diff --git a/engine_pki_k8s_etcd_ca.tf b/engine_pki_k8s_etcd_ca.tf
deleted file mode 100644
index ef17bc9..0000000
--- a/engine_pki_k8s_etcd_ca.tf
+++ /dev/null
@@ -1,85 +0,0 @@
-# PKI mount for etcd-ca
-resource "vault_mount" "k8s_etcd_ca" {
- path = "k8s/etcd-ca"
- type = "pki"
- description = "PKI for k8s etcd certificates"
- max_lease_ttl_seconds = 86400 * 365 * 10
-}
-
-# Generate the root CA for etcd
-resource "vault_pki_secret_backend_root_cert" "etcd_ca_root" {
- backend = vault_mount.k8s_etcd_ca.path
- type = "internal"
- common_name = "etcd-ca"
- ttl = 86400 * 365 * 10
- key_type = "rsa"
- key_bits = 4096
-}
-
-# PKI role for kube-etcd
-resource "vault_pki_secret_backend_role" "kube_etcd" {
- backend = vault_mount.k8s_etcd_ca.path
- name = "kube-etcd"
- allowed_domains = ["kube-etcd", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = true
- client_flag = true
-}
-
-# PKI role for kube-etcd-peer
-resource "vault_pki_secret_backend_role" "kube_etcd_peer" {
- backend = vault_mount.k8s_etcd_ca.path
- name = "kube-etcd-peer"
- allowed_domains = ["kube-etcd-peer", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = true
- client_flag = true
-}
-
-# PKI role for kube-etcd-healthcheck-client
-resource "vault_pki_secret_backend_role" "kube_etcd_healthcheck_client" {
- backend = vault_mount.k8s_etcd_ca.path
- name = "kube-etcd-healthcheck-client"
- allowed_domains = ["kube-etcd-healthcheck-client", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = false
- client_flag = true
-}
-
-# PKI role for kube-apiserver-etcd-client
-resource "vault_pki_secret_backend_role" "kube-apiserver-etcd-client" {
- backend = vault_mount.k8s_etcd_ca.path
- name = "kube-apiserver-etcd-client"
- allowed_domains = ["kube-apiserver-etcd-client", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = false
- client_flag = true
-}
diff --git a/engine_pki_k8s_kubernetes_ca.tf b/engine_pki_k8s_kubernetes_ca.tf
deleted file mode 100644
index 4f72b2d..0000000
--- a/engine_pki_k8s_kubernetes_ca.tf
+++ /dev/null
@@ -1,49 +0,0 @@
-# Additional mounts and roles for Kubernetes CA and front-proxy CA
-resource "vault_mount" "k8s_kubernetes_ca" {
- path = "k8s/kubernetes-ca"
- type = "pki"
- description = "PKI for Kubernetes certificates"
- max_lease_ttl_seconds = 86400 * 365 * 10
-}
-
-# Generate the root CA for etcd
-resource "vault_pki_secret_backend_root_cert" "k8s_kubernetes_ca_root" {
- backend = vault_mount.k8s_kubernetes_ca.path
- type = "internal"
- common_name = "kubernetes-ca"
- ttl = 86400 * 365 * 10
- key_type = "rsa"
- key_bits = 4096
-}
-
-resource "vault_pki_secret_backend_role" "kube_apiserver" {
- backend = vault_mount.k8s_kubernetes_ca.path
- name = "kube-apiserver"
- allowed_domains = ["kube-apiserver", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = true
- client_flag = false
-}
-
-resource "vault_pki_secret_backend_role" "kube_apiserver_kubelet_client" {
- backend = vault_mount.k8s_kubernetes_ca.path
- name = "kube-apiserver-kubelet-client"
- allowed_domains = ["kube-apiserver-kubelet-client", "*.main.unkin.net", "localhost"]
- allow_ip_sans = true
- enforce_hostnames = true
- allow_subdomains = true
- allow_glob_domains = true
- allow_localhost = true
- max_ttl = 86400 * 90
- ttl = 86400 * 90
- key_usage = ["DigitalSignature", "KeyEncipherment"]
- server_flag = false
- client_flag = true
-}