UPD: changed bastion SG. also tried to downgrade EKS but it was not supported by AWS

examples/eks-managed-nodegroup/bastion.tf

@@ -6,7 +6,7 @@ module "bastion" {
   ami                         = data.aws_ami.this.id
   ignore_ami_changes          = true
   subnet_id                   = var.subnet_ids[0]
-  vpc_security_group_ids      = [module.sg.id, "sg-0735e2bab44a525b8"]
+  vpc_security_group_ids      = [module.sg.id, module.eks.cluster_primary_security_group_id]
   create_iam_instance_profile = true
   iam_role_description        = "IAM role for EC2 instance"
   iam_role_policies = {
@@ -30,6 +30,12 @@ module "bastion" {
     http_tokens                 = "required"
     http_put_response_hop_limit = 2
   }
+  user_data = <<EOF
+#!/bin/bash
+curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
+chmod 755 kubectl
+mv kubectl /usr/local/bin/
+EOF
 }
 
 module "sg" {

examples/eks-managed-nodegroup/main.tf

@@ -16,7 +16,7 @@ module "eks" {
 
   cluster_name                   = "lab-ken2026-eks01"
   cluster_endpoint_public_access = true
-  cluster_version                = "1.28"
+  cluster_version                = "1.27"
 
   cluster_addons = {
     coredns = {