diff --git a/ipa.tf b/application.tf
similarity index 53%
rename from ipa.tf
rename to application.tf
index 80f6f95f..949ba2ba 100644
--- a/ipa.tf
+++ b/application.tf
@@ -9,10 +9,6 @@ locals {
   storage_class         = var.on_prem_test == false ? "encrypted-gp2" : "nfs-client"
   acm_arn               = var.acm_arn == "" && var.enable_waf == true ? aws_acm_certificate_validation.alb[0].certificate_arn : var.acm_arn
   efs_values = var.include_efs == true ? [<<EOF
-  aws-fsx-csi-driver:
-    enabled: false
-  aws-efs-csi-driver:
-    enabled: true
   storage:
     volumeSetup:
       image:
@@ -22,14 +18,14 @@ locals {
       mountOptions: []
       csi:
         driver: efs.csi.aws.com
-        volumeHandle: ${module.efs-storage[0].efs_filesystem_id}
+        volumeHandle: "${module.efs-storage[0].efs_filesystem_id}"
     indicoStorageClass:
       enabled: true
       name: indico-sc
       provisioner: efs.csi.aws.com
       parameters:
         provisioningMode: efs-ap
-        fileSystemId: ${module.efs-storage[0].efs_filesystem_id}
+        fileSystemId: "${module.efs-storage[0].efs_filesystem_id}"
         directoryPerms: "700"
         gidRangeStart: "1000" # optional
         gidRangeEnd: "2000" # optional
@@ -37,10 +33,6 @@ locals {
  EOF
   ] : []
   fsx_values = var.include_fsx == true ? [<<EOF
-  aws-fsx-csi-driver:
-    enabled: true
-  aws-efs-csi-driver:
-    enabled: ${var.local_registry_enabled} 
   storage:
     volumeSetup:
       image:
@@ -49,9 +41,9 @@ locals {
       csi:
         driver: fsx.csi.aws.com
         volumeAttributes:
-          dnsname: ${module.fsx-storage[0].fsx_rwx_dns_name}
-          mountname: ${module.fsx-storage[0].fsx_rwx_mount_name}
-        volumeHandle: ${module.fsx-storage[0].fsx_rwx_id}
+          dnsname: "${module.fsx-storage[0].fsx_rwx_dns_name}"
+          mountname: "${module.fsx-storage[0].fsx_rwx_mount_name}"
+        volumeHandle: "${module.fsx-storage[0].fsx_rwx_id}"
     indicoStorageClass:
       enabled: true
       name: indico-sc
@@ -252,39 +244,33 @@ EOT
   dns01RecursiveNameserversOnly = var.network_allow_public == true ? false : true
   dns01RecursiveNameservers     = var.network_allow_public == true ? "" : "kube-dns.kube-system.svc.cluster.local:53"
 }
-resource "kubernetes_secret" "issuer-secret" {
+
+data "github_repository" "argo-github-repo" {
+  count     = var.argo_enabled == true ? 1 : 0
+  full_name = "IndicoDataSolutions/${var.argo_repo}"
+}
+
+resource "kubernetes_namespace" "indico" {
   depends_on = [
     module.cluster,
     time_sleep.wait_1_minutes_after_cluster
   ]
-
   metadata {
-    name      = "acme-route53"
-    namespace = "default"
-    annotations = {
-      "reflector.v1.k8s.emberstack.com/reflection-allowed"      = true
-      "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" = true
-      "temporary.please.change/weaker-credentials-needed"       = true
-    }
-  }
-
-  type = "Opaque"
-
-  data = {
-    "secret-access-key" = var.aws_secret_key
+    name = "indico"
   }
 }
 
-#TODO: move to prereqs
+# Need to make sure the pull secret is in first, so that all of our images can be pulled from harbor
 resource "kubernetes_secret" "harbor-pull-secret" {
   depends_on = [
     module.cluster,
-    time_sleep.wait_1_minutes_after_cluster
+    time_sleep.wait_1_minutes_after_cluster,
+    kubernetes_namespace.indico
   ]
 
   metadata {
     name      = "harbor-pull-secret"
-    namespace = "default"
+    namespace = "indico"
     annotations = {
       "reflector.v1.k8s.emberstack.com/reflection-allowed"      = true
       "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" = true
@@ -298,69 +284,15 @@ resource "kubernetes_secret" "harbor-pull-secret" {
   }
 }
 
-output "ns" {
-  value = var.use_static_ssl_certificates ? ["no-hosted-zone"] : data.aws_route53_zone.primary[0].name_servers
-}
-
-
-resource "github_repository_file" "pre-reqs-values-yaml" {
-  count               = var.argo_enabled == true ? 1 : 0
-  repository          = data.github_repository.argo-github-repo[0].name
-  branch              = var.argo_branch
-  file                = "${var.argo_path}/helm/pre-reqs-values.values"
-  commit_message      = var.message
-  overwrite_on_create = true
-
-  lifecycle {
-    ignore_changes = [
-      content
-    ]
-  }
-  content = base64decode(var.pre-reqs-values-yaml-b64)
-}
-
-
-resource "github_repository_file" "crds-values-yaml" {
-  count               = var.argo_enabled == true ? 1 : 0
-  repository          = data.github_repository.argo-github-repo[0].name
-  branch              = var.argo_branch
-  file                = "${var.argo_path}/helm/crds-values.values"
-  commit_message      = var.message
-  overwrite_on_create = true
-
-  lifecycle {
-    ignore_changes = [
-      content
-    ]
-  }
-  content = base64decode(var.crds-values-yaml-b64)
-}
-
-data "github_repository_file" "data-crds-values" {
-  count = var.argo_enabled == true ? 1 : 0
-  depends_on = [
-    github_repository_file.crds-values-yaml
-  ]
-  repository = data.github_repository.argo-github-repo[0].name
-  branch     = var.argo_branch
-  file       = var.argo_path == "." ? "helm/crds-values.values" : "${var.argo_path}/helm/crds-values.values"
-}
-
-data "github_repository_file" "data-pre-reqs-values" {
-  count = var.argo_enabled == true ? 1 : 0
-
-  depends_on = [
-    github_repository_file.pre-reqs-values-yaml
-  ]
-  repository = data.github_repository.argo-github-repo[0].name
-  branch     = var.argo_branch
-  file       = var.argo_path == "." ? "helm/pre-reqs-values.values" : "${var.argo_path}/helm/pre-reqs-values.values"
-}
-
+# Then set up the secrets operator authentication with vault 
+# (what level of permission does this require? Are we giving customers admin credentials?) 
+# The auth backend they create is named <account>-<region>-<cluster-name>, so we can make 
+# sure their credentials only have access to create <account>-* k8s auth methods
 module "secrets-operator-setup" {
   depends_on = [
     module.cluster,
-    time_sleep.wait_1_minutes_after_cluster
+    time_sleep.wait_1_minutes_after_cluster,
+    kubernetes_secret.harbor-pull-secret
   ]
   count           = var.secrets_operator_enabled == true ? 1 : 0
   source          = "./modules/common/vault-secrets-operator-setup"
@@ -371,32 +303,162 @@ module "secrets-operator-setup" {
   kubernetes_host = module.cluster.kubernetes_host
 }
 
-
-resource "helm_release" "ipa-vso" {
-  count = var.thanos_enabled == true ? 1 : 0
+resource "kubectl_manifest" "gp2-storageclass" {
   depends_on = [
     module.cluster,
-    data.github_repository_file.data-crds-values,
-    module.secrets-operator-setup,
     time_sleep.wait_1_minutes_after_cluster
   ]
+  yaml_body = <<YAML
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: gp2
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+parameters:
+  fsType: ext4
+  type: gp2
+provisioner: kubernetes.io/aws-ebs
+volumeBindingMode: WaitForFirstConsumer
+YAML
+  lifecycle {
+    ignore_changes = [
+      yaml_body
+    ]
+  }
+}
 
-  verify           = false
-  name             = "ipa-vso"
-  create_namespace = true
-  namespace        = "default"
-  repository       = "https://helm.releases.hashicorp.com"
-  chart            = "vault-secrets-operator"
-  version          = var.vault_secrets_operator_version
-  wait             = true
-  values = [
-    <<EOF
+# Once (if) the secrets operator is set up, we can deploy the common charts
+locals {
+  indico_crds_values = [<<EOF
+migrations:
+  image:
+    registry: ${var.image_registry}
+  vaultSecretsOperator:
+    updateCRDs: ${var.secrets_operator_enabled}
+  opentelemetryOperator:
+    updateCRDs: ${var.monitoring_enabled}
+aws-ebs-csi-driver:
+  image:
+    repository: ${var.image_registry}/public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver
+  sidecars:
+    provisioner:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
+    attacher:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-attacher
+    snapshotter:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter
+    livenessProbe:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
+    resizer:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-resizer
+    nodeDriverRegistrar:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
+  controller:
+    extraVolumeTags:
+      ${indent(6, yamlencode(var.default_tags))}
+cert-manager:
+  enabled: true
+  crds:
+    enabled: true
+  dns01RecursiveNameservers: ${local.dns01RecursiveNameservers}
+  dns01RecursiveNameserversOnly: ${local.dns01RecursiveNameserversOnly}
+  nodeSelector:
+    kubernetes.io/os: linux
+  webhook:
+    nodeSelector:
+      kubernetes.io/os: linux
+  cainjector:
+    nodeSelector:
+      kubernetes.io/os: linux
+  image:
+    repository: ${var.image_registry}/quay.io/jetstack/cert-manager-controller
+  webhook:
+    image:
+      repository: ${var.image_registry}/quay.io/jetstack/cert-manager-webhook
+  cainjector:
+    image:
+      repository: ${var.image_registry}/quay.io/jetstack/cert-manager-cainjector
+  acmesolver:
+    image:
+      repository: ${var.image_registry}/quay.io/jetstack/cert-manager-acmesolver
+  startupapicheck:
+    image:
+      repository: ${var.image_registry}/quay.io/jetstack/cert-manager-startupapicheck
+  extraEnv:
+    - name: AWS_REGION
+      value: 'aws-global'
+crunchy-pgo:
+  enabled: ${var.ipa_enabled || var.insights_enabled}
+  updateCRDs: 
+    enabled: true
+  pgo: 
+    controllerImages:
+      cluster: ${var.image_registry}/registry.crunchydata.com/crunchydata/postgres-operator:ubi8-5.7.1-0
+    relatedImages:
+      postgres_17:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-17.2-0
+      postgres_17_gis_3.4:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-17.2-3.4-0
+      postgres_16:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.6-0
+      postgres_16_gis_3.4:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.6-0
+      postgres_16_gis_3.3:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.6-3.3-0
+      postgres_15:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.10-0
+      postgres_15_gis_3.3:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-15.10-3.3-0
+      postgres_14:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.15-0
+      postgres_14_gis_3.1:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.15-3.1-0
+      postgres_14_gis_3.2:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.15-3.2-0
+      postgres_14_gis_3.3:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.15-3.3-0
+      postgres_13:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-13.18-0
+      postgres_13_gis_3.0:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-13.18-3.0-0
+      postgres_13_gis_3.1:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-13.18-3.1-0
+      pgadmin:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-32
+      pgbackrest:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.53.1-1
+      pgbouncer:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.23-1
+      pgexporter:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-0.15.0-13
+      pgupgrade:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-upgrade:ubi8-5.7.1-0
+      standalone_pgadmin:
+        image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-8.12-1
+migrations-operator:
+  enabled: ${var.ipa_enabled || var.insights_enabled}
+  image:
+    repository: ${var.image_registry}/indico/migrations-operator
+  controllerImage:
+    repository: ${var.image_registry}/indico/migrations-controller
+    kubectlImage: ${var.image_registry}/indico/migrations-controller-kubectl
+minio:
+  enabled: ${var.insights_enabled || var.minio_enabled}
+vault-secrets-operator:
+  enabled: ${var.secrets_operator_enabled}
   controller: 
     imagePullSecrets:
       - name: harbor-pull-secret
     kubeRbacProxy:
       image:
-        repository: ${var.image_registry}/gcr.io/kubebuilder/kube-rbac-proxy
+        repository: ${var.image_registry}/quay.io/brancz/kube-rbac-proxy
       resources:
         limits:
           cpu: 500m
@@ -414,7 +476,6 @@ resource "helm_release" "ipa-vso" {
         requests:
           cpu: 500m
           memory: 512Mi
-
   defaultAuthMethod:
     enabled: true
     namespace: default
@@ -424,7 +485,6 @@ resource "helm_release" "ipa-vso" {
       role: ${var.secrets_operator_enabled == true ? module.secrets-operator-setup[0].vault_auth_role_name : "unused-role"}
       tokenAudiences: ["vault"]
       serviceAccount: ${var.secrets_operator_enabled == true ? module.secrets-operator-setup[0].vault_auth_service_account_name : "vault-sa"}
-
   defaultVaultConnection:
     enabled: true
     address: ${var.vault_address}
@@ -436,300 +496,67 @@ resource "helm_release" "ipa-vso" {
         - name: manager
           args:
           - "--client-cache-persistence-model=direct-encrypted"
-EOF
-  ]
-}
-
-resource "helm_release" "external-secrets" {
-  depends_on = [
-    module.cluster,
-    data.github_repository_file.data-crds-values,
-    module.secrets-operator-setup,
-    time_sleep.wait_1_minutes_after_cluster
-  ]
-
-
-  verify           = false
-  name             = "external-secrets"
-  create_namespace = true
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "external-secrets"
-  version          = var.external_secrets_version
-  wait             = true
-
-  values = [<<EOF
-    external-secrets:
-      image:
-        repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
-      webhook:
-        image:
-          repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
-      certController:
-        image:
-          repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
-
-  EOF
-  ]
-
-}
-
-
-resource "helm_release" "ipa-crds" {
-  depends_on = [
-    module.cluster,
-    data.github_repository_file.data-crds-values,
-    module.secrets-operator-setup,
-    time_sleep.wait_1_minutes_after_cluster
-  ]
-
-  verify           = false
-  name             = "ipa-crds"
-  create_namespace = true
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "ipa-crds"
-  version          = var.ipa_crds_version
-  wait             = true
-  timeout          = "1800" # 30 minutes
-
-  values = [
-    <<EOF
-  crunchy-pgo:
-    enabled: true
-    updateCRDs: 
-      enabled: true
-    pgo: 
-      controllerImages:
-        cluster: ${var.image_registry}/registry.crunchydata.com/crunchydata/postgres-operator:ubi8-5.7.1-0
-      relatedImages:
-        postgres_17:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-17.2-0
-        postgres_17_gis_3.4:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-17.2-3.4-0
-        postgres_16:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.6-0
-        postgres_16_gis_3.4:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.6-0
-        postgres_16_gis_3.3:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.6-3.3-0
-        postgres_15:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.10-0
-        postgres_15_gis_3.3:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-15.10-3.3-0
-        postgres_14:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.15-0
-        postgres_14_gis_3.1:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.15-3.1-0
-        postgres_14_gis_3.2:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.15-3.2-0
-        postgres_14_gis_3.3:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.15-3.3-0
-        postgres_13:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres:ubi8-13.18-0
-        postgres_13_gis_3.0:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-13.18-3.0-0
-        postgres_13_gis_3.1:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-13.18-3.1-0
-        pgadmin:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-32
-        pgbackrest:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.53.1-1
-        pgbouncer:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.23-1
-        pgexporter:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-0.15.0-13
-        pgupgrade:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-upgrade:ubi8-5.7.1-0
-        standalone_pgadmin:
-          image: ${var.image_registry}/registry.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-8.12-1
-  migrations-operator:
-    image:
-      repository: ${var.image_registry}/indico/migrations-operator
-    controllerImage:
-      repository: ${var.image_registry}/indico/migrations-controller
-      kubectlImage: ${var.image_registry}/indico/migrations-controller-kubectl
-  aws-ebs-csi-driver:
-    image:
-      repository: ${var.image_registry}/public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver
-    sidecars:
-      provisioner:
-        image:
-          repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
-      attacher:
-        image:
-          repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-attacher
-      snapshotter:
-        image:
-          repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter
-      livenessProbe:
-        image:
-          repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
-      resizer:
-        image:
-          repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-resizer
-      nodeDriverRegistrar:
-        image:
-          repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
-    controller:
-      extraVolumeTags:
-        ${indent(8, yamlencode(var.default_tags))}
-
-  cert-manager:
-    enabled: true
-    crds:
-      enabled: true
-    dns01RecursiveNameservers: ${local.dns01RecursiveNameservers}
-    dns01RecursiveNameserversOnly: ${local.dns01RecursiveNameserversOnly}
-    nodeSelector:
-      kubernetes.io/os: linux
-    webhook:
-      nodeSelector:
-        kubernetes.io/os: linux
-    cainjector:
-      nodeSelector:
-        kubernetes.io/os: linux
+external-secrets:
+  enabled: true
+  image:
+    repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
+  webhook:
     image:
-      repository: ${var.image_registry}/quay.io/jetstack/cert-manager-controller
-    webhook:
-      image:
-        repository: ${var.image_registry}/quay.io/jetstack/cert-manager-webhook
-    cainjector:
-      image:
-        repository: ${var.image_registry}/quay.io/jetstack/cert-manager-cainjector
-    acmesolver:
-      image:
-        repository: ${var.image_registry}/quay.io/jetstack/cert-manager-acmesolver
-    startupapicheck:
-      image:
-        repository: ${var.image_registry}/quay.io/jetstack/cert-manager-startupapicheck
-    extraEnv:
-      - name: AWS_REGION
-        value: 'aws-global'
-  migrations:
+      repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
+  certController:
     image:
-      registry: ${var.image_registry}
-    vaultSecretsOperator:
-      updateCRDs: ${var.secrets_operator_enabled}
-    opentelemetryOperator:
-      updateCRDs: ${var.monitoring_enabled}
-EOF
-    ,
-    <<EOT
-${var.argo_enabled == true ? data.github_repository_file.data-crds-values[0].content : ""}
-EOT
-  ]
-}
-
-resource "kubectl_manifest" "gp2-storageclass" {
-  depends_on = [
-    module.cluster,
-    time_sleep.wait_1_minutes_after_cluster
-  ]
-  yaml_body = <<YAML
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: gp2
-  annotations:
-    storageclass.kubernetes.io/is-default-class: "true"
-parameters:
-  fsType: ext4
-  type: gp2
-provisioner: kubernetes.io/aws-ebs
-volumeBindingMode: WaitForFirstConsumer
-YAML
-}
-
-resource "time_sleep" "wait_1_minutes_after_crds" {
-  depends_on = [helm_release.ipa-crds]
-
-  create_duration = "1m"
-}
-
-# resource "kubectl_manifest" "thanos-storage-secret" {
-#   count      = var.thanos_enabled ? 1 : 0
-#   depends_on = [helm_release.ipa-crds, module.secrets-operator-setup]
-#   yaml_body  = <<YAML
-#     apiVersion: "secrets.hashicorp.com/v1beta1"
-#     kind: "VaultStaticSecret"
-#     metadata:
-#       name:  vault-thanos-storage
-#       namespace: default
-#     spec:
-#       type: "kv-v2"
-#       namespace: default
-#       mount: customer-Indico-Devops
-#       path: thanos-storage
-#       refreshAfter: 60s
-#       rolloutRestartTargets:
-#         - name: prometheus-monitoring-kube-prometheus-prometheus
-#           kind: StatefulSet
-#       destination:
-#         annotations:
-#           reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-#           reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-#         create: true
-#         name: thanos-storage
-#       vaultAuthRef: default
-#   YAML
-# }
-
-resource "helm_release" "ipa-pre-requisites" {
-  depends_on = [
-    time_sleep.wait_1_minutes_after_crds,
-    module.cluster,
-    module.fsx-storage,
-    helm_release.ipa-crds,
-    data.vault_kv_secret_v2.zerossl_data,
-    data.github_repository_file.data-pre-reqs-values,
-    null_resource.update_storage_class,
-    time_sleep.wait_1_minutes_after_cluster
+      repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
+  EOF
   ]
 
-  verify           = false
-  name             = "ipa-pre-reqs"
-  create_namespace = true
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "ipa-pre-requisites"
-  version          = var.ipa_pre_reqs_version
-  wait             = false
-  timeout          = "1800" # 30 minutes
-  disable_webhooks = false
-
-  values = concat(local.storage_spec, [<<EOF
+  indico_pre_reqs_values = [<<EOF
 global:
+  host: ${local.dns_name}
   image:
     registry: ${var.image_registry}
-cluster:
-  cloudProvider: aws
-  name: ${var.label}
-  region: ${var.region}
-  domain: indico.io
-  account: ${var.aws_account}
-  argoRepo: ${var.argo_repo}
-  argoBranch: ${var.argo_branch}
-  argoPath: ${var.argo_path}
-  ipaVersion: ${var.ipa_version}
-  ipaPreReqsVersion: ${var.ipa_pre_reqs_version}
-  ipaCrdsVersion: ${var.ipa_crds_version}
-
+storage:
+  ebsStorageClass:
+    enabled: true
 secrets:
-  rabbitmq:
-    create: true
-  
-  general:
-    create: true
-
   clusterIssuer:
     zerossl:
       create: true
       eabEmail: devops-sa@indico.io
       eabKid: "${jsondecode(data.vault_kv_secret_v2.zerossl_data.data_json)["EAB_KID"]}"
       eabHmacKey: "${jsondecode(data.vault_kv_secret_v2.zerossl_data.data_json)["EAB_HMAC_KEY"]}"
+    letsencrypt:
+      create: true
+    selfSigned:
+      create: true
+localPullSecret:
+  password: "${random_password.password.result}"
+  secretName: local-pull-secret
+  username: local-user
+proxyRegistryAccess:
+  proxyPassword: ${var.local_registry_enabled == true ? jsondecode(data.vault_kv_secret_v2.account-robot-credentials[0].data_json)["harbor_password"] : ""}
+  proxyPullSecretName: remote-access
+  proxyUrl: https://${var.image_registry}
+  proxyUsername: ${var.local_registry_enabled == true ? jsondecode(data.vault_kv_secret_v2.account-robot-credentials[0].data_json)["harbor_username"] : ""}
+registryUrl: local-registry.${local.dns_name}
+restartCronjob:
+  cronSchedule: 0 0 */3 * *
+  disabled: false
+  image: bitnami/kubectl:1.20.13
 
-${local.dns_configuration_values}
+aws-efs-csi-driver:
+  enabled: ${var.include_efs ? var.include_efs : var.local_registry_enabled}
+  image:
+    repository: ${var.image_registry}/public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver
+  sidecars:
+    livenessProbe:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
+    nodeDriverRegistrar:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
+    csiProvisioner:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
 aws-for-fluent-bit:
   enabled: true
   image:
@@ -738,31 +565,254 @@ aws-for-fluent-bit:
     region: ${var.region}
     logGroupName: "/aws/eks/fluentbit-cloudwatch/${var.label}/logs"
     logGroupTemplate: "/aws/eks/fluentbit-cloudwatch/${var.label}/workload/$kubernetes['namespace_name']"
-ipaConfig:
-  image:
-    registry: ${var.image_registry}
-rabbitmq:
-  rabbitmq:
-    image:
-      registry: ${var.image_registry}
+aws-fsx-csi-driver:
+  enabled: ${var.include_fsx}
+  image:  
+    repository: ${var.image_registry}/public.ecr.aws/fsx-csi-driver/aws-fsx-csi-driver
+    pullPolicy: IfNotPresent
+  imagePullSecrets:
+    - harbor-pull-secret
+  sidecars:
+    livenessProbe:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
+    nodeDriverRegistrar:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
+    provisioner:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
+    resizer:
+      image:
+        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-resizer
+aws-load-balancer-controller:
+  enabled: ${var.use_acm}
+  aws-load-balancer-controller:
+    clusterName: ${var.label}
+    vpcId: ${local.network[0].indico_vpc_id}
+    region: ${var.region}
 cluster-autoscaler:
+  enabled: true
   cluster-autoscaler:
     awsRegion: ${var.region}
     image:
       repository: ${var.image_registry}/public-gcr-k8s-proxy/autoscaling/cluster-autoscaler
-      tag: "v1.20.0"
+      tag: "v${var.k8s_version}.0"
     autoDiscovery:
       clusterName: "${var.label}"
     extraArgs:
       aws-use-static-instance-list: true
+${local.dns_configuration_values}
+ingress-nginx:
+  enabled: true
+  controller:
+    service:
+      enableHttp: ${local.enableHttp}
+      targetPorts:
+        https: ${local.backend_port}
+${local.lb_config}
+    image:
+      registry: ${var.image_registry}/registry.k8s.io
+      digest: ""
+    admissionWebhooks:
+      patch:
+        image:
+          registry: ${var.image_registry}/registry.k8s.io
+          digest: ""
+  rbac:
+    create: true
+
+  admissionWebhooks:
+    patch:
+      nodeSelector.beta.kubernetes.io/os: linux
+
+  defaultBackend:
+    nodeSelector.beta.kubernetes.io/os: linux
+  service:
+    annotations:
+      service.beta.kubernetes.io/oci-load-balancer-internal: "${local.internal_elb}"
+reflector:
+  image:
+    repository: ${var.image_registry}/docker.io/emberstack/kubernetes-reflector
+  EOF
+  ]
+
+  monitoring_values = var.monitoring_enabled ? [<<EOF
+global:
+  host: "${local.dns_name}"
+authentication:
+  ingressUsername: monitoring
+  ingressPassword: ${random_password.monitoring-password.result}
+${local.alerting_configuration_values}
+keda:
+  enabled: ${var.monitoring_enabled}
+  global:
+    image:
+      registry: "${var.image_registry}/ghcr.io"
+  imagePullSecrets:
+    - name: harbor-pull-secret
+  resources:
+    operator:
+      requests:
+        memory: 512Mi
+      limits:
+        memory: 4Gi
+  crds:
+    install: true
+  
+  podAnnotations:
+    keda:
+      prometheus.io/scrape: "true"
+      prometheus.io/path: "/metrics"
+      prometheus.io/port: "8080"
+    metricsAdapter: 
+      prometheus.io/scrape: "true"
+      prometheus.io/path: "/metrics"
+      prometheus.io/port: "9022"
+  prometheus:
+    metricServer:
+      enabled: true
+      podMonitor:
+        enabled: true
+    operator:
+      enabled: true
+      podMonitor:
+        enabled: true
+kube-prometheus-stack:
+${local.kube_prometheus_stack_values}
+metrics-server:
+  global:
+    imageRegistry: ${var.image_registry}/docker.io
+opentelemetry-operator:
+  enabled: ${var.monitoring_enabled}
+  testFramework:
+    image:
+      repository: ${var.image_registry}/docker.io/library/busybox
+  kubeRBACProxy:
+    image:
+      repository: ${var.image_registry}/quay.io/brancz/kube-rbac-proxy
+  manager:
+    image:
+      repository: ${var.image_registry}/ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
+    collectorImage:
+      repository: ${var.image_registry}/docker.io/otel/opentelemetry-collector-contrib
+opentelemetry-collector:
+  enabled: true
+  imagePullSecrets:
+    - name: harbor-pull-secret
+  image:
+    repository: ${var.image_registry}/docker.io/otel/opentelemetry-collector-contrib
+  fullnameOverride: "collector-collector"
+  mode: deployment
+  tolerations:
+  - effect: NoSchedule
+    key: indico.io/monitoring
+    operator: Exists
+  nodeSelector:
+    node_group: monitoring-workers
+  ports:
+    jaeger-compact:
+      enabled: false
+    jaeger-thrift:
+      enabled: false
+    jaeger-grpc:
+      enabled: false
+    zipkin:
+      enabled: false
+
+  config:
+    receivers:
+      jaeger: null
+      prometheus: null
+      zipkin: null
+    exporters:
+      otlp:
+        endpoint: monitoring-tempo.monitoring.svc:4317
+        tls:
+          insecure: true
+    service:
+      pipelines:
+        traces:
+          receivers:
+            - otlp
+          processors:
+            - batch
+          exporters:
+            - otlp
+        metrics: null
+        logs: null
+  EOF
+  ] : []
+}
+
+module "indico-common" {
+  depends_on = [
+    module.cluster,
+    time_sleep.wait_1_minutes_after_cluster,
+    module.secrets-operator-setup
+  ]
+  source                           = "./modules/common/indico-common"
+  argo_enabled                     = var.argo_enabled
+  github_repo_name                 = var.argo_repo
+  github_repo_branch               = var.argo_branch
+  github_file_path                 = var.argo_path
+  github_commit_message            = var.message
+  helm_registry                    = var.ipa_repo
+  namespace                        = "indico"
+  indico_crds_version              = var.indico_crds_version
+  indico_crds_values_yaml_b64      = var.indico-crds-values-yaml-b64
+  indico_crds_values_overrides     = local.indico_crds_values
+  indico_pre_reqs_version          = var.indico_pre_reqs_version
+  indico_pre_reqs_values_overrides = local.indico_pre_reqs_values
+  indico_pre_reqs_values_yaml_b64  = var.indico-pre-reqs-values-yaml-b64
+  monitoring_enabled               = var.monitoring_enabled
+  monitoring_values                = local.monitoring_values
+  monitoring_version               = var.monitoring_version
+}
+
+
+
+# With the common charts are installed, we can then move on to installing intake and/or insights
+locals {
+  ipa_pre_reqs_values = concat(local.storage_spec, [<<EOF
+global:
+  image:
+    registry: ${var.image_registry}
+cluster:
+  cloudProvider: aws
+  name: ${var.label}
+  region: ${var.region}
+  domain: indico.io
+  account: ${var.aws_account}
+  argoRepo: ${var.argo_repo}
+  argoBranch: ${var.argo_branch}
+  argoPath: ${var.argo_path}
+  ipaVersion: ${var.ipa_version}
+  ipaPreReqsVersion: ${var.ipa_pre_reqs_version}
+  ipaCrdsVersion: ${var.ipa_crds_version}
+ipaConfig:
+  image:
+    registry: ${var.image_registry}
+apiModels:
+  image:
+    registry: ${var.image_registry}
+secrets:
+  rabbitmq:
+    create: true
+  general:
+    create: true
+
+celery-backend:
+  redis:
+    global:
+      imageRegistry: ${var.image_registry}
 crunchy-postgres:
   enabled: true
   postgres-data:
     enabled: true
     metadata:
       annotations:
-        reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-        reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+        reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "default,indico,monitoring"
     instances:
     - affinity:
         nodeAffinity:
@@ -790,6 +840,7 @@ crunchy-postgres:
         annotations:
           reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
           reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+          reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "default,indico,monitoring"
       dataVolumeClaimSpec:
         storageClassName: ${local.storage_class}
         accessModes:
@@ -829,14 +880,140 @@ crunchy-postgres:
           requests:
             cpu: 1000m
             memory: 3000Mi
-    imagePullSecrets:
-      - name: harbor-pull-secret
-  postgres-metrics:
-    enabled: false
+rabbitmq:
+  rabbitmq:
+    image:
+      registry: ${var.image_registry}
+  EOF
+  ])
+
+  intake_values = <<EOF
+global:
+  image:
+    registry: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico
+${local.local_registry_tf_cod_values}
+runtime-scanner:
+  enabled: ${replace(lower(var.aws_account), "indico", "") == lower(var.aws_account) ? "false" : "true"}
+  image:
+    repository: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico-devops/runtime-scanner
+  authentication:
+    ingressUser: monitoring
+    ingressPassword: ${random_password.monitoring-password.result}
+    ${indent(4, local.runtime_scanner_ingress_values)}
+celery-flower:
+  image:
+    repository: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico/flower
+aws-node-termination:
+  aws-node-termination-handler:
+    image:
+      repository: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico/aws-node-termination-handler
+nvidia-device-plugin:
+  nvidia-device-plugin:
+    image:
+      repository: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/public-nvcr-proxy/nvidia/k8s-device-plugin
+reloader:
+  reloader:
+    reloader:
+      deployment:
+        image:
+          name: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/dockerhub-proxy/stakater/reloader
+kafka-strimzi:
+  strimzi-kafka-operator: 
+    defaultImageRegistry: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/strimzi-proxy
+  kafkacat:
+    image:
+      registry: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/dockerhub-proxy/confluentinc
+  schemaRegistry:
+    image:
+      registry: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/dockerhub-proxy/confluentinc
+  kafkaConnect:
+    image:
+      registry: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico
+${local.alb_ipa_values}
+  EOF
+}
+
+module "intake" {
+  depends_on = [
+    module.indico-common
+  ]
+  source                            = "./modules/common/intake"
+  count                             = var.ipa_enabled ? 1 : 0
+  argo_enabled                      = var.argo_enabled
+  github_repo_name                  = var.argo_repo
+  github_repo_branch                = var.argo_branch
+  github_file_path                  = var.argo_path
+  github_commit_message             = var.message
+  helm_registry                     = var.ipa_repo
+  namespace                         = "default"
+  ipa_pre_reqs_version              = var.ipa_pre_reqs_version
+  pre_reqs_values_yaml_b64          = var.pre-reqs-values-yaml-b64
+  ipa_pre_reqs_values_overrides     = local.ipa_pre_reqs_values
+  account                           = var.aws_account
+  region                            = var.region
+  label                             = var.label
+  argo_application_name             = lower("${var.aws_account}.${var.region}.${var.label}-ipa")
+  vault_path                        = "tools/argo/data/ipa-deploy"
+  argo_server                       = module.cluster.kubernetes_host
+  argo_project_name                 = var.argo_enabled ? module.argo-registration[0].argo_project_name : ""
+  intake_version                    = var.ipa_version
+  k8s_version                       = var.k8s_version
+  intake_values_terraform_overrides = local.intake_values
+  intake_values_overrides           = var.ipa_values
+}
+
+locals {
+  smoketests_values = <<EOF
+  cluster:
+    account: ${var.aws_account}
+    region: ${var.region}
+    name: ${var.label}
+  host: ${local.dns_name}
+  image:
+    repository: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico/integration_tests
+  ${indent(4, base64decode(var.ipa_smoketest_values))}
+  EOF
+}
+
+module "intake_smoketests" {
+  depends_on = [
+    module.intake
+  ]
+  count                  = var.ipa_smoketest_enabled && var.ipa_enabled ? 1 : 0
+  source                 = "./modules/common/application-deployment"
+  account                = var.aws_account
+  region                 = var.region
+  label                  = var.label
+  namespace              = "default"
+  argo_enabled           = var.argo_enabled
+  github_repo_name       = var.argo_repo
+  github_repo_branch     = var.argo_branch
+  github_file_path       = "${var.argo_path}/ipa_smoketest.yaml"
+  github_commit_message  = var.message
+  argo_application_name  = local.argo_smoketest_app_name
+  argo_vault_plugin_path = "tools/argo/data/ipa-deploy"
+  argo_server            = module.cluster.kubernetes_host
+  argo_project_name      = var.argo_enabled ? module.argo-registration[0].argo_project_name : ""
+  chart_name             = "cod-smoketests"
+  chart_repo             = var.ipa_smoketest_repo
+  chart_version          = var.ipa_smoketest_version
+  k8s_version            = var.k8s_version
+  release_name           = "run"
+  terraform_helm_values  = ""
+  helm_values            = indent(10, trimspace(local.smoketests_values))
+}
+
+locals {
+  insights_pre_reqs_values = [<<EOF
+crunchy-postgres:
+  enabled: true
+  postgres-data:
+    enabled: true
+    name: postgres-insights
+    postgresVersion: 13
     metadata:
       annotations:
-        reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-        reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+        reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "insights,indico,monitoring"
     instances:
     - affinity:
         nodeAffinity:
@@ -854,28 +1031,29 @@ crunchy-postgres:
               - key: postgres-operator.crunchydata.com/cluster
                 operator: In
                 values:
-                - postgres-metrics
+                - postgres-insights
               - key: postgres-operator.crunchydata.com/instance-set
                 operator: In
                 values:
-                - pgha1
+                - pgha2
             topologyKey: kubernetes.io/hostname
       metadata:
         annotations:
           reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
           reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+          reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "insights,indico,monitoring"
       dataVolumeClaimSpec:
         storageClassName: ${local.storage_class}
         accessModes:
         - ReadWriteOnce
         resources:
           requests:
-            storage: 100Gi
-      name: pgha1
-      replicas: 2
+            storage: 200Gi
+      name: pgha2
+      replicas: ${var.az_count}
       resources:
         requests:
-          cpu: 500m
+          cpu: 1000m
           memory: 3000Mi
       tolerations:
         - effect: NoSchedule
@@ -884,13 +1062,13 @@ crunchy-postgres:
     pgBackRestConfig:
       global:
         archive-timeout: '10000'
-        repo1-path: /pgbackrest/postgres-metrics/repo1
-        repo1-retention-full: '5'
-        repo1-s3-key-type: auto
-        repo1-s3-kms-key-id: "${module.kms_key.key_arn}"
-        repo1-s3-role: ${module.iam.node_role_name}
+        repo2-path: /pgbackrest/postgres-insights/repo2
+        repo2-retention-full: '5'
+        repo2-s3-key-type: auto
+        repo2-s3-kms-key-id: "${module.kms_key.key_arn}"
+        repo2-s3-role: ${module.iam.node_role_name}
       repos:
-      - name: repo1
+      - name: repo2
         s3:
           bucket: ${module.s3-storage.pgbackup_s3_bucket_name}
           endpoint: s3.${var.region}.amazonaws.com
@@ -903,125 +1081,206 @@ crunchy-postgres:
           requests:
             cpu: 1000m
             memory: 3000Mi
-    imagePullSecrets:
-      - name: harbor-pull-secret
-reflector:
-  image:
-    repository: ${var.image_registry}/docker.io/emberstack/kubernetes-reflector
-apiModels:
-  image:
-    registry: ${var.image_registry}
-aws-load-balancer-controller:
-  enabled: ${var.use_acm}
-  aws-load-balancer-controller:
-    clusterName: ${var.label}
-    vpcId: ${local.network[0].indico_vpc_id}
-    region: ${var.region}
-aws-fsx-csi-driver:
-  image:  
-    repository: ${var.image_registry}/public.ecr.aws/fsx-csi-driver/aws-fsx-csi-driver
-    pullPolicy: IfNotPresent
-  imagePullSecrets:
-    - harbor-pull-secret
-  sidecars:
-    livenessProbe:
-      image:
-        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
-    nodeDriverRegistrar:
-      image:
-        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
-    provisioner:
-      image:
-        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
-    resizer:
-      image:
-        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-resizer
-aws-efs-csi-driver:
-  image:
-    repository: ${var.image_registry}/public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver
-  sidecars:
-    livenessProbe:
-      image:
-        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
-    nodeDriverRegistrar:
-      image:
-        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
-    csiProvisioner:
-      image:
-        repository: ${var.image_registry}/public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
-metrics-server:
-  global:
-    imageRegistry: ${var.image_registry}/docker.io
-celery-backend:
-  redis:
-    global:
-      imageRegistry: ${var.image_registry}
-opentelemetry-operator:
-  testFramework:
-    image:
-      repository: ${var.image_registry}/docker.io/library/busybox
-  kubeRBACProxy:
-    image:
-      repository: ${var.image_registry}/quay.io/brancz/kube-rbac-proxy
-  manager:
+    users:
+      - name: indico
+        options: "SUPERUSER"
+        databases:
+          - aqueduct
+          - ask_my_collection
+          - lagoon
+          - noct
+ingress:
+  useStaticCertificate: false
+  secretName: indico-ssl-static-cert
+  tls.crt: #base64 encoded value of certificate chain
+  tls.key: #base64 encoded value of certificate key
+minio:
+  topology:
+    volumeSize: 128Gi
+  storage:
+    accessKey: <path:tools/argo/data/indico-dev/ins-dev/storage#access_key_id>
+    secretKey: <path:tools/argo/data/indico-dev/ins-dev/storage#secret_access_key>
+  backup:
+    enabled: ${var.include_miniobkp}
+    schedule: "0 4 * * 2" # This schedules the job to run at 4:00 AM every Tuesday
+    localBackup: false
     image:
-      repository: ${var.image_registry}/ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
-    collectorImage:
-      repository: ${var.image_registry}/docker.io/otel/opentelemetry-collector-contrib
-EOF
-    ,
-    <<EOT
-${var.argo_enabled == true ? data.github_repository_file.data-pre-reqs-values[0].content : ""}
-EOT
-  ])
-}
-
-
-#resource "null_resource" "tfc" {
-#  triggers = {
-#    always_run = "${timestamp()}"
-#  }
-#
-#  provisioner "local-exec" {
-#    command = "env|sort"
-#  }
-#}
+      repository: harbor.devops.indico.io/docker.io/amazon/aws-cli
+      tag: 2.22.4
+    awsBucket: ${module.s3-storage.miniobkp_s3_bucket_name}
+weaviate:
+  cronjob:
+    services:
+      weaviate-backup:
+        enabled: true
+  backupStorageConfig:
+    accessKey: <path:tools/argo/data/indico-dev/ins-dev/storage#access_key_id>
+    secretKey: <path:tools/argo/data/indico-dev/ins-dev/storage#secret_access_key>
+    url: http://minio-tenant-hl.insights.svc.cluster.local:9000
+  weaviate:
+    env:
+      GOMEMLIMIT: "31GiB" # 1 less than the hard limit on the used nodes 
+    backups:
+      s3:
+        enabled: true
+        envconfig:
+          BACKUP_S3_ENDPOINT: minio-tenant-hl.insights.svc.cluster.local:9000
+        secrets:
+          AWS_ACCESS_KEY_ID: <path:tools/argo/data/indico-dev/ins-dev/storage#access_key_id>
+          AWS_SECRET_ACCESS_KEY: <path:tools/argo/data/indico-dev/ins-dev/storage#secret_access_key>
+  EOF
+  ]
 
-data "external" "git_information" {
-  program = ["sh", "${path.module}/get_sha.sh"]
+  insights_values = <<EOF
+global:
+  host: ${lower("${var.label}.${var.region}.${var.aws_account}.indico.io")}
+  features:
+    askMyDocument: true
+insights-edge:
+  additionalAllowedOrigins:
+    - https://local.indico.io:1234
+server:
+  services:
+    lagoon:
+      env:
+        FIELD_AUTOCONFIRM_CONFIDENCE: 0.8
+        FIELD_CONFIG_PATH: "fields_config.yaml"
+ask-my-docs:
+  llmConfig:
+    llm: indico-azure-instance
+    azure:
+      apiBase: https://indico-openai.openai.azure.com/
+      deployment: indico-gpt-4
+      apiKey: <path:tools/argo/data/RandD/azureOpenAiKey#apiKey>
+  EOF
 }
 
-output "git_sha" {
-  value = data.external.git_information.result.sha
+module "insights" {
+  depends_on = [
+    module.indico-common
+  ]
+  source                              = "./modules/common/insights"
+  count                               = var.insights_enabled ? 1 : 0
+  argo_enabled                        = var.argo_enabled
+  github_repo_name                    = var.argo_repo
+  github_repo_branch                  = var.argo_branch
+  github_file_path                    = var.argo_path
+  github_commit_message               = var.message
+  helm_registry                       = var.ipa_repo
+  namespace                           = "insights"
+  ins_pre_reqs_version                = var.insights_pre_reqs_version
+  pre_reqs_values_yaml_b64            = var.insights-pre-reqs-values-yaml-b64
+  ins_pre_reqs_values_overrides       = local.insights_pre_reqs_values
+  account                             = var.aws_account
+  region                              = var.region
+  label                               = var.label
+  argo_application_name               = lower("${var.aws_account}.${var.region}.${var.label}-insights")
+  vault_path                          = "tools/argo/data/ipa-deploy"
+  argo_server                         = module.cluster.kubernetes_host
+  argo_project_name                   = var.argo_enabled ? module.argo-registration[0].argo_project_name : ""
+  insights_version                    = var.insights_version
+  k8s_version                         = var.k8s_version
+  insights_values_terraform_overrides = local.insights_values
+  insights_values_overrides           = var.insights_values
 }
 
+# And we can install any additional helm charts at this point as well
+module "additional_application" {
+  depends_on = [
+    module.indico-common
+  ]
 
-output "git_branch" {
-  value = data.external.git_information.result.branch
+  for_each = var.applications
+
+  source                 = "./modules/common/application-deployment"
+  account                = var.aws_account
+  region                 = var.region
+  label                  = var.label
+  namespace              = each.value.namespace
+  argo_enabled           = var.argo_enabled
+  github_repo_name       = var.argo_repo
+  github_repo_branch     = var.argo_branch
+  github_file_path       = "${var.argo_path}/${each.value.name}_application.yaml"
+  github_commit_message  = var.message
+  argo_application_name  = lower("${var.aws_account}-${var.region}-${var.label}-${each.value.name}")
+  argo_vault_plugin_path = each.value.vaultPath
+  argo_server            = module.cluster.kubernetes_host
+  argo_project_name      = var.argo_enabled ? module.argo-registration[0].argo_project_name : ""
+  chart_name             = each.value.chart
+  chart_repo             = each.value.repo
+  chart_version          = each.value.version
+  k8s_version            = var.k8s_version
+  release_name           = each.value.name
+  terraform_helm_values  = ""
+  helm_values            = trimspace(base64decode(each.value.values))
 }
 
-/*
-resource "null_resource" "sleep-5-minutes-wait-for-charts-smoketest-build" {
+
+resource "argocd_application" "ipa" {
   depends_on = [
-    time_sleep.wait_1_minutes_after_pre_reqs
+    # local_file.kubeconfig,
+    module.intake,
+    module.insights,
+    module.argo-registration,
+    kubernetes_job.snapshot-restore-job,
   ]
 
-  triggers = {
-    always_run = "${timestamp()}"
+  count = var.argo_enabled == true ? 1 : 0
+
+  wait = true
+
+  metadata {
+    name      = lower("${var.aws_account}-${var.region}-${var.label}-deploy-ipa")
+    namespace = var.argo_namespace
+    labels = {
+      test = "true"
+    }
   }
 
-  provisioner "local-exec" {
-    command = "sleep 300"
+  spec {
+    project = module.argo-registration[0].argo_project_name
+
+    source {
+      repo_url        = "https://github.com/IndicoDataSolutions/${var.argo_repo}.git"
+      path            = var.argo_path
+      target_revision = var.argo_branch
+      directory {
+        recurse = false
+        jsonnet {
+        }
+      }
+    }
+    sync_policy {
+      automated {
+        prune       = true
+        self_heal   = true
+        allow_empty = false
+      }
+      sync_options = [
+        "ServerSideApply=true",
+        "CreateNamespace=true"
+      ]
+    }
+
+    destination {
+      #server    = "https://kubernetes.default.svc"
+      name      = "in-cluster"
+      namespace = var.argo_namespace
+    }
+  }
+
+  timeouts {
+    create = "30m"
+    delete = "30m"
   }
 }
-*/
 
 resource "null_resource" "wait-for-tf-cod-chart-build" {
   count = var.argo_enabled == true ? 1 : 0
 
   depends_on = [
-    time_sleep.wait_1_minutes_after_pre_reqs,
-    helm_release.ipa-pre-requisites
+    module.intake,
+    module.indico-common
   ]
 
   triggers = {
@@ -1036,7 +1295,6 @@ resource "null_resource" "wait-for-tf-cod-chart-build" {
   }
 }
 
-
 output "harbor-api-token" {
   sensitive = true
   value     = var.argo_enabled == true ? jsondecode(data.vault_kv_secret_v2.harbor-api-token[0].data_json)["bearer_token"] : ""
@@ -1046,45 +1304,6 @@ output "smoketest_chart_version" {
   value = "${path.module}/validate_chart.sh terraform-smoketests 0.1.1-${data.external.git_information.result.branch}-${substr(data.external.git_information.result.sha, 0, 8)}"
 }
 
-resource "helm_release" "terraform-smoketests" {
-  count = var.terraform_smoketests_enabled == true ? 1 : 0
-
-  depends_on = [
-    null_resource.wait-for-tf-cod-chart-build,
-    #null_resource.sleep-5-minutes-wait-for-charts-smoketest-build,
-    kubernetes_config_map.terraform-variables,
-    helm_release.monitoring
-  ]
-
-  verify           = false
-  name             = "terraform-smoketests-${substr(data.external.git_information.result.sha, 0, 8)}"
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "terraform-smoketests"
-  version          = "0.1.1-${data.external.git_information.result.branch}-${substr(data.external.git_information.result.sha, 0, 8)}"
-  wait             = true
-  wait_for_jobs    = true
-  timeout          = "300" # 5 minutes
-  disable_webhooks = false
-  values = [<<EOF
-  cluster:
-    cloudProvider: aws
-    account: ${var.aws_account}
-    region: ${var.region}
-    name: ${var.label}
-  image:
-    repository: ${var.image_registry}/indico/terraform-smoketests
-    tag: "${substr(data.external.git_information.result.sha, 0, 8)}"
-  EOF
-  ]
-}
-
-resource "time_sleep" "wait_1_minutes_after_pre_reqs" {
-  depends_on = [helm_release.ipa-pre-requisites]
-
-  create_duration = "1m"
-}
-
 data "vault_kv_secret_v2" "account-robot-credentials" {
   count = var.local_registry_enabled == true ? 1 : 0
   mount = "customer-${var.aws_account}"
@@ -1208,11 +1427,7 @@ resource "htpasswd_password" "hash" {
 
 resource "helm_release" "local-registry" {
   depends_on = [
-    kubernetes_namespace.local-registry,
-    time_sleep.wait_1_minutes_after_pre_reqs,
-    module.cluster,
-    kubernetes_persistent_volume_claim.local-registry,
-    time_sleep.wait_1_minutes_after_cluster
+    module.indico-common
   ]
 
   count = var.local_registry_enabled == true ? 1 : 0
@@ -1227,11 +1442,9 @@ resource "helm_release" "local-registry" {
   wait             = false
   timeout          = "1800" # 30 minutes
   disable_webhooks = false
-
   values = [<<EOF
 cert-manager:
   enabled: false
-
 ingress-nginx:
   enabled: true
   
@@ -1259,7 +1472,6 @@ ingress-nginx:
         annotations:
           service.beta.kubernetes.io/aws-load-balancer-internal: "true"
         enabled: true
-
 docker-registry:
   image:
     repository: ${var.image_registry}/docker.io/library/registry
@@ -1278,7 +1490,6 @@ docker-registry:
       cert-manager.io/cluster-issuer: zerossl
       kubernetes.io/ingress.class: nginx-internal
       service.beta.kubernetes.io/aws-load-balancer-internal: "true"
-
     labels: 
       acme.cert-manager.io/dns01-solver: "true"
     hosts:
@@ -1294,26 +1505,21 @@ docker-registry:
     size: 100Gi
     existingClaim: local-registry
     storageClass: local-registry
-
   proxy:
     enabled: true
     remoteurl: https://${var.image_registry}
     secretRef: remote-access
   replicaCount: 3
-  
   secrets:
     htpasswd: local-user:${htpasswd_password.hash.bcrypt}
-
 localPullSecret:
   password: ${random_password.password.result}
   secretName: local-pull-secret
   username: local-user
-
 metrics-server:
   apiService:
     create: true
   enabled: false
-
 proxyRegistryAccess:
   proxyPassword: ${var.local_registry_enabled == true ? jsondecode(data.vault_kv_secret_v2.account-robot-credentials[0].data_json)["harbor_password"] : ""}
   proxyPullSecretName: remote-access
@@ -1337,223 +1543,6 @@ output "local_registry_username" {
   value = "local-user"
 }
 
-
-data "github_repository" "argo-github-repo" {
-  count     = var.argo_enabled == true ? 1 : 0
-  full_name = "IndicoDataSolutions/${var.argo_repo}"
-}
-
-resource "github_repository_file" "smoketest-application-yaml" {
-  count = var.ipa_smoketest_enabled == true && var.argo_enabled == true ? 1 : 0
-
-  repository          = data.github_repository.argo-github-repo[0].name
-  branch              = var.argo_branch
-  file                = "${var.argo_path}/ipa_smoketest.yaml"
-  commit_message      = var.message
-  overwrite_on_create = true
-
-  lifecycle {
-    ignore_changes = [
-      content
-    ]
-  }
-
-  content = <<EOT
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: ${local.argo_smoketest_app_name}
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-  labels:
-    app: cod
-    region: ${var.region}
-    account: ${var.aws_account}
-    name: ${var.label}
-  annotations:
-    avp.kubernetes.io/path: tools/argo/data/ipa-deploy
-    argocd.argoproj.io/sync-wave: "2"
-spec:
-  destination:
-    server: ${module.cluster.kubernetes_host}
-    namespace: default
-  project: ${module.argo-registration[0].argo_project_name}
-  syncPolicy:
-    automated:
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
-
-  source:
-    chart: cod-smoketests
-    repoURL: ${var.ipa_smoketest_repo}
-    targetRevision: ${var.ipa_smoketest_version}
-    plugin:
-      name: argocd-vault-plugin-helm-values-expand-no-build
-      env:
-        - name: KUBE_VERSION
-          value: "${var.k8s_version}"
-
-        - name: RELEASE_NAME
-          value: run
-      
-        - name: HELM_VALUES
-          value: |
-            cluster:
-              name: ${var.label}
-              region: ${var.region}
-              account: ${var.aws_account}
-            host: ${local.dns_name}
-            image:
-              repository: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico/integration_tests
-            ${indent(12, base64decode(var.ipa_smoketest_values))}    
-EOT
-}
-
-resource "github_repository_file" "alb-values-yaml" {
-  count               = var.argo_enabled == true ? 1 : 0
-  repository          = data.github_repository.argo-github-repo[0].name
-  branch              = var.argo_branch
-  file                = "${var.argo_path}/helm/alb.values"
-  commit_message      = var.message
-  overwrite_on_create = true
-
-  lifecycle {
-    ignore_changes = [
-      content
-    ]
-  }
-  depends_on = [
-    module.cluster,
-    aws_acm_certificate_validation.alb[0],
-    time_sleep.wait_1_minutes_after_cluster
-  ]
-
-  content = local.alb_ipa_values
-}
-
-resource "github_repository_file" "argocd-application-yaml" {
-  count               = var.argo_enabled == true ? 1 : 0
-  repository          = data.github_repository.argo-github-repo[0].name
-  branch              = var.argo_branch
-  file                = "${var.argo_path}/ipa_application.yaml"
-  commit_message      = var.message
-  overwrite_on_create = true
-
-  lifecycle {
-    ignore_changes = [
-      content
-    ]
-  }
-  depends_on = [
-    module.cluster,
-    aws_wafv2_web_acl.wafv2-acl[0],
-    time_sleep.wait_1_minutes_after_cluster
-  ]
-
-  content = <<EOT
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: ${local.argo_app_name}
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-  labels:
-    app: cod
-    region: ${var.region}
-    account: ${var.aws_account}
-    name: ${var.label}
-  annotations:
-    avp.kubernetes.io/path: tools/argo/data/ipa-deploy
-    argocd.argoproj.io/sync-wave: "-2"
-spec:
-  ignoreDifferences:
-    - group: apps
-      jsonPointers:
-        - /spec/replicas
-      kind: Deployment
-  destination:
-    server: ${module.cluster.kubernetes_host}
-    namespace: default
-  project: ${module.argo-registration[0].argo_project_name}
-  syncPolicy:
-    automated:
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
-  source:
-    chart: ipa
-    repoURL: ${var.ipa_repo}
-    targetRevision: ${var.ipa_version}
-    plugin:
-      name: argocd-vault-plugin-helm-values-expand-no-build
-      env:
-        - name: KUBE_VERSION
-          value: "${var.k8s_version}"
-
-        - name: RELEASE_NAME
-          value: ipa
-        
-        - name: HELM_TF_COD_VALUES
-          value: |
-            global:
-              image:
-                registry: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico
-            ${indent(12, local.local_registry_tf_cod_values)}
-            runtime-scanner:
-              enabled: ${replace(lower(var.aws_account), "indico", "") == lower(var.aws_account) ? "false" : "true"}
-              image:
-                repository: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico-devops/runtime-scanner
-              authentication:
-                ingressUser: monitoring
-                ingressPassword: ${random_password.monitoring-password.result}
-                ${indent(14, local.runtime_scanner_ingress_values)}
-            celery-flower:
-              image:
-              
-                repository: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico/flower
-            aws-node-termination:
-              aws-node-termination-handler:
-                image:
-                  repository: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico/aws-node-termination-handler
-            nvidia-device-plugin:
-              nvidia-device-plugin:
-                image:
-                  repository: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/public-nvcr-proxy/nvidia/k8s-device-plugin
-            reloader:
-              reloader:
-                reloader:
-                  deployment:
-                    image:
-                      name: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/dockerhub-proxy/stakater/reloader
-            kafka-strimzi:
-              strimzi-kafka-operator: 
-                defaultImageRegistry: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/strimzi-proxy
-              kafkacat:
-                image:
-                  registry: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/dockerhub-proxy/confluentinc
-              schemaRegistry:
-                image:
-                  registry: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/dockerhub-proxy/confluentinc
-              kafkaConnect:
-                image:
-                  registry: ${var.local_registry_enabled ? "local-registry.${local.dns_name}" : "${var.image_registry}"}/indico
-            ${indent(12, local.alb_ipa_values)}         
-        - name: HELM_VALUES
-          value: |
-            ${base64decode(var.ipa_values)}    
-EOT
-}
-
-
-# resource "local_file" "kubeconfig" {
-#   content  = module.cluster.kubectl_config
-#   filename = "${path.module}/module.kubeconfig"
-# }
-
-
 data "vault_kv_secret_v2" "zerossl_data" {
   mount = var.vault_mount_path
   name  = "zerossl"
@@ -1564,128 +1553,25 @@ output "zerossl" {
   value     = data.vault_kv_secret_v2.zerossl_data.data_json
 }
 
-resource "argocd_application" "ipa" {
+resource "kubernetes_secret" "issuer-secret" {
   depends_on = [
-    # local_file.kubeconfig,
-    helm_release.ipa-pre-requisites,
-    time_sleep.wait_1_minutes_after_pre_reqs,
-    module.argo-registration,
-    kubernetes_job.snapshot-restore-job,
-    github_repository_file.argocd-application-yaml,
-    helm_release.monitoring
+    module.cluster,
+    time_sleep.wait_1_minutes_after_cluster
   ]
 
-  count = var.argo_enabled == true ? 1 : 0
-
-  wait = true
-
   metadata {
-    name      = lower("${var.aws_account}-${var.region}-${var.label}-deploy-ipa")
-    namespace = var.argo_namespace
-    labels = {
-      test = "true"
+    name      = "acme-route53"
+    namespace = "default"
+    annotations = {
+      "reflector.v1.k8s.emberstack.com/reflection-allowed"      = true
+      "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" = true
+      "temporary.please.change/weaker-credentials-needed"       = true
     }
   }
 
-  spec {
-    project = module.argo-registration[0].argo_project_name
-
-    source {
-      repo_url        = "https://github.com/IndicoDataSolutions/${var.argo_repo}.git"
-      path            = var.argo_path
-      target_revision = var.argo_branch
-      directory {
-        recurse = false
-        jsonnet {
-        }
-      }
-    }
-    sync_policy {
-      automated {
-        prune       = true
-        self_heal   = true
-        allow_empty = false
-      }
-      sync_options = [
-        "ServerSideApply=true",
-        "CreateNamespace=true"
-      ]
-    }
-
-    destination {
-      #server    = "https://kubernetes.default.svc"
-      name      = "in-cluster"
-      namespace = var.argo_namespace
-    }
-  }
+  type = "Opaque"
 
-  timeouts {
-    create = "30m"
-    delete = "30m"
+  data = {
+    "secret-access-key" = var.aws_secret_key
   }
 }
-
-
-# Create Argo Application YAML for each user supplied application
-
-
-resource "github_repository_file" "custom-application-yaml" {
-  for_each = var.argo_enabled == true ? var.applications : {}
-
-  repository          = data.github_repository.argo-github-repo[0].name
-  branch              = var.argo_branch
-  file                = "${var.argo_path}/${each.value.name}_application.yaml"
-  commit_message      = var.message
-  overwrite_on_create = true
-
-  #TODO:
-  # this allows people to make edits to the file so we don't overwrite it.
-  #lifecycle {
-  #  ignore_changes = [
-  #    content
-  #  ]
-  #}
-
-  content = <<EOT
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: ${lower("${var.aws_account}-${var.region}-${var.label}-${each.value.name}")} 
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-  annotations:
-     avp.kubernetes.io/path: ${each.value.vaultPath}
-     argocd.argoproj.io/compare-options: ServerSideDiff=true
-  labels:
-    app: ${each.value.name}
-    region: ${var.region}
-    account: ${var.aws_account}
-    name: ${var.label}
-spec:
-  destination:
-    server: ${module.cluster.kubernetes_host}
-    namespace: ${each.value.namespace}
-  project: ${module.argo-registration[0].argo_project_name}
-  syncPolicy:
-    automated:
-      prune: true
-    syncOptions:
-      - CreateNamespace=${each.value.createNamespace}
-      - ServerSideApply=true
-  source:
-    chart: ${each.value.chart}
-    repoURL: ${each.value.repo}
-    targetRevision: ${each.value.version}
-    plugin:
-      name: argocd-vault-plugin-helm-values-expand-no-build
-      env:
-        - name: KUBE_VERSION
-          value: "${var.k8s_version}"
-        - name: RELEASE_NAME
-          value: ${each.value.name}
-        - name: HELM_VALUES
-          value: |
-            ${indent(12, base64decode(each.value.values))}
-EOT
-}
-
diff --git a/aws_specific_modules.tf b/aws_specific_modules.tf
index b2319800..b203bf4f 100644
--- a/aws_specific_modules.tf
+++ b/aws_specific_modules.tf
@@ -5,7 +5,7 @@ module "keycloak" {
   count = var.keycloak_enabled == true ? 1 : 0
   depends_on = [
     module.cluster,
-    helm_release.ipa-pre-requisites
+    module.intake
   ]
   source         = "./modules/aws/keycloak"
   local_dns_name = local.dns_name
diff --git a/azure/application.tf b/azure/application.tf
new file mode 100644
index 00000000..95152c00
--- /dev/null
+++ b/azure/application.tf
@@ -0,0 +1,1120 @@
+locals {
+  openshift_dns_credentials = <<EOF
+  {
+  "tenantId" : "${data.azurerm_client_config.current.tenant_id}",
+  "subscriptionId" : "${split("/", data.azurerm_subscription.primary.id)[2]}",
+  "resourceGroup" : "${var.common_resource_group}",
+  "aadClientId": "${var.use_workload_identity == true ? azuread_application.workload_identity.0.application_id : ""}",
+  "aadClientSecret": "${var.use_workload_identity == true ? azuread_application_password.workload_identity.0.value : ""}"
+  }
+  EOF
+
+  azure_dns_credentials = <<EOF
+  {
+    "tenantId" : "${data.azurerm_client_config.current.tenant_id}",
+    "subscriptionId" : "${split("/", data.azurerm_subscription.primary.id)[2]}",
+    "resourceGroup" : "${var.common_resource_group}",
+    "useManagedIdentityExtension" : true,
+    "userAssignedIdentityID" : "${module.cluster.kubelet_identity.client_id}"
+  }
+  EOF
+
+  # https://docs.openshift.com/container-platform/4.10/nodes/pods/nodes-pods-autoscaling-custom.html
+  prometheus_address = var.is_openshift ? "https://thanos-querier.openshift-monitoring.svc.cluster.local:9091" : "http://monitoring-kube-prometheus-prometheus.monitoring.svc.cluster.local:9090/prometheus"
+
+}
+resource "kubernetes_secret" "issuer-secret" {
+  depends_on = [
+    module.cluster
+  ]
+
+  metadata {
+    name      = "acme-azuredns"
+    namespace = "indico"
+    annotations = {
+      "reflector.v1.k8s.emberstack.com/reflection-allowed"      = true
+      "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" = true
+      "temporary.please.change/weaker-credentials-needed"       = true
+    }
+  }
+
+  type = "Opaque"
+
+  data = {
+    "secret-access-key" = "foobar"
+  }
+}
+
+#TODO: move to prereqs
+resource "kubernetes_secret" "harbor-pull-secret" {
+  depends_on = [
+    module.cluster
+  ]
+
+  metadata {
+    name      = "harbor-pull-secret"
+    namespace = "indico"
+    annotations = {
+      "reflector.v1.k8s.emberstack.com/reflection-allowed"      = true
+      "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" = true
+    }
+  }
+
+  type = "kubernetes.io/dockerconfigjson"
+
+  data = {
+    ".dockerconfigjson" = "${base64decode(var.harbor_pull_secret_b64)}"
+  }
+}
+
+data "vault_kv_secret_v2" "harbor-api-token" {
+  count = var.argo_enabled == true ? 1 : 0
+  mount = "tools/argo"
+  name  = "harbor-api"
+}
+
+module "secrets-operator-setup" {
+  depends_on = [
+    module.cluster
+  ]
+  count           = var.secrets_operator_enabled == true ? 1 : 0
+  source          = "../modules/common/vault-secrets-operator-setup"
+  vault_address   = var.vault_address
+  account         = var.account
+  region          = var.region
+  name            = var.label
+  kubernetes_host = module.cluster.kubernetes_host
+}
+
+resource "kubernetes_namespace" "indico" {
+  metadata {
+    name = "indico"
+  }
+}
+
+locals {
+  indico_crds_values = [<<EOF
+migrations:
+  vaultSecretsOperator:
+    updateCRDs: ${var.secrets_operator_enabled}
+aws-ebs-csi-driver:
+  enabled: false
+cert-manager: 
+  enabled: true
+  crds:
+    enabled: true   
+  nodeSelector:
+    kubernetes.io/os: linux
+  webhook:
+    nodeSelector:
+      kubernetes.io/os: linux
+  cainjector:
+    nodeSelector:
+      kubernetes.io/os: linux
+migrations-operator:
+  enabled: ${var.ipa_enabled || var.insights_enabled}
+  image:
+    repository: ${var.image_registry}/indico/migrations-operator
+  controllerImage:
+    repository: ${var.image_registry}/indico/migrations-controller
+    kubectlImage: ${var.image_registry}/indico/migrations-controller-kubectl
+crunchy-pgo:
+  enabled: ${var.ipa_enabled || var.insights_enabled}
+minio:
+  enabled: ${var.insights_enabled || var.minio_enabled}
+vault-secrets-operator:
+  enabled: ${var.secrets_operator_enabled}
+  controller: 
+    imagePullSecrets:
+      - name: harbor-pull-secret
+    kubeRbacProxy:
+      image:
+        repository: ${var.image_registry}/quay.io/brancz/kube-rbac-proxy
+      resources:
+        limits:
+          cpu: 500m
+          memory: 1024Mi
+        requests:
+          cpu: 500m
+          memory: 512Mi
+    manager:
+      image:
+        repository: ${var.image_registry}/docker.io/hashicorp/vault-secrets-operator
+      resources:
+        limits:
+          cpu: 500m
+          memory: 1024Mi
+        requests:
+          cpu: 500m
+          memory: 512Mi
+  defaultAuthMethod:
+    enabled: true
+    namespace: default
+    method: kubernetes
+    mount: ${var.secrets_operator_enabled == true ? module.secrets-operator-setup[0].vault_mount_path : "unused-mount"}
+    kubernetes:
+      role: ${var.secrets_operator_enabled == true ? module.secrets-operator-setup[0].vault_auth_role_name : "unused-role"}
+      tokenAudiences: ["vault"]
+      serviceAccount: ${var.secrets_operator_enabled == true ? module.secrets-operator-setup[0].vault_auth_service_account_name : "vault-sa"}
+  defaultVaultConnection:
+    enabled: true
+    address: ${var.vault_address}
+    skipTLSVerify: false
+    spec:
+    template:
+      spec:
+        containers:
+        - name: manager
+          args:
+          - "--client-cache-persistence-model=direct-encrypted"
+external-secrets:
+  enabled: true
+  installCRDs: true
+  image:
+    repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
+  webhook:
+    image:
+      repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
+  certController:
+    image:
+      repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
+  EOF
+  ]
+
+  indico_pre_reqs_values = [<<EOF
+global:
+  host: ${local.dns_name}
+  image:
+    registry: ${var.image_registry}
+storage:
+  ebsStorageClass:
+    enabled: false
+secrets:
+  rabbitmq:
+    create: true
+  general:
+    create: true
+  clusterIssuer:
+    zerossl:
+      create: ${var.enable_custom_cluster_issuer == false ? true : false}
+      eabEmail: devops-sa@indico.io
+      eabKid: "${jsondecode(data.vault_kv_secret_v2.zerossl_data.data_json)["EAB_KID"]}"
+      eabHmacKey: "${jsondecode(data.vault_kv_secret_v2.zerossl_data.data_json)["EAB_HMAC_KEY"]}"
+    letsencrypt:
+      create: true
+clusterIssuer:
+  additionalSolvers:
+    - dns01:
+        azureDNS:
+          environment: AzurePublicCloud
+          hostedZoneName: ${local.base_domain}
+          managedIdentity:
+            clientID: ${module.cluster.kubelet_identity.client_id}
+          resourceGroupName: ${var.common_resource_group}
+          subscriptionID: ${split("/", data.azurerm_subscription.primary.id)[2]}
+      selector:
+        matchLabels:
+          "acme.cert-manager.io/dns01-solver": "true"
+
+aws-efs-csi-driver:
+  enabled: false
+aws-for-fluent-bit:
+  enabled: false
+aws-fsx-csi-driver:
+  enabled: false
+aws-load-balancer-controller:
+  enabled: false
+cluster-autoscaler:
+  enabled: false
+external-dns:
+  enabled: ${var.enable_external_dns}
+  logLevel: debug
+  policy: sync
+  txtOwnerId: "${var.label}-${var.region}"
+  domainFilters:
+    - ${var.account}.${var.domain_suffix}.
+
+  provider: azure
+  
+  extraVolumes: 
+    - name: azure-config
+      configMap:
+        name: dns-credentials-config
+
+  extraVolumeMounts: 
+    - name: azure-config
+      mountPath: /etc/kubernetes/azure.json
+      subPath: azure.json
+
+  policy: sync
+  sources:
+    - service
+    - ingress
+ingress-nginx:
+  enabled: ${local.kube_prometheus_stack_enabled}
+  rbac:
+    create: true
+  controller:
+    service:
+      annotations:
+        service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz
+  admissionWebhooks:
+    patch:
+      nodeSelector.beta.kubernetes.io/os: linux
+    controller:
+      service:
+        annotations:
+          service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz
+  authentication:
+    ingressUsername: monitoring
+    ingressPassword: ${random_password.monitoring-password.result}
+  defaultBackend:
+    nodeSelector.beta.kubernetes.io/os: linux
+reflector:
+  image:
+    repository: ${var.image_registry}/docker.io/emberstack/kubernetes-reflector
+  EOF
+  ]
+
+  monitoring_values = var.monitoring_enabled ? concat([<<EOF
+global:
+  host: "${local.dns_name}"
+prometheus-postgres-exporter:
+  enabled: false
+authentication:
+  ingressUsername: monitoring
+  ingressPassword: ${random_password.monitoring-password.result}
+${local.alerting_configuration_values}
+keda:
+  enabled: ${var.monitoring_enabled}
+  global:
+    image:
+      registry: "${var.image_registry}/ghcr.io"
+  imagePullSecrets:
+    - name: harbor-pull-secret
+  resources:
+    operator:
+      requests:
+        memory: 512Mi
+      limits:
+        memory: 4Gi
+  crds:
+    install: true
+  
+  podAnnotations:
+    keda:
+      prometheus.io/scrape: "true"
+      prometheus.io/path: "/metrics"
+      prometheus.io/port: "8080"
+    metricsAdapter: 
+      prometheus.io/scrape: "true"
+      prometheus.io/path: "/metrics"
+      prometheus.io/port: "9022"
+  prometheus:
+    metricServer:
+      enabled: true
+      podMonitor:
+        enabled: true
+    operator:
+      enabled: true
+      podMonitor:
+        enabled: true
+kube-prometheus-stack:
+${local.kube_prometheus_stack_values}
+metrics-server:
+  enabled: false
+opentelemetry-operator:
+  enabled: ${var.monitoring_enabled}
+  testFramework:
+    image:
+      repository: ${var.image_registry}/docker.io/library/busybox
+  kubeRBACProxy:
+    image:
+      repository: ${var.image_registry}/quay.io/brancz/kube-rbac-proxy
+  manager:
+    image:
+      repository: ${var.image_registry}/ghcr.io/open-telemetry/opentelemetry-operator/opentelemetry-operator
+    collectorImage:
+      repository: ${var.image_registry}/docker.io/otel/opentelemetry-collector-contrib
+opentelemetry-collector:
+  enabled: true
+  imagePullSecrets:
+    - name: harbor-pull-secret
+  image:
+    repository: ${var.image_registry}/docker.io/otel/opentelemetry-collector-contrib
+  fullnameOverride: "collector-collector"
+  mode: deployment
+  tolerations:
+  - effect: NoSchedule
+    key: indico.io/monitoring
+    operator: Exists
+  nodeSelector:
+    node_group: monitoring-workers
+  ports:
+    jaeger-compact:
+      enabled: false
+    jaeger-thrift:
+      enabled: false
+    jaeger-grpc:
+      enabled: false
+    zipkin:
+      enabled: false
+
+  config:
+    receivers:
+      jaeger: null
+      prometheus: null
+      zipkin: null
+    exporters:
+      otlp:
+        endpoint: monitoring-tempo.monitoring.svc:4317
+        tls:
+          insecure: true
+    service:
+      pipelines:
+        traces:
+          receivers:
+            - otlp
+          processors:
+            - batch
+          exporters:
+            - otlp
+        metrics: null
+        logs: null
+sql-exporter:
+  enabled: ${var.ipa_enabled}
+  image:
+    repository: '${var.image_registry}/dockerhub-proxy/burningalchemist/sql_exporter'
+  EOF
+    ], [<<EOF
+${local.private_dns_config}
+  EOF
+  ]) : []
+}
+
+module "indico-common" {
+  depends_on = [
+    module.cluster,
+    time_sleep.wait_1_minutes_after_cluster,
+    module.secrets-operator-setup
+  ]
+  source                           = "../modules/common/indico-common"
+  argo_enabled                     = var.argo_enabled
+  github_repo_name                 = var.argo_repo
+  github_repo_branch               = var.argo_branch
+  github_file_path                 = var.argo_path
+  github_commit_message            = var.message
+  helm_registry                    = var.ipa_repo
+  namespace                        = "indico"
+  indico_crds_version              = var.indico_crds_version
+  indico_crds_values_yaml_b64      = var.indico-crds-values-yaml-b64
+  indico_crds_values_overrides     = local.indico_crds_values
+  indico_pre_reqs_version          = var.indico_pre_reqs_version
+  indico_pre_reqs_values_overrides = local.indico_pre_reqs_values
+  indico_pre_reqs_values_yaml_b64  = var.indico-pre-reqs-values-yaml-b64
+  monitoring_enabled               = var.monitoring_enabled
+  monitoring_values                = local.monitoring_values
+  monitoring_version               = var.monitoring_version
+}
+
+resource "time_sleep" "wait_1_minutes_after_cluster" {
+  depends_on = [module.cluster]
+
+  create_duration = "1m"
+}
+
+# Install the Machinesets now
+resource "helm_release" "crunchy-postgres" {
+  count = var.is_openshift == true ? 1 : 0
+  depends_on = [
+    module.cluster,
+    module.indico-common
+  ]
+
+  name             = "crunchy"
+  create_namespace = true
+  namespace        = "crunchy"
+  repository       = var.ipa_repo
+  chart            = "crunchy-postgres"
+  version          = "0.3.0"
+  timeout          = "600" # 10 minutes
+  wait             = true
+
+  values = [<<EOF
+  enabled: true
+  postgres-data:
+    openshift: true
+    metadata:
+      annotations:
+        reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+        reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+    instances:
+    - affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node_group
+                operator: In
+                values:
+                - pgo-workers
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: postgres-operator.crunchydata.com/cluster
+                operator: In
+                values:
+                - postgres-data
+              - key: postgres-operator.crunchydata.com/instance-set
+                operator: In
+                values:
+                - pgha1
+            topologyKey: kubernetes.io/hostname
+      metadata:
+        annotations:
+          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+          reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+      dataVolumeClaimSpec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 200Gi
+      name: pgha1
+      replicas: 1
+      resources:
+        requests:
+          cpu: 1000m
+          memory: 3000Mi
+      tolerations:
+        - effect: NoSchedule
+          key: indico.io/crunchy
+          operator: Exists
+    pgBackRestConfig:
+      global:
+        archive-timeout: '10000'
+        repo1-retention-full: '5'
+      repos:
+      - name: repo1
+        volume:
+          volumeClaimSpec:
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 200Gi
+        schedules:
+          full: 30 4 * * 0 # Full backup weekly at 4:30am Sunday
+          differential: 0 0 * * * # Diff backup daily at midnight
+    imagePullSecrets:
+      - name: harbor-pull-secret
+  postgres-metrics:
+    enabled: false
+  EOF
+  ]
+}
+
+resource "azurerm_role_assignment" "external_dns" {
+  count = var.is_azure == true && var.is_openshift == false && var.private_dns_zone != true ? 1 : 0
+  depends_on = [
+    module.cluster
+  ]
+  scope                            = data.azurerm_dns_zone.domain.0.id
+  role_definition_name             = "DNS Zone Contributor"
+  principal_id                     = module.cluster.kubelet_identity.object_id
+  skip_service_principal_aad_check = true
+}
+
+resource "kubernetes_secret" "azure_storage_key" {
+  depends_on = [
+    module.cluster,
+    time_sleep.wait_1_minutes_after_cluster
+  ]
+  metadata {
+    name      = "azure-storage-key"
+    namespace = "indico"
+    annotations = {
+      "reflector.v1.k8s.emberstack.com/reflection-allowed"      = true
+      "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" = true
+    }
+  }
+
+  data = {
+    AZURE_CLIENT_ID         = module.cluster.kubelet_identity.client_id
+    azurestorageaccountname = module.storage.storage_account_name
+    azurestorageaccountkey  = module.storage.storage_account_primary_access_key
+    AZURE_ACCOUNT_NAME      = module.storage.storage_account_name
+    AZURE_ACCOUNT_KEY       = module.storage.storage_account_primary_access_key
+    AZURE_CONTAINER         = module.storage.blob_store_name
+  }
+}
+
+resource "kubernetes_config_map" "azure_dns_credentials" {
+  count = var.include_external_dns == true ? 1 : 0
+
+  depends_on = [
+    module.cluster,
+    time_sleep.wait_1_minutes_after_cluster
+  ]
+
+  metadata {
+    name      = "dns-credentials-config"
+    namespace = "indico"
+  }
+
+  data = {
+    "azure.json" = var.is_openshift ? local.openshift_dns_credentials : local.azure_dns_credentials
+  }
+}
+
+
+resource "kubectl_manifest" "custom-cluster-issuer" {
+  count = var.enable_custom_cluster_issuer == true ? 1 : 0
+  depends_on = [
+    module.cluster,
+    module.storage,
+    module.indico-common,
+    time_sleep.wait_1_minutes_after_cluster,
+    data.vault_kv_secret_v2.zerossl_data,
+    kubernetes_secret.azure_storage_key,
+    kubernetes_config_map.azure_dns_credentials,
+    kubernetes_service_account.workload_identity,
+  ]
+  yaml_body = <<YAML
+    apiVersion: cert-manager.io/v1
+    kind: ClusterIssuer
+    metadata:
+      name: zerossl
+    spec:
+      ${indent(6, var.custom_cluster_issuer_spec)} 
+  YAML
+}
+
+locals {
+  ipa_pre_reqs_values = [<<EOF
+cluster:
+  cloudProvider: azure
+  name: ${var.label}
+  region: ${var.region}
+  domain: ${var.domain_suffix}
+  account: ${var.account}
+  argoRepo: ${var.argo_repo}
+  argoBranch: ${var.argo_branch}
+  argoPath: ${var.argo_path}
+  ipaVersion: ${var.ipa_version}
+  ipaPreReqsVersion: ${var.ipa_pre_reqs_version}
+  ipaCrdsVersion: ${var.ipa_crds_version}
+
+storage:
+  existingPVC: false
+  ebsStorageClass:
+    enabled: false
+  indicoStorageClass:
+    enabled: false
+    name: "${local.indico_storage_class_name}"
+  pvcSpec:
+    azureFile:
+      readOnly: false
+      secretName: "azure-storage-key"
+      secretNamespace: null
+      shareName: ${module.storage.fileshare_name}
+    mountOptions:
+      - dir_mode=0777
+      - file_mode=0777
+      - uid=0
+      - gid=0
+      - nobrl
+      - nosharesock
+    csi: null
+    persistentVolumeReclaimPolicy: Retain
+    volumeMode: Filesystem
+
+rabbitmq:
+  enabled: true
+  rabbitmq:
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+
+apiModels:
+  enabled: true
+  nodeSelector:
+    node_group: static-workers
+
+crunchy-postgres:
+  enabled: ${!var.is_openshift}
+  postgres-data:
+    metadata:
+      annotations:
+        reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "default,indico,monitoring"
+    instances:
+    - affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node_group
+                operator: In
+                values:
+                - pgo-workers
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: postgres-operator.crunchydata.com/cluster
+                operator: In
+                values:
+                - postgres-data
+              - key: postgres-operator.crunchydata.com/instance-set
+                operator: In
+                values:
+                - pgha1
+            topologyKey: kubernetes.io/hostname
+      metadata:
+        annotations:
+          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+          reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+          reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "default,indico,monitoring"
+      dataVolumeClaimSpec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 200Gi
+      name: pgha1
+      replicas: 1
+      resources:
+        requests:
+          cpu: 500m
+          memory: 3000Mi
+      tolerations:
+        - effect: NoSchedule
+          key: indico.io/crunchy
+          operator: Exists
+    pgBackRestConfig:
+      global:
+        archive-timeout: '10000'
+        repo1-path: /pgbackrest/postgres-data/repo1
+        repo1-retention-full: '5'
+        repo1-azure-account: ${module.storage.storage_account_name}
+        repo1-azure-key: ${module.storage.storage_account_primary_access_key}
+      repos:
+      - name: repo1
+        azure:
+          container: " ${module.storage.crunchy_backup_name}"
+        schedules:
+          full: 30 4 * * *
+          incremental: 0 0 * * *
+      jobs:
+        resources:
+          requests:
+            cpu: 1000m
+            memory: 3000Mi
+  EOF
+  ]
+
+  intake_values = <<EOF
+nvidia-device-plugin:
+  nvidia-device-plugin:
+    compatWithCPUManager: True
+readapi:
+  annotations:
+    reloader.stakater.com/auto: "true"
+  serviceAccountName: "workload-identity-storage-account"
+  labels:
+    "azure.workload.identity/use": "true"
+  secretRefs:
+    - indico-static-secrets
+    - indico-generated-secrets
+    - rabbitmq
+    - azure-storage-key
+aws-node-termination:
+  enabled: false 
+global:
+  podLabels:
+    "azure.workload.identity/use": "true"
+  serviceAccountName: "workload-identity-storage-account"
+runtime-scanner:
+  enabled: ${replace(lower(var.account), "indico", "") == lower(var.account) ? "false" : "true"}
+  authentication:
+    ingressUser: monitoring
+    ingressPassword: ${random_password.monitoring-password.result}
+  EOF
+}
+
+module "intake" {
+  depends_on = [
+    module.indico-common
+  ]
+  source                            = "../modules/common/intake"
+  count                             = var.ipa_enabled ? 1 : 0
+  argo_enabled                      = var.argo_enabled
+  github_repo_name                  = var.argo_repo
+  github_repo_branch                = var.argo_branch
+  github_file_path                  = var.argo_path
+  github_commit_message             = var.message
+  helm_registry                     = var.ipa_repo
+  namespace                         = "default"
+  ipa_pre_reqs_version              = var.ipa_pre_reqs_version
+  pre_reqs_values_yaml_b64          = var.pre-reqs-values-yaml-b64
+  ipa_pre_reqs_values_overrides     = local.ipa_pre_reqs_values
+  account                           = var.account
+  region                            = var.region
+  label                             = var.label
+  argo_application_name             = lower("${var.account}.${var.region}.${var.label}-ipa")
+  vault_path                        = "tools/argo/data/ipa-deploy"
+  argo_server                       = module.cluster.kubernetes_host
+  argo_project_name                 = module.argo-registration[0].argo_project_name
+  intake_version                    = var.ipa_version
+  k8s_version                       = var.k8s_version
+  intake_values_terraform_overrides = local.intake_values
+  intake_values_overrides           = var.ipa_values
+}
+
+data "github_repository" "argo-github-repo" {
+  count     = var.argo_enabled == true ? 1 : 0
+  full_name = "${var.github_organization}/${var.argo_repo}"
+}
+
+locals {
+  smoketests_values = <<EOF
+  cluster:
+    account: ${var.account}
+    region: ${var.region}
+    name: ${var.label}
+  host: ${local.dns_name}
+  slack:
+    channel: ${var.ipa_smoketest_slack_channel}
+  prometheus:
+    url: ${local.prometheus_address}
+  ${indent(4, base64decode(var.ipa_smoketest_values))}
+  EOF
+}
+
+module "intake_smoketests" {
+  depends_on = [
+    module.intake
+  ]
+  count                  = var.ipa_smoketest_enabled && var.ipa_enabled ? 1 : 0
+  source                 = "../modules/common/application-deployment"
+  account                = var.account
+  region                 = var.region
+  label                  = var.label
+  namespace              = "default"
+  argo_enabled           = var.argo_enabled
+  github_repo_name       = var.argo_repo
+  github_repo_branch     = var.argo_branch
+  github_file_path       = "${var.argo_path}/ipa_smoketest.yaml"
+  github_commit_message  = var.message
+  argo_application_name  = local.argo_smoketest_app_name
+  argo_vault_plugin_path = "tools/argo/data/ipa-deploy"
+  argo_server            = module.cluster.kubernetes_host
+  argo_project_name      = var.argo_enabled ? module.argo-registration[0].argo_project_name : ""
+  chart_name             = "cod-smoketests"
+  chart_repo             = var.ipa_smoketest_repo
+  chart_version          = var.ipa_smoketest_version
+  k8s_version            = var.k8s_version
+  release_name           = "run"
+  terraform_helm_values  = ""
+  helm_values            = indent(10, trimspace(local.smoketests_values))
+}
+
+locals {
+  insights_pre_reqs_values = [<<EOF
+crunchy-postgres:
+  enabled: ${!var.is_openshift}
+  postgres-data:
+    enabled: true
+    name: postgres-insights
+    postgresVersion: 13
+    metadata:
+      annotations:
+        reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "insights,indico,monitoring"
+    instances:
+    - affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node_group
+                operator: In
+                values:
+                - pgo-workers
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: postgres-operator.crunchydata.com/cluster
+                operator: In
+                values:
+                - postgres-insights
+              - key: postgres-operator.crunchydata.com/instance-set
+                operator: In
+                values:
+                - pgha2
+            topologyKey: kubernetes.io/hostname
+      metadata:
+        annotations:
+          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+          reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+          reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "insights,indico,monitoring"
+      dataVolumeClaimSpec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 200Gi
+      name: pgha2
+      replicas: 1
+      resources:
+        requests:
+          cpu: 1000m
+          memory: 3000Mi
+      tolerations:
+        - effect: NoSchedule
+          key: indico.io/crunchy
+          operator: Exists
+    pgBackRestConfig:
+      global:
+        archive-timeout: '10000'
+        repo2-path: /pgbackrest/postgres-data/repo2
+        repo2-retention-full: '5'
+        repo2-azure-account: ${module.storage.storage_account_name}
+        repo2-azure-key: ${module.storage.storage_account_primary_access_key}
+      repos:
+      - name: repo2
+        azure:
+          container: " ${module.storage.crunchy_backup_name}"
+        schedules:
+          full: 30 4 * * *
+          incremental: 0 */1 * * *
+      jobs:
+        resources:
+          requests:
+            cpu: 1000m
+            memory: 3000Mi
+    monitoring: true
+    users:
+      - name: indico
+        options: "SUPERUSER"
+        databases:
+          - aqueduct
+          - ask_my_collection
+          - lagoon
+          - noct
+ingress:
+  useStaticCertificate: false
+  secretName: indico-ssl-static-cert
+  tls.crt: #base64 encoded value of certificate chain
+  tls.key: #base64 encoded value of certificate key
+minio:
+  createStorageClass: false
+  topology:
+    volumeSize: 128Gi
+    storageClassName: default
+  storage:
+    accessKey: <path:tools/argo/data/indico-dev/ins-dev/storage#access_key_id>
+    secretKey: <path:tools/argo/data/indico-dev/ins-dev/storage#secret_access_key>
+weaviate:
+  cronjob:
+    services:
+      weaviate-backup:
+        enabled: true
+  backupStorageConfig:
+    accessKey: <path:tools/argo/data/indico-dev/ins-dev/storage#access_key_id>
+    secretKey: <path:tools/argo/data/indico-dev/ins-dev/storage#secret_access_key>
+    url: http://minio-tenant-hl.insights.svc.cluster.local:9000
+  weaviate:
+    env:
+      GOMEMLIMIT: "31GiB" # 1 less than the hard limit on the used nodes
+    # TODO: enable this when we have a backup bucket
+    backups:
+      s3:
+        enabled: false
+        envconfig:
+          BACKUP_S3_ENDPOINT: minio-tenant-hl.insights.svc.cluster.local:9000
+        secrets:
+          AWS_ACCESS_KEY_ID: <path:tools/argo/data/indico-dev/ins-dev/storage#access_key_id>
+          AWS_SECRET_ACCESS_KEY: <path:tools/argo/data/indico-dev/ins-dev/storage#secret_access_key>
+  EOF
+  ]
+
+  insights_values = <<EOF
+global:
+  host: ${var.label}.${var.region}.indico-dev.indico.io
+  features:
+    askMyDocument: true
+  intake:
+    host: dev-ci.us-east-2.indico-dev.indico.io
+    apiToken: <path:tools/argo/data/indico-dev/ins-dev/intake#api_token>
+    tokenSecret: <path:tools/argo/data/indico-dev/ins-dev/intake#noct_token_secret>
+    cookieSecret: <path:tools/argo/data/indico-dev/ins-dev/intake#noct_cookie_secret>
+insights-edge:
+  additionalAllowedOrigins:
+    - https://local.indico.io:1234
+server:
+  services:
+    lagoon:
+      env:
+        FIELD_AUTOCONFIRM_CONFIDENCE: 0.8
+        FIELD_CONFIG_PATH: "fields_config.yaml"
+ask-my-docs:
+  llmConfig:
+    llm: indico-azure-instance
+    azure:
+      apiBase: https://indico-openai.openai.azure.com/
+      deployment: indico-gpt-4
+      apiKey: <path:tools/argo/data/RandD/azureOpenAiKey#apiKey>
+  EOF
+}
+
+module "insights" {
+  depends_on = [
+    module.indico-common
+  ]
+  source                              = "../modules/common/insights"
+  count                               = var.insights_enabled ? 1 : 0
+  argo_enabled                        = var.argo_enabled
+  github_repo_name                    = var.argo_repo
+  github_repo_branch                  = var.argo_branch
+  github_file_path                    = var.argo_path
+  github_commit_message               = var.message
+  helm_registry                       = var.ipa_repo
+  namespace                           = "insights"
+  ins_pre_reqs_version                = var.insights_pre_reqs_version
+  pre_reqs_values_yaml_b64            = var.insights-pre-reqs-values-yaml-b64
+  ins_pre_reqs_values_overrides       = local.insights_pre_reqs_values
+  account                             = var.account
+  region                              = var.region
+  label                               = var.label
+  argo_application_name               = lower("${var.account}.${var.region}.${var.label}-insights")
+  vault_path                          = "tools/argo/data/ipa-deploy"
+  argo_server                         = module.cluster.kubernetes_host
+  argo_project_name                   = module.argo-registration[0].argo_project_name
+  insights_version                    = var.insights_version
+  k8s_version                         = var.k8s_version
+  insights_values_terraform_overrides = local.insights_values
+  insights_values_overrides           = var.insights_values
+}
+
+# And we can install any additional helm charts at this point as well
+module "additional_application" {
+  depends_on = [
+    module.indico-common
+  ]
+
+  for_each = var.applications
+
+  source                 = "../modules/common/application-deployment"
+  account                = var.account
+  region                 = var.region
+  label                  = var.label
+  namespace              = each.value.namespace
+  argo_enabled           = var.argo_enabled
+  github_repo_name       = var.argo_repo
+  github_repo_branch     = var.argo_branch
+  github_file_path       = "${var.argo_path}/${each.value.name}_application.yaml"
+  github_commit_message  = var.message
+  argo_application_name  = lower("${var.account}-${var.region}-${var.label}-${each.value.name}")
+  argo_vault_plugin_path = each.value.vaultPath
+  argo_server            = module.cluster.kubernetes_host
+  argo_project_name      = var.argo_enabled ? module.argo-registration[0].argo_project_name : ""
+  chart_name             = each.value.chart
+  chart_repo             = each.value.repo
+  chart_version          = each.value.version
+  k8s_version            = var.k8s_version
+  release_name           = each.value.name
+  terraform_helm_values  = ""
+  helm_values            = trimspace(base64decode(each.value.values))
+}
+
+data "vault_kv_secret_v2" "zerossl_data" {
+  mount = local.customer_vault_mount_path
+  name  = "zerossl"
+}
+
+output "zerossl" {
+  sensitive = true
+  value     = data.vault_kv_secret_v2.zerossl_data.data_json
+}
+
+resource "argocd_application" "ipa" {
+  depends_on = [
+    module.intake,
+    module.insights,
+    module.argo-registration,
+    helm_release.cod-snapshot-restore
+  ]
+
+  count = var.ipa_enabled == true ? 1 : 0
+
+  wait = true
+
+  metadata {
+    name      = lower("${var.account}-${var.region}-${var.label}-deploy-ipa")
+    namespace = "argo"
+    labels = {
+      test = "true"
+    }
+  }
+
+  spec {
+
+    project = lower("${var.account}.${var.label}.${var.region}")
+
+    source {
+      repo_url        = "https://github.com/IndicoDataSolutions/${var.argo_repo}.git"
+      path            = var.argo_path
+      target_revision = var.argo_branch
+      directory {
+        recurse = false
+        jsonnet {
+        }
+      }
+    }
+
+    sync_policy {
+      automated {
+        prune       = true
+        self_heal   = true
+        allow_empty = false
+      }
+      sync_options = [
+        "ServerSideApply=true",
+        "CreateNamespace=true"
+      ]
+    }
+
+    destination {
+      server    = "https://kubernetes.default.svc"
+      namespace = "argo"
+    }
+  }
+
+  timeouts {
+    create = "30m"
+    delete = "30m"
+  }
+}
+
+resource "null_resource" "wait-for-tf-cod-chart-build" {
+  count = var.argo_enabled == true ? 1 : 0
+
+  depends_on = [
+    module.intake,
+    module.indico-common
+  ]
+
+  triggers = {
+    always_run = "${timestamp()}"
+  }
+
+  provisioner "local-exec" {
+    environment = {
+      HARBOR_API_TOKEN = jsondecode(data.vault_kv_secret_v2.harbor-api-token[0].data_json)["bearer_token"]
+    }
+    command = "${path.module}/validate_chart.sh terraform-smoketests 0.1.1-${data.external.git_information.result.branch}-${substr(data.external.git_information.result.sha, 0, 8)}"
+  }
+}
diff --git a/azure/ipa.tf b/azure/ipa.tf
deleted file mode 100644
index 30992aec..00000000
--- a/azure/ipa.tf
+++ /dev/null
@@ -1,1084 +0,0 @@
-locals {
-  openshift_dns_credentials = <<EOF
-  {
-  "tenantId" : "${data.azurerm_client_config.current.tenant_id}",
-  "subscriptionId" : "${split("/", data.azurerm_subscription.primary.id)[2]}",
-  "resourceGroup" : "${var.common_resource_group}",
-  "aadClientId": "${var.use_workload_identity == true ? azuread_application.workload_identity.0.application_id : ""}",
-  "aadClientSecret": "${var.use_workload_identity == true ? azuread_application_password.workload_identity.0.value : ""}"
-  }
-  EOF
-
-  azure_dns_credentials = <<EOF
-  {
-    "tenantId" : "${data.azurerm_client_config.current.tenant_id}",
-    "subscriptionId" : "${split("/", data.azurerm_subscription.primary.id)[2]}",
-    "resourceGroup" : "${var.common_resource_group}",
-    "useManagedIdentityExtension" : true,
-    "userAssignedIdentityID" : "${module.cluster.kubelet_identity.client_id}"
-  }
-  EOF
-
-  # https://docs.openshift.com/container-platform/4.10/nodes/pods/nodes-pods-autoscaling-custom.html
-  prometheus_address = var.is_openshift ? "https://thanos-querier.openshift-monitoring.svc.cluster.local:9091" : "http://monitoring-kube-prometheus-prometheus.monitoring.svc.cluster.local:9090/prometheus"
-
-}
-resource "kubernetes_secret" "issuer-secret" {
-  depends_on = [
-    module.cluster
-  ]
-
-  metadata {
-    name      = "acme-azuredns"
-    namespace = "default"
-    annotations = {
-      "reflector.v1.k8s.emberstack.com/reflection-allowed"      = true
-      "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" = true
-      "temporary.please.change/weaker-credentials-needed"       = true
-    }
-  }
-
-  type = "Opaque"
-
-  data = {
-    "secret-access-key" = "foobar"
-  }
-}
-
-#TODO: move to prereqs
-resource "kubernetes_secret" "harbor-pull-secret" {
-  depends_on = [
-    module.cluster
-  ]
-
-  metadata {
-    name      = "harbor-pull-secret"
-    namespace = "default"
-    annotations = {
-      "reflector.v1.k8s.emberstack.com/reflection-allowed"      = true
-      "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" = true
-    }
-  }
-
-  type = "kubernetes.io/dockerconfigjson"
-
-  data = {
-    ".dockerconfigjson" = "${base64decode(var.harbor_pull_secret_b64)}"
-  }
-}
-
-data "vault_kv_secret_v2" "harbor-api-token" {
-  count = var.argo_enabled == true ? 1 : 0
-  mount = "tools/argo"
-  name  = "harbor-api"
-}
-
-resource "github_repository_file" "pre-reqs-values-yaml" {
-  count               = var.argo_enabled == true ? 1 : 0
-  repository          = data.github_repository.argo-github-repo[0].name
-  branch              = var.argo_branch
-  file                = "${var.argo_path}/helm/pre-reqs-values.values"
-  commit_message      = var.message
-  overwrite_on_create = true
-
-  lifecycle {
-    ignore_changes = [
-      content
-    ]
-  }
-  content = base64decode(var.pre-reqs-values-yaml-b64)
-}
-
-
-resource "github_repository_file" "crds-values-yaml" {
-  count               = var.argo_enabled == true ? 1 : 0
-  repository          = data.github_repository.argo-github-repo[0].name
-  branch              = var.argo_branch
-  file                = "${var.argo_path}/helm/crds-values.values"
-  commit_message      = var.message
-  overwrite_on_create = true
-
-  lifecycle {
-    ignore_changes = [
-      content
-    ]
-  }
-  content = base64decode(var.crds-values-yaml-b64)
-}
-
-data "github_repository_file" "data-crds-values" {
-  count = var.argo_enabled == true ? 1 : 0
-  depends_on = [
-    github_repository_file.crds-values-yaml
-  ]
-  repository = data.github_repository.argo-github-repo[0].name
-  branch     = var.argo_branch
-  file       = var.argo_path == "." ? "helm/crds-values.values" : "${var.argo_path}/helm/crds-values.values"
-}
-
-
-data "github_repository_file" "data-pre-reqs-values" {
-  count = var.argo_enabled == true ? 1 : 0
-
-  depends_on = [
-    github_repository_file.pre-reqs-values-yaml
-  ]
-  repository = data.github_repository.argo-github-repo[0].name
-  branch     = var.argo_branch
-  file       = var.argo_path == "." ? "helm/pre-reqs-values.values" : "${var.argo_path}/helm/pre-reqs-values.values"
-}
-
-module "secrets-operator-setup" {
-  depends_on = [
-    module.cluster
-  ]
-  count           = var.secrets_operator_enabled == true ? 1 : 0
-  source          = "../modules/common/vault-secrets-operator-setup"
-  vault_address   = var.vault_address
-  account         = var.account
-  region          = var.region
-  name            = var.label
-  kubernetes_host = module.cluster.kubernetes_host
-}
-
-resource "helm_release" "ipa-vso" {
-  count = var.thanos_enabled == true ? 1 : 0
-  depends_on = [
-    module.cluster,
-    data.github_repository_file.data-crds-values,
-    module.secrets-operator-setup
-  ]
-
-  verify           = false
-  name             = "ipa-vso"
-  create_namespace = true
-  namespace        = "default"
-  repository       = "https://helm.releases.hashicorp.com"
-  chart            = "vault-secrets-operator"
-  version          = var.vault_secrets_operator_version
-  wait             = true
-
-  values = [
-    <<EOF
-  controller: 
-    imagePullSecrets:
-      - name: harbor-pull-secret
-    kubeRbacProxy:
-      image:
-        repository: ${var.image_registry}/gcr.io/kubebuilder/kube-rbac-proxy
-      resources:
-        limits:
-          cpu: 500m
-          memory: 1024Mi
-        requests:
-          cpu: 500m
-          memory: 512Mi
-
-    manager:
-      image:
-        repository: ${var.image_registry}/docker.io/hashicorp/vault-secrets-operator
-      resources:
-        limits:
-          cpu: 500m
-          memory: 1024Mi
-        requests:
-          cpu: 500m
-          memory: 512Mi
-
-  defaultAuthMethod:
-    enabled: true
-    namespace: default
-    method: kubernetes
-    mount: ${var.secrets_operator_enabled == true ? module.secrets-operator-setup[0].vault_mount_path : "unused-mount"}
-    kubernetes:
-      role: ${var.secrets_operator_enabled == true ? module.secrets-operator-setup[0].vault_auth_role_name : "unused-role"}
-      tokenAudiences: ["vault"]
-      serviceAccount: ${var.secrets_operator_enabled == true ? module.secrets-operator-setup[0].vault_auth_service_account_name : "vault-sa"}
-
-  defaultVaultConnection:
-    enabled: true
-    address: ${var.vault_address}
-    skipTLSVerify: false
-    spec:
-    template:
-      spec:
-        containers:
-        - name: manager
-          args:
-          - "--client-cache-persistence-model=direct-encrypted"
-EOF
-  ]
-}
-
-resource "helm_release" "ipa-crds" {
-  depends_on = [
-    module.cluster,
-    kubernetes_secret.harbor-pull-secret,
-    kubernetes_secret.issuer-secret,
-    data.github_repository_file.data-crds-values,
-    module.secrets-operator-setup
-  ]
-
-  verify           = false
-  name             = "ipa-crds"
-  create_namespace = true
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "ipa-crds"
-  version          = var.ipa_crds_version
-  timeout          = "1800" # 30 minutes
-  wait             = true
-
-  values = [<<EOF
-  crunchy-pgo:
-    enabled: true
-  
-  aws-ebs-csi-driver:
-    enabled: false
-
-  cert-manager: 
-    enabled: true
-    crds:
-      enabled: true   
-    nodeSelector:
-      kubernetes.io/os: linux
-    webhook:
-      nodeSelector:
-        kubernetes.io/os: linux
-    cainjector:
-      nodeSelector:
-        kubernetes.io/os: linux
-  aws-ebs-csi-driver:
-    enabled: false
-EOF
-    ,
-    <<EOT
-${var.argo_enabled == true ? data.github_repository_file.data-crds-values[0].content : ""}
-EOT
-  ]
-}
-
-resource "time_sleep" "wait_1_minutes_after_crds" {
-  depends_on = [helm_release.ipa-crds]
-
-  create_duration = "1m"
-}
-
-data "external" "git_information" {
-  program = ["sh", "${path.module}/get_sha.sh"]
-}
-
-output "git_sha" {
-  value = data.external.git_information.result.sha
-}
-
-
-output "git_branch" {
-  value = data.external.git_information.result.branch
-}
-
-output "wait_command" {
-  value = "${path.module}/validate_chart.sh terraform-smoketests 0.1.1-${data.external.git_information.result.branch}-${substr(data.external.git_information.result.sha, 0, 8)}"
-}
-
-resource "null_resource" "wait-for-tf-cod-chart-build" {
-  count = var.argo_enabled == true ? 1 : 0
-
-  depends_on = [
-    time_sleep.wait_1_minutes_after_pre_reqs,
-    helm_release.ipa-pre-requisites
-  ]
-
-  triggers = {
-    always_run = "${timestamp()}"
-  }
-
-  provisioner "local-exec" {
-    environment = {
-      HARBOR_API_TOKEN = jsondecode(data.vault_kv_secret_v2.harbor-api-token[0].data_json)["bearer_token"]
-    }
-    command = "${path.module}/validate_chart.sh terraform-smoketests 0.1.1-${data.external.git_information.result.branch}-${substr(data.external.git_information.result.sha, 0, 8)}"
-  }
-}
-
-resource "helm_release" "terraform-smoketests" {
-  depends_on = [
-    null_resource.wait-for-tf-cod-chart-build,
-    kubernetes_config_map.terraform-variables,
-    helm_release.monitoring
-  ]
-  count = var.terraform_smoketests_enabled == true ? 1 : 0
-
-  verify           = false
-  name             = "terraform-smoketests-${substr(data.external.git_information.result.sha, 0, 8)}"
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "terraform-smoketests"
-  version          = "0.1.1-${data.external.git_information.result.branch}-${substr(data.external.git_information.result.sha, 0, 8)}"
-  wait             = true
-  wait_for_jobs    = true
-  timeout          = "300" # 5 minutes
-  disable_webhooks = false
-  values = [<<EOF
-  cluster:
-    cloudProvider: azure
-    account: ${var.account}
-    region: ${var.region}
-    name: ${var.label}
-  image:
-    tag: "${substr(data.external.git_information.result.sha, 0, 8)}"
-  EOF
-  ]
-}
-
-# Install the Machinesets now
-resource "helm_release" "crunchy-postgres" {
-  count = var.is_openshift == true ? 1 : 0
-  depends_on = [
-    module.cluster,
-    helm_release.ipa-crds,
-    time_sleep.wait_1_minutes_after_crds
-  ]
-
-  name             = "crunchy"
-  create_namespace = true
-  namespace        = "crunchy"
-  repository       = var.ipa_repo
-  chart            = "crunchy-postgres"
-  version          = "0.3.0"
-  timeout          = "600" # 10 minutes
-  wait             = true
-
-  values = [<<EOF
-  enabled: true
-  postgres-data:
-    openshift: true
-    metadata:
-      annotations:
-        reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-        reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-    instances:
-    - affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: node_group
-                operator: In
-                values:
-                - pgo-workers
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-          - labelSelector:
-              matchExpressions:
-              - key: postgres-operator.crunchydata.com/cluster
-                operator: In
-                values:
-                - postgres-data
-              - key: postgres-operator.crunchydata.com/instance-set
-                operator: In
-                values:
-                - pgha1
-            topologyKey: kubernetes.io/hostname
-      metadata:
-        annotations:
-          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-          reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-      dataVolumeClaimSpec:
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 200Gi
-      name: pgha1
-      replicas: 1
-      resources:
-        requests:
-          cpu: 1000m
-          memory: 3000Mi
-      tolerations:
-        - effect: NoSchedule
-          key: indico.io/crunchy
-          operator: Exists
-    pgBackRestConfig:
-      global:
-        archive-timeout: '10000'
-        repo1-retention-full: '5'
-      repos:
-      - name: repo1
-        volume:
-          volumeClaimSpec:
-            accessModes:
-            - ReadWriteOnce
-            resources:
-              requests:
-                storage: 200Gi
-        schedules:
-          full: 30 4 * * 0 # Full backup weekly at 4:30am Sunday
-          differential: 0 0 * * * # Diff backup daily at midnight
-    imagePullSecrets:
-      - name: harbor-pull-secret
-  postgres-metrics:
-    enabled: false
-  EOF
-  ]
-}
-
-resource "azurerm_role_assignment" "external_dns" {
-  count = var.is_azure == true && var.is_openshift == false && var.private_dns_zone != true ? 1 : 0
-  depends_on = [
-    module.cluster
-  ]
-  scope                            = data.azurerm_dns_zone.domain.0.id
-  role_definition_name             = "DNS Zone Contributor"
-  principal_id                     = module.cluster.kubelet_identity.object_id
-  skip_service_principal_aad_check = true
-}
-
-resource "kubernetes_secret" "azure_storage_key" {
-  depends_on = [
-    module.cluster
-  ]
-  metadata {
-    name = "azure-storage-key"
-  }
-
-  data = {
-    AZURE_CLIENT_ID         = module.cluster.kubelet_identity.client_id
-    azurestorageaccountname = module.storage.storage_account_name
-    azurestorageaccountkey  = module.storage.storage_account_primary_access_key
-    AZURE_ACCOUNT_NAME      = module.storage.storage_account_name
-    AZURE_ACCOUNT_KEY       = module.storage.storage_account_primary_access_key
-    AZURE_CONTAINER         = module.storage.blob_store_name
-  }
-}
-
-resource "kubernetes_config_map" "azure_dns_credentials" {
-  count = var.include_external_dns == true ? 1 : 0
-
-  depends_on = [
-    module.cluster
-  ]
-
-  metadata {
-    name = "dns-credentials-config"
-  }
-
-  data = {
-    "azure.json" = var.is_openshift ? local.openshift_dns_credentials : local.azure_dns_credentials
-  }
-}
-
-
-# resource "kubectl_manifest" "thanos-storage-secret" {
-#   count      = var.thanos_enabled ? 1 : 0
-#   depends_on = [helm_release.ipa-crds, module.secrets-operator-setup]
-#   yaml_body  = <<YAML
-#     apiVersion: "secrets.hashicorp.com/v1beta1"
-#     kind: "VaultStaticSecret"
-#     metadata:
-#       name:  vault-thanos-storage
-#       namespace: default
-#     spec:
-#       type: "kv-v2"
-#       namespace: default
-#       mount: customer-Indico-Devops
-#       path: thanos-storage
-#       refreshAfter: 60s
-#       rolloutRestartTargets:
-#         - name: prometheus-monitoring-kube-prometheus-prometheus
-#           kind: StatefulSet
-#       destination:
-#         annotations:
-#           reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-#           reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-#         create: true
-#         name: thanos-storage
-#       vaultAuthRef: default
-#   YAML
-# }
-
-
-resource "kubectl_manifest" "custom-cluster-issuer" {
-  count = var.enable_custom_cluster_issuer == true ? 1 : 0
-  depends_on = [
-    time_sleep.wait_1_minutes_after_crds,
-    module.cluster,
-    module.storage,
-    helm_release.ipa-crds,
-    data.vault_kv_secret_v2.zerossl_data,
-    kubernetes_secret.azure_storage_key,
-    kubernetes_config_map.azure_dns_credentials,
-    kubernetes_service_account.workload_identity,
-    data.github_repository_file.data-pre-reqs-values
-  ]
-  yaml_body = <<YAML
-    apiVersion: cert-manager.io/v1
-    kind: ClusterIssuer
-    metadata:
-      name: zerossl
-    spec:
-      ${indent(6, var.custom_cluster_issuer_spec)} 
-  YAML
-}
-
-
-resource "helm_release" "ipa-pre-requisites" {
-  depends_on = [
-    time_sleep.wait_1_minutes_after_crds,
-    module.cluster,
-    module.storage,
-    helm_release.ipa-crds,
-    data.vault_kv_secret_v2.zerossl_data,
-    kubernetes_secret.azure_storage_key,
-    kubernetes_config_map.azure_dns_credentials,
-    kubernetes_service_account.workload_identity,
-    data.github_repository_file.data-pre-reqs-values
-  ]
-
-  verify           = false
-  name             = "ipa-pre-reqs"
-  create_namespace = true
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "ipa-pre-requisites"
-  version          = var.ipa_pre_reqs_version
-  wait             = false
-  timeout          = "1800" # 30 minutes
-  disable_webhooks = false
-
-  values = [<<EOF
-
-cluster:
-  cloudProvider: azure
-  name: ${var.label}
-  region: ${var.region}
-  domain: ${var.domain_suffix}
-  account: ${var.account}
-  argoRepo: ${var.argo_repo}
-  argoBranch: ${var.argo_branch}
-  argoPath: ${var.argo_path}
-  ipaVersion: ${var.ipa_version}
-  ipaPreReqsVersion: ${var.ipa_pre_reqs_version}
-  ipaCrdsVersion: ${var.ipa_crds_version}
-
-rabbitmq:
-  enabled: true
-  rabbitmq:
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
-
-secrets:
-  rabbitmq:
-    create: true
-  
-  general:
-    create: true
-
-  clusterIssuer:
-    zerossl:
-      create: ${var.enable_custom_cluster_issuer == false ? true : false}
-      eabEmail: devops-sa@indico.io
-      eabKid: "${jsondecode(data.vault_kv_secret_v2.zerossl_data.data_json)["EAB_KID"]}"
-      eabHmacKey: "${jsondecode(data.vault_kv_secret_v2.zerossl_data.data_json)["EAB_HMAC_KEY"]}"
-     
-clusterIssuer:
-  additionalSolvers:
-    - dns01:
-        azureDNS:
-          environment: AzurePublicCloud
-          hostedZoneName: ${local.base_domain}
-          managedIdentity:
-            clientID: ${module.cluster.kubelet_identity.client_id}
-          resourceGroupName: ${var.common_resource_group}
-          subscriptionID: ${split("/", data.azurerm_subscription.primary.id)[2]}
-      selector:
-        matchLabels:
-          "acme.cert-manager.io/dns01-solver": "true"
-
-apiModels:
-  enabled: true
-  nodeSelector:
-    node_group: static-workers
-
-external-dns:
-  enabled: ${var.enable_external_dns}
-  logLevel: debug
-  policy: sync
-  txtOwnerId: "${var.label}-${var.region}"
-  domainFilters:
-    - ${var.account}.${var.domain_suffix}.
-
-  provider: azure
-  
-  extraVolumes: 
-    - name: azure-config
-      configMap:
-        name: dns-credentials-config
-
-  extraVolumeMounts: 
-    - name: azure-config
-      mountPath: /etc/kubernetes/azure.json
-      subPath: azure.json
-
-  policy: sync
-  sources:
-    - service
-    - ingress
-
-cluster-autoscaler:
-  enabled: false
-      
-storage:
-  existingPVC: false
-  ebsStorageClass:
-    enabled: false
-  indicoStorageClass:
-    enabled: false
-    name: "${local.indico_storage_class_name}"
-  pvcSpec:
-    azureFile:
-      readOnly: false
-      secretName: "azure-storage-key"
-      secretNamespace: null
-      shareName: ${module.storage.fileshare_name}
-    mountOptions:
-      - dir_mode=0777
-      - file_mode=0777
-      - uid=0
-      - gid=0
-      - nobrl
-      - nosharesock
-    csi: null
-    persistentVolumeReclaimPolicy: Retain
-    volumeMode: Filesystem
-
-crunchy-postgres:
-  enabled: ${!var.is_openshift}
-  postgres-data:
-    metadata:
-      annotations:
-        reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-        reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-    instances:
-    - affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: node_group
-                operator: In
-                values:
-                - pgo-workers
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-          - labelSelector:
-              matchExpressions:
-              - key: postgres-operator.crunchydata.com/cluster
-                operator: In
-                values:
-                - postgres-data
-              - key: postgres-operator.crunchydata.com/instance-set
-                operator: In
-                values:
-                - pgha1
-            topologyKey: kubernetes.io/hostname
-      metadata:
-        annotations:
-          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
-          reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
-      dataVolumeClaimSpec:
-        accessModes:
-        - ReadWriteOnce
-        resources:
-          requests:
-            storage: 200Gi
-      name: pgha1
-      replicas: 1
-      resources:
-        requests:
-          cpu: 500m
-          memory: 3000Mi
-      tolerations:
-        - effect: NoSchedule
-          key: indico.io/crunchy
-          operator: Exists
-    pgBackRestConfig:
-      global: # https://access.crunchydata.com/documentation/postgres-operator/v5/tutorial/backups/#using-azure-blob-storage
-        archive-timeout: '10000'
-        repo1-path: /pgbackrest/postgres-data/repo1
-        repo1-retention-full: '5'
-        repo1-azure-account: ${module.storage.storage_account_name}
-        repo1-azure-key: ${module.storage.storage_account_primary_access_key}
-      repos:
-      - name: repo1
-        azure:
-          container: " ${module.storage.crunchy_backup_name}"
-        schedules:
-          full: 30 4 * * *
-          incremental: 0 */1 * * *
-    imagePullSecrets:
-      - name: harbor-pull-secret
-  postgres-metrics:
-    enabled: false
-    
-aws-fsx-csi-driver:
-  enabled: false
-metrics-server:
-  enabled: false
-migrations:
-  vaultSecretsOperator:
-    updateCRDs: ${var.secrets_operator_enabled}
-  EOF
-    ,
-    <<EOT
-${var.argo_enabled == true ? data.github_repository_file.data-pre-reqs-values[0].content : ""}
-EOT
-  ]
-}
-
-resource "time_sleep" "wait_1_minutes_after_pre_reqs" {
-  depends_on = [helm_release.ipa-pre-requisites]
-
-  create_duration = "1m"
-}
-
-data "github_repository" "argo-github-repo" {
-  count     = var.argo_enabled == true ? 1 : 0
-  full_name = "${var.github_organization}/${var.argo_repo}"
-}
-
-resource "github_repository_file" "smoketest-application-yaml" {
-  count = var.ipa_smoketest_enabled == true ? 1 : 0
-
-  repository          = data.github_repository.argo-github-repo[0].name
-  branch              = var.argo_branch
-  file                = "${var.argo_path}/ipa_smoketest.yaml"
-  commit_message      = var.message
-  overwrite_on_create = true
-
-  lifecycle {
-    ignore_changes = [
-      content
-    ]
-  }
-
-  content = <<EOT
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: ${local.argo_smoketest_app_name}
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-  labels:
-    app: cod
-    region: ${var.region}
-    account: ${var.account}
-    name: ${var.label}
-  annotations:
-    avp.kubernetes.io/path: tools/argo/data/ipa-deploy
-    argocd.argoproj.io/sync-wave: "2"
-spec:
-  destination:
-    server: ${module.cluster.kubernetes_host}
-    namespace: default
-  project: "${lower("${var.account}.${var.label}.${var.region}")}"
-  syncPolicy:
-    automated:
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
-  source:
-    chart: cod-smoketests
-    repoURL: ${var.ipa_smoketest_repo}
-    targetRevision: ${var.ipa_smoketest_version}
-    plugin:
-      name: argocd-vault-plugin-helm-values-expand-no-build
-      env:
-        - name: KUBE_VERSION
-          value: "${var.k8s_version}"
-          
-        - name: RELEASE_NAME
-          value: run
-  
-        - name: HELM_TF_COD_VALUES
-          value: |
-            prometheus:
-              url: ${local.prometheus_address}
-
-        - name: HELM_VALUES
-          value: |
-            cluster:
-              name: ${var.label}
-              region: ${var.region}
-              account: ${var.account}
-            host: ${local.dns_name}
-            slack:
-              channel: ${var.ipa_smoketest_slack_channel}
-            ${indent(12, base64decode(var.ipa_smoketest_values))} 
-EOT
-}
-
-
-resource "github_repository_file" "argocd-application-yaml" {
-  count = var.argo_enabled == true ? 1 : 0
-
-  repository          = data.github_repository.argo-github-repo[0].name
-  branch              = var.argo_branch
-  file                = "${var.argo_path}/ipa_application.yaml"
-  commit_message      = var.message
-  overwrite_on_create = true
-
-  lifecycle {
-    ignore_changes = [
-      content
-    ]
-  }
-
-  content = <<EOT
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: ${local.argo_app_name}
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-  labels:
-    app: cod
-    region: ${var.region}
-    account: ${var.account}
-    name: ${var.label}
-  annotations:
-    avp.kubernetes.io/path: tools/argo/data/ipa-deploy
-spec:
-  ignoreDifferences:
-    - group: apps
-      jsonPointers:
-        - /spec/replicas
-      kind: Deployment
-  destination:
-    server: ${module.cluster.kubernetes_host}
-    namespace: default
-  project: "${lower("${var.account}.${var.label}.${var.region}")}"
-  syncPolicy:
-    automated:
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
-    retry:
-      limit: 8
-      backoff:
-        duration: 1m0s
-        factor: 2
-  source:
-    chart: ipa
-    repoURL: ${var.ipa_repo}
-    targetRevision: ${var.ipa_version}
-    plugin:
-      name: argocd-vault-plugin-helm-values-expand-no-build
-      env:
-        - name: KUBE_VERSION
-          value: "${var.k8s_version}"
-          
-        - name: RELEASE_NAME
-          value: ipa
-        
-        - name: HELM_TF_COD_VALUES
-          value: |
-            nvidia-device-plugin:
-              nvidia-device-plugin:
-                compatWithCPUManager: True
-            readapi:
-              annotations:
-                reloader.stakater.com/auto: "true"
-              serviceAccountName: "workload-identity-storage-account"
-              labels:
-                "azure.workload.identity/use": "true"
-              secretRefs:
-                - indico-static-secrets
-                - indico-generated-secrets
-                - rabbitmq
-                - azure-storage-key
-            aws-node-termination:
-              enabled: false 
-            global:
-              podLabels:
-                "azure.workload.identity/use": "true"
-              serviceAccountName: "workload-identity-storage-account"
-            runtime-scanner:
-              enabled: ${replace(lower(var.account), "indico", "") == lower(var.account) ? "false" : "true"}
-              authentication:
-                ingressUser: monitoring
-                ingressPassword: ${random_password.monitoring-password.result}
-        
-        - name: HELM_VALUES
-          value: |
-            ${base64decode(var.ipa_values)}    
-EOT
-}
-
-data "vault_kv_secret_v2" "zerossl_data" {
-  mount = local.customer_vault_mount_path
-  name  = "zerossl"
-}
-
-output "zerossl" {
-  sensitive = true
-  value     = data.vault_kv_secret_v2.zerossl_data.data_json
-}
-
-resource "argocd_application" "ipa" {
-  depends_on = [
-    helm_release.ipa-pre-requisites,
-    time_sleep.wait_1_minutes_after_pre_reqs,
-    module.argo-registration,
-    helm_release.cod-snapshot-restore,
-    github_repository_file.smoketest-application-yaml,
-    github_repository_file.argocd-application-yaml,
-    helm_release.keda-monitoring
-  ]
-
-  count = var.ipa_enabled == true ? 1 : 0
-
-  wait = true
-
-  metadata {
-    name      = lower("${var.account}-${var.region}-${var.label}-deploy-ipa")
-    namespace = "argo"
-    labels = {
-      test = "true"
-    }
-  }
-
-  spec {
-
-    project = lower("${var.account}.${var.label}.${var.region}")
-
-    source {
-      plugin {
-        name = "argocd-vault-plugin"
-      }
-      repo_url        = "https://github.com/IndicoDataSolutions/${var.argo_repo}.git"
-      path            = var.argo_path
-      target_revision = var.argo_branch
-    }
-
-    sync_policy {
-      automated {
-        prune       = true
-        self_heal   = true
-        allow_empty = false
-      }
-      sync_options = [
-        "ServerSideApply=true",
-        "CreateNamespace=true"
-      ]
-    }
-
-    destination {
-      server    = "https://kubernetes.default.svc"
-      namespace = "argo"
-    }
-  }
-
-  timeouts {
-    create = "30m"
-    delete = "30m"
-  }
-}
-
-
-# Create Argo Application YAML for each user supplied application
-
-
-resource "github_repository_file" "custom-application-yaml" {
-  for_each = var.argo_enabled == true ? var.applications : {}
-
-  repository          = data.github_repository.argo-github-repo[0].name
-  branch              = var.argo_branch
-  file                = "${var.argo_path}/${each.value.name}_application.yaml"
-  commit_message      = var.message
-  overwrite_on_create = true
-
-  #TODO:
-  # this allows people to make edits to the file so we don't overwrite it.
-  #lifecycle {
-  #  ignore_changes = [
-  #    content
-  #  ]
-  #}
-  content = <<EOT
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: ${lower("${var.account}-${var.region}-${var.label}-${each.value.name}")} 
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-  annotations:
-     avp.kubernetes.io/path: ${each.value.vaultPath}
-     argocd.argoproj.io/compare-options: ServerSideDiff=true
-  labels:
-    app: ${each.value.name}
-    region: ${var.region}
-    account: ${var.account}
-    name: ${var.label}
-spec:
-  destination:
-    server: ${module.cluster.kubernetes_host}
-    namespace: ${each.value.namespace}
-  project: "${lower("${var.account}.${var.label}.${var.region}")}"
-  syncPolicy:
-    automated:
-      prune: true
-    syncOptions:
-      - CreateNamespace=${each.value.createNamespace}
-      - ServerSideApply=true
-  source:
-    chart: ${each.value.chart}
-    repoURL: ${each.value.repo}
-    targetRevision: ${each.value.version}
-    plugin:
-      name: argocd-vault-plugin-helm-values-expand-no-build
-      env:
-        - name: KUBE_VERSION
-          value: "${var.k8s_version}"
-        - name: RELEASE_NAME
-          value: ${each.value.name}
-        - name: HELM_VALUES
-          value: |
-            ${indent(12, base64decode(each.value.values))}
-EOT
-}
-
-resource "helm_release" "external-secrets" {
-  depends_on = [
-    module.cluster,
-    data.github_repository_file.data-crds-values,
-    module.secrets-operator-setup
-  ]
-
-
-  verify           = false
-  name             = "external-secrets"
-  create_namespace = true
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "external-secrets"
-  version          = var.external_secrets_version
-  wait             = true
-
-  values = [<<EOF
-    image:
-      repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
-    certController:
-      image:
-        repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
-    webhook:
-      image:
-        repository: ${var.image_registry}/ghcr.io/external-secrets/external-secrets
-  EOF
-  ]
-}
diff --git a/azure/main.tf b/azure/main.tf
index 39af434a..c4071f18 100644
--- a/azure/main.tf
+++ b/azure/main.tf
@@ -14,18 +14,19 @@ terraform {
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = ">= 2.33.0"
+      version = ">= 2.35.0"
     }
     kubectl = {
-      source = "gavinbunney/kubectl"
+      source  = "gavinbunney/kubectl"
+      version = "1.14.0"
     }
     helm = {
       source  = "hashicorp/helm"
-      version = "2.15.0"
+      version = ">= 2.15.0"
     }
     argocd = {
       source  = "oboukili/argocd"
-      version = "5.4.0"
+      version = "6.0.2"
     }
     local = {
       source  = "hashicorp/local"
@@ -33,11 +34,15 @@ terraform {
     }
     github = {
       source  = "integrations/github"
-      version = "4.26.0"
+      version = "5.34.0"
     }
     vault = {
       source  = "hashicorp/vault"
-      version = "3.13.0"
+      version = "3.22.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~>3.5.1"
     }
   }
 }
@@ -185,7 +190,8 @@ provider "kubectl" {
 
 module "argo-registration" {
   depends_on = [
-    module.cluster
+    module.cluster,
+    time_sleep.wait_1_minutes_after_cluster
   ]
 
   count = var.argo_enabled == true ? 1 : 0
@@ -213,13 +219,12 @@ provider "local" {}
 
 locals {
   resource_group_name         = coalesce(var.resource_group_name, "${var.label}-${var.region}")
-  network_resource_group_name = var.network_type == "load" ? var.network_resource_group_name : local.resource_group_name
+  network_resource_group_name = var.network_resource_group_name_override != null ? var.network_resource_group_name_override : local.resource_group_name
 
   sentinel_workspace_name                = coalesce(var.sentinel_workspace_name, "${var.account}-sentinel-workspace")
   sentinel_workspace_resource_group_name = coalesce(var.sentinel_workspace_resource_group_name, "${var.account}-sentinel-group")
 
   snapshot_storage_account_name = replace(lower("${var.account}snapshots"), "-", "")
-  storage_account_name          = replace(lower(var.storage_account_name), "-", "")
 
   argo_app_name           = lower("${var.account}.${var.region}.${var.label}-ipa")
   argo_cluster_name       = "${var.account}.${var.region}.${var.label}"
@@ -271,17 +276,18 @@ module "storage" {
   depends_on = [
     azurerm_resource_group.cod-cluster
   ]
-  source                       = "app.terraform.io/indico/indico-azure-blob/mod"
-  version                      = "1.0.1"
-  label                        = var.label
-  region                       = var.region
-  resource_group_name          = local.resource_group_name
-  storage_account_name         = local.storage_account_name
-  keyvault_name                = var.keyvault_name
-  blob_type                    = var.blob_type
-  fileshare_name_override      = var.fileshare_name_override
-  blob_store_name_override     = var.blob_store_name_override
-  crunchy_backup_name_override = var.crunchy_backup_name_override
+  source                        = "app.terraform.io/indico/indico-azure-blob/mod"
+  version                       = "1.1.1"
+  label                         = var.label
+  region                        = var.region
+  resource_group_name           = local.resource_group_name
+  storage_account_name_override = var.storage_account_name_override
+  keyvault_name_override        = var.keyvault_name_override
+  keyvault_key_name_override    = var.keyvault_key_name_override
+  blob_type                     = var.blob_type
+  fileshare_name_override       = var.fileshare_name_override
+  blob_store_name_override      = var.blob_store_name_override
+  crunchy_backup_name_override  = var.crunchy_backup_name_override
 }
 
 resource "azurerm_user_assigned_identity" "cluster_dns" {
@@ -311,8 +317,8 @@ module "cluster" {
   region                       = var.region
   svp_client_id                = var.svp_client_id
   svp_client_secret            = var.svp_client_secret
-  default_node_pool            = var.default_node_pool
-  additional_node_pools        = var.additional_node_pools
+  default_node_pool            = local.default_node_pool
+  additional_node_pools        = local.additional_node_pools
   vnet_subnet_id               = module.networking.subnet_id
   k8s_version                  = var.k8s_version
   private_cluster_enabled      = var.private_cluster_enabled
diff --git a/azure/monitoring.tf b/azure/monitoring.tf
index 9c22db50..a165e4ca 100644
--- a/azure/monitoring.tf
+++ b/azure/monitoring.tf
@@ -28,7 +28,7 @@ ingress-nginx:
     ) : (<<EOT
       thanos: {}
   EOT
-   )
+  )
   alerting_configuration_values = var.alerting_enabled == false ? (<<EOT
 noExtraConfigs: true
   EOT
@@ -90,7 +90,7 @@ EOT
         clusterFullName: ${lower("${var.account}-${var.region}-${var.name}")}
 ${local.thanos_config}
       nodeSelector:
-        node_group: static-workers
+        node_group: monitoring-workers
     ingress:
       enabled: true
       annotations:
@@ -149,7 +149,7 @@ ${local.thanos_config}
         clusterFullName: ${lower("${var.account}-${var.region}-${var.name}")}
 ${local.thanos_config}
       nodeSelector:
-        node_group: static-workers
+        node_group: monitoring-workers
     ingress:
       annotations:
         cert-manager.io/cluster-issuer: zerossl
@@ -230,259 +230,3 @@ resource "azurerm_role_assignment" "private_dns_contributor" {
   role_definition_name = "Network Contributor"
   principal_id         = var.private_dns_zone_id == "System" ? module.cluster.principal_id : azurerm_user_assigned_identity.cluster_dns[0].principal_id
 }
-
-
-resource "helm_release" "monitoring" {
-  count = var.monitoring_enabled == true ? 1 : 0
-  depends_on = [
-    module.cluster,
-    helm_release.external-secrets,
-    helm_release.ipa-pre-requisites,
-    azurerm_dns_caa_record.alertmanager-caa,
-    azurerm_dns_caa_record.grafana-caa,
-    azurerm_dns_caa_record.prometheus-caa,
-    time_sleep.wait_1_minutes_after_pre_reqs,
-    azurerm_role_assignment.private_dns_contributor
-  ]
-
-  verify           = false
-  name             = "monitoring"
-  create_namespace = true
-  namespace        = "monitoring"
-  repository       = var.ipa_repo
-  chart            = "monitoring"
-  version          = var.monitoring_version
-  wait             = false
-  timeout          = "900" # 15 minutes
-  skip_crds        = true
-
-  values = [<<EOF
-global:
-  host: "${local.dns_name}"
-
-prometheus-postgres-exporter:
-  enabled: false
-
-ingress-nginx:
-  enabled: ${local.kube_prometheus_stack_enabled}
-
-  rbac:
-    create: true
-
-  controller:
-    service:
-      annotations:
-        service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz
-
-  admissionWebhooks:
-    patch:
-      nodeSelector.beta.kubernetes.io/os: linux
-
-    controller:
-      service:
-        annotations:
-          service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz
-  
-  authentication:
-    ingressUsername: monitoring
-    ingressPassword: ${random_password.monitoring-password.result}
-
-
-  defaultBackend:
-    nodeSelector.beta.kubernetes.io/os: linux
-
-authentication:
-  ingressUsername: monitoring
-  ingressPassword: ${random_password.monitoring-password.result}
-
-${local.alerting_configuration_values}
-kube-prometheus-stack:
-${local.kube_prometheus_stack_values}
-EOF
-    ,
-    <<EOF
-${local.private_dns_config}
-    EOF
-  ]
-}
-
-# resource "kubectl_manifest" "thanos-datasource-credentials" {
-#   count     = var.thanos_enabled ? 1 : 0
-#   provider  = kubectl.thanos-kubectl
-#   yaml_body = <<YAML
-# apiVersion: v1
-# stringData:
-#   admin-password: ${random_password.monitoring-password.result}
-# kind: Secret
-# metadata:
-#   name: ${replace(local.dns_name, ".", "-")}
-#   namespace: default
-# type: Opaque
-#   YAML
-# }
-
-# resource "kubectl_manifest" "thanos-datasource" {
-#   count      = var.thanos_enabled ? 1 : 0
-#   depends_on = [kubectl_manifest.thanos-datasource-credentials]
-#   provider   = kubectl.thanos-kubectl
-#   yaml_body  = <<YAML
-# apiVersion: grafana.integreatly.org/v1beta1
-# kind: GrafanaDatasource
-# metadata:
-#   name: ${replace(local.dns_name, ".", "-")}
-#   namespace: default
-# spec:
-#   valuesFrom:
-#     - targetPath: "secureJsonData.basicAuthPassword"
-#       valueFrom:
-#         secretKeyRef:
-#           name: ${replace(local.dns_name, ".", "-")}
-#           key: admin-password
-#   datasource:
-#     basicAuth: true
-#     basicAuthUser: monitoring
-#     editable: false
-#     access: proxy
-#     editable: true
-#     jsonData:
-#       timeInterval: 5s
-#       tlsSkipVerify: true
-#     name: ${local.dns_name}
-#     secureJsonData:
-#       basicAuthPassword: $${admin-password}
-#     type: prometheus
-#     url: https://prometheus.${local.dns_name}/prometheus
-#   instanceSelector:
-#     matchLabels:
-#       dashboards: external-grafana
-#   YAML
-# }
-
-
-resource "helm_release" "keda-monitoring" {
-  count = !var.is_openshift == true && var.monitoring_enabled == true ? 1 : 0
-  depends_on = [
-    module.cluster,
-    helm_release.monitoring
-  ]
-
-  name             = "keda"
-  create_namespace = true
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "keda"
-  version          = var.keda_version
-  wait             = true
-
-
-  values = [<<EOF
-    image:
-      metricsApiServer:
-        repository: ${var.image_registry}/ghcr.io/kedacore/keda-metrics-apiserver
-      webhooks:
-        repository: ${var.image_registry}/ghcr.io/kedacore/keda-admission-webhooks
-      keda:
-        repository: ${var.image_registry}/ghcr.io/kedacore/keda
-    imagePullSecrets:
-      - name: harbor-pull-secret
-      
-    resources:
-      operator:
-        requests:
-          memory: 512Mi
-        limits:
-          memory: 4Gi
-
-    crds:
-      install: true
-    
-    podAnnotations:
-      keda:
-        prometheus.io/scrape: "true"
-        prometheus.io/path: "/metrics"
-        prometheus.io/port: "8080"
-      metricsAdapter: 
-        prometheus.io/scrape: "true"
-        prometheus.io/path: "/metrics"
-        prometheus.io/port: "9022"
-
-    prometheus:
-      metricServer:
-        enabled: true
-        serviceMonitor:
-          enabled: true
-        podMonitor:
-          enabled: true
-      operator:
-        enabled: true
-        serviceMonitor:
-          enabled: true
-        podMonitor:
-          enabled: true
- EOF
-  ]
-}
-
-resource "helm_release" "opentelemetry-collector" {
-  count = local.kube_prometheus_stack_enabled == true ? 1 : 0
-  depends_on = [
-    module.cluster,
-    helm_release.monitoring
-  ]
-
-  name             = "opentelemetry-collector"
-  create_namespace = true
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "opentelemetry-collector"
-  version          = var.opentelemetry_collector_version
-
-
-  values = [<<EOF
-    enabled: true
-    imagePullSecrets:
-      - name: harbor-pull-secret
-    image:
-      repository: ${var.image_registry}/docker.io/otel/opentelemetry-collector-contrib
-    fullnameOverride: "collector-collector"
-    mode: deployment
-    tolerations:
-    - effect: NoSchedule
-      key: indico.io/monitoring
-      operator: Exists
-    nodeSelector:
-      node_group: monitoring-workers
-    ports:
-      jaeger-compact:
-        enabled: false
-      jaeger-thrift:
-        enabled: false
-      jaeger-grpc:
-        enabled: false
-      zipkin:
-        enabled: false
-
-    config:
-      receivers:
-        jaeger: null
-        prometheus: null
-        zipkin: null
-      exporters:
-        otlp:
-          endpoint: monitoring-tempo.monitoring.svc:4317
-          tls:
-            insecure: true
-      service:
-        pipelines:
-          traces:
-            receivers:
-              - otlp
-            processors:
-              - batch
-            exporters:
-              - otlp
-          metrics: null
-          logs: null
- EOF
-  ]
-}
diff --git a/azure/moved.tf b/azure/moved.tf
new file mode 100644
index 00000000..083e187f
--- /dev/null
+++ b/azure/moved.tf
@@ -0,0 +1,49 @@
+moved {
+  from = module.cluster.aws_iam_policy.cluster_node_ebs_iam_policy
+  to   = module.iam.module.create_eks_node_role[0].aws_iam_policy.policies[0]
+}
+
+moved {
+  from = module.cluster.aws_iam_policy.cluster_node_iam_policy
+  to   = module.iam.module.create_eks_node_role[0].aws_iam_policy.policies[1]
+}
+
+moved {
+  from = module.cluster.aws_iam_role.node_role
+  to   = module.iam.module.create_eks_node_role[0].aws_iam_role.role
+}
+
+moved {
+  from = github_repository_file.argocd-application-yaml[0]
+  to   = module.intake[0].module.intake_application.github_repository_file.argocd-application-yaml[0]
+}
+
+moved {
+  from = github_repository_file.crds-values-yaml[0]
+  to   = module.indico-common.github_repository_file.crds_values_yaml[0]
+}
+
+moved {
+  from = github_repository_file.pre-reqs-values-yaml[0]
+  to   = module.intake[0].github_repository_file.pre_reqs_values_yaml[0]
+}
+
+moved {
+  from = github_repository_file.smoketest-application-yaml[0]
+  to   = module.intake_smoketests[0].github_repository_file.argocd-application-yaml[0]
+}
+
+moved {
+  from = helm_release.ipa-pre-requisites
+  to   = module.intake[0].helm_release.ipa-pre-requisites
+}
+
+moved {
+  from = helm_release.monitoring[0]
+  to   = module.indico-common.helm_release.monitoring[0]
+}
+
+moved {
+  from = kubectl_manifest.gp2-storageclass
+  to   = module.indico-common.kubectl_manifest.gp2-storageclass
+}
diff --git a/azure/nodes.tf b/azure/nodes.tf
new file mode 100644
index 00000000..c69946e1
--- /dev/null
+++ b/azure/nodes.tf
@@ -0,0 +1,245 @@
+locals {
+  aks_default_node_pool = {
+    name       = "defaultpool"
+    node_count = 3
+    vm_size    = "Standard_D16_v3"
+    zones      = ["1", "2"]
+    taints     = null
+    labels = {
+      "node_group" : "default-workers"
+    }
+    cluster_auto_scaling           = true
+    cluster_auto_scaling_min_count = 1
+    cluster_auto_scaling_max_count = 5
+  }
+
+  aks_default_node_pool_logic = var.default_node_pool == null ? local.aks_default_node_pool : null
+
+  default_node_pool = var.default_node_pool == null ? local.aks_default_node_pool_logic : var.default_node_pool
+
+  intake_default_node_pools = {
+    gpuworkers = {
+      node_count = 0
+      pool_name  = "gpu"
+      vm_size    = "Standard_NC4as_T4_v3"
+      node_os    = "Linux"
+      zones      = ["0"]
+      taints     = ["nvidia.com/gpu=true:NoSchedule"]
+      labels = {
+        "node_group" : "gpu-workers",
+        "k8s.amazonaws.com/accelerator" : "nvidia"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 0
+      cluster_auto_scaling_max_count = 5
+    },
+    celeryworkers = {
+      node_count = 0
+      pool_name  = "celery"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/celery=true:NoSchedule"]
+      labels = {
+        "node_group" : "celery-workers"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 0
+      cluster_auto_scaling_max_count = 20
+    },
+    staticworkers = {
+      node_count = 1
+      pool_name  = "static"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = []
+      labels = {
+        "node_group" : "static-workers"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 1
+      cluster_auto_scaling_max_count = 20
+    },
+    pdfworkers = {
+      node_count = 1
+      pool_name  = "pdf"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/pdfextraction=true:NoSchedule"]
+      labels = {
+        "node_group" : "pdf-workers"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 0
+      cluster_auto_scaling_max_count = 5
+    },
+    highmemworkers = {
+      node_count = 0
+      pool_name  = "highmem"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/highmem=true:NoSchedule"]
+      labels = {
+        "node_group" : "highmem-workers"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 0
+      cluster_auto_scaling_max_count = 3
+    },
+    monitoringworkers = {
+      node_count = 1
+      pool_name  = "monitoring"
+      vm_size    = "Standard_d11_v2"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/monitoring=true:NoSchedule"]
+      labels = {
+        "node_group" : "monitoring-workers"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 1
+      cluster_auto_scaling_max_count = 4
+    },
+    pgoworkers = {
+      node_count = 1
+      pool_name  = "pgo"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/crunchy=true:NoSchedule"]
+      labels = {
+        "node_group" : "pgo-workers"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 1
+      cluster_auto_scaling_max_count = 4
+    },
+    azurite = {
+      node_count = 1
+      pool_name  = "azurite"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/azurite=true:NoSchedule"]
+      labels = {
+        "node_group" : "readapi-azurite"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 0
+      cluster_auto_scaling_max_count = 1
+    }
+  }
+
+  insights_default_node_pools = {
+    general = {
+      node_count = 3
+      pool_name  = "general"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = []
+      labels = {
+        "node_group" : "general"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 1
+      cluster_auto_scaling_max_count = 5
+    },
+    pgoworkers = {
+      node_count = 1
+      pool_name  = "pgo"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/crunchy=true:NoSchedule"]
+      labels = {
+        "node_group" : "pgo-workers"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 1
+      cluster_auto_scaling_max_count = 4
+    },
+    celeryworkers = {
+      node_count = 0
+      pool_name  = "celery"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/celery=true:NoSchedule"]
+      labels = {
+        "node_group" : "celery-workers"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 0
+      cluster_auto_scaling_max_count = 20
+    },
+    minio = {
+      node_count = 0
+      pool_name  = "minio"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/minio=true:NoSchedule"]
+      labels = {
+        "node_group" : "minio"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 0
+      cluster_auto_scaling_max_count = 4
+    },
+    monitoringworkers = {
+      node_count = 1
+      pool_name  = "monitoring"
+      vm_size    = "Standard_d11_v2"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/monitoring=true:NoSchedule"]
+      labels = {
+        "node_group" : "monitoring-workers"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 1
+      cluster_auto_scaling_max_count = 4
+    },
+    weaviate = {
+      node_count = 0
+      pool_name  = "weaviate"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/weaviate=true:NoSchedule"]
+      labels = {
+        "node_group" : "weaviate"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 0
+      cluster_auto_scaling_max_count = 3
+    },
+    weaviate-workers = {
+      node_count = 0
+      pool_name  = "weavworkers"
+      vm_size    = "Standard_D16_v3"
+      node_os    = "Linux"
+      zones      = ["1", "2"]
+      taints     = ["indico.io/weaviate-workers=true:NoSchedule"]
+      labels = {
+        "node_group" : "weaviate-workers"
+      }
+      cluster_auto_scaling           = true
+      cluster_auto_scaling_min_count = 0
+      cluster_auto_scaling_max_count = 2
+    }
+  }
+
+  default_node_pools = merge((var.insights_enabled ? local.insights_default_node_pools : null), (var.ipa_enabled ? local.intake_default_node_pools : null))
+
+  # This is to avoid terraform errors when the node groups variable is set,
+  # as different keys make the objects incompatible for a ternary function. 
+  # To solve this, we set it to null which matches all types
+  default_node_pools_logic = var.additional_node_pools == null ? local.default_node_pools : null 
+
+  additional_node_pools = var.additional_node_pools == null ? local.default_node_pools_logic : var.additional_node_pools 
+}
\ No newline at end of file
diff --git a/azure/outputs.tf b/azure/outputs.tf
index e69a9921..a4386374 100644
--- a/azure/outputs.tf
+++ b/azure/outputs.tf
@@ -39,3 +39,7 @@ output "resource_group_name" {
   value = local.resource_group_name
 }
 
+data "external" "git_information" {
+  program = ["sh", "${path.module}/get_sha.sh"]
+}
+
diff --git a/azure/snapshot.tf b/azure/snapshot.tf
index 7cfd94d8..81a1c73b 100644
--- a/azure/snapshot.tf
+++ b/azure/snapshot.tf
@@ -18,7 +18,7 @@ resource "kubernetes_secret" "cod-snapshot-client-id" {
 resource "helm_release" "cod-snapshot-restore" {
   depends_on = [
     module.cluster,
-    helm_release.ipa-pre-requisites,
+    module.indico-common,
     kubernetes_secret.cod-snapshot-client-id,
     azuread_application_federated_identity_credential.workload_snapshot_identity,
     kubernetes_service_account.workload_identity
diff --git a/azure/tf-smoketest-variables.tf b/azure/tf-smoketest-variables.tf
index 368095ad..6fcabbaf 100644
--- a/azure/tf-smoketest-variables.tf
+++ b/azure/tf-smoketest-variables.tf
@@ -18,7 +18,7 @@ resource "kubernetes_config_map" "terraform-variables" {
     vnet_cidr = "${jsonencode(var.vnet_cidr)}"
     subnet_cidrs = "${jsonencode(var.subnet_cidrs)}"
     worker_subnet_cidrs = "${jsonencode(var.worker_subnet_cidrs)}"
-    storage_account_name = "${jsonencode(var.storage_account_name)}"
+    storage_account_name_override = "${jsonencode(var.storage_account_name_override)}"
     vault_address = "${jsonencode(var.vault_address)}"
     argo_enabled = "${jsonencode(var.argo_enabled)}"
     argo_host = "${jsonencode(var.argo_host)}"
@@ -115,10 +115,11 @@ resource "kubernetes_config_map" "terraform-variables" {
     sentinel_workspace_id = "${jsonencode(var.sentinel_workspace_id)}"
     cluster_manager_vm_size = "${jsonencode(var.cluster_manager_vm_size)}"
     network_type = "${jsonencode(var.network_type)}"
-    network_resource_group_name = "${jsonencode(var.network_resource_group_name)}"
+    network_resource_group_name_override = "${jsonencode(var.network_resource_group_name_override)}"
     virtual_network_name = "${jsonencode(var.virtual_network_name)}"
     virtual_subnet_name = "${jsonencode(var.virtual_subnet_name)}"
-    keyvault_name = "${jsonencode(var.keyvault_name)}"
+    keyvault_name_override = "${jsonencode(var.keyvault_name_override)}"
+    keyvault_key_name_override = "${jsonencode(var.keyvault_key_name_override)}"
     network_plugin = "${jsonencode(var.network_plugin)}"
     network_plugin_mode = "${jsonencode(var.network_plugin_mode)}"
     enable_custom_cluster_issuer = "${jsonencode(var.enable_custom_cluster_issuer)}"
@@ -135,6 +136,34 @@ resource "kubernetes_config_map" "terraform-variables" {
     secrets_operator_enabled = "${jsonencode(var.secrets_operator_enabled)}"
     vault_secrets_operator_version = "${jsonencode(var.vault_secrets_operator_version)}"
     aks_storage_account_name = "${jsonencode(var.aks_storage_account_name)}"
+    readapi_type = "${jsonencode(var.readapi_type)}"
+    readapi_azure_resource_group_override = "${jsonencode(var.readapi_azure_resource_group_override)}"
+    readapi_name_override = "${jsonencode(var.readapi_name_override)}"
+    readapi_queue_name_override = "${jsonencode(var.readapi_queue_name_override)}"
+    servicebus_type = "${jsonencode(var.servicebus_type)}"
+    servicebus_namespace_name_override = "${jsonencode(var.servicebus_namespace_name_override)}"
+    servicebus_queue_name_override = "${jsonencode(var.servicebus_queue_name_override)}"
+    servicebus_topic_name_override = "${jsonencode(var.servicebus_topic_name_override)}"
+    blob_type = "${jsonencode(var.blob_type)}"
+    fileshare_name_override = "${jsonencode(var.fileshare_name_override)}"
+    blob_store_name_override = "${jsonencode(var.blob_store_name_override)}"
+    crunchy_backup_name_override = "${jsonencode(var.crunchy_backup_name_override)}"
+    indico_crds_version = "${jsonencode(var.indico_crds_version)}"
+    indico_pre_reqs_version = "${jsonencode(var.indico_pre_reqs_version)}"
+    insights_pre_reqs_values_yaml_b64 = "${jsonencode(var.insights-pre-reqs-values-yaml-b64)}"
+    insights_enabled = "${jsonencode(var.insights_enabled)}"
+    insights_values = "${jsonencode(var.insights_values)}"
+    insights_version = "${jsonencode(var.insights_version)}"
+    insights_smoketest_version = "${jsonencode(var.insights_smoketest_version)}"
+    insights_smoketest_values = "${jsonencode(var.insights_smoketest_values)}"
+    insights_smoketest_enabled = "${jsonencode(var.insights_smoketest_enabled)}"
+    insights_smoketest_cronjob_enabled = "${jsonencode(var.insights_smoketest_cronjob_enabled)}"
+    insights_pre_reqs_version = "${jsonencode(var.insights_pre_reqs_version)}"
+    insights_local_registry_harbor_robot_account_name = "${jsonencode(var.insights_local_registry_harbor_robot_account_name)}"
+    insights_local_registry_enabled = "${jsonencode(var.insights_local_registry_enabled)}"
+    minio_enabled = "${jsonencode(var.minio_enabled)}"
+    indico_crds_values_yaml_b64 = "${jsonencode(var.indico-crds-values-yaml-b64)}"
+    indico_pre_reqs_values_yaml_b64 = "${jsonencode(var.indico-pre-reqs-values-yaml-b64)}"
 
     }
   }
diff --git a/azure/user_vars.auto.tfvars b/azure/user_vars.auto.tfvars
index 33544346..d12f761d 100644
--- a/azure/user_vars.auto.tfvars
+++ b/azure/user_vars.auto.tfvars
@@ -6,136 +6,9 @@
 region                  = "eastus"
 vnet_cidr               = "192.168.0.0/20"
 subnet_cidrs            = ["192.168.0.0/22"]
-storage_account_name    = ""
 private_cluster_enabled = false
 k8s_version             = "1.31"
 
-default_node_pool = {
-  name       = "defaultpool"
-  node_count = 3
-  vm_size    = "Standard_D16_v3"
-  zones      = ["1", "2"]
-  taints     = null
-  labels = {
-    "node_group" : "default-workers"
-  }
-  cluster_auto_scaling           = true
-  cluster_auto_scaling_min_count = 1
-  cluster_auto_scaling_max_count = 5
-}
+default_node_pool = null
 
-additional_node_pools = {
-  gpuworkers = {
-    node_count = 0
-    pool_name  = "gpu"
-    vm_size    = "Standard_NC4as_T4_v3"
-    node_os    = "Linux"
-    zones      = ["0"]
-    taints     = ["nvidia.com/gpu=true:NoSchedule"]
-    labels = {
-      "node_group" : "gpu-workers",
-      "k8s.amazonaws.com/accelerator" : "nvidia"
-    }
-    cluster_auto_scaling           = true
-    cluster_auto_scaling_min_count = 0
-    cluster_auto_scaling_max_count = 5
-  },
-  celeryworkers = {
-    node_count = 0
-    pool_name  = "celery"
-    vm_size    = "Standard_D16_v3"
-    node_os    = "Linux"
-    zones      = ["1", "2"]
-    taints     = ["indico.io/celery=true:NoSchedule"]
-    labels = {
-      "node_group" : "celery-workers"
-    }
-    cluster_auto_scaling           = true
-    cluster_auto_scaling_min_count = 0
-    cluster_auto_scaling_max_count = 20
-  },
-  staticworkers = {
-    node_count = 1
-    pool_name  = "static"
-    vm_size    = "Standard_D16_v3"
-    node_os    = "Linux"
-    zones      = ["1", "2"]
-    taints     = []
-    labels = {
-      "node_group" : "static-workers"
-    }
-    cluster_auto_scaling           = true
-    cluster_auto_scaling_min_count = 1
-    cluster_auto_scaling_max_count = 20
-  },
-  pdfworkers = {
-    node_count = 1
-    pool_name  = "pdf"
-    vm_size    = "Standard_D16_v3"
-    node_os    = "Linux"
-    zones      = ["1", "2"]
-    taints     = ["indico.io/pdfextraction=true:NoSchedule"]
-    labels = {
-      "node_group" : "pdf-workers"
-    }
-    cluster_auto_scaling           = true
-    cluster_auto_scaling_min_count = 0
-    cluster_auto_scaling_max_count = 5
-  },
-  highmemworkers = {
-    node_count = 0
-    pool_name  = "highmem"
-    vm_size    = "Standard_D16_v3"
-    node_os    = "Linux"
-    zones      = ["1", "2"]
-    taints     = ["indico.io/highmem=true:NoSchedule"]
-    labels = {
-      "node_group" : "highmem-workers"
-    }
-    cluster_auto_scaling           = true
-    cluster_auto_scaling_min_count = 0
-    cluster_auto_scaling_max_count = 3
-  },
-  monitoringworkers = {
-    node_count = 1
-    pool_name  = "monitoring"
-    vm_size    = "Standard_d11_v2"
-    node_os    = "Linux"
-    zones      = ["1", "2"]
-    taints     = ["indico.io/monitoring=true:NoSchedule"]
-    labels = {
-      "node_group" : "monitoring-workers"
-    }
-    cluster_auto_scaling           = true
-    cluster_auto_scaling_min_count = 1
-    cluster_auto_scaling_max_count = 4
-  },
-  pgoworkers = {
-    node_count = 1
-    pool_name  = "pgo"
-    vm_size    = "Standard_D16_v3"
-    node_os    = "Linux"
-    zones      = ["1", "2"]
-    taints     = ["indico.io/crunchy=true:NoSchedule"]
-    labels = {
-      "node_group" : "pgo-workers"
-    }
-    cluster_auto_scaling           = true
-    cluster_auto_scaling_min_count = 1
-    cluster_auto_scaling_max_count = 4
-  },
-  azurite = {
-    node_count = 1
-    pool_name  = "azurite"
-    vm_size    = "Standard_D16_v3"
-    node_os    = "Linux"
-    zones      = ["1", "2"]
-    taints     = ["indico.io/azurite=true:NoSchedule"]
-    labels = {
-      "node_group" : "readapi-azurite"
-    }
-    cluster_auto_scaling           = true
-    cluster_auto_scaling_min_count = 0
-    cluster_auto_scaling_max_count = 1
-  }
-}
+additional_node_pools = null
diff --git a/azure/variables.tf b/azure/variables.tf
index 3599e1f6..d368cf58 100644
--- a/azure/variables.tf
+++ b/azure/variables.tf
@@ -75,10 +75,10 @@ variable "worker_subnet_cidrs" {
 }
 
 ### storage account variables
-variable "storage_account_name" {
+variable "storage_account_name_override" {
   type        = string
-  default     = ""
-  description = "Name of the indico storage account"
+  default     = null
+  description = "Name of the indico storage account if not using the default"
 }
 
 variable "vault_address" {
@@ -211,65 +211,15 @@ variable "k8s_version" {
 }
 
 variable "default_node_pool" {
-  type = object({
-    node_count                     = number
-    vm_size                        = string
-    name                           = string
-    zones                          = list(string)
-    taints                         = list(string)
-    cluster_auto_scaling           = bool
-    cluster_auto_scaling_min_count = number
-    cluster_auto_scaling_max_count = number
-    labels                         = map(string)
-  })
-
-  default = {
-    name                           = "empty"
-    cluster_auto_scaling           = false
-    cluster_auto_scaling_max_count = 0
-    cluster_auto_scaling_min_count = 0
-    labels = {
-      "key" = "value"
-    }
-    node_count = 0
-    node_os    = "value"
-    pool_name  = "value"
-    taints     = ["value"]
-    vm_size    = "value"
-    zones      = ["value"]
-  }
+  default = null
+
+  description = "Override the default configuration for the cluster node pool"
 }
 
 variable "additional_node_pools" {
-  type = map(object({
-    node_count                     = number
-    vm_size                        = string
-    zones                          = list(string)
-    node_os                        = string
-    pool_name                      = string
-    taints                         = list(string)
-    labels                         = map(string)
-    cluster_auto_scaling           = bool
-    cluster_auto_scaling_min_count = number
-    cluster_auto_scaling_max_count = number
-  }))
+  default = null
 
-  default = {
-    "empty" = {
-      cluster_auto_scaling           = false
-      cluster_auto_scaling_max_count = 0
-      cluster_auto_scaling_min_count = 0
-      labels = {
-        "key" = "value"
-      }
-      node_count = 1
-      node_os    = "value"
-      pool_name  = "value"
-      taints     = ["value"]
-      vm_size    = "value"
-      zones      = ["value"]
-    }
-  }
+  description = "Override the default configuration for additional node pools, which is generated based on enabled applications"
 }
 
 variable "applications" {
@@ -717,9 +667,10 @@ variable "network_type" {
   default = "create"
 }
 
-variable "network_resource_group_name" {
-  type    = string
-  default = null
+variable "network_resource_group_name_override" {
+  type        = string
+  default     = null
+  description = "Name for the resource group that will contain the networking resources. If not specified, defaults to general resource group"
 }
 
 variable "virtual_network_name" {
@@ -732,9 +683,16 @@ variable "virtual_subnet_name" {
   type    = string
 }
 
-variable "keyvault_name" {
-  default = null
-  type    = string
+variable "keyvault_name_override" {
+  default     = null
+  type        = string
+  description = "keyvault name override if not using the default"
+}
+
+variable "keyvault_key_name_override" {
+  default     = null
+  type        = string
+  description = "keyvault key name override if not using the default"
 }
 
 variable "network_plugin" {
@@ -898,3 +856,95 @@ variable "crunchy_backup_name_override" {
   default     = null
   description = "Override the default crunchy-backup name"
 }
+
+variable "indico_crds_version" {
+  type        = string
+  default     = ""
+  description = "Version of the indico-crds helm chart"
+}
+
+variable "indico_pre_reqs_version" {
+  type        = string
+  default     = ""
+  description = "Version of the indico-pre-reqs helm chart"
+}
+
+variable "insights-pre-reqs-values-yaml-b64" {
+  type        = string
+  default     = "Cg=="
+  description = "user provided overrides to indico-pre-reqs helm chart"
+}
+
+variable "insights_enabled" {
+  type        = bool
+  default     = false
+  description = "Toggle for enabling insights deployment"
+}
+
+variable "insights_values" {
+  type        = string
+  default     = ""
+  description = "User provided overrides to the insights application"
+}
+
+variable "insights_version" {
+  type        = string
+  default     = ""
+  description = "Insights helm chart version to deploy to the cluster"
+}
+
+variable "insights_smoketest_version" {
+  type        = string
+  default     = ""
+  description = "Insights smoketest to deploy to the cluster"
+}
+
+variable "insights_smoketest_values" {
+  type        = string
+  default     = ""
+  description = "Insights smoketest overrides"
+}
+
+variable "insights_smoketest_enabled" {
+  type        = bool
+  default     = false
+  description = "Toggle for enabling smoketest"
+}
+
+variable "insights_smoketest_cronjob_enabled" {
+  type        = bool
+  default     = false
+  description = "Toggle for scheduling smoketests"
+}
+
+variable "insights_pre_reqs_version" {
+  type        = string
+  default     = ""
+  description = "insights-pre-requisites helm chart version"
+}
+
+variable "insights_local_registry_harbor_robot_account_name" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "insights_local_registry_enabled" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "minio_enabled" {
+  type        = bool
+  default     = false
+  description = "Toggle for enabling minio deployment"
+}
+
+variable "indico-crds-values-yaml-b64" {
+  default = "Cg=="
+}
+
+variable "indico-pre-reqs-values-yaml-b64" {
+  default = "Cg=="
+}
diff --git a/azure/workload_identity.tf b/azure/workload_identity.tf
index 7a62e2b7..9e746a39 100644
--- a/azure/workload_identity.tf
+++ b/azure/workload_identity.tf
@@ -1,9 +1,5 @@
 data "azuread_client_config" "current" {}
 
-
-
-
-
 resource "azuread_application" "workload_identity" {
   count        = var.use_workload_identity == true ? 1 : 0
   display_name = "${var.label}-${var.region}-workload-identity"
diff --git a/main.tf b/main.tf
index ea56f760..55328b23 100644
--- a/main.tf
+++ b/main.tf
@@ -161,7 +161,7 @@ module "networking" {
 module "sqs_sns" {
   count                      = var.sqs_sns == true ? 1 : 0
   source                     = "app.terraform.io/indico/indico-aws-sqs-sns/mod"
-  version                    = "2.0.0"
+  version                    = "2.0.2"
   region                     = var.region
   label                      = var.label
   kms_master_key_id          = module.kms_key.key.id
@@ -209,7 +209,7 @@ module "security-group" {
 
 module "s3-storage" {
   source                             = "app.terraform.io/indico/indico-aws-buckets/mod"
-  version                            = "4.1.1"
+  version                            = "4.2.2"
   force_destroy                      = true # allows terraform to destroy non-empty buckets.
   label                              = var.label
   kms_key_arn                        = module.kms_key.key.arn
@@ -222,6 +222,8 @@ module "s3-storage" {
   data_s3_bucket_name_override       = var.data_s3_bucket_name_override
   api_models_s3_bucket_name_override = var.api_models_s3_bucket_name_override
   pgbackup_s3_bucket_name_override   = var.pgbackup_s3_bucket_name_override
+  miniobkp_s3_bucket_name_override   = var.miniobkp_s3_bucket_name_override
+  include_miniobkp                   = var.include_miniobkp && var.insights_enabled ? true : false
 }
 
 
@@ -323,7 +325,7 @@ module "iam" {
   aws_primary_dns_role_arn   = var.aws_primary_dns_role_arn
   efs_filesystem_id          = [var.include_efs == true ? module.efs-storage[0].efs_filesystem_id : ""]
   fsx_arns                   = [var.include_rox ? module.fsx-storage[0].fsx-rox.arn : "", var.include_fsx == true ? module.fsx-storage[0].fsx-rwx.arn : ""]
-  s3_buckets                 = compact([module.s3-storage.data_s3_bucket_name, var.include_pgbackup ? module.s3-storage.pgbackup_s3_bucket_name : "", var.include_rox ? module.s3-storage.api_models_s3_bucket_name : "", lower("${var.aws_account}-aws-cod-snapshots"), var.performance_bucket ? "indico-locust-benchmark-test-results" : ""])
+  s3_buckets                 = compact([module.s3-storage.data_s3_bucket_name, var.include_pgbackup ? module.s3-storage.pgbackup_s3_bucket_name : "", var.include_rox ? module.s3-storage.api_models_s3_bucket_name : "", lower("${var.aws_account}-aws-cod-snapshots"), var.performance_bucket ? "indico-locust-benchmark-test-results" : "", var.include_miniobkp && var.insights_enabled ? module.s3-storage.miniobkp_s3_bucket_name : ""])
   kms_key_arn                = module.kms_key.key_arn
   # s3 replication
   enable_s3_replication                            = var.enable_s3_replication
@@ -363,7 +365,7 @@ module "cluster" {
   az_count   = var.az_count
   subnet_ids = flatten([local.network[0].private_subnet_ids])
 
-  node_groups          = var.node_groups
+  node_groups          = local.node_groups
   node_role_name       = module.iam.node_role_name
   node_role_arn        = module.iam.node_role_arn
   instance_volume_size = var.instance_volume_size
diff --git a/modules/common/application-deployment/application.tf b/modules/common/application-deployment/application.tf
new file mode 100644
index 00000000..293d5458
--- /dev/null
+++ b/modules/common/application-deployment/application.tf
@@ -0,0 +1,75 @@
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "5.34.0"
+    }
+  }
+}
+
+resource "github_repository_file" "argocd-application-yaml" {
+  count               = var.argo_enabled == true ? 1 : 0
+  repository          = var.github_repo_name
+  branch              = var.github_repo_branch
+  file                = var.github_file_path
+  commit_message      = var.github_commit_message
+  overwrite_on_create = true
+
+  lifecycle {
+    ignore_changes = [
+      content
+    ]
+  }
+
+  content = <<EOT
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ${var.argo_application_name}
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  labels:
+    app: cod
+    region: ${var.region}
+    account: ${var.account}
+    name: ${var.label}
+  annotations:
+    avp.kubernetes.io/path: ${var.argo_vault_plugin_path}
+    argocd.argoproj.io/sync-wave: "-2"
+spec:
+  ignoreDifferences:
+    - group: apps
+      jsonPointers:
+        - /spec/replicas
+      kind: Deployment
+  destination:
+    server: ${var.argo_server}
+    namespace: ${var.namespace}
+  project: ${var.argo_project_name}
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+  source:
+    chart: ${var.chart_name}
+    repoURL: ${var.chart_repo}
+    targetRevision: ${var.chart_version}
+    plugin:
+      name: argocd-vault-plugin-helm-values-expand-no-build
+      env:
+        - name: KUBE_VERSION
+          value: "${var.k8s_version}"
+
+        - name: RELEASE_NAME
+          value: ${var.release_name}
+        
+        - name: HELM_TF_COD_VALUES
+          value: |
+            ${var.terraform_helm_values}
+        - name: HELM_VALUES
+          value: |
+            ${var.helm_values}
+EOT
+}
diff --git a/modules/common/application-deployment/outputs.tf b/modules/common/application-deployment/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/modules/common/application-deployment/variables.tf b/modules/common/application-deployment/variables.tf
new file mode 100644
index 00000000..efd623d8
--- /dev/null
+++ b/modules/common/application-deployment/variables.tf
@@ -0,0 +1,122 @@
+variable "account" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "region" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "label" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "namespace" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "argo_enabled" {
+  type        = bool
+  default     = true
+  description = "Flag to enable/disable argo. If argo is diabled, everything will be installed through helm"
+}
+
+# Argo enabled
+variable "github_repo_name" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "github_repo_branch" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "github_file_path" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "github_commit_message" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "argo_application_name" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "argo_vault_plugin_path" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "argo_server" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "argo_project_name" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+# Argo disabled, use helm
+variable "chart_name" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "chart_repo" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "chart_version" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "k8s_version" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "release_name" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "terraform_helm_values" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "helm_values" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
diff --git a/modules/common/indico-common/main.tf b/modules/common/indico-common/main.tf
new file mode 100644
index 00000000..288a6a0c
--- /dev/null
+++ b/modules/common/indico-common/main.tf
@@ -0,0 +1,132 @@
+# Start with the crds and operators
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "5.34.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "1.14.0"
+    }
+  }
+}
+
+resource "github_repository_file" "crds_values_yaml" {
+  count               = var.argo_enabled == true ? 1 : 0
+  repository          = var.github_repo_name
+  branch              = var.github_repo_branch
+  file                = "${var.github_file_path}/helm/indico-crds-values.values"
+  commit_message      = var.github_commit_message
+  overwrite_on_create = true
+
+  lifecycle {
+    ignore_changes = [
+      content
+    ]
+  }
+  content = base64decode(var.indico_crds_values_yaml_b64)
+}
+
+data "github_repository_file" "data_crds_values" {
+  count = var.argo_enabled == true ? 1 : 0
+  depends_on = [
+    github_repository_file.crds_values_yaml
+  ]
+  repository = var.github_repo_name
+  branch     = var.github_repo_branch
+  file       = var.github_file_path == "." ? "helm/indico-crds-values.values" : "${var.github_file_path}/helm/indico-crds-values.values"
+}
+
+resource "helm_release" "indico_crds" {
+  verify           = false
+  name             = "indico-crds"
+  create_namespace = true
+  namespace        = var.namespace
+  repository       = var.helm_registry
+  chart            = "indico-crds"
+  version          = var.indico_crds_version
+  wait             = true
+  timeout          = "1800" # 30 minutes
+
+  values = concat(var.indico_crds_values_overrides, [<<EOT
+${var.argo_enabled == true ? data.github_repository_file.data_crds_values[0].content : base64decode(var.indico_crds_values_yaml_b64)}
+EOT
+  ])
+}
+
+# Wait for the crd chart to settle
+resource "time_sleep" "wait_1_minutes_after_crds" {
+  depends_on = [helm_release.indico_crds]
+
+  create_duration = "1m"
+}
+
+# Operator installed, on to pre-reqs
+resource "github_repository_file" "pre_reqs_values_yaml" {
+  count               = var.argo_enabled == true ? 1 : 0
+  repository          = var.github_repo_name
+  branch              = var.github_repo_branch
+  file                = "${var.github_file_path}/helm/indico-pre-reqs-values.values"
+  commit_message      = var.github_commit_message
+  overwrite_on_create = true
+
+  lifecycle {
+    ignore_changes = [
+      content
+    ]
+  }
+  content = base64decode(var.indico_pre_reqs_values_yaml_b64)
+}
+
+data "github_repository_file" "data_pre_reqs_values" {
+  count = var.argo_enabled == true ? 1 : 0
+
+  depends_on = [
+    github_repository_file.pre_reqs_values_yaml
+  ]
+  repository = var.github_repo_name
+  branch     = var.github_repo_branch
+  file       = var.github_file_path == "." ? "helm/indico-pre-reqs-values.values" : "${var.github_file_path}/helm/indico-pre-reqs-values.values"
+}
+
+resource "helm_release" "indico_pre_requisites" {
+  depends_on = [
+    data.github_repository_file.data_pre_reqs_values,
+    time_sleep.wait_1_minutes_after_crds,
+  ]
+
+  verify           = false
+  name             = "indico-pre-reqs"
+  create_namespace = true
+  namespace        = var.namespace
+  repository       = var.helm_registry
+  chart            = "indico-pre-reqs"
+  version          = var.indico_pre_reqs_version
+  wait             = false
+  timeout          = "1800" # 30 minutes
+  disable_webhooks = false
+
+  values = concat(var.indico_pre_reqs_values_overrides, [<<EOT
+${var.argo_enabled == true ? data.github_repository_file.data_pre_reqs_values[0].content : base64decode(var.indico_pre_reqs_values_yaml_b64)}
+EOT
+  ])
+}
+
+resource "helm_release" "monitoring" {
+  depends_on = [helm_release.indico_pre_requisites]
+
+  count = var.monitoring_enabled == true ? 1 : 0
+
+  verify           = false
+  name             = "monitoring"
+  create_namespace = true
+  namespace        = "monitoring"
+  repository       = var.helm_registry
+  chart            = "monitoring"
+  version          = var.monitoring_version
+  wait             = false
+  timeout          = "1800" # 30 minutes
+
+  values = var.monitoring_values
+}
diff --git a/modules/common/indico-common/outputs.tf b/modules/common/indico-common/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/modules/common/indico-common/variables.tf b/modules/common/indico-common/variables.tf
new file mode 100644
index 00000000..8e5914f6
--- /dev/null
+++ b/modules/common/indico-common/variables.tf
@@ -0,0 +1,98 @@
+variable "argo_enabled" {
+  type        = bool
+  default     = true
+  description = "Flag to enable/disable argo. If argo is diabled, everything will be installed through helm"
+}
+
+# Argo enabled
+variable "github_repo_name" {
+  type        = string
+  default     = ""
+  description = "Repo where the cod.yaml, application.yaml, and helm overrides are stored when argo is enabled"
+}
+
+variable "github_repo_branch" {
+  type        = string
+  default     = ""
+  description = "Branch of the repo"
+}
+
+variable "github_file_path" {
+  type        = string
+  default     = "."
+  description = "Path of the yaml files in the repo"
+}
+
+variable "github_commit_message" {
+  type        = string
+  default     = ""
+  description = "Commit message to send to github when adding application configuration files"
+}
+
+variable "helm_registry" {
+  type        = string
+  default     = "https://harbor.devops.indico.io/chartrepo/indico-charts"
+  description = "Helm registry URL"
+}
+
+variable "namespace" {
+  type        = string
+  default     = "indico"
+  description = "Namespace to deploy indico common deployments/secrets"
+}
+
+# CRDS helm install
+variable "indico_crds_version" {
+  type        = string
+  default     = ""
+  description = "indico-crds chart version to deploy to the cluster"
+}
+
+variable "indico_crds_values_yaml_b64" {
+  type        = string
+  default     = "Cg=="
+  description = "indico-crds values provided by the user in the cod.yaml"
+}
+
+variable "indico_crds_values_overrides" {
+  type        = list(string)
+  default     = []
+  description = "indico-crds values overrides from the terraform"
+}
+
+# indico-pre-requisites install 
+variable "indico_pre_reqs_version" {
+  type        = string
+  default     = ""
+  description = "indico-pre-requisistes chart version to deploy to the cluster"
+}
+
+variable "indico_pre_reqs_values_yaml_b64" {
+  type        = string
+  default     = "Cg=="
+  description = "indico-pre-requisistes values provided by the user in the cod.yaml"
+}
+
+variable "indico_pre_reqs_values_overrides" {
+  type        = list(string)
+  default     = []
+  description = "indico-pre-requisites values overrides from the terraform"
+}
+
+variable "monitoring_enabled" {
+  type        = bool
+  default     = true
+  description = "Flag to enable/disable monitoring"
+}
+
+variable "monitoring_values" {
+  type        = list(string)
+  default     = []
+  description = "Monitoring values"
+}
+
+variable "monitoring_version" {
+  type        = string
+  default     = ""
+  description = "Monitoring chart version"
+}
diff --git a/modules/common/insights/main.tf b/modules/common/insights/main.tf
new file mode 100644
index 00000000..27592b73
--- /dev/null
+++ b/modules/common/insights/main.tf
@@ -0,0 +1,91 @@
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "5.34.0"
+    }
+  }
+}
+
+# Start with application pre-reqs
+resource "github_repository_file" "pre_reqs_values_yaml" {
+  count               = var.argo_enabled == true ? 1 : 0
+  repository          = var.github_repo_name
+  branch              = var.github_repo_branch
+  file                = "${var.github_file_path}/helm/ins-pre-reqs-values.values"
+  commit_message      = var.github_commit_message
+  overwrite_on_create = true
+
+  lifecycle {
+    ignore_changes = [
+      content
+    ]
+  }
+  content = base64decode(var.pre_reqs_values_yaml_b64)
+}
+
+data "github_repository_file" "data_pre_reqs_values" {
+  count = var.argo_enabled == true ? 1 : 0
+
+  depends_on = [
+    github_repository_file.pre_reqs_values_yaml
+  ]
+  repository = var.github_repo_name
+  branch     = var.github_repo_branch
+  file       = var.github_file_path == "." ? "helm/ins-pre-reqs-values.values" : "${var.github_file_path}/helm/ins-pre-reqs-values.values"
+}
+
+resource "helm_release" "ins_pre_requisites" {
+  depends_on = [
+    data.github_repository_file.data_pre_reqs_values,
+  ]
+
+  verify           = false
+  name             = "insights-pre-reqs"
+  create_namespace = true
+  namespace        = var.namespace
+  repository       = var.helm_registry
+  chart            = "insights-pre-reqs"
+  version          = var.ins_pre_reqs_version
+  wait             = false
+  timeout          = "1800" # 30 minutes
+  disable_webhooks = false
+
+  values = concat(var.ins_pre_reqs_values_overrides, [<<EOT
+${var.argo_enabled == true ? data.github_repository_file.data_pre_reqs_values[0].content : base64decode(var.pre_reqs_values_yaml_b64)}
+EOT
+  ])
+}
+
+# Let pre-reqs settle
+resource "time_sleep" "wait_1_minutes_after_pre_reqs" {
+  depends_on = [helm_release.ins_pre_requisites]
+
+  create_duration = "1m"
+}
+
+# Deploy the application
+module "insights_application" {
+  depends_on             = [time_sleep.wait_1_minutes_after_pre_reqs]
+  source                 = "../application-deployment"
+  account                = var.account
+  region                 = var.region
+  label                  = var.label
+  namespace              = var.namespace
+  argo_enabled           = var.argo_enabled
+  github_repo_name       = var.github_repo_name
+  github_repo_branch     = var.github_repo_branch
+  github_file_path       = "${var.github_file_path}/insights_application.yaml"
+  github_commit_message  = var.github_commit_message
+  argo_application_name  = var.argo_application_name
+  argo_vault_plugin_path = var.vault_path
+  argo_server            = var.argo_server
+  argo_project_name      = var.argo_project_name
+  chart_name             = "insights"
+  chart_repo             = var.helm_registry
+  chart_version          = var.insights_version
+  k8s_version            = var.k8s_version
+  release_name           = "insights"
+  terraform_helm_values  = indent(12, trimspace(var.insights_values_terraform_overrides))
+  helm_values            = trimspace(base64decode(var.insights_values_overrides))
+}
diff --git a/modules/common/insights/outputs.tf b/modules/common/insights/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/modules/common/insights/variables.tf b/modules/common/insights/variables.tf
new file mode 100644
index 00000000..a70615ea
--- /dev/null
+++ b/modules/common/insights/variables.tf
@@ -0,0 +1,128 @@
+variable "argo_enabled" {
+  type        = bool
+  default     = true
+  description = "Flag to enable/disable argo. If argo is diabled, everything will be installed through helm"
+}
+
+# Argo enabled
+variable "github_repo_name" {
+  type        = string
+  default     = ""
+  description = "Repo where the cod.yaml, application.yaml, and helm overrides are stored when argo is enabled"
+}
+
+variable "github_repo_branch" {
+  type        = string
+  default     = ""
+  description = "Branch of the repo"
+}
+
+variable "github_file_path" {
+  type        = string
+  default     = ""
+  description = "Path of the yaml files in the repo"
+}
+
+variable "github_commit_message" {
+  type        = string
+  default     = ""
+  description = "Commit message to send to github when adding application configuration files"
+}
+
+variable "helm_registry" {
+  type        = string
+  default     = "https://harbor.devops.indico.io/chartrepo/indico-charts"
+  description = "Helm registry URL"
+}
+
+variable "namespace" {
+  type        = string
+  default     = "default"
+  description = "Namespace to deploy intake deployments/secrets. Defaults to 'default' due to historical placement"
+}
+
+# pre reqs buttons
+variable "ins_pre_reqs_version" {
+  type        = string
+  default     = ""
+  description = "ipa-pre-requisistes chart version to deploy to the cluster"
+}
+
+variable "pre_reqs_values_yaml_b64" {
+  type        = string
+  default     = "Cg=="
+  description = "ipa-pre-requisistes values provided by the user in the cod.yaml"
+}
+
+variable "ins_pre_reqs_values_overrides" {
+  type        = list(string)
+  default     = []
+  description = "ipa-pre-requisites values overrides from the terraform"
+}
+
+# Application deployment
+variable "account" {
+  type        = string
+  default     = ""
+  description = "Account name for the cluster"
+}
+
+variable "region" {
+  type        = string
+  default     = ""
+  description = "Region of the cluster"
+}
+
+variable "label" {
+  type        = string
+  default     = ""
+  description = "Name of the cluster"
+}
+
+variable "argo_application_name" {
+  type        = string
+  default     = ""
+  description = "Name of the application to create in Argo for intake"
+}
+
+variable "vault_path" {
+  type        = string
+  default     = ""
+  description = "Vault path for secrets in the application (generally not used)"
+}
+
+variable "argo_server" {
+  type        = string
+  default     = ""
+  description = "Server to deploy the Argo application to"
+}
+
+variable "argo_project_name" {
+  type        = string
+  default     = ""
+  description = "Argo project the application falls under"
+}
+
+variable "insights_version" {
+  type        = string
+  default     = ""
+  description = "Helm chart version of the intake helm chart"
+}
+
+variable "k8s_version" {
+  type        = string
+  default     = ""
+  description = "The kubernetes version of the cluster"
+}
+
+variable "insights_values_terraform_overrides" {
+  type        = string
+  default     = ""
+  description = "Overrides to the helm values of the intake chart from tf_cod"
+}
+
+variable "insights_values_overrides" {
+  type        = string
+  default     = ""
+  description = "Overrides to the helm values of the intake chart from the cod user"
+}
diff --git a/modules/common/intake/main.tf b/modules/common/intake/main.tf
new file mode 100644
index 00000000..890bd2d7
--- /dev/null
+++ b/modules/common/intake/main.tf
@@ -0,0 +1,91 @@
+terraform {
+  required_providers {
+    github = {
+      source  = "integrations/github"
+      version = "5.34.0"
+    }
+  }
+}
+
+# Start with application pre-reqs
+resource "github_repository_file" "pre_reqs_values_yaml" {
+  count               = var.argo_enabled == true ? 1 : 0
+  repository          = var.github_repo_name
+  branch              = var.github_repo_branch
+  file                = "${var.github_file_path}/helm/pre-reqs-values.values"
+  commit_message      = var.github_commit_message
+  overwrite_on_create = true
+
+  lifecycle {
+    ignore_changes = [
+      content
+    ]
+  }
+  content = base64decode(var.pre_reqs_values_yaml_b64)
+}
+
+data "github_repository_file" "data_pre_reqs_values" {
+  count = var.argo_enabled == true ? 1 : 0
+
+  depends_on = [
+    github_repository_file.pre_reqs_values_yaml
+  ]
+  repository = var.github_repo_name
+  branch     = var.github_repo_branch
+  file       = var.github_file_path == "." ? "helm/pre-reqs-values.values" : "${var.github_file_path}/helm/pre-reqs-values.values"
+}
+
+resource "helm_release" "ipa-pre-requisites" {
+  depends_on = [
+    data.github_repository_file.data_pre_reqs_values,
+  ]
+
+  verify           = false
+  name             = "ipa-pre-reqs"
+  create_namespace = true
+  namespace        = var.namespace
+  repository       = var.helm_registry
+  chart            = "ipa-pre-requisites"
+  version          = var.ipa_pre_reqs_version
+  wait             = false
+  timeout          = "1800" # 30 minutes
+  disable_webhooks = false
+
+  values = concat(var.ipa_pre_reqs_values_overrides, [<<EOT
+${var.argo_enabled == true ? data.github_repository_file.data_pre_reqs_values[0].content : base64decode(var.pre_reqs_values_yaml_b64)}
+EOT
+  ])
+}
+
+# Let pre-reqs settle
+resource "time_sleep" "wait_1_minutes_after_pre_reqs" {
+  depends_on = [helm_release.ipa-pre-requisites]
+
+  create_duration = "1m"
+}
+
+# Deploy the application
+module "intake_application" {
+  depends_on             = [time_sleep.wait_1_minutes_after_pre_reqs]
+  source                 = "../application-deployment"
+  account                = var.account
+  region                 = var.region
+  label                  = var.label
+  namespace              = var.namespace
+  argo_enabled           = var.argo_enabled
+  github_repo_name       = var.github_repo_name
+  github_repo_branch     = var.github_repo_branch
+  github_file_path       = "${var.github_file_path}/ipa_application.yaml"
+  github_commit_message  = var.github_commit_message
+  argo_application_name  = var.argo_application_name
+  argo_vault_plugin_path = var.vault_path
+  argo_server            = var.argo_server
+  argo_project_name      = var.argo_project_name
+  chart_name             = "ipa"
+  chart_repo             = var.helm_registry
+  chart_version          = var.intake_version
+  k8s_version            = var.k8s_version
+  release_name           = "ipa"
+  terraform_helm_values  = indent(12, trimspace(var.intake_values_terraform_overrides))
+  helm_values            = trimspace(base64decode(var.intake_values_overrides))
+}
diff --git a/modules/common/intake/outputs.tf b/modules/common/intake/outputs.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/modules/common/intake/variables.tf b/modules/common/intake/variables.tf
new file mode 100644
index 00000000..89039b96
--- /dev/null
+++ b/modules/common/intake/variables.tf
@@ -0,0 +1,128 @@
+variable "argo_enabled" {
+  type        = bool
+  default     = true
+  description = "Flag to enable/disable argo. If argo is diabled, everything will be installed through helm"
+}
+
+# Argo enabled
+variable "github_repo_name" {
+  type        = string
+  default     = ""
+  description = "Repo where the cod.yaml, application.yaml, and helm overrides are stored when argo is enabled"
+}
+
+variable "github_repo_branch" {
+  type        = string
+  default     = ""
+  description = "Branch of the repo"
+}
+
+variable "github_file_path" {
+  type        = string
+  default     = ""
+  description = "Path of the yaml files in the repo"
+}
+
+variable "github_commit_message" {
+  type        = string
+  default     = ""
+  description = "Commit message to send to github when adding application configuration files"
+}
+
+variable "helm_registry" {
+  type        = string
+  default     = "https://harbor.devops.indico.io/chartrepo/indico-charts"
+  description = "Helm registry URL"
+}
+
+variable "namespace" {
+  type        = string
+  default     = "default"
+  description = "Namespace to deploy intake deployments/secrets. Defaults to 'default' due to historical placement"
+}
+
+# pre reqs buttons
+variable "ipa_pre_reqs_version" {
+  type        = string
+  default     = ""
+  description = "ipa-pre-requisistes chart version to deploy to the cluster"
+}
+
+variable "pre_reqs_values_yaml_b64" {
+  type        = string
+  default     = "Cg=="
+  description = "ipa-pre-requisistes values provided by the user in the cod.yaml"
+}
+
+variable "ipa_pre_reqs_values_overrides" {
+  type        = list(string)
+  default     = []
+  description = "ipa-pre-requisites values overrides from the terraform"
+}
+
+# Application deployment
+variable "account" {
+  type        = string
+  default     = ""
+  description = "Account name for the cluster"
+}
+
+variable "region" {
+  type        = string
+  default     = ""
+  description = "Region of the cluster"
+}
+
+variable "label" {
+  type        = string
+  default     = ""
+  description = "Name of the cluster"
+}
+
+variable "argo_application_name" {
+  type        = string
+  default     = ""
+  description = "Name of the application to create in Argo for intake"
+}
+
+variable "vault_path" {
+  type        = string
+  default     = ""
+  description = "Vault path for secrets in the application (generally not used)"
+}
+
+variable "argo_server" {
+  type        = string
+  default     = ""
+  description = "Server to deploy the Argo application to"
+}
+
+variable "argo_project_name" {
+  type        = string
+  default     = ""
+  description = "Argo project the application falls under"
+}
+
+variable "intake_version" {
+  type        = string
+  default     = ""
+  description = "Helm chart version of the intake helm chart"
+}
+
+variable "k8s_version" {
+  type        = string
+  default     = ""
+  description = "The kubernetes version of the cluster"
+}
+
+variable "intake_values_terraform_overrides" {
+  type        = string
+  default     = ""
+  description = "Overrides to the helm values of the intake chart from tf_cod"
+}
+
+variable "intake_values_overrides" {
+  type        = string
+  default     = ""
+  description = "Overrides to the helm values of the intake chart from the cod user"
+}
diff --git a/modules/common/vault-secrets-operator-setup/operator-setup.tf b/modules/common/vault-secrets-operator-setup/operator-setup.tf
index dedf8e65..3d0b3626 100644
--- a/modules/common/vault-secrets-operator-setup/operator-setup.tf
+++ b/modules/common/vault-secrets-operator-setup/operator-setup.tf
@@ -2,7 +2,7 @@
 resource "kubernetes_service_account_v1" "vault-auth-default" {
   metadata {
     name      = "vault-auth"
-    namespace = "default"
+    namespace = "indico"
   }
 
   automount_service_account_token = true
@@ -33,7 +33,7 @@ resource "kubernetes_secret_v1" "vault-auth-default" {
   depends_on = [kubernetes_service_account_v1.vault-auth-default]
   metadata {
     name      = "vault-auth"
-    namespace = "default"
+    namespace = "indico"
     annotations = {
       "kubernetes.io/service-account.name" = kubernetes_service_account_v1.vault-auth-default.metadata.0.name
     }
@@ -79,7 +79,7 @@ resource "vault_kubernetes_auth_backend_role" "vault-auth-role" {
   backend                          = vault_auth_backend.kubernetes.path
   role_name                        = "vault-auth-role"
   bound_service_account_names      = [kubernetes_service_account_v1.vault-auth-default.metadata.0.name]
-  bound_service_account_namespaces = ["default"]
+  bound_service_account_namespaces = ["indico"]
   token_ttl                        = 3600
   token_policies                   = [vault_policy.vault-auth-policy.name]
   audience                         = var.audience
diff --git a/monitoring.tf b/monitoring.tf
index a9a6f3b1..5181afcb 100644
--- a/monitoring.tf
+++ b/monitoring.tf
@@ -19,10 +19,10 @@ locals {
       thanos: {}
   EOT
   )
-  
+
   backend_port = var.acm_arn != "" ? "http" : "https"
-  enableHttp = var.acm_arn != "" || var.use_nlb == true ? false : true
-  lb_config = var.acm_arn != "" ? local.acm_loadbalancer_config : local.loadbalancer_config
+  enableHttp   = var.acm_arn != "" || var.use_nlb == true ? false : true
+  lb_config    = var.acm_arn != "" ? local.acm_loadbalancer_config : local.loadbalancer_config
   loadbalancer_config = var.use_nlb == true ? (<<EOT
       external:
         enabled: ${var.network_allow_public}
@@ -44,7 +44,7 @@ locals {
           service.beta.kubernetes.io/aws-load-balancer-internal: "${local.internal_elb}"
           service.beta.kubernetes.io/aws-load-balancer-subnets: "${var.internal_elb_use_public_subnets ? join(", ", local.network[0].public_subnet_ids) : join(", ", local.network[0].private_subnet_ids)}"
   EOT
-  ) : (<<EOT
+    ) : (<<EOT
       external:
         enabled: ${var.network_allow_public}
       internal:
@@ -107,7 +107,7 @@ EOT
           hosts:
             - alertmanager-${local.dns_name}
   EOT
-  ) : (<<EOT
+    ) : (<<EOT
       tls: []
   EOT
   )
@@ -117,7 +117,7 @@ EOT
           hosts:
             - grafana-${local.dns_name}
   EOT
-  ) : (<<EOT
+    ) : (<<EOT
       tls: []
   EOT
   )
@@ -127,7 +127,7 @@ EOT
           hosts:
             - prometheus-${local.dns_name}
   EOT
-  ) : (<<EOT
+    ) : (<<EOT
       tls: []
   EOT
   )
@@ -216,6 +216,7 @@ ${local.prometheus_tls}
       path: /
 ${local.grafana_tls}
 sql-exporter:
+  enabled: ${var.ipa_enabled}
   image:
     repository: '${var.image_registry}/dockerhub-proxy/burningalchemist/sql_exporter'
 tempo:
@@ -299,6 +300,7 @@ ${local.thanos_config}
       labels:
         acme.cert-manager.io/dns01-solver: "true"
 sql-exporter:
+  enabled: ${var.ipa_enabled}
   image:
     repository: '${var.image_registry}/dockerhub-proxy/burningalchemist/sql_exporter'
 tempo:
@@ -361,247 +363,3 @@ output "monitoring-password" {
   sensitive = true
   value     = random_password.monitoring-password.result
 }
-
-
-resource "helm_release" "monitoring" {
-  count = var.monitoring_enabled == true ? 1 : 0
-  depends_on = [
-    module.cluster,
-    helm_release.ipa-pre-requisites,
-    helm_release.external-secrets,
-    aws_route53_record.alertmanager-caa,
-    aws_route53_record.grafana-caa,
-    aws_route53_record.prometheus-caa,
-    time_sleep.wait_1_minutes_after_pre_reqs,
-    null_resource.update_storage_class
-  ]
-
-  verify           = false
-  name             = "monitoring"
-  create_namespace = true
-  namespace        = "monitoring"
-  repository       = var.ipa_repo
-  chart            = "monitoring"
-  version          = var.monitoring_version
-  wait             = false
-  timeout          = "900" # 15 minutes
-  skip_crds        = true
-
-  values = [<<EOF
-global:
-  host: "${local.dns_name}"
-
-
-ingress-nginx:
-  enabled: true
-  controller:
-    service:
-      enableHttp: ${local.enableHttp}
-      targetPorts:
-        https: ${local.backend_port}
-${local.lb_config}
-    image:
-      registry: ${var.image_registry}/registry.k8s.io
-      digest: ""
-    admissionWebhooks:
-      patch:
-        image:
-          registry: ${var.image_registry}/registry.k8s.io
-          digest: ""
-  rbac:
-    create: true
-
-  admissionWebhooks:
-    patch:
-      nodeSelector.beta.kubernetes.io/os: linux
-
-  defaultBackend:
-    nodeSelector.beta.kubernetes.io/os: linux
-  service:
-    annotations:
-      service.beta.kubernetes.io/oci-load-balancer-internal: "${local.internal_elb}"
-
-authentication:
-  ingressUsername: monitoring
-  ingressPassword: ${random_password.monitoring-password.result}
-
-${local.alerting_configuration_values}
-kube-prometheus-stack:
-${local.kube_prometheus_stack_values}
-EOF
-  ]
-}
-
-
-# resource "kubectl_manifest" "thanos-datasource-credentials" {
-#   count     = var.thanos_enabled ? 1 : 0
-#   provider  = kubectl.thanos-kubectl
-#   yaml_body = <<YAML
-# apiVersion: v1
-# stringData:
-#   admin-password: ${random_password.monitoring-password.result}
-# kind: Secret
-# metadata:
-#   name: ${replace(local.dns_name, ".", "-")}
-#   namespace: default
-# type: Opaque
-#   YAML
-# }
-
-# resource "kubectl_manifest" "thanos-datasource" {
-#   count      = var.thanos_enabled ? 1 : 0
-#   depends_on = [kubectl_manifest.thanos-datasource-credentials]
-#   provider   = kubectl.thanos-kubectl
-#   yaml_body  = <<YAML
-# apiVersion: grafana.integreatly.org/v1beta1
-# kind: GrafanaDatasource
-# metadata:
-#   name: ${replace(local.dns_name, ".", "-")}
-#   namespace: default
-# spec:
-#   valuesFrom:
-#     - targetPath: "secureJsonData.basicAuthPassword"
-#       valueFrom:
-#         secretKeyRef:
-#           name: ${replace(local.dns_name, ".", "-")}
-#           key: admin-password
-#   datasource:
-#     basicAuth: true
-#     basicAuthUser: monitoring
-#     editable: false
-#     access: proxy
-#     editable: true
-#     jsonData:
-#       timeInterval: 5s
-#       tlsSkipVerify: true
-#     name: ${local.dns_name}
-#     secureJsonData:
-#       basicAuthPassword: $${admin-password}
-#     type: prometheus
-#     url: https://prometheus.${local.dns_name}/prometheus
-#   instanceSelector:
-#     matchLabels:
-#       dashboards: external-grafana
-#   YAML
-# }
-
-resource "helm_release" "keda-monitoring" {
-  count = var.monitoring_enabled == true ? 1 : 0
-  depends_on = [
-    module.cluster,
-    helm_release.monitoring
-  ]
-
-  name             = "keda"
-  create_namespace = true
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "keda"
-  version          = var.keda_version
-
-
-  values = [<<EOF
-    keda:
-      global:
-        image:
-          registry: ${var.image_registry}/ghcr.io
-      imagePullSecrets:
-        - name: harbor-pull-secret
-      resources:
-        operator:
-          requests:
-            memory: 512Mi
-          limits:
-            memory: 4Gi
-          
-      crds:
-        install: true
-      
-      podAnnotations:
-        keda:
-          prometheus.io/scrape: "true"
-          prometheus.io/path: "/metrics"
-          prometheus.io/port: "8080"
-        metricsAdapter: 
-          prometheus.io/scrape: "true"
-          prometheus.io/path: "/metrics"
-          prometheus.io/port: "9022"
-
-      prometheus:
-        metricServer:
-          enabled: true
-          podMonitor:
-            enabled: true
-        operator:
-          enabled: true
-          podMonitor:
-            enabled: true
- EOF
-  ]
-}
-
-resource "helm_release" "opentelemetry-collector" {
-  count = var.monitoring_enabled == true ? 1 : 0
-  depends_on = [
-    module.cluster,
-    helm_release.monitoring
-  ]
-
-  name             = "opentelemetry-collector"
-  create_namespace = true
-  namespace        = "default"
-  repository       = var.ipa_repo
-  chart            = "opentelemetry-collector"
-  version          = var.opentelemetry_collector_version
-
-
-  values = [<<EOF
-    opentelemetry-collector:
-      enabled: true
-      imagePullSecrets:
-        - name: harbor-pull-secret
-      image:
-        repository: ${var.image_registry}/docker.io/otel/opentelemetry-collector-contrib
-      fullnameOverride: "collector-collector"
-      mode: deployment
-      tolerations:
-      - effect: NoSchedule
-        key: indico.io/monitoring
-        operator: Exists
-      nodeSelector:
-        node_group: monitoring-workers
-      ports:
-        jaeger-compact:
-          enabled: false
-        jaeger-thrift:
-          enabled: false
-        jaeger-grpc:
-          enabled: false
-        zipkin:
-          enabled: false
-
-      config:
-        receivers:
-          jaeger: null
-          prometheus: null
-          zipkin: null
-        exporters:
-          otlp:
-            endpoint: monitoring-tempo.monitoring.svc:4317
-            tls:
-              insecure: true
-        service:
-          pipelines:
-            traces:
-              receivers:
-                - otlp
-              processors:
-                - batch
-              exporters:
-                - otlp
-            metrics: null
-            logs: null
- EOF
-  ]
-}
-
diff --git a/moved.tf b/moved.tf
index 57a19e6d..4f9615ff 100644
--- a/moved.tf
+++ b/moved.tf
@@ -12,3 +12,33 @@ moved {
   from = module.cluster.aws_iam_role.node_role
   to   = module.iam.module.create_eks_node_role[0].aws_iam_role.role
 }
+
+moved {
+  from = github_repository_file.argocd-application-yaml[0]
+  to   = module.intake[0].module.intake_application.github_repository_file.argocd-application-yaml[0]
+}
+
+moved {
+  from = github_repository_file.crds-values-yaml[0]
+  to   = module.indico-common.github_repository_file.crds_values_yaml[0]
+}
+
+moved {
+  from = github_repository_file.pre-reqs-values-yaml[0]
+  to   = module.intake[0].github_repository_file.pre_reqs_values_yaml[0]
+}
+
+moved {
+  from = github_repository_file.smoketest-application-yaml[0]
+  to   = module.intake_smoketests[0].github_repository_file.argocd-application-yaml[0]
+}
+
+moved {
+  from = helm_release.ipa-pre-requisites
+  to   = module.intake[0].helm_release.ipa-pre-requisites
+}
+
+moved {
+  from = helm_release.monitoring[0]
+  to   = module.indico-common.helm_release.monitoring[0]
+}
diff --git a/nodes.tf b/nodes.tf
new file mode 100644
index 00000000..5e2cf000
--- /dev/null
+++ b/nodes.tf
@@ -0,0 +1,159 @@
+locals {
+  intake_default_node_groups = {
+    gpu-workers = {
+      min_size               = 0
+      max_size               = 5
+      instance_types         = ["g4dn.xlarge"]
+      type                   = "gpu"
+      spot                   = false
+      desired_capacity       = "0"
+      additional_node_labels = "group=gpu-enabled"
+      taints                 = "--register-with-taints=nvidia.com/gpu=true:NoSchedule"
+    },
+    celery-workers = {
+      min_size         = 0
+      max_size         = 20
+      instance_types   = ["m5.xlarge"]
+      type             = "cpu"
+      spot             = false
+      desired_capacity = "0"
+      taints           = "--register-with-taints=indico.io/celery=true:NoSchedule"
+    },
+    static-workers = {
+      min_size         = 1
+      max_size         = 20
+      instance_types   = ["m5.xlarge"]
+      type             = "cpu"
+      spot             = false
+      desired_capacity = "0"
+    },
+    pdf-workers = {
+      min_size         = 0
+      max_size         = 3
+      instance_types   = ["m5.xlarge"]
+      type             = "cpu"
+      spot             = false
+      desired_capacity = "1"
+      taints           = "--register-with-taints=indico.io/pdfextraction=true:NoSchedule"
+    },
+    highmem-workers = {
+      min_size         = 0
+      max_size         = 3
+      instance_types   = ["m5.2xlarge"]
+      type             = "cpu"
+      spot             = false
+      desired_capacity = "0"
+      taints           = "--register-with-taints=indico.io/highmem=true:NoSchedule"
+    },
+    monitoring-workers = {
+      min_size         = 1
+      max_size         = 4
+      instance_types   = ["m5.large"]
+      type             = "cpu"
+      spot             = false
+      desired_capacity = "1"
+      taints           = "--register-with-taints=indico.io/monitoring=true:NoSchedule"
+    },
+    pgo-workers = {
+      min_size         = 1
+      max_size         = 4
+      instance_types   = ["m5.large"]
+      type             = "cpu"
+      spot             = false
+      desired_capacity = "1"
+      taints           = "--register-with-taints=indico.io/crunchy=true:NoSchedule"
+    },
+    readapi-servers = {
+      min_size         = 0
+      max_size         = 3
+      instance_types   = ["m5.2xlarge"]
+      type             = "cpu"
+      spot             = false
+      desired_capacity = "0"
+      taints           = "--register-with-taints=indico.io/readapi-server=true:NoSchedule"
+    },
+    readapi-azurite = {
+      min_size         = 0
+      max_size         = 1
+      instance_types   = ["m5.xlarge"]
+      type             = "cpu"
+      spot             = false
+      desired_capacity = "1"
+      taints           = "--register-with-taints=indico.io/azurite=true:NoSchedule"
+    }
+  }
+
+  insights_default_node_groups = {
+    general = {
+        type                   = "cpu"
+        spot                   = false
+        instance_types         = ["m5a.xlarge"]
+        min_size               = 1
+        max_size               = 5
+        desired_capacity       = "3"
+    },
+    pgo-workers = {
+        type                   = "cpu"
+        spot                   = false
+        instance_types         = ["m5a.large"]
+        min_size               = 1
+        max_size               = 2
+        desired_capacity       = "2"
+        taints                 = "--register-with-taints=indico.io/crunchy=true:NoSchedule"
+    },
+    celery-workers = {
+      type                     = "cpu"
+      spot                     = false
+      instance_types           = ["m5a.xlarge"]
+      min_size                 = 1
+      max_size                 = 3
+      desired_capacity         = "1"
+      taints                   = "--register-with-taints=indico.io/celery-workers=true:NoSchedule"
+    },
+    minio = {
+        type                   = "cpu"
+        spot                   = false
+        instance_types         = ["t3a.xlarge"]
+        min_size               = 1
+        max_size               = 4
+        desired_capacity       = "4"
+        taints                 = "--register-with-taints=indico.io/minio=true:NoSchedule"
+    },
+    monitoring-workers = {
+      min_size         = 1
+      max_size         = 4
+      instance_types   = ["m5.large"]
+      type             = "cpu"
+      spot             = false
+      desired_capacity = "1"
+      taints           = "--register-with-taints=indico.io/monitoring=true:NoSchedule"
+    },
+    weaviate = {
+        type                   = "cpu"
+        spot                   = false
+        instance_types         = ["r5a.xlarge"]
+        min_size               = 1
+        max_size               = 3
+        desired_capacity       = "3"
+        taints                 = "--register-with-taints=indico.io/weaviate=true:NoSchedule"
+    },
+    weaviate-workers = {
+        type                   = "cpu"
+        spot                   = false
+        instance_types         = ["c6a.2xlarge"]
+        min_size               = 1
+        max_size               = 4
+        desired_capacity       = "2"
+        taints                 = "--register-with-taints=indico.io/weaviate-workers=true:NoSchedule"
+    }
+  }
+
+  default_node_groups = merge((var.insights_enabled ? local.insights_default_node_groups : null), (var.ipa_enabled ? local.intake_default_node_groups : null))
+
+  # This is to avoid terraform errors when the node groups variable is set,
+  # as different keys make the objects incompatible for a ternary function. 
+  # To solve this, we set it to null which matches all types
+  default_node_groups_logic = var.node_groups == null ? local.default_node_groups : null 
+
+  node_groups = var.node_groups == null ? local.default_node_groups_logic : var.node_groups 
+}
\ No newline at end of file
diff --git a/outputs.tf b/outputs.tf
index 25cd1ddf..6ee81c01 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -102,4 +102,20 @@ output "argo_repo" {
 
 output "monitoring_enabled" {
   value = var.monitoring_enabled
-}
\ No newline at end of file
+}
+
+output "ns" {
+  value = var.use_static_ssl_certificates ? ["no-hosted-zone"] : data.aws_route53_zone.primary[0].name_servers
+}
+
+data "external" "git_information" {
+  program = ["sh", "${path.module}/get_sha.sh"]
+}
+
+output "git_sha" {
+  value = data.external.git_information.result.sha
+}
+
+output "git_branch" {
+  value = data.external.git_information.result.branch
+}
diff --git a/snapshot.tf b/snapshot.tf
index 73d84724..08051177 100644
--- a/snapshot.tf
+++ b/snapshot.tf
@@ -1,6 +1,6 @@
 resource "kubectl_manifest" "snapshot-service-account" {
   depends_on = [
-    helm_release.ipa-pre-requisites
+    module.intake
   ]
   count     = var.restore_snapshot_enabled == true ? 1 : 0
   yaml_body = <<YAML
@@ -15,7 +15,7 @@ YAML
 
 resource "kubectl_manifest" "snapshot-cluster-role" {
   depends_on = [
-    helm_release.ipa-pre-requisites
+    module.intake
   ]
   count     = var.restore_snapshot_enabled == true ? 1 : 0
   yaml_body = <<YAML
@@ -36,7 +36,7 @@ YAML
 
 resource "kubectl_manifest" "snapshot-cluster-role-binding" {
   depends_on = [
-    helm_release.ipa-pre-requisites
+    module.intake
   ]
   count     = var.restore_snapshot_enabled == true ? 1 : 0
   yaml_body = <<YAML
@@ -59,7 +59,7 @@ YAML
 
 resource "kubernetes_job" "snapshot-restore-job" {
   depends_on = [
-    helm_release.ipa-pre-requisites,
+    module.indico-common,
     kubectl_manifest.snapshot-cluster-role-binding,
     kubectl_manifest.snapshot-cluster-role,
     kubectl_manifest.snapshot-service-account
diff --git a/tf-smoketest-variables.tf b/tf-smoketest-variables.tf
index 00be2d31..76de5d89 100644
--- a/tf-smoketest-variables.tf
+++ b/tf-smoketest-variables.tf
@@ -215,6 +215,24 @@ resource "kubernetes_config_map" "terraform-variables" {
     fsx_rox_arn = "${jsonencode(var.fsx_rox_arn)}"
     efs_filesystem_name = "${jsonencode(var.efs_filesystem_name)}"
     efs_type = "${jsonencode(var.efs_type)}"
+    indico_crds_version = "${jsonencode(var.indico_crds_version)}"
+    indico_pre_reqs_version = "${jsonencode(var.indico_pre_reqs_version)}"
+    insights_pre_reqs_values_yaml_b64 = "${jsonencode(var.insights-pre-reqs-values-yaml-b64)}"
+    insights_enabled = "${jsonencode(var.insights_enabled)}"
+    insights_values = "${jsonencode(var.insights_values)}"
+    insights_version = "${jsonencode(var.insights_version)}"
+    insights_smoketest_version = "${jsonencode(var.insights_smoketest_version)}"
+    insights_smoketest_values = "${jsonencode(var.insights_smoketest_values)}"
+    insights_smoketest_enabled = "${jsonencode(var.insights_smoketest_enabled)}"
+    insights_smoketest_cronjob_enabled = "${jsonencode(var.insights_smoketest_cronjob_enabled)}"
+    insights_pre_reqs_version = "${jsonencode(var.insights_pre_reqs_version)}"
+    insights_local_registry_harbor_robot_account_name = "${jsonencode(var.insights_local_registry_harbor_robot_account_name)}"
+    insights_local_registry_enabled = "${jsonencode(var.insights_local_registry_enabled)}"
+    minio_enabled = "${jsonencode(var.minio_enabled)}"
+    indico_crds_values_yaml_b64 = "${jsonencode(var.indico-crds-values-yaml-b64)}"
+    indico_pre_reqs_values_yaml_b64 = "${jsonencode(var.indico-pre-reqs-values-yaml-b64)}"
+    include_miniobkp = "${jsonencode(var.include_miniobkp)}"
+    miniobkp_s3_bucket_name_override = "${jsonencode(var.miniobkp_s3_bucket_name_override)}"
 
     }
   }
diff --git a/user_vars.auto.tfvars b/user_vars.auto.tfvars
index 97e6756b..882e00ea 100644
--- a/user_vars.auto.tfvars
+++ b/user_vars.auto.tfvars
@@ -12,89 +12,6 @@ ipa_values = ""
 #cluster_name         = "dop-832"
 #label                = "dop-832" # will be used for resource naming. should be unique within the AWS account
 k8s_version = "1.31"
-node_groups = {
-  gpu-workers = {
-    min_size               = 0
-    max_size               = 5
-    instance_types         = ["g4dn.xlarge"]
-    type                   = "gpu"
-    spot                   = false
-    desired_capacity       = "0"
-    additional_node_labels = "group=gpu-enabled"
-    taints                 = "--register-with-taints=nvidia.com/gpu=true:NoSchedule"
-  },
-  celery-workers = {
-    min_size         = 0
-    max_size         = 20
-    instance_types   = ["m5.xlarge"]
-    type             = "cpu"
-    spot             = false
-    desired_capacity = "0"
-    taints           = "--register-with-taints=indico.io/celery=true:NoSchedule"
-  },
-  static-workers = {
-    min_size         = 1
-    max_size         = 20
-    instance_types   = ["m5.xlarge"]
-    type             = "cpu"
-    spot             = false
-    desired_capacity = "0"
-  },
-  pdf-workers = {
-    min_size         = 0
-    max_size         = 3
-    instance_types   = ["m5.xlarge"]
-    type             = "cpu"
-    spot             = false
-    desired_capacity = "1"
-    taints           = "--register-with-taints=indico.io/pdfextraction=true:NoSchedule"
-  },
-  highmem-workers = {
-    min_size         = 0
-    max_size         = 3
-    instance_types   = ["m5.2xlarge"]
-    type             = "cpu"
-    spot             = false
-    desired_capacity = "0"
-    taints           = "--register-with-taints=indico.io/highmem=true:NoSchedule"
-  },
-  monitoring-workers = {
-    min_size         = 1
-    max_size         = 4
-    instance_types   = ["m5.large"]
-    type             = "cpu"
-    spot             = false
-    desired_capacity = "1"
-    taints           = "--register-with-taints=indico.io/monitoring=true:NoSchedule"
-  },
-  pgo-workers = {
-    min_size         = 1
-    max_size         = 4
-    instance_types   = ["m5.large"]
-    type             = "cpu"
-    spot             = false
-    desired_capacity = "1"
-    taints           = "--register-with-taints=indico.io/crunchy=true:NoSchedule"
-  },
-  readapi-servers = {
-    min_size         = 0
-    max_size         = 3
-    instance_types   = ["m5.2xlarge"]
-    type             = "cpu"
-    spot             = false
-    desired_capacity = "0"
-    taints           = "--register-with-taints=indico.io/readapi-server=true:NoSchedule"
-  },
-  readapi-azurite = {
-    min_size         = 0
-    max_size         = 1
-    instance_types   = ["m5.xlarge"]
-    type             = "cpu"
-    spot             = false
-    desired_capacity = "1"
-    taints           = "--register-with-taints=indico.io/azurite=true:NoSchedule"
-  }
-}
 # additional_tags = { # delete this if no additional tags needed
 #   foo = "bar",
 #   baz = "qux"
diff --git a/variables.tf b/variables.tf
index ac00bdb4..9133a8f9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -197,6 +197,8 @@ variable "k8s_version" {
 }
 
 variable "node_groups" {
+  default = null
+  description = "Override for the node groups assigned to the cluster. If not supplied, the node groups will be determined from intake and insights defaults"
 }
 
 variable "node_bootstrap_arguments" {
@@ -1188,51 +1190,51 @@ variable "pgbackup_s3_bucket_name_override" {
 
 # Additional variables
 variable "enable_s3_replication" {
-  type = bool
-  default = false
+  type        = bool
+  default     = false
   description = "Flag to enable s3 replication"
 }
 
 variable "create_s3_replication_role" {
-  type = bool
-  default = true
+  type        = bool
+  default     = true
   description = "Flag to create or load s3 replication role"
 }
 
 variable "s3_replication_role_name_override" {
-  type = string
-  default = null
+  type        = string
+  default     = null
   description = "Name override for s3 replication role"
 }
 
 variable "destination_kms_key_arn" {
-  type = string
-  default = ""
+  type        = string
+  default     = ""
   description = "arn of kms key used to encrypt s3 replication destination buckets"
 }
 
 variable "data_destination_bucket" {
-  type = string
-  default = ""
+  type        = string
+  default     = ""
   description = "s3 replication data destination bucket"
 }
 
 variable "api_model_destination_bucket" {
-  type    = string
-  default = ""
+  type        = string
+  default     = ""
   description = "s3 replication api model destination bucket"
 }
 
 # Node role
 variable "create_node_role" {
-  type = bool
-  default = true
+  type        = bool
+  default     = true
   description = "Flag to create or load node role"
 }
 
 variable "node_role_name_override" {
-  type = string
-  default = null
+  type        = string
+  default     = null
   description = "Name override for node role"
 }
 
@@ -1314,3 +1316,107 @@ variable "efs_type" {
     error_message = "${var.efs_type} not valid. Type must be either create or load"
   }
 }
+
+variable "indico_crds_version" {
+  type        = string
+  default     = ""
+  description = "Version of the indico-crds helm chart"
+}
+
+variable "indico_pre_reqs_version" {
+  type        = string
+  default     = ""
+  description = "Version of the indico-pre-reqs helm chart"
+}
+
+variable "insights-pre-reqs-values-yaml-b64" {
+  type        = string
+  default     = "Cg=="
+  description = "user provided overrides to indico-pre-reqs helm chart"
+}
+
+variable "insights_enabled" {
+  type        = bool
+  default     = false
+  description = "Toggle for enabling insights deployment"
+}
+
+variable "insights_values" {
+  type        = string
+  default     = ""
+  description = "User provided overrides to the insights application"
+}
+
+variable "insights_version" {
+  type        = string
+  default     = ""
+  description = "Insights helm chart version to deploy to the cluster"
+}
+
+variable "insights_smoketest_version" {
+  type        = string
+  default     = ""
+  description = "Insights smoketest to deploy to the cluster"
+}
+
+variable "insights_smoketest_values" {
+  type        = string
+  default     = ""
+  description = "Insights smoketest overrides"
+}
+
+variable "insights_smoketest_enabled" {
+  type        = bool
+  default     = false
+  description = "Toggle for enabling smoketest"
+}
+
+variable "insights_smoketest_cronjob_enabled" {
+  type        = bool
+  default     = false
+  description = "Toggle for scheduling smoketests"
+}
+
+variable "insights_pre_reqs_version" {
+  type        = string
+  default     = ""
+  description = "insights-pre-requisites helm chart version"
+}
+
+variable "insights_local_registry_harbor_robot_account_name" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "insights_local_registry_enabled" {
+  type        = string
+  default     = ""
+  description = ""
+}
+
+variable "minio_enabled" {
+  type        = bool
+  default     = false
+  description = "Toggle for enabling minio deployment"
+}
+
+variable "indico-crds-values-yaml-b64" {
+  default = "Cg=="
+}
+
+variable "indico-pre-reqs-values-yaml-b64" {
+  default = "Cg=="
+}
+
+variable "include_miniobkp" {
+  type        = string
+  default     = true
+  description = "If true this will create a miniobkp bucket"
+}
+
+variable "miniobkp_s3_bucket_name_override" {
+  type        = string
+  default     = null
+  description = "The name of the existing S3 bucket to be loaded and used as the minio backup bucket"
+}