diff --git a/modules/common/cert_manager/standard/1.0/README.md b/modules/common/cert_manager/standard/1.0/README.md
index d422c12c..d362e261 100644
--- a/modules/common/cert_manager/standard/1.0/README.md
+++ b/modules/common/cert_manager/standard/1.0/README.md
@@ -14,7 +14,7 @@ This module adapts to different cloud environments:
 - **Azure**: Uses existing DNS credentials for certificate validation  
 - **GCP**: Integrates with Google Cloud DNS for certificate validation and supports GTS certificates
 
-The module automatically detects the cloud provider from `var.cc_metadata.cc_tenant_provider` and configures appropriate DNS solvers and authentication mechanisms.
+The module automatically detects the cloud provider from the `external_dns_details` input (if provided) or from `kubernetes_details.attributes.cloud_provider` and configures appropriate DNS solvers and authentication mechanisms.
 
 ## Nodepool Integration
 
diff --git a/modules/common/cert_manager/standard/1.0/facets.yaml b/modules/common/cert_manager/standard/1.0/facets.yaml
index cb69b427..b7b6ab39 100644
--- a/modules/common/cert_manager/standard/1.0/facets.yaml
+++ b/modules/common/cert_manager/standard/1.0/facets.yaml
@@ -1,6 +1,6 @@
 intent: cert_manager
 flavor: standard
-version: '1.0'
+version: '2.0'
 description: Deploys Cert Manager for managing ssl certificates
 clouds:
 - aws
@@ -30,6 +30,12 @@ inputs:
     type: '@facets/kubernetes_nodepool'
     displayName: Node Pool
     optional: false
+  external_dns_details:
+    type: '@facets/external_dns'
+    displayName: External DNS
+    optional: true
+    description: External DNS module providing DNS credentials for cert-manager DNS-01
+      challenges
 outputs:
   default:
     type: '@facets/cert_manager'
@@ -85,10 +91,12 @@ sample:
   flavor: standard
   disabled: true
   metadata: {}
-  version: '1.0'
+  version: '2.0'
   spec:
     cname_strategy: Follow
     cert_manager: {}
 iac:
   validated_files:
+  - main.tf
   - variables.tf
+  - outputs.tf
diff --git a/modules/common/cert_manager/standard/1.0/locals.tf b/modules/common/cert_manager/standard/1.0/locals.tf
index efb5f48c..15773f02 100644
--- a/modules/common/cert_manager/standard/1.0/locals.tf
+++ b/modules/common/cert_manager/standard/1.0/locals.tf
@@ -1,39 +1,70 @@
 # Define your locals here
 locals {
-  tenant_provider           = lower(try(var.cc_metadata.cc_tenant_provider, "aws"))
-  spec                      = lookup(var.instance, "spec", {})
-  user_supplied_helm_values = try(local.spec.cert_manager.values, try(var.instance.advanced.cert_manager.values, {}))
-  cert_manager              = lookup(local.spec, "cert_manager", try(var.instance.advanced.cert_manager, {}))
+  # Determine tenant provider from external_dns module output (primary) or kubernetes_details (cluster module output)
+  tenant_provider = lower(
+    try(var.inputs.external_dns_details.attributes.provider,
+    try(var.inputs.kubernetes_details.attributes.cloud_provider, "aws"))
+  )
+
+  spec     = lookup(var.instance, "spec", {})
+  advanced = lookup(var.instance, "advanced", {})
+
+  # Helm values configuration
+  cert_manager_advanced     = lookup(local.advanced, "cert_manager", {})
+  user_supplied_helm_values = lookup(local.cert_manager_advanced, "values", {})
   cert_mgr_namespace        = "cert-manager"
-  advanced                  = lookup(lookup(var.instance, "advanced", {}), "cert_manager", {})
-  cnameStrategy             = lookup(local.spec, "cname_strategy", "Follow")
-  disable_dns_validation    = lookup(local.spec, "disable_dns_validation", lookup(local.advanced, "disable_dns_validation", false))
-  user_defined_tags         = try(local.cert_manager.tags, {})
-  deploy_aws_resources      = local.tenant_provider == "aws" ? local.disable_dns_validation ? false : true : false
-  dns_providers = {
-    aws = {
+
+  # DNS validation settings
+  cnameStrategy          = lookup(local.spec, "cname_strategy", "Follow")
+  disable_dns_validation = lookup(local.spec, "disable_dns_validation", false)
+
+  # External DNS configuration (if provided)
+  external_dns     = try(var.inputs.external_dns_details.attributes, null)
+  has_external_dns = local.external_dns != null && !local.disable_dns_validation
+
+  # Build DNS provider configuration from external_dns input
+  # This creates the provider-specific configuration block for cert-manager
+  dns_providers = local.has_external_dns ? merge(
+    local.external_dns.provider == "aws" ? {
       route53 = {
-        region = try(var.cc_metadata.cc_region, null)
+        region = local.external_dns.region
         accessKeyIDSecretRef = {
-          key  = "access-key-id"
-          name = local.disable_dns_validation ? "na" : kubernetes_secret.cert_manager_r53_secret[0].metadata[0].name
+          name      = local.external_dns.secret_name
+          key       = local.external_dns.aws_access_key_id_key
+          namespace = local.external_dns.secret_namespace
         }
         secretAccessKeySecretRef = {
-          key  = "secret-access-key"
-          name = local.disable_dns_validation ? "na" : kubernetes_secret.cert_manager_r53_secret[0].metadata[0].name
+          name      = local.external_dns.secret_name
+          key       = local.external_dns.aws_secret_access_key_key
+          namespace = local.external_dns.secret_namespace
         }
       }
-    }
-    google = {
+    } : {},
+    local.external_dns.provider == "gcp" ? {
       cloudDNS = {
-        project = lookup(try(data.kubernetes_secret_v1.dns[0].data, {}), "project", "")
+        project = local.external_dns.project_id
         serviceAccountSecretRef = {
-          key  = "credentials.json"
-          name = local.disable_dns_validation ? "na" : kubernetes_secret.cert_manager_r53_secret[0].metadata[0].name
+          name      = local.external_dns.secret_name
+          key       = local.external_dns.gcp_credentials_json_key
+          namespace = local.external_dns.secret_namespace
         }
       }
-    }
-  }
+    } : {},
+    local.external_dns.provider == "azure" ? {
+      azureDNS = {
+        subscriptionID    = local.external_dns.subscription_id
+        tenantID          = local.external_dns.tenant_id
+        clientID          = local.external_dns.client_id
+        resourceGroupName = local.external_dns.resource_group_name
+        clientSecretSecretRef = {
+          name      = local.external_dns.secret_name
+          key       = local.external_dns.azure_credentials_json_key
+          namespace = local.external_dns.secret_namespace
+        }
+      }
+    } : {}
+  ) : {}
+  # Let's Encrypt DNS01 validation cluster issuers
   dns01_validations = {
     staging = {
       name = "letsencrypt-staging"
@@ -41,8 +72,8 @@ locals {
       solvers = [
         {
           dns01 = merge({
-            cnameStrategy = "Follow"
-          }, lookup(local.dns_providers, local.tenant_provider, {}))
+            cnameStrategy = local.cnameStrategy
+          }, local.dns_providers)
         },
       ]
     }
@@ -52,12 +83,14 @@ locals {
       solvers = [
         {
           dns01 = merge({
-            cnameStrategy = "Follow"
-          }, lookup(local.dns_providers, local.tenant_provider, {}))
+            cnameStrategy = local.cnameStrategy
+          }, local.dns_providers)
         },
       ]
     }
   }
+
+  # Let's Encrypt HTTP01 validation cluster issuers
   http_validations = {
     staging-http01 = {
       name = "letsencrypt-staging-http01"
@@ -68,8 +101,8 @@ locals {
             ingress = {
               podTemplate = {
                 spec = {
-                  nodeSelector = local.nodepool_labels
-                  tolerations  = local.nodepool_tolerations
+                  nodeSelector = local.nodeSelector
+                  tolerations  = local.tolerations
                 }
               }
             }
@@ -86,8 +119,8 @@ locals {
             ingress = {
               podTemplate = {
                 spec = {
-                  nodeSelector = local.nodepool_labels
-                  tolerations  = local.nodepool_tolerations
+                  nodeSelector = local.nodeSelector
+                  tolerations  = local.tolerations
                 }
               }
             }
@@ -96,12 +129,25 @@ locals {
       ]
     }
   }
-  environments = merge(local.http_validations, local.disable_dns_validation ? {} : local.dns01_validations)
+
+  # Combine HTTP and DNS validations (skip DNS if disabled)
+  environments = merge(
+    local.http_validations,
+    local.disable_dns_validation ? {} : local.dns01_validations
+  )
 
   # Nodepool configuration from inputs
-  nodepool_config      = lookup(var.inputs, "kubernetes_node_pool_details", null)
-  nodepool_tolerations = lookup(local.nodepool_config, "taints", [])
-  nodepool_labels      = lookup(local.nodepool_config, "node_selector", {})
+  nodepool_config = try(var.inputs.kubernetes_node_pool_details.attributes, null)
+
+  # Handle taints: convert null/object to empty list, ensure it's always a list
+  # taints can come as: null, {}, [], or list of objects with {key, value, effect}
+  # Check if taints exists and is a list, otherwise return empty list
+  # Use can() to safely check if we can convert to list (works for lists, fails for objects)
+  nodepool_tolerations = local.nodepool_config != null && local.nodepool_config.taints != null ? (
+    can(tolist(local.nodepool_config.taints)) ? tolist(local.nodepool_config.taints) : []
+  ) : []
+
+  nodepool_labels = local.nodepool_config != null ? try(local.nodepool_config.node_selector, {}) : {}
 
   # Use only nodepool configuration (no fallback to default tolerations)
   tolerations  = local.nodepool_tolerations
@@ -110,14 +156,5 @@ locals {
   # GTS and ACME configuration
   use_gts         = lookup(local.spec, "use_gts", false)
   gts_private_key = lookup(local.spec, "gts_private_key", "")
-  acme_email      = lookup(local.spec, "acme_email", "") != "" ? lookup(local.spec, "acme_email", "") : try(var.cluster.createdBy, null)
-}
-
-data "kubernetes_secret_v1" "dns" {
-  count = local.tenant_provider == "aws" ? 0 : 1
-  metadata {
-    name      = "facets-tenant-dns"
-    namespace = "default"
-  }
-  provider = kubernetes.release-pod
+  acme_email      = lookup(local.spec, "acme_email", "") != "" ? lookup(local.spec, "acme_email", "") : null
 }
diff --git a/modules/common/cert_manager/standard/1.0/main.tf b/modules/common/cert_manager/standard/1.0/main.tf
index 0b03b402..39654d18 100644
--- a/modules/common/cert_manager/standard/1.0/main.tf
+++ b/modules/common/cert_manager/standard/1.0/main.tf
@@ -1,92 +1,10 @@
 # Define your terraform resources here
-module "iam_user_name" {
-  count           = local.disable_dns_validation ? 0 : 1
-  source          = "github.com/Facets-cloud/facets-utility-modules//name"
-  environment     = var.environment
-  limit           = 64
-  globally_unique = false
-  resource_name   = var.inputs.kubernetes_details.attributes.cluster_name
-  resource_type   = ""
-  is_k8s          = false
-}
-
-module "iam_policy_name" {
-  count           = local.disable_dns_validation ? 0 : 1
-  source          = "github.com/Facets-cloud/facets-utility-modules//name"
-  environment     = var.environment
-  limit           = 128
-  globally_unique = false
-  resource_name   = var.inputs.kubernetes_details.attributes.cluster_name
-  resource_type   = ""
-  is_k8s          = false
-}
-
-resource "aws_iam_user" "cert_manager_iam_user" {
-  count    = local.deploy_aws_resources ? 1 : 0
-  provider = "aws3tooling"
-  name     = lower(module.iam_user_name[0].name)
-  tags     = merge(local.user_defined_tags, var.environment.cloud_tags)
-}
-
-resource "aws_iam_user_policy" "cert_manager_r53_policy" {
-  count    = local.deploy_aws_resources ? 1 : 0
-  provider = "aws3tooling"
-  name     = lower(module.iam_policy_name[0].name)
-  user     = try(aws_iam_user.cert_manager_iam_user[0].name, "na")
-  policy   = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "route53:GetChange",
-      "Resource": "arn:aws:route53:::change/*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": [
-        "route53:ChangeResourceRecordSets",
-        "route53:ListResourceRecordSets"
-      ],
-      "Resource": "arn:aws:route53:::hostedzone/${try(var.cc_metadata.tenant_base_domain_id, "*")}"
-    },
-    {
-      "Effect": "Allow",
-      "Action": "route53:ListHostedZonesByName",
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_access_key" "cert_manager_access_key" {
-  count    = local.deploy_aws_resources ? 1 : 0
-  provider = "aws3tooling"
-  user     = try(aws_iam_user.cert_manager_iam_user[0].name, "na")
-}
-
 resource "kubernetes_namespace" "namespace" {
   metadata {
     name = local.cert_mgr_namespace
   }
 }
 
-resource "kubernetes_secret" "cert_manager_r53_secret" {
-  count      = local.disable_dns_validation ? 0 : 1
-  depends_on = [kubernetes_namespace.namespace]
-  metadata {
-    name      = "${lower(module.iam_user_name[0].name)}-secret"
-    namespace = local.cert_mgr_namespace
-  }
-  data = jsondecode(local.tenant_provider == "aws" ? jsonencode({
-    "access-key-id"     = aws_iam_access_key.cert_manager_access_key[0].id
-    "secret-access-key" = aws_iam_access_key.cert_manager_access_key[0].secret
-    }) : jsonencode({
-    "credentials.json" = lookup(lookup(try(data.kubernetes_secret_v1.dns[0], {}), "data", {}), "credentials.json", "{}")
-  }))
-}
-
 resource "helm_release" "cert_manager" {
   depends_on = [kubernetes_namespace.namespace]
   name       = "cert-manager"
@@ -94,18 +12,15 @@ resource "helm_release" "cert_manager" {
   chart            = "${path.module}/cert-manager-v1.17.1.tgz"
   namespace        = local.cert_mgr_namespace
   create_namespace = false
-  # version          = lookup(local.cert_manager, "version", "1.13.3")
-  cleanup_on_fail = lookup(local.cert_manager, "cleanup_on_fail", true)
-  wait            = lookup(local.cert_manager, "wait", true)
-  atomic          = lookup(local.cert_manager, "atomic", false)
-  timeout         = lookup(local.cert_manager, "timeout", 600)
-  recreate_pods   = lookup(local.cert_manager, "recreate_pods", false)
+  # version          = lookup(local.cert_manager_advanced, "version", "1.13.3")
+  cleanup_on_fail = lookup(local.cert_manager_advanced, "cleanup_on_fail", true)
+  wait            = lookup(local.cert_manager_advanced, "wait", true)
+  atomic          = lookup(local.cert_manager_advanced, "atomic", false)
+  timeout         = lookup(local.cert_manager_advanced, "timeout", 600)
+  recreate_pods   = lookup(local.cert_manager_advanced, "recreate_pods", false)
 
   values = [
-    <<EOF
-prometheus_id: ${try(var.inputs.prometheus_details.attributes.helm_release_id, "")}
-EOF
-    , yamlencode({
+    yamlencode({
       installCRDs  = true
       nodeSelector = local.nodeSelector
       tolerations  = local.tolerations
@@ -195,7 +110,7 @@ module "cluster-issuer-gts-prod" {
     spec = {
       acme = {
         email                       = local.acme_email
-        server                      = local.use_gts ? "https://dv.acme-v02.api.pki.goog/directory" : "https://acme-v02.api.letsencrypt.org/directory"
+        server                      = "https://dv.acme-v02.api.pki.goog/directory"
         disableAccountKeyGeneration = true
         privateKeySecretRef = {
           name = kubernetes_secret.google-trust-services-prod-account-key[0].metadata[0].name
@@ -204,7 +119,7 @@ module "cluster-issuer-gts-prod" {
           {
             dns01 = merge({
               cnameStrategy = local.cnameStrategy
-            }, lookup(local.dns_providers, local.tenant_provider, {}))
+            }, local.dns_providers)
           },
         ]
       }
diff --git a/modules/common/cert_manager/standard/1.0/outputs.tf b/modules/common/cert_manager/standard/1.0/outputs.tf
index dd293c2e..41f8132d 100644
--- a/modules/common/cert_manager/standard/1.0/outputs.tf
+++ b/modules/common/cert_manager/standard/1.0/outputs.tf
@@ -1,10 +1,26 @@
 locals {
   output_attributes = {
+    # Primary cluster issuers for DNS01 and HTTP01 validation
     cluster_issuer_dns  = local.use_gts ? "gts-production" : "letsencrypt-prod"
     cluster_issuer_http = local.use_gts ? "gts-production-http01" : "letsencrypt-prod-http01"
-    use_gts             = local.use_gts
-    namespace           = local.cert_mgr_namespace
-  }
-  output_interfaces = {
+
+    # All available cluster issuers
+    cluster_issuers = {
+      dns_staging     = local.use_gts ? null : "letsencrypt-staging"
+      dns_production  = local.use_gts ? "gts-production" : "letsencrypt-prod"
+      http_staging    = "letsencrypt-staging-http01"
+      http_production = local.use_gts ? "gts-production-http01" : "letsencrypt-prod-http01"
+    }
+
+    # Configuration details
+    namespace          = local.cert_mgr_namespace
+    use_gts            = local.use_gts
+    has_dns_validation = local.has_external_dns
+    dns_provider       = local.has_external_dns ? local.external_dns.provider : null
+
+    # Helm release information
+    helm_release_name = helm_release.cert_manager.name
+    helm_release_id   = helm_release.cert_manager.id
   }
+  output_interfaces = {}
 }
\ No newline at end of file
diff --git a/modules/common/cert_manager/standard/1.0/variables.tf b/modules/common/cert_manager/standard/1.0/variables.tf
index a3502d27..a212aa09 100644
--- a/modules/common/cert_manager/standard/1.0/variables.tf
+++ b/modules/common/cert_manager/standard/1.0/variables.tf
@@ -1,29 +1,100 @@
-variable "instance" {
-  type = any
-
-  validation {
-    condition     = contains(["Follow", "None"], var.instance.spec.cname_strategy)
-    error_message = "cname_strategy must be either 'Follow' or 'None'."
-  }
-
-  validation {
-    condition     = lookup(var.instance.spec, "use_gts", false) ? lookup(var.instance.spec, "gts_private_key", "") != "" : true
-    error_message = "gts_private_key is required when use_gts is enabled."
-  }
-}
-
 variable "instance_name" {
-  type    = string
-  default = "test_instance"
+  description = "The architectural name for the resource as added in the Facets blueprint designer."
+  type        = string
+  default     = "cert-manager"
 }
 
 variable "environment" {
-  type = any
+  description = "An object containing details about the environment."
+  type = object({
+    name        = optional(string)
+    unique_name = optional(string)
+    namespace   = optional(string, "default")
+  })
   default = {
     namespace = "default"
   }
 }
 
+variable "instance" {
+  description = "The cert-manager resource instance configuration"
+  type = object({
+    kind     = optional(string)
+    flavor   = optional(string)
+    version  = optional(string)
+    disabled = optional(bool, false)
+    spec = optional(object({
+      # ACME configuration
+      acme_email             = optional(string, "")
+      cname_strategy         = optional(string, "Follow")
+      disable_dns_validation = optional(bool, false)
+      # Google Trust Services (GTS) configuration
+      use_gts         = optional(bool, false)
+      gts_private_key = optional(string, "")
+    }), {})
+    advanced = optional(object({
+      cert_manager = optional(object({
+        cleanup_on_fail = optional(bool, true)
+        wait            = optional(bool, true)
+        atomic          = optional(bool, false)
+        timeout         = optional(number, 600)
+        recreate_pods   = optional(bool, false)
+        values          = optional(map(any), {})
+      }), {})
+    }), {})
+  })
+  default = {}
+}
+
 variable "inputs" {
-  type = any
+  description = "Input dependencies from other modules"
+  type = object({
+    # Kubernetes cluster details (required)
+    kubernetes_details = object({
+      attributes = object({
+        cluster_name        = string
+        cluster_endpoint    = optional(string)
+        cloud_provider      = optional(string)
+        resource_group_name = optional(string) # Azure resource group name (Azure only)
+      })
+      interfaces = optional(any)
+    })
+    # External DNS details (optional - required for DNS01 validation)
+    external_dns_details = optional(object({
+      attributes = object({
+        provider         = string # "aws", "gcp", or "azure"
+        secret_name      = string
+        secret_namespace = string
+        region           = optional(string, "")
+        # AWS-specific fields
+        aws_access_key_id_key     = optional(string, "")
+        aws_secret_access_key_key = optional(string, "")
+        hosted_zone_id            = optional(string, "")
+        # GCP-specific fields
+        gcp_credentials_json_key = optional(string, "")
+        project_id               = optional(string, "")
+        # Azure-specific fields
+        azure_credentials_json_key = optional(string, "")
+        subscription_id            = optional(string, "")
+        tenant_id                  = optional(string, "")
+        client_id                  = optional(string, "")
+        resource_group_name        = optional(string, "")
+      })
+    }), null)
+    # Prometheus details (optional - for monitoring)
+    prometheus_details = optional(object({
+      attributes = object({
+        helm_release_id = optional(string, "")
+      })
+    }), null)
+    # Node pool details (optional - for dedicated scheduling)
+    kubernetes_node_pool_details = optional(object({
+      attributes = optional(object({
+        node_selector = optional(map(string), {})
+        # taints can be null, empty list, or list of taint objects
+        # Using any type to handle all cases, conversion happens in locals.tf
+        taints = optional(any, null)
+      }), {})
+    }), null)
+  })
 }
diff --git a/modules/external_dns/aws/1.0/facets.yaml b/modules/external_dns/aws/1.0/facets.yaml
new file mode 100644
index 00000000..159368d4
--- /dev/null
+++ b/modules/external_dns/aws/1.0/facets.yaml
@@ -0,0 +1,49 @@
+intent: external_dns
+flavor: aws
+version: '1.0'
+description: Manages DNS credentials and IAM resources for Route53 DNS operations
+  in Kubernetes clusters
+clouds:
+- aws
+inputs:
+  kubernetes_details:
+    optional: false
+    type: '@facets/kubernetes-details'
+    displayName: Kubernetes Cluster
+    default:
+      resource_type: kubernetes_cluster
+      resource_name: default
+    providers:
+    - kubernetes
+  cloud_account:
+    optional: false
+    type: '@facets/aws_cloud_account'
+    displayName: AWS Cloud Account
+    providers:
+    - aws
+spec:
+  title: External DNS Controller for AWS Route53
+  description: Manages DNS credentials and IAM resources for Route53 DNS operations
+  type: object
+  properties:
+    hosted_zone_id:
+      type: string
+      title: Route53 Hosted Zone ID
+      description: AWS Route53 hosted zone ID for DNS operations
+      x-ui-overrides-only: true
+  required: []
+outputs:
+  default:
+    type: '@facets/external_dns'
+    title: External DNS Details
+sample:
+  kind: external_dns
+  flavor: aws
+  version: '1.0'
+  disabled: true
+  spec: {}
+iac:
+  validated_files:
+  - main.tf
+  - variables.tf
+  - outputs.tf
diff --git a/modules/external_dns/aws/1.0/locals.tf b/modules/external_dns/aws/1.0/locals.tf
new file mode 100644
index 00000000..2f87d7bb
--- /dev/null
+++ b/modules/external_dns/aws/1.0/locals.tf
@@ -0,0 +1,49 @@
+locals {
+  spec    = lookup(var.instance, "spec", {})
+  advanced = lookup(var.instance, "advanced", {})
+
+  # DNS configuration
+  hosted_zone_id = lookup(local.spec, "hosted_zone_id", "*")
+  domain_filters = lookup(local.spec, "domain_filters", [])
+  zone_type      = lookup(local.spec, "zone_type", "public")
+
+  # Cluster details
+  cluster_name   = var.inputs.kubernetes_details.attributes.cluster_name
+  aws_region     = var.inputs.cloud_account.attributes.aws_region
+
+  # Namespace and secret
+  namespace      = "external-dns"
+  secret_name    = "${lower(var.instance_name)}-dns-secret"
+
+  # Helm configuration
+  externaldns               = lookup(local.advanced, "externaldns", {})
+  helm_version              = lookup(local.externaldns, "version", "6.28.5")
+  cleanup_on_fail           = lookup(local.externaldns, "cleanup_on_fail", true)
+  wait                      = lookup(local.externaldns, "wait", false)
+  atomic                    = lookup(local.externaldns, "atomic", false)
+  timeout                   = lookup(local.externaldns, "timeout", 300)
+  recreate_pods             = lookup(local.externaldns, "recreate_pods", false)
+  user_supplied_helm_values = lookup(local.externaldns, "values", {})
+
+  # Chart source configuration (configurable with fallback)
+  chart_path       = lookup(local.externaldns, "chart_path", "")
+  use_local_chart  = local.chart_path != ""
+  chart_source     = local.use_local_chart ? local.chart_path : "external-dns"
+  chart_repository = lookup(local.externaldns, "chart_repository", "oci://registry-1.docker.io/bitnamicharts")
+
+  # Image configuration (configurable with fallback)
+  image_registry   = lookup(local.externaldns, "image_registry", "docker.io")
+  image_repository = lookup(local.externaldns, "image_repository", "bitnami/external-dns")
+  image_tag        = lookup(local.externaldns, "image_tag", "")
+
+  # Node scheduling
+  node_selector = try(
+    var.inputs.kubernetes_node_pool_details.attributes.node_selector,
+    {}
+  )
+  tolerations = concat(
+    try(var.environment.default_tolerations, []),
+    try(var.inputs.kubernetes_node_pool_details.attributes.taints, [])
+  )
+}
+
diff --git a/modules/external_dns/aws/1.0/main.tf b/modules/external_dns/aws/1.0/main.tf
new file mode 100644
index 00000000..9d4a9160
--- /dev/null
+++ b/modules/external_dns/aws/1.0/main.tf
@@ -0,0 +1,162 @@
+# Name generation for IAM resources
+module "iam_user_name" {
+  source          = "github.com/Facets-cloud/facets-utility-modules//name"
+  environment     = var.environment
+  limit           = 64
+  globally_unique = false
+  resource_name   = local.cluster_name
+  resource_type   = "external-dns"
+  is_k8s          = false
+}
+
+module "iam_policy_name" {
+  source          = "github.com/Facets-cloud/facets-utility-modules//name"
+  environment     = var.environment
+  limit           = 128
+  globally_unique = false
+  resource_name   = local.cluster_name
+  resource_type   = "external-dns-policy"
+  is_k8s          = false
+}
+
+module "helm_name" {
+  source          = "github.com/Facets-cloud/facets-utility-modules//name"
+  environment     = var.environment
+  limit           = 53
+  globally_unique = false
+  resource_name   = var.instance_name
+  resource_type   = "externaldns"
+  is_k8s          = true
+}
+
+# IAM User for Route53 access
+resource "aws_iam_user" "external_dns_user" {
+  name = lower(module.iam_user_name.name)
+  tags = merge(var.environment.cloud_tags, {
+    Name      = "external-dns-${local.cluster_name}"
+    Purpose   = "Route53 DNS management"
+    ManagedBy = "facets"
+  })
+}
+
+# IAM Policy for Route53 permissions
+resource "aws_iam_user_policy" "external_dns_r53_policy" {
+  name = lower(module.iam_policy_name.name)
+  user = aws_iam_user.external_dns_user.name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = "route53:GetChange"
+        Resource = "arn:aws:route53:::change/*"
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "route53:ChangeResourceRecordSets",
+          "route53:ListResourceRecordSets"
+        ]
+        Resource = "arn:aws:route53:::hostedzone/${local.hosted_zone_id}"
+      },
+      {
+        Effect   = "Allow"
+        Action   = "route53:ListHostedZonesByName"
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+# IAM Access Key
+resource "aws_iam_access_key" "external_dns_access_key" {
+  user = aws_iam_user.external_dns_user.name
+}
+
+# Kubernetes namespace for external-dns
+resource "kubernetes_namespace" "namespace" {
+  metadata {
+    name = local.namespace
+  }
+}
+
+# Kubernetes secret with Route53 credentials
+resource "kubernetes_secret" "external_dns_r53_secret" {
+  depends_on = [kubernetes_namespace.namespace]
+  metadata {
+    name      = local.secret_name
+    namespace = local.namespace
+  }
+  data = {
+    "access-key-id"     = aws_iam_access_key.external_dns_access_key.id
+    "secret-access-key" = aws_iam_access_key.external_dns_access_key.secret
+  }
+}
+
+# Deploy external-dns Helm chart
+resource "helm_release" "external_dns" {
+  depends_on       = [kubernetes_secret.external_dns_r53_secret]
+  name             = module.helm_name.name
+  chart            = "external-dns"
+  repository       = "oci://registry-1.docker.io/bitnamicharts"
+  version          = local.helm_version
+  namespace        = local.namespace
+  create_namespace = false
+  cleanup_on_fail  = local.cleanup_on_fail
+  wait             = local.wait
+  atomic           = local.atomic
+  timeout          = local.timeout
+  recreate_pods    = local.recreate_pods
+
+  values = [
+    yamlencode({
+      provider      = "aws"
+      txtOwnerId    = "${module.helm_name.name}-${var.environment.unique_name}"
+      txtSuffix     = var.environment.unique_name
+      policy        = "sync"
+      domainFilters = local.domain_filters
+      priorityClassName = "facets-critical"
+
+      image = {
+        registry   = "docker.io"
+        repository = "bitnamilegacy/external-dns"
+      }
+
+      resources = {
+        limits = {
+          cpu    = "500m"
+          memory = "500Mi"
+        }
+        requests = {
+          cpu    = "100m"
+          memory = "100Mi"
+        }
+      }
+
+      metrics = {
+        serviceMonitor = {
+          enabled = true
+        }
+      }
+
+      aws = {
+        region    = local.aws_region
+        zoneType  = local.zone_type
+        credentials = {
+          accessKeyIDSecretRef = {
+            name = local.secret_name
+            key  = "access-key-id"
+          }
+          secretAccessKeySecretRef = {
+            name = local.secret_name
+            key  = "secret-access-key"
+          }
+        }
+      }
+
+      nodeSelector = local.node_selector
+      tolerations  = local.tolerations
+    }),
+    yamlencode(local.user_supplied_helm_values)
+  ]
+}
diff --git a/modules/external_dns/aws/1.0/outputs.tf b/modules/external_dns/aws/1.0/outputs.tf
new file mode 100644
index 00000000..8b2356f5
--- /dev/null
+++ b/modules/external_dns/aws/1.0/outputs.tf
@@ -0,0 +1,19 @@
+locals {
+  output_attributes = {
+    secret_name                = kubernetes_secret.external_dns_r53_secret.metadata[0].name
+    secret_namespace           = local.namespace
+    aws_access_key_id_key      = "access-key-id"
+    aws_secret_access_key_key  = "secret-access-key"
+    gcp_credentials_json_key   = ""
+    azure_credentials_json_key = ""
+    hosted_zone_id             = local.hosted_zone_id
+    region                     = local.aws_region
+    provider                   = "aws"
+    subscription_id            = ""
+    tenant_id                  = ""
+    client_id                  = ""
+    resource_group_name        = ""
+    project_id                 = ""
+  }
+  output_interfaces = {}
+}
diff --git a/modules/external_dns/aws/1.0/variables.tf b/modules/external_dns/aws/1.0/variables.tf
new file mode 100644
index 00000000..e4746dff
--- /dev/null
+++ b/modules/external_dns/aws/1.0/variables.tf
@@ -0,0 +1,80 @@
+variable "instance_name" {
+  description = "The architectural name for the resource as added in the Facets blueprint designer."
+  type        = string
+  default     = "test_instance"
+}
+
+variable "environment" {
+  description = "An object containing details about the environment."
+  type = object({
+    name                = optional(string)
+    unique_name         = optional(string)
+    cloud_tags          = optional(map(string), {})
+    namespace           = optional(string, "default")
+    default_tolerations = optional(list(any), [])
+  })
+  default = {
+    namespace = "default"
+  }
+}
+
+#########################################################################
+# Instance Configuration Schema                                         #
+#                                                                       #
+# Matches the spec defined in facets.yaml                              #
+#########################################################################
+
+variable "instance" {
+  description = "The external DNS resource instance configuration"
+  type = object({
+    kind     = optional(string)
+    flavor   = optional(string)
+    version  = optional(string)
+    disabled = optional(bool, false)
+    spec = optional(object({
+      hosted_zone_id = optional(string, "*")
+      domain_filters = optional(list(string), [])
+      zone_type      = optional(string, "public")
+    }), {})
+    advanced = optional(object({
+      externaldns = optional(object({
+        version         = optional(string, "6.28.5")
+        cleanup_on_fail = optional(bool, true)
+        wait            = optional(bool, false)
+        atomic          = optional(bool, false)
+        timeout         = optional(number, 300)
+        recreate_pods   = optional(bool, false)
+        values          = optional(map(any), {})
+      }), {})
+    }), {})
+  })
+}
+
+
+
+variable "inputs" {
+  description = "Input dependencies from other modules"
+  type = object({
+    kubernetes_details = object({
+      attributes = object({
+        cluster_name     = string
+        cluster_endpoint = optional(string)
+        cloud_provider   = optional(string)
+      })
+      interfaces = optional(any)
+    })
+    cloud_account = object({
+      attributes = object({
+        aws_region   = string
+        aws_iam_role = optional(string)
+        external_id  = optional(string)
+      })
+    })
+    kubernetes_node_pool_details = optional(object({
+      attributes = optional(object({
+        node_selector = optional(map(string), {})
+        taints        = optional(list(any), [])
+      }), {})
+    }), null)
+  })
+}
diff --git a/modules/external_dns/azure/1.0/facets.yaml b/modules/external_dns/azure/1.0/facets.yaml
new file mode 100644
index 00000000..265a944b
--- /dev/null
+++ b/modules/external_dns/azure/1.0/facets.yaml
@@ -0,0 +1,48 @@
+intent: external_dns
+flavor: azure
+version: '1.0'
+description: Manages DNS credentials for Azure DNS operations in Kubernetes clusters
+clouds:
+- azure
+inputs:
+  kubernetes_details:
+    optional: false
+    type: '@facets/kubernetes-details'
+    displayName: Kubernetes Cluster
+    default:
+      resource_type: kubernetes_cluster
+      resource_name: default
+    providers:
+    - kubernetes
+    - helm
+  cloud_account:
+    optional: false
+    type: '@facets/azure_cloud_account'
+    displayName: Azure Cloud Account
+    providers:
+    - azurerm
+  kubernetes_node_pool_details:
+    type: '@facets/kubernetes_nodepool'
+    displayName: Node Pool
+    optional: false
+spec:
+  title: External DNS Controller for Azure DNS
+  description: Manages DNS credentials for Azure DNS operations
+  type: object
+  properties: {}
+  required: []
+outputs:
+  default:
+    type: '@facets/external_dns'
+    title: External DNS Details
+sample:
+  kind: external_dns
+  flavor: azure
+  version: '1.0'
+  disabled: true
+  spec: {}
+iac:
+  validated_files:
+  - main.tf
+  - variables.tf
+  - outputs.tf
diff --git a/modules/external_dns/azure/1.0/locals.tf b/modules/external_dns/azure/1.0/locals.tf
new file mode 100644
index 00000000..69b876a1
--- /dev/null
+++ b/modules/external_dns/azure/1.0/locals.tf
@@ -0,0 +1,72 @@
+locals {
+  spec     = lookup(var.instance, "spec", {})
+  advanced = lookup(var.instance, "advanced", {})
+
+  # Namespace and secret
+  namespace   = "external-dns"
+  secret_name = "${lower(var.instance_name)}-dns-secret"
+
+  # Azure account details (from cloud_account module)
+  subscription_id = var.inputs.cloud_account.attributes.subscription_id
+  tenant_id       = var.inputs.cloud_account.attributes.tenant_id
+  client_id       = var.inputs.cloud_account.attributes.client_id
+
+  # Resource group comes from kubernetes_details (AKS → network module)
+  resource_group_name = var.inputs.kubernetes_details.attributes.resource_group_name
+
+  # Region comes from cluster_location (AKS region) or network_details
+  region = try(
+    var.inputs.kubernetes_details.attributes.cluster_location,
+    var.inputs.kubernetes_details.attributes.network_details.region,
+    ""
+  )
+
+  # DNS configuration
+  domain_filters = lookup(local.spec, "domain_filters", [])
+
+  # Helm configuration
+  externaldns               = lookup(local.advanced, "externaldns", {})
+  helm_version              = lookup(local.externaldns, "version", "1.14.5")
+  cleanup_on_fail           = lookup(local.externaldns, "cleanup_on_fail", true)
+  wait                      = lookup(local.externaldns, "wait", false)
+  atomic                    = lookup(local.externaldns, "atomic", false)
+  timeout                   = lookup(local.externaldns, "timeout", 300)
+  recreate_pods             = lookup(local.externaldns, "recreate_pods", false)
+  user_supplied_helm_values = lookup(local.externaldns, "values", {})
+
+  # Chart source configuration (configurable with fallback)
+  # Default to official Kubernetes SIGs external-dns Helm chart
+  chart_path       = lookup(local.externaldns, "chart_path", "")
+  use_local_chart  = local.chart_path != ""
+  chart_source     = local.use_local_chart ? local.chart_path : "external-dns"
+  chart_repository = lookup(local.externaldns, "chart_repository", "https://kubernetes-sigs.github.io/external-dns")
+
+  # Image configuration (configurable with fallback)
+  # Default to official external-dns image from registry.k8s.io
+  image_registry   = lookup(local.externaldns, "image_registry", "registry.k8s.io")
+  image_repository = lookup(local.externaldns, "image_repository", "external-dns/external-dns")
+  image_tag        = lookup(local.externaldns, "image_tag", "")
+
+  # Priority class configuration
+  # Allow override via advanced config, default to "facets-critical"
+  # Users can set advanced.externaldns.priority_class_name to use a different priority class
+  priority_class_name = lookup(local.externaldns, "priority_class_name", "facets-critical")
+
+  # Node scheduling
+  node_selector = try(
+    var.inputs.kubernetes_node_pool_details.attributes.node_selector,
+    {}
+  )
+  # Handle taints: convert null/object to empty list, ensure it's always a list
+  # taints can come as: null, {}, [], or list of objects with {key, value, effect}
+  # Check if taints exists and is a list, otherwise return empty list
+  nodepool_taints = try(
+    var.inputs.kubernetes_node_pool_details.attributes.taints,
+    null
+  )
+  tolerations = concat(
+    try(var.environment.default_tolerations, []),
+    local.nodepool_taints != null && can(tolist(local.nodepool_taints)) ? tolist(local.nodepool_taints) : []
+  )
+}
+
diff --git a/modules/external_dns/azure/1.0/main.tf b/modules/external_dns/azure/1.0/main.tf
new file mode 100644
index 00000000..b1fe08a0
--- /dev/null
+++ b/modules/external_dns/azure/1.0/main.tf
@@ -0,0 +1,153 @@
+module "helm_name" {
+  source          = "github.com/Facets-cloud/facets-utility-modules//name"
+  environment     = var.environment
+  limit           = 53
+  globally_unique = false
+  resource_name   = var.instance_name
+  resource_type   = "externaldns"
+  is_k8s          = true
+}
+
+# Kubernetes namespace for external-dns
+resource "kubernetes_namespace" "namespace" {
+  metadata {
+    name = local.namespace
+  }
+}
+
+# Kubernetes secret with Azure DNS credentials
+# cert-manager expects the client secret in a key named "client-secret"
+resource "kubernetes_secret" "external_dns_azure_secret" {
+  depends_on = [kubernetes_namespace.namespace]
+  metadata {
+    name      = local.secret_name
+    namespace = local.namespace
+  }
+  data = {
+    # cert-manager azureDNS solver expects the key to be "client-secret"
+    # Use client_secret directly from cloud_account input
+    "client-secret" = var.inputs.cloud_account.attributes.client_secret
+  }
+}
+
+# Create azure.json ConfigMap for kubernetes-sigs external-dns chart
+# The official chart expects Azure credentials in /etc/kubernetes/azure.json file
+resource "kubernetes_config_map" "azure_json" {
+  depends_on = [kubernetes_namespace.namespace]
+  metadata {
+    name      = "${module.helm_name.name}-azure-config"
+    namespace = local.namespace
+  }
+  data = {
+    "azure.json" = jsonencode({
+      tenantId        = local.tenant_id
+      subscriptionId  = local.subscription_id
+      resourceGroup   = local.resource_group_name
+      aadClientId     = local.client_id
+      aadClientSecret = var.inputs.cloud_account.attributes.client_secret
+    })
+  }
+}
+
+# Deploy external-dns Helm chart
+resource "helm_release" "external_dns" {
+  depends_on = [
+    kubernetes_secret.external_dns_azure_secret,
+    kubernetes_config_map.azure_json
+  ]
+  name             = module.helm_name.name
+  chart            = local.chart_source
+  repository       = local.chart_repository
+  version          = local.helm_version
+  namespace        = local.namespace
+  create_namespace = false
+  cleanup_on_fail  = local.cleanup_on_fail
+  wait             = local.wait
+  atomic           = local.atomic
+  timeout          = local.timeout
+  recreate_pods    = local.recreate_pods
+
+  values = [
+    yamlencode({
+      # Provider configuration
+      provider = "azure"
+      policy   = "sync"
+
+      # Domain filters
+      domainFilters = local.domain_filters
+
+      # TXT record configuration
+      txtOwnerId = "${module.helm_name.name}-${var.environment.unique_name}"
+      txtSuffix  = var.environment.unique_name
+
+      # Service account configuration
+      serviceAccount = {
+        create = true
+        name   = module.helm_name.name
+      }
+
+      # Image configuration (official external-dns image)
+      image = local.image_tag != "" ? {
+        registry   = local.image_registry
+        repository = local.image_repository
+        tag        = local.image_tag
+        } : {
+        registry   = local.image_registry
+        repository = local.image_repository
+      }
+
+      # Resource limits
+      resources = {
+        limits = {
+          cpu    = "500m"
+          memory = "500Mi"
+        }
+        requests = {
+          cpu    = "100m"
+          memory = "100Mi"
+        }
+      }
+
+      # Metrics configuration
+      metrics = {
+        serviceMonitor = {
+          enabled = true
+        }
+      }
+
+      # Azure provider configuration
+      # kubernetes-sigs chart expects credentials via azure.json file mounted as volume
+      azure = {
+        resourceGroup = local.resource_group_name
+        # Note: tenantId, subscriptionId, aadClientId, aadClientSecret are read from
+        # /etc/kubernetes/azure.json file mounted via extraVolumes/extraVolumeMounts
+      }
+
+      # Mount azure.json ConfigMap as volume
+      extraVolumes = [
+        {
+          name = "azure-config"
+          configMap = {
+            name = kubernetes_config_map.azure_json.metadata[0].name
+          }
+        }
+      ]
+
+      extraVolumeMounts = [
+        {
+          name      = "azure-config"
+          mountPath = "/etc/kubernetes"
+          readOnly  = true
+        }
+      ]
+
+      # Node scheduling
+      nodeSelector = local.node_selector
+      tolerations  = local.tolerations
+
+      # Priority class
+      priorityClassName = local.priority_class_name
+    }),
+    yamlencode(local.user_supplied_helm_values)
+  ]
+}
diff --git a/modules/external_dns/azure/1.0/outputs.tf b/modules/external_dns/azure/1.0/outputs.tf
new file mode 100644
index 00000000..ab0fddfb
--- /dev/null
+++ b/modules/external_dns/azure/1.0/outputs.tf
@@ -0,0 +1,28 @@
+locals {
+  output_attributes = {
+    # Secret information (created by this module)
+    secret_name                = kubernetes_secret.external_dns_azure_secret.metadata[0].name
+    secret_namespace           = local.namespace
+    azure_credentials_json_key = "client-secret"
+
+    # Cloud provider identifier
+    provider = "azure"
+
+    # Azure account details (from cloud_account module via locals)
+    subscription_id     = local.subscription_id
+    tenant_id           = local.tenant_id
+    client_id           = local.client_id
+    resource_group_name = local.resource_group_name
+
+    # Region (from AKS cluster)
+    region = local.region
+
+    # Empty fields for other cloud providers
+    aws_access_key_id_key     = ""
+    aws_secret_access_key_key = ""
+    gcp_credentials_json_key  = ""
+    hosted_zone_id            = ""
+    project_id                = ""
+  }
+  output_interfaces = {}
+}
\ No newline at end of file
diff --git a/modules/external_dns/azure/1.0/variables.tf b/modules/external_dns/azure/1.0/variables.tf
new file mode 100644
index 00000000..10d6c5bf
--- /dev/null
+++ b/modules/external_dns/azure/1.0/variables.tf
@@ -0,0 +1,63 @@
+variable "instance_name" {
+  description = "The architectural name for the resource as added in the Facets blueprint designer."
+  type        = string
+  default     = "test_instance"
+}
+
+variable "environment" {
+  description = "An object containing details about the environment."
+  type = object({
+    name        = optional(string)
+    unique_name = optional(string)
+    cloud_tags  = optional(map(string), {})
+    namespace   = optional(string, "default")
+  })
+  default = {
+    namespace = "default"
+  }
+}
+
+variable "instance" {
+  description = "The external DNS resource instance configuration"
+  type = object({
+    kind     = optional(string)
+    flavor   = optional(string)
+    version  = optional(string)
+    disabled = optional(bool, false)
+    spec     = optional(object({}), {})
+  })
+}
+
+variable "inputs" {
+  description = "Input dependencies from other modules"
+  type = object({
+    kubernetes_details = object({
+      attributes = object({
+        cluster_name        = string
+        cluster_endpoint    = optional(string)
+        cloud_provider      = optional(string)
+        resource_group_name = string           # Comes from AKS cluster (which gets it from network module)
+        cluster_location    = optional(string) # Azure region
+        network_details = optional(object({
+          resource_group_name = optional(string)
+          region              = optional(string)
+        }), {})
+      })
+      interfaces = optional(any)
+    })
+    cloud_account = object({
+      attributes = object({
+        subscription_id = string
+        tenant_id       = string
+        client_id       = string
+        client_secret   = string
+      })
+    })
+    kubernetes_node_pool_details = optional(object({
+      attributes = optional(object({
+        node_selector = optional(map(string), {})
+        taints        = optional(any, null)
+      }), {})
+    }), null)
+  })
+}
diff --git a/modules/external_dns/gcp/1.0/facets.yaml b/modules/external_dns/gcp/1.0/facets.yaml
new file mode 100644
index 00000000..510a05a5
--- /dev/null
+++ b/modules/external_dns/gcp/1.0/facets.yaml
@@ -0,0 +1,43 @@
+intent: external_dns
+flavor: gcp
+version: '1.0'
+description: Manages DNS credentials and service account for Google Cloud DNS operations in Kubernetes clusters
+clouds:
+- gcp
+inputs:
+  kubernetes_details:
+    optional: false
+    type: '@facets/kubernetes-details'
+    displayName: Kubernetes Cluster
+    default:
+      resource_type: kubernetes_cluster
+      resource_name: default
+    providers:
+    - kubernetes
+  cloud_account:
+    optional: false
+    type: '@facets/gcp_cloud_account'
+    displayName: GCP Cloud Account
+    providers:
+    - google
+spec:
+  title: External DNS Controller for GCP Cloud DNS
+  description: Manages DNS credentials and service account for Google Cloud DNS operations
+  type: object
+  properties: {}
+  required: []
+outputs:
+  default:
+    type: '@facets/external_dns'
+    title: External DNS Details
+sample:
+  kind: external_dns
+  flavor: gcp
+  version: '1.0'
+  disabled: true
+  spec: {}
+iac:
+  validated_files:
+  - main.tf
+  - variables.tf
+  - outputs.tf
diff --git a/modules/external_dns/gcp/1.0/locals.tf b/modules/external_dns/gcp/1.0/locals.tf
new file mode 100644
index 00000000..23da20eb
--- /dev/null
+++ b/modules/external_dns/gcp/1.0/locals.tf
@@ -0,0 +1,48 @@
+locals {
+  spec     = lookup(var.instance, "spec", {})
+  advanced = lookup(var.instance, "advanced", {})
+
+  # DNS configuration
+  domain_filters    = lookup(local.spec, "domain_filters", [])
+  zone_visibility   = lookup(local.spec, "zone_visibility", "")
+  batch_change_size = lookup(local.spec, "batch_change_size", 1000)
+
+  # Namespace and secret
+  namespace   = "external-dns"
+  secret_name = "${lower(var.instance_name)}-dns-secret"
+
+  # Project ID can come from kubernetes_details (GKE) or cloud_account
+  project_id = try(
+    var.inputs.kubernetes_details.attributes.project_id,
+    var.inputs.cloud_account.attributes.project_id,
+    var.inputs.cloud_account.attributes.project,
+    ""
+  )
+  # Region can come from kubernetes_details (GKE) or cloud_account
+  region = try(
+    var.inputs.kubernetes_details.attributes.region,
+    var.inputs.cloud_account.attributes.region,
+    "us-central1"
+  )
+
+  # Helm configuration
+  externaldns               = lookup(local.advanced, "externaldns", {})
+  helm_version              = lookup(local.externaldns, "version", "6.28.5")
+  cleanup_on_fail           = lookup(local.externaldns, "cleanup_on_fail", true)
+  wait                      = lookup(local.externaldns, "wait", false)
+  atomic                    = lookup(local.externaldns, "atomic", false)
+  timeout                   = lookup(local.externaldns, "timeout", 300)
+  recreate_pods             = lookup(local.externaldns, "recreate_pods", false)
+  user_supplied_helm_values = lookup(local.externaldns, "values", {})
+
+  # Node scheduling
+  node_selector = try(
+    var.inputs.kubernetes_node_pool_details.attributes.node_selector,
+    {}
+  )
+  tolerations = concat(
+    try(var.environment.default_tolerations, []),
+    try(var.inputs.kubernetes_node_pool_details.attributes.taints, [])
+  )
+}
+
diff --git a/modules/external_dns/gcp/1.0/main.tf b/modules/external_dns/gcp/1.0/main.tf
new file mode 100644
index 00000000..7a0c5497
--- /dev/null
+++ b/modules/external_dns/gcp/1.0/main.tf
@@ -0,0 +1,101 @@
+module "helm_name" {
+  source          = "github.com/Facets-cloud/facets-utility-modules//name"
+  environment     = var.environment
+  limit           = 53
+  globally_unique = false
+  resource_name   = var.instance_name
+  resource_type   = "externaldns"
+  is_k8s          = true
+}
+
+# Kubernetes namespace for external-dns
+resource "kubernetes_namespace" "namespace" {
+  metadata {
+    name = local.namespace
+  }
+}
+
+# Read existing DNS credentials secret (created by platform)
+data "kubernetes_secret_v1" "dns" {
+  metadata {
+    name      = "facets-tenant-dns"
+    namespace = "default"
+  }
+}
+
+# Kubernetes secret with GCP DNS credentials
+resource "kubernetes_secret" "external_dns_gcp_secret" {
+  depends_on = [kubernetes_namespace.namespace]
+  metadata {
+    name      = local.secret_name
+    namespace = local.namespace
+  }
+  data = {
+    # Handle null data gracefully - use try() to safely access nested data
+    "credentials.json" = try(
+      lookup(try(data.kubernetes_secret_v1.dns.data, {}), "credentials.json", null),
+      ""
+    )
+  }
+}
+
+# Deploy external-dns Helm chart
+resource "helm_release" "external_dns" {
+  depends_on       = [kubernetes_secret.external_dns_gcp_secret]
+  name             = module.helm_name.name
+  chart            = "external-dns"
+  repository       = "oci://registry-1.docker.io/bitnamicharts"
+  version          = local.helm_version
+  namespace        = local.namespace
+  create_namespace = false
+  cleanup_on_fail  = local.cleanup_on_fail
+  wait             = local.wait
+  atomic           = local.atomic
+  timeout          = local.timeout
+  recreate_pods    = local.recreate_pods
+
+  values = [
+    yamlencode({
+      provider      = "google"
+      txtOwnerId    = "${module.helm_name.name}-${var.environment.unique_name}"
+      txtSuffix     = var.environment.unique_name
+      policy        = "sync"
+      domainFilters = local.domain_filters
+      priorityClassName = "facets-critical"
+
+      image = {
+        registry   = "docker.io"
+        repository = "bitnamilegacy/external-dns"
+      }
+
+      resources = {
+        limits = {
+          cpu    = "500m"
+          memory = "500Mi"
+        }
+        requests = {
+          cpu    = "100m"
+          memory = "100Mi"
+        }
+      }
+
+      metrics = {
+        serviceMonitor = {
+          enabled = true
+        }
+      }
+
+      google = {
+        project = local.project_id
+        serviceAccountSecret    = local.secret_name
+        serviceAccountSecretKey = "credentials.json"
+        zoneVisibility          = local.zone_visibility
+        batchChangeSize         = local.batch_change_size
+      }
+
+      nodeSelector = local.node_selector
+      tolerations  = local.tolerations
+    }),
+    yamlencode(local.user_supplied_helm_values)
+  ]
+}
diff --git a/modules/external_dns/gcp/1.0/outputs.tf b/modules/external_dns/gcp/1.0/outputs.tf
new file mode 100644
index 00000000..ae093ccf
--- /dev/null
+++ b/modules/external_dns/gcp/1.0/outputs.tf
@@ -0,0 +1,19 @@
+locals {
+  output_attributes = {
+    secret_name                = kubernetes_secret.external_dns_gcp_secret.metadata[0].name
+    secret_namespace           = local.namespace
+    aws_access_key_id_key      = ""
+    aws_secret_access_key_key  = ""
+    gcp_credentials_json_key   = "credentials.json"
+    azure_credentials_json_key = ""
+    hosted_zone_id             = ""
+    region                     = local.region
+    provider                   = "gcp"
+    subscription_id            = ""
+    tenant_id                  = ""
+    client_id                  = ""
+    resource_group_name        = ""
+    project_id                 = local.project_id
+  }
+  output_interfaces = {}
+}
diff --git a/modules/external_dns/gcp/1.0/variables.tf b/modules/external_dns/gcp/1.0/variables.tf
new file mode 100644
index 00000000..031870cd
--- /dev/null
+++ b/modules/external_dns/gcp/1.0/variables.tf
@@ -0,0 +1,75 @@
+variable "instance_name" {
+  description = "The architectural name for the resource as added in the Facets blueprint designer."
+  type        = string
+  default     = "test_instance"
+}
+
+variable "environment" {
+  description = "An object containing details about the environment."
+  type = object({
+    name                = optional(string)
+    unique_name         = optional(string)
+    cloud_tags          = optional(map(string), {})
+    namespace           = optional(string, "default")
+    default_tolerations = optional(list(any), [])
+  })
+  default = {
+    namespace = "default"
+  }
+}
+
+variable "instance" {
+  description = "The external DNS resource instance configuration"
+  type = object({
+    kind     = optional(string)
+    flavor   = optional(string)
+    version  = optional(string)
+    disabled = optional(bool, false)
+    spec = optional(object({
+      domain_filters    = optional(list(string), [])
+      zone_visibility   = optional(string, "")
+      batch_change_size = optional(number, 1000)
+    }), {})
+    advanced = optional(object({
+      externaldns = optional(object({
+        version         = optional(string, "6.28.5")
+        cleanup_on_fail = optional(bool, true)
+        wait            = optional(bool, false)
+        atomic          = optional(bool, false)
+        timeout         = optional(number, 300)
+        recreate_pods   = optional(bool, false)
+        values          = optional(map(any), {})
+      }), {})
+    }), {})
+  })
+}
+
+variable "inputs" {
+  description = "Input dependencies from other modules"
+  type = object({
+    kubernetes_details = object({
+      attributes = object({
+        cluster_name     = string
+        cluster_endpoint = optional(string)
+        cloud_provider   = optional(string)
+        project_id       = optional(string) # Comes from GKE cluster
+        region           = optional(string) # Comes from GKE cluster
+      })
+      interfaces = optional(any)
+    })
+    cloud_account = object({
+      attributes = object({
+        project_id  = string # GCP project ID
+        project     = optional(string) # Backward compatibility
+        credentials = optional(string) # Service account JSON
+        region      = optional(string)
+      })
+    })
+    kubernetes_node_pool_details = optional(object({
+      attributes = optional(object({
+        node_selector = optional(map(string), {})
+        taints        = optional(list(any), [])
+      }), {})
+    }), null)
+  })
+}
diff --git a/modules/kubernetes_node_pool/azure/1.0/main.tf b/modules/kubernetes_node_pool/azure/1.0/main.tf
index e82d9548..ad2f7eb7 100644
--- a/modules/kubernetes_node_pool/azure/1.0/main.tf
+++ b/modules/kubernetes_node_pool/azure/1.0/main.tf
@@ -19,7 +19,7 @@ locals {
 
 resource "azurerm_kubernetes_cluster_node_pool" "node_pool" {
   name                  = local.os_type == "Windows" && length(local.name) >= 6 ? "windos" : local.name
-  kubernetes_cluster_id = var.inputs.kubernetes_details.attributes.cluster_id
+  kubernetes_cluster_id = var.inputs.kubernetes_details.cluster_id
   vm_size               = var.instance.spec.instance_type
   os_disk_size_gb       = trim(var.instance.spec.disk_size, "G")
   os_type               = local.os_type
@@ -40,7 +40,7 @@ resource "azurerm_kubernetes_cluster_node_pool" "node_pool" {
 
   mode                 = lookup(local.aks_advanced, "mode", "User")
   orchestrator_version = lookup(local.aks_advanced, "orchestrator_version", null)
-  vnet_subnet_id       = lookup(local.aks_advanced, "vnet_subnet_id", var.inputs.kubernetes_details.attributes.network_details.private_subnet_ids[0])
+  vnet_subnet_id       = lookup(local.aks_advanced, "vnet_subnet_id", var.inputs.kubernetes_details.network_details.private_subnet_ids[0])
   eviction_policy      = local.priority == "Spot" ? lookup(local.aks_advanced, "eviction_policy", "Delete") : null
 
   tags           = local.tags
diff --git a/modules/kubernetes_node_pool/gcp_node_fleet/1.0/gke_node_pool b/modules/kubernetes_node_pool/gcp_node_fleet/1.0/gke_node_pool
deleted file mode 120000
index 6baf40b6..00000000
--- a/modules/kubernetes_node_pool/gcp_node_fleet/1.0/gke_node_pool
+++ /dev/null
@@ -1 +0,0 @@
-/Users/ishaankalra/Documents/Facets Work/github-repositories/facets-modules-redesign/gcp/kubernetes_node_pool/gcp/1.0
\ No newline at end of file
diff --git a/outputs/external_dns/outputs.yaml b/outputs/external_dns/outputs.yaml
new file mode 100644
index 00000000..c0466556
--- /dev/null
+++ b/outputs/external_dns/outputs.yaml
@@ -0,0 +1,48 @@
+name: '@facets/external_dns'
+properties:
+  attributes:
+    type: object
+    properties:
+      secret_name:
+        type: string
+        description: Name of the Kubernetes secret containing DNS credentials
+      secret_namespace:
+        type: string
+        description: Namespace where the DNS credentials secret is stored
+      aws_access_key_id_key:
+        type: string
+        description: Secret key name for AWS access key ID (AWS only)
+      aws_secret_access_key_key:
+        type: string
+        description: Secret key name for AWS secret access key (AWS only)
+      gcp_credentials_json_key:
+        type: string
+        description: Secret key name for GCP credentials JSON (GCP only)
+      azure_credentials_json_key:
+        type: string
+        description: Secret key name for Azure credentials JSON (Azure only)
+      hosted_zone_id:
+        type: string
+        description: AWS Route53 hosted zone ID (AWS only)
+      region:
+        type: string
+        description: Cloud region for DNS operations
+      provider:
+        type: string
+        description: Cloud provider (aws, gcp, azure)
+      subscription_id:
+        type: string
+        description: Azure subscription ID (Azure only)
+      tenant_id:
+        type: string
+        description: Azure tenant ID (Azure only)
+      client_id:
+        type: string
+        description: Azure client ID (Azure only)
+      project_id:
+        type: string
+        description: GCP project ID (GCP only)
+  interfaces:
+    type: object
+providers: []
+