diff --git a/bootstrap/platform/main.tf b/bootstrap/platform/main.tf
index 80706de..4a3165d 100644
--- a/bootstrap/platform/main.tf
+++ b/bootstrap/platform/main.tf
@@ -75,6 +75,35 @@ ip6.arpa:53 {
     prometheus :9253
 }
 EOT
+
+  metallb_ip_address_pool_manifest = yamlencode({
+    apiVersion = "metallb.io/v1beta1"
+    kind       = "IPAddressPool"
+    metadata = {
+      name      = var.metallb.pool_name
+      namespace = var.metallb.namespace
+    }
+    spec = {
+      addresses = var.metallb.address_pool
+    }
+  })
+
+  metallb_l2_advertisement_manifest = yamlencode({
+    apiVersion = "metallb.io/v1beta1"
+    kind       = "L2Advertisement"
+    metadata = {
+      name      = var.metallb.pool_name
+      namespace = var.metallb.namespace
+    }
+    spec = {
+      ipAddressPools = [var.metallb.pool_name]
+    }
+  })
+
+  metallb_l2_manifests = join("\n---\n", compact([
+    local.metallb_ip_address_pool_manifest,
+    var.metallb.l2_advertisement_enabled ? local.metallb_l2_advertisement_manifest : "",
+  ]))
 }
 
 resource "helm_release" "calico_crds" {
@@ -536,39 +565,28 @@ resource "helm_release" "metallb" {
   ]
 }
 
-resource "kubernetes_manifest" "metallb_ip_address_pool" {
+resource "null_resource" "metallb_l2_config" {
   for_each = var.metallb.enabled && length(var.metallb.address_pool) > 0 ? { enabled = true } : {}
 
   depends_on = [helm_release.metallb]
 
-  manifest = {
-    apiVersion = "metallb.io/v1beta1"
-    kind       = "IPAddressPool"
-    metadata = {
-      name      = var.metallb.pool_name
-      namespace = var.metallb.namespace
-    }
-    spec = {
-      addresses = var.metallb.address_pool
-    }
+  triggers = {
+    kubeconfig_path = var.kubeconfig_path
+    manifest_hash   = sha256(local.metallb_l2_manifests)
   }
-}
 
-resource "kubernetes_manifest" "metallb_l2_advertisement" {
-  for_each = var.metallb.enabled && var.metallb.l2_advertisement_enabled && length(var.metallb.address_pool) > 0 ? { enabled = true } : {}
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-lc"]
+    command     = <<EOT
+set -euo pipefail
 
-  depends_on = [kubernetes_manifest.metallb_ip_address_pool]
+kubectl --kubeconfig "${self.triggers.kubeconfig_path}" wait --for=condition=Established --timeout=180s crd/ipaddresspools.metallb.io
+kubectl --kubeconfig "${self.triggers.kubeconfig_path}" wait --for=condition=Established --timeout=180s crd/l2advertisements.metallb.io
 
-  manifest = {
-    apiVersion = "metallb.io/v1beta1"
-    kind       = "L2Advertisement"
-    metadata = {
-      name      = var.metallb.pool_name
-      namespace = var.metallb.namespace
-    }
-    spec = {
-      ipAddressPools = [var.metallb.pool_name]
-    }
+cat <<'METALLB_MANIFESTS' | kubectl --kubeconfig "${self.triggers.kubeconfig_path}" apply -f -
+${local.metallb_l2_manifests}
+METALLB_MANIFESTS
+EOT
   }
 }