diff --git a/_examples/eks/main.tf b/_examples/eks/main.tf
index 7710898d26..da08cd7305 100644
--- a/_examples/eks/main.tf
+++ b/_examples/eks/main.tf
@@ -2,11 +2,11 @@ terraform {
 required_providers {
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = ">= 2.0.0"
+ version = ">= 2.0.2"
 }
 helm = {
 source = "hashicorp/helm"
- version = ">= 2.0.1"
+ version = ">= 2.0.2"
 }
 aws = {
 source = "hashicorp/aws"
@@ -19,21 +19,37 @@ data "aws_eks_cluster" "default" { name = module.cluster.cluster_id } -data "aws_eks_cluster_auth" "default" { - name = module.cluster.cluster_id -} - +# This configuration relies on a plugin binary to fetch the token to the EKS cluster. +# The main advantage is that the token will always be up-to-date, even when the `terraform apply` runs for +# a longer time than the token TTL. The downside of this approach is that the binary must be present +# on the system running terraform, either in $PATH as shown below, or in another location, which can be +# specified in the `command`. +# See the commented provider blocks below for alternative configuration options. provider "kubernetes" { host = data.aws_eks_cluster.default.endpoint cluster_ca_certificate = base64decode(data.aws_eks_cluster.default.certificate_authority[0].data) exec { api_version = "client.authentication.k8s.io/v1alpha1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] - command = "aws" + args = ["token", "--cluster-id", module.vpc.cluster_name] + command = "aws-iam-authenticator" } } +# This configuration is also valid, but users may prefer not to install the full aws binary onto CI systems. +#provider "kubernetes" { +# host = data.aws_eks_cluster.default.endpoint +# cluster_ca_certificate = base64decode(data.aws_eks_cluster.default.certificate_authority[0].data) +# exec { +# api_version = "client.authentication.k8s.io/v1alpha1" +# args = ["eks", "get-token", "--cluster-name", module.vpc.cluster_name] +# command = "aws" +# } +#} + # This configuration is also valid, but the token may expire during long-running applies. +# data "aws_eks_cluster_auth" "default" { +# name = module.cluster.cluster_id +#} #provider "kubernetes" { # host = data.aws_eks_cluster.default.endpoint # cluster_ca_certificate = base64decode(data.aws_eks_cluster.default.certificate_authority[0].data) 
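Review bot: The new exec block passes `module.vpc.cluster_name` as `--cluster-id`, while the cluster endpoint and CA a few lines above are fetched by `module.cluster.cluster_id`; aws-iam-authenticator binds the token it signs to the cluster ID it is given, so if those two module outputs ever differ the API server rejects every token and the failure only surfaces mid-apply. Taking both from the same value, e.g. `args = ["token", "--cluster-id", module.cluster.cluster_id]`, removes that drift; whether `module.vpc.cluster_name` is just a pass-through of the same string cannot be seen from this hunk. Separately, the header comment recommends resolving the plugin from `$PATH`, but this binary is handed the caller's IAM credentials, so on CI runners an absolute, pinned `command` path (with the binary installed from a checksum-verified release) is the safer default and deserves a sentence in that comment, e.g. `# On shared CI hosts prefer an absolute path in command; a PATH-resolved plugin can be shadowed by any earlier PATH entry.`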
@@ -44,11 +60,10 @@ provider "helm" { kubernetes { host = data.aws_eks_cluster.default.endpoint cluster_ca_certificate = base64decode(data.aws_eks_cluster.default.certificate_authority[0].data) - token = data.aws_eks_cluster_auth.default.token exec { api_version = "client.authentication.k8s.io/v1alpha1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] - command = "aws" + args = ["token", "--cluster-id", module.vpc.cluster_name] + command = "aws-iam-authenticator" } } } @@ -63,7 +78,7 @@ module "vpc" { module "cluster" { source = "terraform-aws-modules/eks/aws" - version = "v13.2.1" + version = "14.0.0" vpc_id = module.vpc.vpc_id subnets = module.vpc.subnets @@ -75,11 +90,14 @@ module "cluster" { # See ./kubernetes-config/main.tf provider block for details. write_kubeconfig = false + workers_group_defaults = { + root_volume_type = "gp2" + } worker_groups = [ { instance_type = var.workers_type asg_desired_capacity = var.workers_count - asg_max_size = "10" + asg_max_size = 4 }, ]
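Review bot: The helm provider keeps `api_version = "client.authentication.k8s.io/v1alpha1"` while switching `command` to `aws-iam-authenticator`; as far as I know the ExecCredential apiVersion that `aws-iam-authenticator token` prints depends on the authenticator release, and the provider discards a credential whose version does not match this field, so the example works only with releases that still emit v1alpha1. Since no authenticator version is pinned here, a comment next to `command` stating the release range the example was verified against, or that `api_version` must match what `aws-iam-authenticator token` outputs, would save the next reader an opaque "unauthorized" at apply time. The identical `exec` block now appears verbatim in the kubernetes provider above (outside this hunk); moving `args`/`command` into a `locals` entry would keep the two providers from drifting apart.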