Group should be terminated | `list(string)` | `["Default"]` | no -| statestore_attach_deny_insecure_transport_policy | Toggle for enabling s3 policy to reject non-SSL requests | `bool` | `true` | yes | +| [ami](#input\_ami) | Server pool ami | `string` | n/a | yes | +| [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | n/a | `bool` | `false` | no | +| [awscli\_url](#input\_awscli\_url) | URL for awscli zip file | `string` | `"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"` | no | +| [block\_device\_mappings](#input\_block\_device\_mappings) | Server pool block device mapping configuration | `map(string)` |
http_endpoint: "enabled",
http_tokens: "required",
http_put_response_hop_limit: 1,
instance_metadata_tags: "disabled"}
{| no | +| [ccm\_external](#input\_ccm\_external) | Set kubelet arg 'cloud-provider-name' value to 'external'. Requires manual install of CCM. | `bool` | `false` | no | +| [cluster\_name](#input\_cluster\_name) | Name of the rkegov cluster to create | `string` | n/a | yes | +| [controlplane\_access\_logs\_bucket](#input\_controlplane\_access\_logs\_bucket) | Bucket name for logging requests to control plane load balancer | `string` | `"disabled"` | no | +| [controlplane\_allowed\_cidrs](#input\_controlplane\_allowed\_cidrs) | Server pool security group allowed cidr ranges | `list(string)` |
"encrypted": false,
"size": 30
}
[| no | +| [controlplane\_enable\_cross\_zone\_load\_balancing](#input\_controlplane\_enable\_cross\_zone\_load\_balancing) | Toggle between controlplane cross zone load balancing | `bool` | `true` | no | +| [controlplane\_internal](#input\_controlplane\_internal) | Toggle between public or private control plane load balancer | `bool` | `true` | no | +| [create\_acl](#input\_create\_acl) | Toggle creation of ACL for statestore bucket | `bool` | `true` | no | +| [download](#input\_download) | Toggle best effort download of rke2 dependencies (rke2 and aws cli), if disabled, dependencies are assumed to exist in $PATH | `bool` | `true` | no | +| [enable\_ccm](#input\_enable\_ccm) | Toggle enabling the cluster as aws aware, this will ensure the appropriate IAM policies are present | `bool` | `false` | no | +| [extra\_block\_device\_mappings](#input\_extra\_block\_device\_mappings) | Used to specify additional block device mapping configurations | `list(map(string))` | `[]` | no | +| [extra\_cloud\_config\_config](#input\_extra\_cloud\_config\_config) | extra config to append to cloud-config | `string` | `""` | no | +| [extra\_security\_group\_ids](#input\_extra\_security\_group\_ids) | List of additional security group IDs | `list(string)` | `[]` | no | +| [iam\_instance\_profile](#input\_iam\_instance\_profile) | Server pool IAM Instance Profile, created if left blank (default behavior) | `string` | `""` | no | +| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | If provided, the IAM role created for the servers will be created with this permissions boundary attached. | `string` | `null` | no | +| [instance\_type](#input\_instance\_type) | Server pool instance type | `string` | `"t3a.medium"` | no | +| [metadata\_options](#input\_metadata\_options) | Instance Metadata Options | `map(any)` |
"0.0.0.0/0"
]
{| no | +| [post\_userdata](#input\_post\_userdata) | Custom userdata to run immediately after rke2 node attempts to join cluster | `string` | `""` | no | +| [pre\_userdata](#input\_pre\_userdata) | Custom userdata to run immediately before rke2 node attempts to join cluster, after required rke2, dependencies are installed | `string` | `""` | no | +| [rke2\_config](#input\_rke2\_config) | Server pool additional configuration passed as rke2 config file, see https://docs.rke2.io/install/install_options/server_config for full list of options | `string` | `""` | no | +| [rke2\_install\_script\_url](#input\_rke2\_install\_script\_url) | URL for RKE2 install script | `string` | `"https://get.rke2.io"` | no | +| [rke2\_start](#input\_rke2\_start) | Start/Stop value for the rke2-server/agent service. This will prevent the service from starting until the next reboot. True=start, False= don't start. | `bool` | `true` | no | +| [rke2\_version](#input\_rke2\_version) | Version to use for RKE2 server nodes | `string` | `"v1.19.7+rke2r1"` | no | +| [servers](#input\_servers) | Number of servers to create | `number` | `3` | no | +| [spot](#input\_spot) | Toggle spot requests for server pool | `bool` | `false` | no | +| [ssh\_authorized\_keys](#input\_ssh\_authorized\_keys) | Server pool list of public keys to add as authorized ssh keys | `list(string)` | `[]` | no | +| [statestore\_attach\_deny\_insecure\_transport\_policy](#input\_statestore\_attach\_deny\_insecure\_transport\_policy) | Toggle for enabling s3 policy to reject non-SSL requests | `bool` | `true` | no | +| [subnets](#input\_subnets) | List of subnet IDs to create resources in | `list(string)` | n/a | yes | +| [suspended\_processes](#input\_suspended\_processes) | List of processes to suspend in the autoscaling service | `list(string)` | `[]` | no | +| [tags](#input\_tags) | Map of tags to add to all resources created | `map(string)` | `{}` | no | +| [termination\_policies](#input\_termination\_policies) | List of 
policies to decide how the instances in the Auto Scaling Group should be terminated | `list(string)` |
"http_endpoint": "enabled",
"http_put_response_hop_limit": 2,
"http_tokens": "required",
"instance_metadata_tags": "disabled"
}
[| no | +| [unique\_suffix](#input\_unique\_suffix) | Enables/disables generation of a unique suffix to cluster name | `bool` | `true` | no | +| [unzip\_rpm\_url](#input\_unzip\_rpm\_url) | URL path to unzip rpm | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID to create resources in | `string` | n/a | yes | +| [wait\_for\_capacity\_timeout](#input\_wait\_for\_capacity\_timeout) | How long Terraform should wait for ASG instances to be healthy before timing out. | `string` | `"10m"` | no | ## Outputs | Name | Description | |------|-------------| -| cluster\_data | Map of cluster data required by agent pools for joining cluster, do not modify this | -| cluster\_name | Name of the rke2 cluster | -| cluster\_sg | Security group shared by cluster nodes, this is different than nodepool security groups | -| iam\_instance\_profile | IAM instance profile attached to server nodes | -| iam\_role | IAM role of server nodes | -| iam\_role\_arn | IAM role arn of server nodes | -| kubeconfig\_path | n/a | -| server\_nodepool\_arn | n/a | -| server\_nodepool\_id | n/a | -| server\_nodepool\_name | n/a | -| server\_sg | n/a | -| server\_url | n/a | +| [cluster\_data](#output\_cluster\_data) | Map of cluster data required by agent pools for joining cluster, do not modify this | +| [cluster\_name](#output\_cluster\_name) | Name of the rke2 cluster | +| [cluster\_sg](#output\_cluster\_sg) | Security group shared by cluster nodes, this is different than nodepool security groups | +| [iam\_instance\_profile](#output\_iam\_instance\_profile) | IAM instance profile attached to server nodes | +| [iam\_role](#output\_iam\_role) | IAM role of server nodes | +| [iam\_role\_arn](#output\_iam\_role\_arn) | IAM role arn of server nodes | +| [kubeconfig\_path](#output\_kubeconfig\_path) | n/a | +| [server\_nodepool\_arn](#output\_server\_nodepool\_arn) | n/a | +| [server\_nodepool\_id](#output\_server\_nodepool\_id) | n/a | +| 
[server\_nodepool\_name](#output\_server\_nodepool\_name) | n/a | +| [server\_sg](#output\_server\_sg) | n/a | +| [server\_url](#output\_server\_url) | n/a | + diff --git a/main.tf b/main.tf index 69caa1a..4793b1a 100644 --- a/main.tf +++ b/main.tf @@ -191,7 +191,6 @@ module "servers" { extra_block_device_mappings = var.extra_block_device_mappings vpc_security_group_ids = concat([aws_security_group.server.id, aws_security_group.cluster.id, module.cp_lb.security_group], var.extra_security_group_ids) spot = var.spot - #load_balancers = [module.cp_lb.name] target_group_arns = local.target_group_arns wait_for_capacity_timeout = var.wait_for_capacity_timeout metadata_options = var.metadata_options @@ -202,7 +201,13 @@ module "servers" { iam_instance_profile = var.iam_instance_profile == "" ? module.iam[0].iam_instance_profile : var.iam_instance_profile # Don't allow something not recommended within etcd scaling, set max deliberately and only control desired - asg = { min : 1, max : 7, desired : var.servers, termination_policies : var.termination_policies } + asg = { + min = 1 + max = 7 + desired = var.servers + suspended_processes = var.suspended_processes + termination_policies = var.termination_policies + } # TODO: Ideally set this to `length(var.servers)`, but currently blocked by: https://github.com/rancher/rke2/issues/349 min_elb_capacity = 1 diff --git a/modules/agent-nodepool/README.md b/modules/agent-nodepool/README.md index f2e49f8..b76ac24 100644 --- a/modules/agent-nodepool/README.md +++ b/modules/agent-nodepool/README.md 
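Review bot: `desired = var.servers` is passed into an `asg` block whose `max` is hard-coded to 7, and nothing in this hunk guards `var.servers` against exceeding it, so an oversized value is only rejected by the AWS API at apply time rather than at plan time. Since the comment above the block says `max` is set deliberately because of etcd scaling, add a `validation` block to the root `servers` variable (its declaration is outside this diff) with `condition = var.servers >= 1 && var.servers <= 7` and an error message naming the fixed ASG maximum. The new `suspended_processes = var.suspended_processes` pass-through also lets a caller suspend processes such as `HealthCheck` or `ReplaceUnhealthy` on the control-plane ASG, and the README row added in this commit only says "List of processes to suspend in the autoscaling service", so the variable description should state that suspending those processes stops unhealthy control-plane nodes from being replaced. The `module "servers"` block itself starts and ends outside both hunks.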
@@ -1,41 +1,80 @@ + ## Requirements | Name | Version | |------|---------| -| terraform | >= 0.13, < 0.14 | +| [terraform](#requirement\_terraform) | >= 0.13 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [cloudinit](#provider\_cloudinit) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [iam](#module\_iam) | ../policies | n/a | +| [init](#module\_init) | ../userdata | n/a | +| [nodepool](#module\_nodepool) | ../nodepool | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_role_policy.aws_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aws_ccm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.get_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_policy_document.aws_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.aws_ccm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [cloudinit_config.init](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| ami | Node pool ami | `string` | `""` | no | -| asg | Node pool AutoScalingGroup scaling definition |
"Default"
]
object({|
min = number
max = number
desired = number
})
{| no | -| block\_device\_mappings | Node pool block device mapping configuration | `map(string)` |
"desired": 1,
"max": 10,
"min": 1
}
{| no | -| cluster\_data | Required data relevant to joining an existing rke2 cluster, sourced from main rke2 module, do NOT modify |
"size": 30,
"type": "gp2"
}
object({| n/a | yes | -| enable\_autoscaler | Toggle configure the nodepool for cluster autoscaler, this will ensure the appropriate IAM policies are present, you are still responsible for ensuring cluster autoscaler is installed | `bool` | `false` | no | -| enable\_ccm | Toggle enabling the cluster as aws aware, this will ensure the appropriate IAM policies are present | `bool` | `false` | no | -| extra\_block\_device\_mappings | Additional node pool block device mappings configuration | `list(map(string))` | `[]` | no | -| extra\_security\_group\_ids | List of additional security group IDs | `list(string)` | `[]` | no | -| iam\_instance\_profile | Node pool IAM Instance Profile, created if node specified | `string` | `""` | no | -| instance\_type | Node pool instance type | `string` | `"t3.medium"` | no | -| name | Nodepool name | `string` | n/a | yes | -| post\_userdata | Custom userdata to run immediately after rke2 node attempts to join cluster | `string` | `""` | no | -| pre\_userdata | Custom userdata to run immediately before rke2 node attempts to join cluster, after required rke2, dependencies are installed | `string` | `""` | no | -| rke2\_config | Node pool additional configuration passed as rke2 config file, see https://docs.rke2.io/install/install_options/agent_config for full list of options | `string` | `""` | no | -| rke2\_version | Version to use for RKE2 server nodepool | `string` | `"v1.18.10+rke2r1"` | no | -| ssh\_authorized\_keys | Node pool list of public keys to add as authorized ssh keys, not required | `list(string)` | `[]` | no | -| subnets | List of subnet IDs to create resources in | `list(string)` | n/a | yes | -| tags | Map of additional tags to add to all resources created | `map(string)` | `{}` | no | -| vpc\_id | VPC ID to create resources in | `string` | n/a | yes | -| wait_for_capacity_timeout | How long Terraform should wait for ASG instances to be healthy before timing out. 
| `string` | `"10m"` | no | -| metadata_options | Instance Metadata Options | `map` |
name = string
server_url = string
cluster_sg = string
token = object({
bucket = string
bucket_arn = string
object = string
policy_document = string
})
})
{| no | +| [ami](#input\_ami) | Node pool ami | `string` | `""` | no | +| [asg](#input\_asg) | Node pool AutoScalingGroup scaling definition |
http_endpoint: "enabled",
http_tokens: "required",
http_put_response_hop_limit: 1,
instance_metadata_tags: "disabled"}
object({|
min = number
max = number
desired = number
suspended_processes = list(string)
termination_policies = list(string)
})
{| no | +| [awscli\_url](#input\_awscli\_url) | URL for awscli zip file | `string` | `"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"` | no | +| [block\_device\_mappings](#input\_block\_device\_mappings) | Node pool block device mapping configuration | `map(string)` |
"desired": 1,
"max": 10,
"min": 1,
"suspended_processes": [],
"termination_policies": [
"Default"
]
}
{| no | +| [ccm\_external](#input\_ccm\_external) | Set kubelet arg 'cloud-provider-name' value to 'external'. Requires manual install of CCM. | `bool` | `false` | no | +| [cluster\_data](#input\_cluster\_data) | Required data relevant to joining an existing rke2 cluster, sourced from main rke2 module, do NOT modify |
"size": 30,
"type": "gp2"
}
object({| n/a | yes | +| [download](#input\_download) | Toggle best effort download of rke2 dependencies (rke2 and aws cli), if disabled, dependencies are assumed to exist in $PATH | `bool` | `true` | no | +| [enable\_autoscaler](#input\_enable\_autoscaler) | Toggle configure the nodepool for cluster autoscaler, this will ensure the appropriate IAM policies are present, you are still responsible for ensuring cluster autoscaler is installed | `bool` | `false` | no | +| [enable\_ccm](#input\_enable\_ccm) | Toggle enabling the cluster as aws aware, this will ensure the appropriate IAM policies are present | `bool` | `false` | no | +| [extra\_block\_device\_mappings](#input\_extra\_block\_device\_mappings) | Used to specify additional block device mapping configurations | `list(map(string))` | `[]` | no | +| [extra\_cloud\_config\_config](#input\_extra\_cloud\_config\_config) | extra config to append to cloud-config | `string` | `""` | no | +| [extra\_security\_group\_ids](#input\_extra\_security\_group\_ids) | List of additional security group IDs | `list(string)` | `[]` | no | +| [iam\_instance\_profile](#input\_iam\_instance\_profile) | Node pool IAM Instance Profile, created if left blank (default behavior) | `string` | `""` | no | +| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | If provided, the IAM role created for the nodepool will be created with this permissions boundary attached. | `string` | `null` | no | +| [instance\_type](#input\_instance\_type) | Node pool instance type | `string` | `"t3.medium"` | no | +| [metadata\_options](#input\_metadata\_options) | Instance Metadata Options | `map(any)` |
name = string
server_url = string
cluster_sg = string
token = object({
bucket = string
bucket_arn = string
object = string
policy_document = string
})
})
{| no | +| [name](#input\_name) | Nodepool name | `string` | n/a | yes | +| [post\_userdata](#input\_post\_userdata) | Custom userdata to run immediately after rke2 node attempts to join cluster | `string` | `""` | no | +| [pre\_userdata](#input\_pre\_userdata) | Custom userdata to run immediately before rke2 node attempts to join cluster, after required rke2, dependencies are installed | `string` | `""` | no | +| [rke2\_config](#input\_rke2\_config) | Node pool additional configuration passed as rke2 config file, see https://docs.rke2.io/install/install_options/agent_config for full list of options | `string` | `""` | no | +| [rke2\_install\_script\_url](#input\_rke2\_install\_script\_url) | URL for RKE2 install script | `string` | `"https://get.rke2.io"` | no | +| [rke2\_start](#input\_rke2\_start) | Start/Stop value for the rke2-server/agent service. True=start, False= don't start. | `bool` | `true` | no | +| [rke2\_version](#input\_rke2\_version) | Version to use for RKE2 server nodepool | `string` | `"v1.19.7+rke2r1"` | no | +| [spot](#input\_spot) | Toggle spot requests for node pool | `bool` | `false` | no | +| [ssh\_authorized\_keys](#input\_ssh\_authorized\_keys) | Node pool list of public keys to add as authorized ssh keys, not required | `list(string)` | `[]` | no | +| [subnets](#input\_subnets) | List of subnet IDs to create resources in | `list(string)` | n/a | yes | +| [tags](#input\_tags) | Map of additional tags to add to all resources created | `map(string)` | `{}` | no | +| [unzip\_rpm\_url](#input\_unzip\_rpm\_url) | URL path to unzip rpm | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID to create resources in | `string` | n/a | yes | +| [wait\_for\_capacity\_timeout](#input\_wait\_for\_capacity\_timeout) | How long Terraform should wait for ASG instances to be healthy before timing out. 
| `string` | `"10m"` | no | + +## Outputs | Name | Description | |------|-------------| -| iam\_instance\_profile | IAM instance profile attached to nodes in nodepool | -| iam\_role | IAM role of node pool | -| nodepool\_arn | n/a | -| nodepool\_id | n/a | -| nodepool\_name | n/a | -| security\_group | n/a | - +| [iam\_instance\_profile](#output\_iam\_instance\_profile) | IAM instance profile attached to nodes in nodepool | +| [iam\_role](#output\_iam\_role) | IAM role of node pool | +| [iam\_role\_arn](#output\_iam\_role\_arn) | IAM role arn of node pool | +| [nodepool\_arn](#output\_nodepool\_arn) | n/a | +| [nodepool\_id](#output\_nodepool\_id) | n/a | +| [nodepool\_name](#output\_nodepool\_name) | n/a | +| [security\_group](#output\_security\_group) | n/a | + \ No newline at end of file diff --git a/modules/agent-nodepool/variables.tf b/modules/agent-nodepool/variables.tf index 1af33ab..c3bd8c9 100644 --- a/modules/agent-nodepool/variables.tf +++ b/modules/agent-nodepool/variables.tf @@ -80,13 +80,15 @@ variable "asg" { min = number max = number desired = number - termination_policies = list(string) + suspended_processes = optional(list(string)) + termination_policies = optional(list(string)) }) default = { min = 1 max = 10 desired = 1 + suspended_processes = [] termination_policies = ["Default"] } } diff --git a/modules/common/README.md b/modules/common/README.md new file mode 100644 index 0000000..ef2fa69 --- /dev/null +++ b/modules/common/README.md @@ -0,0 +1,25 @@ + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +No modules. + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/modules/elb/README.md b/modules/elb/README.md new file mode 100644 index 0000000..1910f6e --- /dev/null +++ b/modules/elb/README.md 
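Review bot: `suspended_processes = optional(list(string))` and `termination_policies = optional(list(string))` use `optional()` inside an object type constraint, which Terraform only supports without an experiment flag from 1.3 onward, while the regenerated module README in this same commit still advertises `terraform >= 0.13`; either this module's `required_version` (outside the diff) needs to move to `>= 1.3` or the attributes must stay non-optional. With `optional()` and no default, a caller who supplies an `asg` object that omits these attributes gets `null` rather than the `[]` and `["Default"]` shown in the `default` block, because the variable default only applies when the whole variable is omitted; prefer `suspended_processes = optional(list(string), [])` and `termination_policies = optional(list(string), ["Default"])` so partial objects and an omitted variable behave the same. The `variable "asg" {` header and its `type = object({` line start above this hunk.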
@@ -0,0 +1,50 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_elb.controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elb) | resource | +| [aws_security_group.controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.apiserver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.supervisor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_logs\_bucket](#input\_access\_logs\_bucket) | n/a | `string` | `"disabled"` | no | +| [cp\_ingress\_cidr\_blocks](#input\_cp\_ingress\_cidr\_blocks) | n/a | `list(string)` |
"http_endpoint": "enabled",
"http_put_response_hop_limit": 2,
"http_tokens": "required",
"instance_metadata_tags": "disabled"
}
[| no | +| [cp\_port](#input\_cp\_port) | n/a | `number` | `6443` | no | +| [cp\_supervisor\_ingress\_cidr\_blocks](#input\_cp\_supervisor\_ingress\_cidr\_blocks) | n/a | `list(string)` |
"0.0.0.0/0"
]
[| no | +| [cp\_supervisor\_port](#input\_cp\_supervisor\_port) | n/a | `number` | `9345` | no | +| [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | n/a | `bool` | `true` | no | +| [internal](#input\_internal) | n/a | `bool` | `true` | no | +| [name](#input\_name) | n/a | `string` | n/a | yes | +| [subnets](#input\_subnets) | n/a | `list(string)` | n/a | yes | +| [tags](#input\_tags) | n/a | `map(string)` | `{}` | no | +| [vpc\_id](#input\_vpc\_id) | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [dns](#output\_dns) | n/a | +| [id](#output\_id) | n/a | +| [name](#output\_name) | n/a | +| [security\_group](#output\_security\_group) | n/a | + \ No newline at end of file diff --git a/modules/nlb/README.md b/modules/nlb/README.md new file mode 100644 index 0000000..ecdacf2 --- /dev/null +++ b/modules/nlb/README.md 
@@ -0,0 +1,56 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_lb.controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource | +| [aws_lb_listener.apiserver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | +| [aws_lb_listener.supervisor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | +| [aws_lb_target_group.apiserver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource | +| [aws_lb_target_group.supervisor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource | +| [aws_security_group.controlplane](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.apiserver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.supervisor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_logs\_bucket](#input\_access\_logs\_bucket) | n/a | `string` | `"disabled"` | no | +| [cp\_ingress\_cidr\_blocks](#input\_cp\_ingress\_cidr\_blocks) | n/a | `list(string)` |
"0.0.0.0/0"
]
[| no | +| [cp\_port](#input\_cp\_port) | n/a | `number` | `6443` | no | +| [cp\_supervisor\_ingress\_cidr\_blocks](#input\_cp\_supervisor\_ingress\_cidr\_blocks) | n/a | `list(string)` |
"0.0.0.0/0"
]
[| no | +| [cp\_supervisor\_port](#input\_cp\_supervisor\_port) | n/a | `number` | `9345` | no | +| [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | n/a | `bool` | `true` | no | +| [internal](#input\_internal) | n/a | `bool` | `true` | no | +| [name](#input\_name) | n/a | `string` | n/a | yes | +| [subnets](#input\_subnets) | n/a | `list(string)` | n/a | yes | +| [tags](#input\_tags) | n/a | `map(string)` | `{}` | no | +| [vpc\_id](#input\_vpc\_id) | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | n/a | +| [dns](#output\_dns) | n/a | +| [id](#output\_id) | n/a | +| [name](#output\_name) | n/a | +| [security\_group](#output\_security\_group) | n/a | +| [target\_group\_arns](#output\_target\_group\_arns) | n/a | + \ No newline at end of file diff --git a/modules/nodepool/README.md b/modules/nodepool/README.md new file mode 100644 index 0000000..d77e733 --- /dev/null +++ b/modules/nodepool/README.md @@ -0,0 +1,60 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_autoscaling_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource | +| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | +| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [ami](#input\_ami) | n/a | `string` | `""` | no | +| [asg](#input\_asg) | n/a |
"0.0.0.0/0"
]
object({|
min = number
max = number
desired = number
suspended_processes = list(string)
termination_policies = list(string)
})
{| no | +| [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | n/a | `bool` | `false` | no | +| [block\_device\_mappings](#input\_block\_device\_mappings) | n/a | `map(string)` |
"desired": 3,
"max": 7,
"min": 1,
"suspended_processes": [],
"termination_policies": []
}
{| no | +| [extra\_block\_device\_mappings](#input\_extra\_block\_device\_mappings) | n/a | `list(map(string))` | `[]` | no | +| [extra\_cloud\_config\_config](#input\_extra\_cloud\_config\_config) | extra config to append to cloud-config | `string` | `""` | no | +| [health\_check\_type](#input\_health\_check\_type) | n/a | `string` | `"EC2"` | no | +| [iam\_instance\_profile](#input\_iam\_instance\_profile) | n/a | `string` | `""` | no | +| [instance\_type](#input\_instance\_type) | n/a | `string` | `"t3.medium"` | no | +| [load\_balancers](#input\_load\_balancers) | n/a | `list(string)` | `[]` | no | +| [metadata\_options](#input\_metadata\_options) | Instance Metadata Options | `map(any)` | n/a | yes | +| [min\_elb\_capacity](#input\_min\_elb\_capacity) | n/a | `number` | `null` | no | +| [name](#input\_name) | n/a | `string` | n/a | yes | +| [spot](#input\_spot) | n/a | `bool` | `false` | no | +| [subnets](#input\_subnets) | n/a | `list(string)` | n/a | yes | +| [tags](#input\_tags) | n/a | `map(string)` | `{}` | no | +| [target\_group\_arns](#input\_target\_group\_arns) | n/a | `list(string)` | `[]` | no | +| [userdata](#input\_userdata) | n/a | `string` | `""` | no | +| [vpc\_id](#input\_vpc\_id) | n/a | `string` | n/a | yes | +| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | n/a | `list(string)` | `[]` | no | +| [wait\_for\_capacity\_timeout](#input\_wait\_for\_capacity\_timeout) | How long Terraform should wait for ASG instances to be healthy before timing out. | `string` | `"10m"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [asg\_arn](#output\_asg\_arn) | n/a | +| [asg\_id](#output\_asg\_id) | n/a | +| [asg\_name](#output\_asg\_name) | n/a | +| [launch\_template\_id](#output\_launch\_template\_id) | n/a | +| [launch\_template\_name](#output\_launch\_template\_name) | n/a | +| [security\_group](#output\_security\_group) | n/a | + \ No newline at end of file 
diff --git a/modules/nodepool/main.tf b/modules/nodepool/main.tf
index 1e8970c..f47b47f 100644
--- a/modules/nodepool/main.tf
+++ b/modules/nodepool/main.tf
@@ -73,6 +73,7 @@ resource "aws_autoscaling_group" "this" {
   min_size = var.asg.min
   max_size = var.asg.max
   desired_capacity = var.asg.desired
+  suspended_processes = var.asg.suspended_processes
   termination_policies = var.asg.termination_policies
 
   # Health check and target groups dependent on whether we're a server or not (identified via rke2_url)
diff --git a/modules/nodepool/variables.tf b/modules/nodepool/variables.tf
index 6f63395..7610e1b 100644
--- a/modules/nodepool/variables.tf
+++ b/modules/nodepool/variables.tf
@@ -80,8 +80,16 @@ variable "asg" {
     min = number
     max = number
     desired = number
+    suspended_processes = list(string)
     termination_policies = list(string)
   })
+  default = {
+    min = 1
+    max = 7
+    desired = 3
+    suspended_processes = []
+    termination_policies = []
+  }
 }
 
 variable "spot" {
diff --git a/modules/policies/README.md b/modules/policies/README.md
new file mode 100644
index 0000000..4922956
--- /dev/null
+++ b/modules/policies/README.md
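Review bot: Adding `suspended_processes` to the `asg` object type in modules/nodepool/variables.tf makes the attribute mandatory for every caller, because an `object({...})` constraint rejects a value that omits an attribute unless it is wrapped in `optional()`, which needs Terraform 1.3 or later while `required_version` still admits 0.13; a caller passing the previous four-attribute object fails validation instead of picking up the new default. The new default also sets `termination_policies = []`, whereas the root-level `termination_policies` variable defaults to `["Default"]`, so the two entry points now disagree on the policy applied when nothing is set. Consider stating the contract in the variable itself, `description = "Auto Scaling Group sizing, suspended processes and termination policies; every attribute must be supplied when the object is set"`, and aligning the module default with the root default. The `variable "asg"` block begins outside the hunk.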
@@ -0,0 +1,39 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_policy_document.ec2_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [name](#input\_name) | n/a | `string` | n/a | yes |
+| [permissions\_boundary](#input\_permissions\_boundary) | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | `null` | no |
+| [tags](#input\_tags) | n/a | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [iam\_instance\_profile](#output\_iam\_instance\_profile) | n/a |
+| [role](#output\_role) | n/a |
+| [role\_arn](#output\_role\_arn) | n/a |
+
\ No newline at end of file
diff --git a/modules/statestore/README.md b/modules/statestore/README.md
new file mode 100644
index 0000000..6126be8
--- /dev/null
+++ b/modules/statestore/README.md
@@ -0,0 +1,48 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_ownership_controls.bucket_ownership_controls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.ssec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_object.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | +| [aws_iam_policy_document.deny_insecure_transport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.getter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.setter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [attach\_deny\_insecure\_transport\_policy](#input\_attach\_deny\_insecure\_transport\_policy) | n/a | `bool` | n/a | yes | +| [create\_acl](#input\_create\_acl) | n/a | `bool` | `true` | no | +| [name](#input\_name) | n/a | `string` | n/a | yes | +| [tags](#input\_tags) | 
n/a | `map(string)` | `{}` | no | +| [token](#input\_token) | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [bucket](#output\_bucket) | n/a | +| [kubeconfig\_put\_policy](#output\_kubeconfig\_put\_policy) | n/a | +| [token](#output\_token) | n/a | +| [token\_object](#output\_token\_object) | n/a | + \ No newline at end of file diff --git a/modules/userdata/README.md b/modules/userdata/README.md new file mode 100644 index 0000000..265205a --- /dev/null +++ b/modules/userdata/README.md 
@@ -0,0 +1,40 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [agent](#input\_agent) | Toggle server or agent init, defaults to agent | `bool` | `true` | no |
+| [ccm](#input\_ccm) | Toggle cloud controller manager | `bool` | `false` | no |
+| [ccm\_external](#input\_ccm\_external) | Set kubelet arg 'cloud-provider-name' value to 'external'. Requires manual install of CCM. | `bool` | `false` | no |
+| [config](#input\_config) | RKE2 config file yaml contents | `string` | `""` | no |
+| [post\_userdata](#input\_post\_userdata) | Custom userdata to run immediately after rke2 node attempts to join cluster | `string` | `""` | no |
+| [pre\_userdata](#input\_pre\_userdata) | Custom userdata to run immediately before rke2 node attempts to join cluster, after required rke2, dependencies are installed | `string` | `""` | no |
+| [rke2\_start](#input\_rke2\_start) | Start/Stop value for the rke2-server/agent service. This will prevent the service from starting until the next reboot. True=start, False= don't start. | `bool` | `true` | no |
+| [server\_url](#input\_server\_url) | rke2 server url | `string` | n/a | yes |
+| [token\_bucket](#input\_token\_bucket) | Bucket name where token is located | `string` | n/a | yes |
+| [token\_object](#input\_token\_object) | Object name of token in bucket | `string` | `"token"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [post\_templated](#output\_post\_templated) | n/a |
+| [pre\_templated](#output\_pre\_templated) | n/a |
+| [rke2\_templated](#output\_rke2\_templated) | n/a |
+
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index c41412b..644b5d7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -67,6 +67,12 @@ variable "extra_block_device_mappings" {
   ]
 }
 
+variable "extra_security_group_ids" {
+  description = "List of additional security group IDs"
+  type = list(string)
+  default = []
+}
+
 variable "servers" {
   description = "Number of servers to create"
   type = number
@@ -85,12 +91,18 @@ variable "ssh_authorized_keys" {
   default = []
 }
 
-variable "extra_security_group_ids" {
-  description = "List of additional security group IDs"
+variable "suspended_processes" {
+  description = "List of processes to suspend in the autoscaling service"
   type = list(string)
   default = []
 }
 
+variable "termination_policies" {
+  description = "List of policies to decide how the instances in the Auto Scaling Group should be terminated"
+  type = list(string)
+  default = ["Default"]
+}
+
 #
 # Controlplane Variables
 #
@@ -215,12 +227,6 @@ variable "rke2_start" {
   default = true
 }
 
-variable "termination_policies" {
-  description = "List of policies to decide how the instances in the Auto Scaling Group should be terminated"
-  type = list(string)
-  default = ["Default"]
-}
-
 #
 ### Statestore Variables
 #
diff --git a/versions.tf b/versions.tf
index 684b365..c3c2658 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,3 +1,18 @@
 terraform {
   required_version = ">= 0.13"
-}
\ No newline at end of file
+
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = ">= 4.6"
+    }
+    cloudinit = {
+      source = "hashicorp/cloudinit"
+      version = ">= 2"
+    }
+    random = {
+      source = "hashicorp/random"
+      version = ">= 3"
+    }
+  }
+}
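Review bot: The new `suspended_processes` variable in the second variables.tf hunk accepts any string, yet AWS only recognises a fixed set of scaling process names, and suspending `HealthCheck` or `ReplaceUnhealthy` stops the group from replacing failed nodes; a misspelt entry is only rejected at apply time and a valid one silently switches off the cluster's self-healing. A `validation` block that rejects unknown names, together with a description that names the consequence, surfaces both at plan time and works on the 0.13 floor declared in versions.tf. The same variable is wired through in modules/nodepool, so the check belongs at this root entry point.
```hcl
variable "suspended_processes" {
  description = "List of Auto Scaling processes to suspend; suspending HealthCheck or ReplaceUnhealthy stops the group from replacing unhealthy nodes"
  type        = list(string)
  default     = []

  validation {
    condition = length([
      for p in var.suspended_processes : p
      if !contains(["Launch", "Terminate", "HealthCheck", "ReplaceUnhealthy", "AZRebalance", "AlarmNotification", "ScheduledActions", "AddToLoadBalancer", "InstanceRefresh"], p)
    ]) == 0
    error_message = "Each entry in suspended_processes must be a valid Auto Scaling process name."
  }
}
```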
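Review bot: The `required_providers` constraints added in versions.tf are open lower bounds (`>= 4.6`, `>= 2`, `>= 3`), so a fresh `terraform init` without a committed `.terraform.lock.hcl` resolves to whatever major version is current, including releases with breaking changes the module was never tested against. A pessimistic constraint such as `version = "~> 4.6"` for aws (and `~> 2.0` / `~> 3.0` for the others) keeps upgrades within a major line, and committing the lockfile pins the provider checksums so the same bits are fetched on every machine. Both points apply to all three provider entries in this hunk.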
"size": 30,
"type": "gp2"
}