diff --git a/main.tf b/main.tf
index 18933422f5..c52b3d337c 100644
--- a/main.tf
+++ b/main.tf
@@ -26,6 +26,8 @@ locals {
 enable_cluster_encryption_config = length(var.cluster_encryption_config) > 0 && !local.create_outposts_local_cluster
 auto_mode_enabled = try(var.cluster_compute_config.enabled, false)
+ optional_pod_subnet_count = length(var.secondary_subnet_ids)
+ eks_cluster_subnet_count = length(var.subnet_ids)
 }
 ################################################################################
@@ -186,6 +188,24 @@ resource "aws_eks_cluster" "this" {
 }
 }
+resource "kubectl_manifest" "eni_config" {
+ for_each = local.optional_pod_subnet_count > 0 ? zipmap(var.availability_zones, slice(var.subnet_ids, local.eks_cluster_subnet_count, sum([local.eks_cluster_subnet_count, local.optional_pod_subnet_count]))) : {}
+
+ yaml_body = yamlencode({
+ apiVersion = "crd.k8s.amazonaws.com/v1alpha1"
+ kind = "ENIConfig"
+ metadata = {
+ name = each.key
+ }
+ spec = {
+ securityGroups = [
+ module.eks.cluster_primary_security_group_id,
+ ]
+ subnet = each.value
+ }
+ })
+}
+
 resource "aws_ec2_tag" "cluster_primary_security_group" {
 # This should not affect the name of the cluster primary security group
 # Ref: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2006
diff --git a/variables.tf b/variables.tf
index 855c2133ec..da9d59d685 100644
--- a/variables.tf
+++ b/variables.tf
@@ -86,6 +86,17 @@ variable "subnet_ids" {
 default = []
 }
+variable "availability_zones" {
+ description = "A list of availability zones in the region"
+ type = list(string)
+}
+
+variable "secondary_subnet_ids" {
+ description = "Optional list of subnets to use for pods.If list is empty, pods will be placed in the subnet_ids subnets. Must be the length of the number of availability zones"
+ type = list(string)
+ default = []
+}
+
 variable "cluster_endpoint_private_access" {
 description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled"
 type = bool
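Review bot: In the `kubectl_manifest.eni_config` hunk of main.tf, `for_each` slices `var.subnet_ids` starting at `local.eks_cluster_subnet_count`, which the locals hunk defines as that list's own length, so the requested range lies past the end of the list and `slice()` will fail whenever `secondary_subnet_ids` is non-empty; the pod subnets themselves are never read. Use the new variable directly, `zipmap(var.availability_zones, var.secondary_subnet_ids)`, which makes the `eks_cluster_subnet_count` local unnecessary. `module.eks.cluster_primary_security_group_id` refers to a module call that is not visible in this diff, while the file declares `aws_eks_cluster.this` itself, so this probably needs to read the value from that resource's `vpc_config[0].cluster_security_group_id`. Attaching the cluster primary security group to every pod ENI gives pods the same network reach as the cluster's own control-plane and node traffic; a dedicated, narrower pod security group passed in as a variable would keep to least privilege.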
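Review bot: `availability_zones` is declared without a default in the variables.tf hunk, so it becomes a required input and every existing caller of the module breaks even when `secondary_subnet_ids` stays empty; `default = []` would keep the feature opt-in. Nothing enforces the rule stated in the `secondary_subnet_ids` description that its length equals the number of availability zones: a length mismatch surfaces only as a `zipmap` error, and because `zipmap` pairs by position, a list given in a different AZ order would silently produce an ENIConfig named for one zone that points at a subnet in another. A `validation` block, or a `precondition` on the `kubectl_manifest` resource comparing the two lengths, would give a clear message at plan time, and the description should state that the subnets must be listed in the same order as the zones. The description also needs a space in `pods.If`.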
diff --git a/versions.tf b/versions.tf
index 4466790686..464c7f58af 100644
--- a/versions.tf
+++ b/versions.tf
@@ -14,5 +14,9 @@ terraform {
 source = "hashicorp/time"
 version = ">= 0.9"
 }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.18"
+ }
 }
 }
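Review bot: The new `kubectl` entry pulls a community-maintained provider (`gavinbunney/kubectl`) into every consumer of this module with an open-ended `>= 1.18` constraint, so any later release, including a new major version, is accepted on the next `terraform init -upgrade`. Consider bounding it, e.g. `version = ">= 1.18, < 2.0"`, and relying on the committed `.terraform.lock.hcl` hashes for pinning. The provider also has to be configured with credentials for the cluster this same module creates, which callers must now supply even if they never set `secondary_subnet_ids`; that requirement should be documented next to the variable.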