{
  inputs,
  pkgs,
  paths,
  elib,
  lib,
  ...
}: let
  inherit
    (lib)
    mkMerge
    filterAttrs
    mapAttrs
    recursiveUpdate
    ;
  inherit
    (inputs.uk3s-nix.lib)
    sanitizeKubernetesManifest
    yqManifestSanitizerFilter
    ;
  inherit
    (inputs.uk3s-nix.legacyPackages.${pkgs.stdenv.system})
    kubernetesManifestsToTerraformModule
    splitYamlDoc
    helm2nix2terraform
    ;
in {
  resource."kubernetes_namespace"."metallb-system" = {
    metadata = {
      name = "metallb-system";
    };
  };

  resource."kubernetes_namespace"."istio-system" = {
    metadata = {
      name = "istio-system";

      # has to be kept in sync with `main` profile
      labels = {
        "istio.io/rev" = "1-20-2";
      };
    };
  };

  module."gateway-api" = {
    source = inputs.uk3s-nix.legacyPackages.${pkgs.stdenv.system}.kubernetesManifestsToTerraformModule {
      name = "gateway-crds";
      splitJson = inputs.uk3s-nix.legacyPackages.${pkgs.stdenv.system}.splitYamlDoc {
        name = "gateway-crds-manifests";
        yamlDocument = pkgs.fetchurl {
          url = "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/experimental-install.yaml";
          hash = "sha256-EPMidEoAXU5z4rBn6V/s1M/sYZ3HVkkwtIjClr+jvsE=";
          curlOptsList = ["-L"];
        };
        outputFormat = "json";
        yqFilter = yqManifestSanitizerFilter;
      };
    };
  };

  module."istio-api" = {
    source = kubernetesManifestsToTerraformModule {
      name = "istio-crds";
      extraAttrs = {
        field_manager.force_conflicts = true;
      };
      splitJson = splitYamlDoc {
        name = "istio-crds-manifests";
        yamlDocument = pkgs.fetchurl {
          url = "https://raw.githubusercontent.com/istio/api/${pkgs.istioctl.version}/kubernetes/customresourcedefinitions.gen.yaml";
          hash = "sha256-cPMT2On0i0ltbePd8xiMpvoM5P/CZhgf8OlaeUcxgoo=";
        };
        outputFormat = "json";
        yqFilter = yqManifestSanitizerFilter;
      };
    };
  };

  imports = [
    (elib.terraformModule {
      name = "kubernetes";
      source = {config, ...}: {
        imports = [
          (helm2nix2terraform {
            path = "${paths.root}/terranix/prepare/kubernetes";
            predicate = chart: name: manifest:
              manifest.kind == "CustomResourceDefinition";
            mapper = resource:
              if resource.manifest.kind == "CustomResourceDefinition"
              then
                (resource
                  // {
                    manifest =
                      resource.manifest
                      // {
                        metadata = filterAttrs (n: _: n != "creationTimestamp") resource.manifest.metadata;
                      };
                  })
              else resource;
          })
        ];

        resource."kubernetes_manifest" = {
          "default_CustomResourceDefinition_bgppeers_metallb_io" = {
            computed_fields = [
              "spec.conversion.webhook.clientConfig.caBundle"
            ];
          };
        };
      };
    })
  ];
}