diff --git a/README.md b/README.md
index 6941171..2a8d7dc 100644
--- a/README.md
+++ b/README.md
@@ -51,14 +51,17 @@ sys 0m2.015s
| Name | Source | Version |
|------|--------|---------|
| [efs](#module\_efs) | git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/ | master |
+| [subordinate\_ca](#module\_subordinate\_ca) | git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager | n/a |
## Resources
| Name | Type |
|------|------|
+| [helm_release.clusterissuer](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.telemetry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_secret.ca_key_pair](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
| [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
| [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
| [kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
@@ -70,7 +73,9 @@ sys 0m2.015s
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [cluster\_mailing\_list](#input\_cluster\_mailing\_list) | The mailing list for cluster notifications | `string` | `"cluster@example.com"` | no |
| [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
+| [namespace](#input\_namespace) | The namespace to deploy cert-manager resources into | `string` | `"cert-manager"` | no |
| [operators\_ns](#input\_operators\_ns) | Namespace to create where operators will be installed. | `string` | `"operators"` | no |
| [profile](#input\_profile) | AWS config profile | `string` | n/a | yes |
| [region](#input\_region) | AWS region | `string` | n/a | yes |
diff --git a/cert-mgr-cluster-issuer.tf b/cert-mgr-cluster-issuer.tf
new file mode 100644
index 0000000..41d8dad
--- /dev/null
+++ b/cert-mgr-cluster-issuer.tf
@@ -0,0 +1,53 @@
+locals {
+ common_tags = {
+ "boc:created_by" = "terraform"
+ }
+}
+
+# Create a subordinate cert for the cert-manager clusterissuer.
+module "subordinate_ca" {
+ # tflint-ignore: terraform_module_pinned_source
+ source = "git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager"
+
+ cluster_name = var.cluster_name
+ contact_email = var.cluster_mailing_list
+ validity_days = 30
+
+ tags = merge(
+ local.common_tags,
+ )
+}
+
+resource "kubernetes_secret" "ca_key_pair" {
+ metadata {
+ name = "ca-key-pair"
+ # namespace = var.cluster_issuer_name
+ namespace = var.namespace
+ }
+
+ binary_data = {
+ "tls.key" = module.subordinate_ca.certificate_tls_key
+ "tls.crt" = module.subordinate_ca.certificate_tls_crt
+ }
+}
+
+resource "helm_release" "clusterissuer" {
+ name = "clusterissuer"
+ chart = "./clusterissuer"
+ namespace = var.namespace
+
+ set = [
+ {
+ name = "name"
+ value = "clusterissuer"
+ },
+ {
+ name = "apiVersion"
+ value = "cert-manager.io/v1"
+ },
+ {
+ name = "secretName"
+ value = kubernetes_secret.ca_key_pair.metadata[0].name
+ }
+ ]
+}
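Review bot: The `source` of the `subordinate_ca` module has no `?ref=` and the tflint pin rule is suppressed, so every `terraform init` pulls whatever is on the default branch of a module that returns CA key material. Pin it, e.g. `source = "git::https://github.e.it.census.gov/terraform-modules/aws-certificates//acmpca-eks-cert-manager?ref=<PINNED_TAG_OR_SHA>"`, and drop the `tflint-ignore` line. Separately, `module.subordinate_ca.certificate_tls_key` is written into `kubernetes_secret.ca_key_pair`, so the subordinate CA private key will be stored in Terraform state. The state backend needs encryption and restricted read access, and it is worth confirming that the module marks that output `sensitive`. With `validity_days = 30` hard-coded, the issuer presumably stops working unless this is re-applied within that window, so a variable plus a comment stating the rotation expectation would help; the commented-out `# namespace = var.cluster_issuer_name` line can go.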
diff --git a/variables.tf b/variables.tf
index 3fb6c32..6872c2c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -135,3 +135,15 @@ variable "tags" {
# type = list(any)
# default = []
# }
+
+variable "namespace" {
+ description = "The namespace to deploy cert-manager resources into"
+ type = string
+ default = "cert-manager"
+}
+
+variable "cluster_mailing_list" {
+ description = "The mailing list for cluster notifications"
+ type = string
+ default = "cluster@example.com"
+}
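Review bot: `cluster_mailing_list` defaults to the placeholder `"cluster@example.com"`, and that value is passed as `contact_email` to the subordinate CA module in cert-mgr-cluster-issuer.tf. A caller who forgets to set it gets a CA whose contact is an address nobody reads. Drop the `default = "cluster@example.com"` line so the variable is required, or add a `validation` block that rejects the placeholder. `namespace` is also a very generic name next to the existing `operators_ns`; something like `cert_manager_namespace` would make its scope obvious.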