diff --git a/deployments/stacks/dpe-k8s-deployments/main.tf b/deployments/stacks/dpe-k8s-deployments/main.tf
index 16c39074..31a1eb05 100644
--- a/deployments/stacks/dpe-k8s-deployments/main.tf
+++ b/deployments/stacks/dpe-k8s-deployments/main.tf
@@ -29,6 +29,13 @@ module "argo-cd" {
   source = "../../../modules/argo-cd"
 }
 
+module "external-secrets" {
+  source      = "../../../modules/external-secrets"
+  region      = var.region
+  aws_account_id = var.aws_account_id
+  namespace = "external-secrets"
+}
+
 module "flux-cd" {
   depends_on = [module.sage-aws-eks-autoscaler]
   source     = "../../../modules/flux-cd"
diff --git a/deployments/stacks/dpe-k8s-deployments/variables.tf b/deployments/stacks/dpe-k8s-deployments/variables.tf
index 69961893..e986cc74 100644
--- a/deployments/stacks/dpe-k8s-deployments/variables.tf
+++ b/deployments/stacks/dpe-k8s-deployments/variables.tf
@@ -118,4 +118,4 @@ variable "docker_access_token" {
   description = "The access token to use for docker authenticated pulls. Created via by setting 'TF_VAR_docker_access_token' within spacelift as an environment variable"
   type        = string
   default     = ""
-}
+}
\ No newline at end of file
diff --git a/modules/argo-cd/main.tf b/modules/argo-cd/main.tf
index 3fc30291..6c2d0d53 100644
--- a/modules/argo-cd/main.tf
+++ b/modules/argo-cd/main.tf
@@ -14,3 +14,4 @@ resource "helm_release" "argo-cd" {
 
   values = [templatefile("${path.module}/templates/values.yaml", {})]
 }
+
diff --git a/modules/external-secrets/main.tf b/modules/external-secrets/main.tf
new file mode 100644
index 00000000..da2176b1
--- /dev/null
+++ b/modules/external-secrets/main.tf
@@ -0,0 +1,38 @@
+resource "kubernetes_namespace" "external-secrets" {
+  metadata { name =  var.namespace }
+}
+
+
+# Argo CD Application that installs ESO from the official Helm repo
+resource "kubectl_manifest" "external-secrets-app" {
+  yaml_body = <<YAML
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-secrets
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+spec:
+  project: default
+  %{if var.auto_deploy}
+  syncPolicy:
+    automated:
+      prune: ${var.auto_prune}
+  %{endif}
+  sources:
+  - repoURL: 'https://charts.external-secrets.io'
+    chart: external-secrets
+    targetRevision: v0.19.1
+    helm:
+      releaseName: external-secrets
+      valueFiles:
+      - $values/modules/external-secrets/templates/values.yaml
+  - repoURL: 'https://github.com/Sage-Bionetworks-Workflows/eks-stack.git'
+    targetRevision: ${var.git_revision}
+    ref: values
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: external-secrets
+YAML
+}
\ No newline at end of file
diff --git a/modules/external-secrets/templates/values.yaml b/modules/external-secrets/templates/values.yaml
new file mode 100644
index 00000000..5eace65d
--- /dev/null
+++ b/modules/external-secrets/templates/values.yaml
@@ -0,0 +1,610 @@
+# Default values for external-secrets
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+global:
+  nodeSelector: {}
+  tolerations: []
+  topologySpreadConstraints: []
+  affinity: {}
+  compatibility:
+    openshift:
+      # -- Manages the securityContext properties to make them compatible with OpenShift.
+      # Possible values:
+      # auto - Apply configurations if it is detected that OpenShift is the target platform.
+      # force - Always apply configurations.
+      # disabled - No modification applied.
+      adaptSecurityContext: auto
+
+replicaCount: 1
+
+bitwarden-sdk-server:
+  enabled: false
+  namespaceOverride: ""
+
+# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
+revisionHistoryLimit: 10
+
+image:
+  repository: oci.external-secrets.io/external-secrets/external-secrets
+  pullPolicy: IfNotPresent
+  # -- The image tag to use. The default is the chart appVersion.
+  tag: ""
+  # -- The flavour of tag you want to use
+  # There are different image flavours available, like distroless and ubi.
+  # Please see GitHub release notes for image tags for these flavors.
+  # By default, the distroless image is used.
+  flavour: ""
+
+# -- If set, install and upgrade CRDs through helm chart.
+installCRDs: true
+
+crds:
+  # -- If true, create CRDs for Cluster External Secret.
+  createClusterExternalSecret: true
+  # -- If true, create CRDs for Cluster Secret Store.
+  createClusterSecretStore: true
+  # -- If true, create CRDs for Cluster Generator.
+  createClusterGenerator: true
+  # -- If true, create CRDs for Cluster Push Secret.
+  createClusterPushSecret: true
+  # -- If true, create CRDs for Push Secret.
+  createPushSecret: true
+  annotations: {}
+  conversion:
+    # -- Conversion is disabled by default as we stopped supporting v1alpha1.
+    enabled: false
+
+imagePullSecrets: []
+nameOverride: "external-secrets"
+fullnameOverride: "external-secrets"
+namespaceOverride: "external-secrets"
+
+# -- Additional labels added to all helm chart resources.
+commonLabels: {}
+
+# -- If true, external-secrets will perform leader election between instances to ensure no more
+# than one instance of external-secrets operates at a time.
+leaderElect: false
+
+# -- If set external secrets will filter matching
+# Secret Stores with the appropriate controller values.
+controllerClass: ""
+
+# -- If true external secrets will use recommended kubernetes
+# annotations as prometheus metric labels.
+extendedMetricLabels: false
+
+# -- If set external secrets are only reconciled in the
+# provided namespace
+scopedNamespace: ""
+
+# -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace
+# and implicitly disable cluster stores and cluster external secrets
+scopedRBAC: false
+
+# -- If true the OpenShift finalizer permissions will be added to RBAC
+openshiftFinalizers: true
+
+# -- if true, the operator will process cluster external secret. Else, it will ignore them.
+processClusterExternalSecret: true
+
+# -- if true, the operator will process cluster push secret. Else, it will ignore them.
+processClusterPushSecret: true
+
+# -- if true, the operator will process cluster store. Else, it will ignore them.
+processClusterStore: true
+
+# -- if true, the operator will process push secret. Else, it will ignore them.
+processPushSecret: true
+
+# -- Specifies whether an external secret operator deployment be created.
+createOperator: true
+
+# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
+# a time.
+concurrent: 1
+# -- Specifices Log Params to the External Secrets Operator
+log:
+  level: info
+  timeEncoding: epoch
+service:
+  # -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
+  ipFamilyPolicy: ""
+  # -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
+  ipFamilies: []
+
+serviceAccount:
+  # -- Specifies whether a service account should be created.
+  create: true
+  # -- Automounts the service account token in all containers of the pod
+  automount: true
+  # -- Annotations to add to the service account.
+  annotations: {}
+  # -- Extra Labels to add to the service account.
+  extraLabels: {}
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template.
+  name: ""
+
+rbac:
+  # -- Specifies whether role and rolebinding resources should be created.
+  create: true
+
+  servicebindings:
+    # -- Specifies whether a clusterrole to give servicebindings read access should be created.
+    create: true
+
+  # -- Specifies whether permissions are aggregated to the view ClusterRole
+  aggregateToView: true
+
+  # -- Specifies whether permissions are aggregated to the edit ClusterRole
+  aggregateToEdit: true
+
+## -- Extra environment variables to add to container.
+extraEnv: []
+
+## -- Map of extra arguments to pass to container.
+extraArgs: {}
+
+## -- Extra volumes to pass to pod.
+extraVolumes: []
+
+## -- Extra Kubernetes objects to deploy with the helm chart
+extraObjects: []
+
+## -- Extra volumes to mount to the container.
+extraVolumeMounts: []
+
+## -- Extra init containers to add to the pod.
+extraInitContainers: []
+
+## -- Extra containers to add to the pod.
+extraContainers: []
+
+# -- Annotations to add to Deployment
+deploymentAnnotations: {}
+
+ # -- Set deployment strategy
+strategy: {}
+
+# -- Annotations to add to Pod
+podAnnotations: {}
+
+podLabels: {}
+
+podSecurityContext:
+  enabled: true
+  # fsGroup: 2000
+
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+  enabled: true
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+  seccompProfile:
+    type: RuntimeDefault
+
+resources: {}
+  # requests:
+  #   cpu: 10m
+  #   memory: 32Mi
+
+serviceMonitor:
+  # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
+  enabled: false
+
+  # -- namespace where you want to install ServiceMonitors
+  namespace: ""
+
+  # -- Additional labels
+  additionalLabels: {}
+
+  # --  Interval to scrape metrics
+  interval: 30s
+
+  # -- Timeout if metrics can't be retrieved in given time interval
+  scrapeTimeout: 25s
+
+  # -- Let prometheus add an exported_ prefix to conflicting labels
+  honorLabels: false
+
+  # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
+  metricRelabelings: []
+  # - action: replace
+  #   regex: (.*)
+  #   replacement: $1
+  #   sourceLabels:
+  #   - exported_namespace
+  #   targetLabel: namespace
+
+  # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
+  relabelings: []
+  # - sourceLabels: [__meta_kubernetes_pod_node_name]
+  #   separator: ;
+  #   regex: ^(.*)$
+  #   targetLabel: nodename
+  #   replacement: $1
+  #   action: replace
+
+metrics:
+
+  listen:
+    port: 8080
+
+  service:
+    # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
+    enabled: false
+
+    # -- Metrics service port to scrape
+    port: 8080
+
+    # -- Additional service annotations
+    annotations: {}
+
+grafanaDashboard:
+  # -- If true creates a Grafana dashboard.
+  enabled: false
+
+  # -- Label that ConfigMaps should have to be loaded as dashboards.
+  sidecarLabel: "grafana_dashboard"
+
+  # -- Label value that ConfigMaps should have to be loaded as dashboards.
+  sidecarLabelValue: "1"
+
+  # -- Annotations that ConfigMaps can have to get configured in Grafana,
+  # See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder.
+  # https://github.com/grafana/helm-charts/tree/main/charts/grafana
+  annotations: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+topologySpreadConstraints: []
+
+affinity: {}
+
+# -- Pod priority class name.
+priorityClassName: ""
+
+# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+podDisruptionBudget:
+  enabled: false
+  minAvailable: 1    # @schema type:[integer, string]
+  nameOverride: ""
+  # maxUnavailable: "50%"
+
+# -- Run the controller on the host network
+hostNetwork: false
+
+webhook:
+  # -- Annotations to place on validating webhook configuration.
+  annotations: {}
+  # -- Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
+  create: true
+  # -- Specifices the time to check if the cert is valid
+  certCheckInterval: "5m"
+  # -- Specifices the lookaheadInterval for certificate validity
+  lookaheadInterval: ""
+  replicaCount: 1
+  # -- Specifices Log Params to the Webhook
+  log:
+    level: info
+    timeEncoding: epoch
+  # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
+  revisionHistoryLimit: 10
+
+  certDir: /tmp/certs
+  # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
+  failurePolicy: Fail
+  # -- Specifies if webhook pod should use hostNetwork or not.
+  hostNetwork: false
+  image:
+    repository: oci.external-secrets.io/external-secrets/external-secrets
+    pullPolicy: IfNotPresent
+    # -- The image tag to use. The default is the chart appVersion.
+    tag: ""
+    # -- The flavour of tag you want to use
+    flavour: ""
+  imagePullSecrets: []
+  nameOverride: ""
+  fullnameOverride: ""
+  # -- The port the webhook will listen to
+  port: 10250
+  rbac:
+  # -- Specifies whether role and rolebinding resources should be created.
+    create: true
+  serviceAccount:
+    # -- Specifies whether a service account should be created.
+    create: true
+    # -- Automounts the service account token in all containers of the pod
+    automount: true
+    # -- Annotations to add to the service account.
+    annotations: {}
+    # -- Extra Labels to add to the service account.
+    extraLabels: {}
+    # -- The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template.
+    name: ""
+  nodeSelector: {}
+
+  certManager:
+    # -- Enabling cert-manager support will disable the built in secret and
+    # switch to using cert-manager (installed separately) to automatically issue
+    # and renew the webhook certificate. This chart does not install
+    # cert-manager for you, See https://cert-manager.io/docs/
+    enabled: false
+    # -- Automatically add the cert-manager.io/inject-ca-from annotation to the
+    # webhooks and CRDs. As long as you have the cert-manager CA Injector
+    # enabled, this will automatically setup your webhook's CA to the one used
+    # by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
+    addInjectorAnnotations: true
+    cert:
+      # -- Create a certificate resource within this chart. See
+      # https://cert-manager.io/docs/usage/certificate/
+      create: true
+      # -- For the Certificate created by this chart, setup the issuer. See
+      # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
+      issuerRef:
+        group: cert-manager.io
+        kind: "Issuer"
+        name: "my-issuer"
+      # -- Set the requested duration (i.e. lifetime) of the Certificate. See
+      # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
+      # One year by default.
+      duration: "8760h"
+      # -- Set the revisionHistoryLimit on the Certificate. See
+      # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
+      # Defaults to 0 (ignored).
+      revisionHistoryLimit: 0
+      # -- How long before the currently issued certificate’s expiry
+      # cert-manager should renew the certificate. See
+      # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
+      # Note that renewBefore should be greater than .webhook.lookaheadInterval
+      # since the webhook will check this far in advance that the certificate is
+      # valid.
+      renewBefore: ""
+      # -- Add extra annotations to the Certificate resource.
+      annotations: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # -- Set deployment strategy
+  strategy: {}
+
+    # -- Pod priority class name.
+  priorityClassName: ""
+
+  # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+  podDisruptionBudget:
+    enabled: false
+    minAvailable: 1    # @schema type:[integer, string]
+    nameOverride: ""
+    # maxUnavailable: "50%"
+
+  metrics:
+
+    listen:
+      port: 8080
+
+    service:
+      # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
+      enabled: false
+
+      # -- Metrics service port to scrape
+      port: 8080
+
+      # -- Additional service annotations
+      annotations: {}
+
+
+  readinessProbe:
+    # -- Address for readiness probe
+    address: ""
+    # -- ReadinessProbe port for kubelet
+    port: 8081
+
+
+    ## -- Extra environment variables to add to container.
+  extraEnv: []
+
+    ## -- Map of extra arguments to pass to container.
+  extraArgs: {}
+
+    ## -- Extra init containers to add to the pod.
+  extraInitContainers: []
+
+    ## -- Extra volumes to pass to pod.
+  extraVolumes: []
+
+    ## -- Extra volumes to mount to the container.
+  extraVolumeMounts: []
+
+    # -- Annotations to add to Secret
+  secretAnnotations: {}
+
+    # -- Annotations to add to Deployment
+  deploymentAnnotations: {}
+
+    # -- Annotations to add to Pod
+  podAnnotations: {}
+
+  podLabels: {}
+
+  podSecurityContext:
+    enabled: true
+      # fsGroup: 2000
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    enabled: true
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 1000
+    seccompProfile:
+      type: RuntimeDefault
+
+  resources: {}
+      # requests:
+      #   cpu: 10m
+      #   memory: 32Mi
+
+  # -- Manage the service through which the webhook is reached.
+  service:
+    # -- Whether the service object should be enabled or not (it is expected to exist).
+    enabled: true
+    # -- Custom annotations for the webhook service.
+    annotations: {}
+    # -- Custom labels for the webhook service.
+    labels: {}
+    # -- The service type of the webhook service.
+    type: ClusterIP
+    # -- If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here.
+    # Check the documentation of your load balancer provider to see if/how this should be used.
+    loadBalancerIP: ""
+
+certController:
+  # -- Specifies whether a certificate controller deployment be created.
+  create: true
+  requeueInterval: "5m"
+  replicaCount: 1
+  # -- Specifices Log Params to the Certificate Controller
+  log:
+    level: info
+    timeEncoding: epoch
+  # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
+  revisionHistoryLimit: 10
+
+  image:
+    repository: oci.external-secrets.io/external-secrets/external-secrets
+    pullPolicy: IfNotPresent
+    tag: ""
+    flavour: ""
+  imagePullSecrets: []
+  nameOverride: ""
+  fullnameOverride: ""
+  rbac:
+  # -- Specifies whether role and rolebinding resources should be created.
+    create: true
+  serviceAccount:
+    # -- Specifies whether a service account should be created.
+    create: true
+    # -- Automounts the service account token in all containers of the pod
+    automount: true
+    # -- Annotations to add to the service account.
+    annotations: 
+      eks.amazonaws.com/role-arn: arn:aws:iam::${aws_account_id}:role/eso-secretsmanager
+    # -- Extra Labels to add to the service account.
+    extraLabels: {}
+    # -- The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template.
+    name: ""
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # -- Set deployment strategy
+  strategy: {}
+
+  # -- Run the certController on the host network
+  hostNetwork: false
+
+    # -- Pod priority class name.
+  priorityClassName: ""
+
+  # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+  podDisruptionBudget:
+    enabled: false
+    minAvailable: 1    # @schema type:[integer, string]
+    nameOverride: ""
+    # maxUnavailable: "50%"
+
+  metrics:
+
+    listen:
+      port: 8080
+
+    service:
+      # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
+      enabled: false
+
+      # -- Metrics service port to scrape
+      port: 8080
+
+      # -- Additional service annotations
+      annotations: {}
+
+  readinessProbe:
+    # -- Address for readiness probe
+    address: ""
+    # -- ReadinessProbe port for kubelet
+    port: 8081
+
+    ## -- Extra environment variables to add to container.
+  extraEnv: []
+
+    ## -- Map of extra arguments to pass to container.
+  extraArgs: {}
+
+    ## -- Extra init containers to add to the pod.
+  extraInitContainers: []
+
+    ## -- Extra volumes to pass to pod.
+  extraVolumes: []
+
+    ## -- Extra volumes to mount to the container.
+  extraVolumeMounts: []
+
+    # -- Annotations to add to Deployment
+  deploymentAnnotations: {}
+
+    # -- Annotations to add to Pod
+  podAnnotations: {}
+
+  podLabels: {}
+
+  podSecurityContext:
+    enabled: true
+      # fsGroup: 2000
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    enabled: true
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 1000
+    seccompProfile:
+      type: RuntimeDefault
+
+  resources: {}
+      # requests:
+      #   cpu: 10m
+      #   memory: 32Mi
+
+# -- Specifies `dnsPolicy` to deployment
+dnsPolicy: ClusterFirst
+
+# -- Specifies `dnsOptions` to deployment
+dnsConfig: {}
+
+# -- Any extra pod spec on the deployment
+podSpecExtra: {}
\ No newline at end of file
diff --git a/modules/external-secrets/variables.tf b/modules/external-secrets/variables.tf
new file mode 100644
index 00000000..eca50799
--- /dev/null
+++ b/modules/external-secrets/variables.tf
@@ -0,0 +1,33 @@
+variable "auto_deploy" {
+  description = "Auto deploy through ArgoCD"
+  type        = bool
+  default     = false
+}
+
+variable "git_revision" {
+  description = "The git revision to deploy"
+  type        = string
+  default     = "main"
+}
+
+variable "auto_prune" {
+  description = "Auto prune through ArgoCD"
+  type        = bool
+  default     = false
+}
+
+variable "namespace" {
+  description = "The namespace to deploy into"
+  type        = string
+  default     = "external-secrets"
+}
+
+variable "region" {
+  description = "AWS region for External Secrets"
+  type        = string
+}
+
+variable "aws_account_id" {
+  description = "AWS account ID for IRSA role"
+  type        = string
+}
\ No newline at end of file
diff --git a/modules/external-secrets/versions.tf b/modules/external-secrets/versions.tf
new file mode 100644
index 00000000..9f47d757
--- /dev/null
+++ b/modules/external-secrets/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.16.0"
+    }
+  }
+}
diff --git a/modules/sage-aws-eks/variables.tf b/modules/sage-aws-eks/variables.tf
index 1edd27b7..7c7e85ed 100644
--- a/modules/sage-aws-eks/variables.tf
+++ b/modules/sage-aws-eks/variables.tf
@@ -6,7 +6,7 @@ variable "cluster_name" {
 variable "cluster_version" {
   description = "Version of K8 cluster"
   type        = string
-  default     = "1.33"
+  default     = "1.32"
 }
 
 variable "region" {
diff --git a/modules/sage-aws-k8s-node-autoscaler/data.tf b/modules/sage-aws-k8s-node-autoscaler/data.tf
index 2d884fa9..c1d0e997 100644
--- a/modules/sage-aws-k8s-node-autoscaler/data.tf
+++ b/modules/sage-aws-k8s-node-autoscaler/data.tf
@@ -12,5 +12,4 @@ data "aws_secretsmanager_secret" "spotinst_token" {
 
 data "aws_secretsmanager_secret_version" "secret_credentials" {
   secret_id = data.aws_secretsmanager_secret.spotinst_token.id
-}
-
+}
\ No newline at end of file
diff --git a/modules/sage-aws-k8s-node-autoscaler/main.tf b/modules/sage-aws-k8s-node-autoscaler/main.tf
index 2d6fd448..3655d9c9 100644
--- a/modules/sage-aws-k8s-node-autoscaler/main.tf
+++ b/modules/sage-aws-k8s-node-autoscaler/main.tf
@@ -103,10 +103,8 @@ resource "helm_release" "ocean-kubernetes-controller" {
   }
 }
 
-
 module "ocean-aws-k8s" {
-  source  = "spotinst/ocean-aws-k8s/spotinst"
-  version = "1.4.0"
+  source  = git::https://github.com/spotinst/terraform-spotinst-ocean-aws-k8s.git?ref=7a30a60b4d0af3a7847467ac373511f3da58e40a
 
   # Configuration
   cluster_name                     = var.cluster_name
diff --git a/modules/sage-aws-k8s-node-autoscaler/variables.tf b/modules/sage-aws-k8s-node-autoscaler/variables.tf
index adbe0837..4455eada 100644
--- a/modules/sage-aws-k8s-node-autoscaler/variables.tf
+++ b/modules/sage-aws-k8s-node-autoscaler/variables.tf
@@ -53,4 +53,4 @@ variable "desired_capacity" {
 variable "single_az" {
   description = "Single AZ"
   type        = bool
-}
+}
\ No newline at end of file