diff --git a/k8s/applications/argocd.yaml b/k8s/applications/argocd.yaml
index d2b090e..1d1313b 100644
--- a/k8s/applications/argocd.yaml
+++ b/k8s/applications/argocd.yaml
@@ -12,3 +12,13 @@ spec:
 repoURL: 'git@bitbucket.org:jamkazam/video-iac.git'
 targetRevision: HEAD
 project: default
+ syncPolicy:
+ automated:
+ prune: true
+ allowEmpty: false
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
\ No newline at end of file
diff --git a/k8s/applications/cert-manager.yaml b/k8s/applications/cert-manager.yaml
index e65d3be..07f6333 100644
--- a/k8s/applications/cert-manager.yaml
+++ b/k8s/applications/cert-manager.yaml
@@ -12,3 +12,13 @@ spec:
 repoURL: 'git@bitbucket.org:jamkazam/video-iac.git'
 targetRevision: HEAD
 project: default
+ syncPolicy:
+ automated:
+ prune: true
+ allowEmpty: false
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
\ No newline at end of file
diff --git a/k8s/applications/external-dns.yaml b/k8s/applications/external-dns.yaml
index 7c77c9e..0fbe0bb 100644
--- a/k8s/applications/external-dns.yaml
+++ b/k8s/applications/external-dns.yaml
@@ -15,3 +15,13 @@ spec:
 repoURL: 'git@bitbucket.org:jamkazam/video-iac.git'
 targetRevision: HEAD
 project: default
+ syncPolicy:
+ automated:
+ prune: true
+ allowEmpty: false
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
\ No newline at end of file
diff --git a/k8s/applications/haproxy-ingress.yaml b/k8s/applications/haproxy-ingress.yaml
index 439a987..dea2add 100644
--- a/k8s/applications/haproxy-ingress.yaml
+++ b/k8s/applications/haproxy-ingress.yaml
@@ -20,3 +20,13 @@ spec:
 values: |-
 prometheus-port: "9105"
 project: default
+ syncPolicy:
+ automated:
+ prune: true
+ allowEmpty: false
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
\ No newline at end of file
diff --git a/k8s/applications/ingress-nginx.yaml b/k8s/applications/ingress-nginx.yaml
index 35f9b44..37b373c 100644
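Review bot: In k8s/applications/argocd.yaml, cert-manager.yaml and external-dns.yaml the added `automated:` sync with `prune: true` sits on an Application that still tracks `targetRevision: HEAD`, so any commit reaching the default branch of video-iac.git is applied, and can delete live resources, with no manual sync gate. Point `targetRevision` at a tag or a protected release branch before turning on automated pruning, and consider leaving `prune` off for the Application that appears to manage Argo CD itself. `selfHeal` is not set, so out-of-band changes made in the cluster will not be reverted; if drift correction is intended, add `selfHeal: true` under `automated:`. The same ten-line block is added to haproxy-ingress.yaml, ingress-nginx.yaml and metrics-server.yaml, and every one of these files still ends without a trailing newline.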
--- a/k8s/applications/ingress-nginx.yaml
+++ b/k8s/applications/ingress-nginx.yaml
@@ -16,3 +16,13 @@ spec:
 targetRevision: 4.0.6
 chart: ingress-nginx
 project: default
+ syncPolicy:
+ automated:
+ prune: true
+ allowEmpty: false
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
\ No newline at end of file
diff --git a/k8s/applications/metrics-server.yaml b/k8s/applications/metrics-server.yaml
index 004f300..56a98ee 100644
--- a/k8s/applications/metrics-server.yaml
+++ b/k8s/applications/metrics-server.yaml
@@ -23,3 +23,13 @@ spec:
 kubelet-preferred-address-types: InternalIP
 kubelet-insecure-tls: true
 project: default
+ syncPolicy:
+ automated:
+ prune: true
+ allowEmpty: false
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
\ No newline at end of file
diff --git a/k8s/argocd/base/kustomization.yaml b/k8s/argocd/base/kustomization.yaml
index 9a90dad..6895565 100644
--- a/k8s/argocd/base/kustomization.yaml
+++ b/k8s/argocd/base/kustomization.yaml
@@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: argocd
 resources:
- # - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+ - https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
 - ingress.yaml
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index 86cd369..1bb0caf 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
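Review bot: The resource re-enabled in k8s/argocd/base/kustomization.yaml is fetched from the mutable `stable` ref, so each build can pull a different Argo CD install manifest (RBAC, CRDs and controller images included) with no review step and no integrity check. Pin the URL to a specific release tag, e.g. `- https://raw.githubusercontent.com/argoproj/argo-cd/<PINNED_RELEASE_TAG>/manifests/install.yaml`, or vendor the manifest into the repository so an upgrade shows up as an explicit diff. If the argocd Application renders this kustomization, the automated sync added elsewhere in this commit would roll an upstream change out unattended.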
@@ -90,6 +90,28 @@ provider "registry.terraform.io/hashicorp/local" { ] } +provider "registry.terraform.io/kbst/kustomization" { + version = "0.6.0" + constraints = "0.6.0" + hashes = [ + "h1:abrUi8VhJAz8It7ZJrUMJU8Nf35zCvfCXYizeicYWCs=", + "zh:07ba6c329139d32411ba3b52c1da0af8cf393925f9dec5844853f45bc26d235c", + "zh:08a1885c1c603c39fbec8e74b762ad4002aea5ecb8c57db297fb9e935bada5eb", + "zh:149d1ac2ace6e5539f1abd2186ed470a94d3146639d758db7ecefffc6ea86942", + "zh:30c641789aff263a088944a7765f7c3e104704e15f45c4b828ef5341cf1f87b2", + "zh:5497d55248fa47050000b213dae7bb9c5b3c33e31b4f4c6862dd4a5e46295df1", + "zh:6d6fac9185d34828e6f7d7f92f31590d600064a373e4f38add053c53cf9db5cf", + "zh:7cad5e6b8cdac3eee3654b4777a0ffc1627c9d5712d85e12a6f73e7b9fb112b7", + "zh:8c5e4557e5d70bec0eb00a708e0c71f0ef082f012fe8af3b7d14b3be8454a9b9", + "zh:91b11fead24db03e54bf49ffaf1afaf229d2f4d59331597aeb513ec4f8d1a114", + "zh:ac986c7102f413fbfabea49735c5b0343d34f313e93d772e7d12d504cc7b221d", + "zh:afc046c3ecc121d1c4c35822cad6280db1cff1165b99ed545d15d5cde3e5a464", + "zh:b726fc46c30f4c90cc6e7f3e991b31cb058768ae78596432f39997f3ed3f2085", + "zh:c46b73f037b0fc2dbc4d3a137d2ff17a794ec61c9d185f2d0252a3d7cf688dae", + "zh:d0962c860edc9c6db7bdb261fa9c9a3b11ca5e62f19552232c0b29ff9ca8fe7c", + ] +} + provider "registry.terraform.io/linode/linode" { version = "1.18.0" hashes = [ diff --git a/terraform/argocd-repo-creds.yaml b/terraform/argocd-repo-creds.yaml new file mode 100644 index 0000000..219ace0 --- /dev/null +++ b/terraform/argocd-repo-creds.yaml 
@@ -0,0 +1,59 @@
+# Repository credentials, for using the same credentials in multiple repositories.
+apiVersion: v1
+kind: Secret
+metadata:
+ name: argoproj-https-creds
+ namespace: argocd
+ labels:
+ argocd.argoproj.io/secret-type: repo-creds
+stringData:
+ url: https://github.com/argoproj
+ password: my-password
+ username: my-username
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: argoproj-ssh-creds
+ namespace: argocd
+ labels:
+ argocd.argoproj.io/secret-type: repo-creds
+stringData:
+ url: git@github.com:argoproj-labs
+ sshPrivateKey: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ ...
+ -----END OPENSSH PRIVATE KEY-----
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: github-creds
+ namespace: argocd
+ labels:
+ argocd.argoproj.io/secret-type: repo-creds
+stringData:
+ url: https://github.com/argoproj
+ githubAppID: 1
+ githubAppInstallationID: 2
+ githubAppPrivateKey: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ ...
+ -----END OPENSSH PRIVATE KEY-----
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: github-enterprise-creds
+ namespace: argocd
+ labels:
+ argocd.argoproj.io/secret-type: repo-creds
+stringData:
+ url: https://github.com/argoproj
+ githubAppID: 1
+ githubAppInstallationID: 2
+ githubAppEnterpriseBaseUrl: https://ghe.example.com/api/v3
+ githubAppPrivateKey: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ ...
+ -----END OPENSSH PRIVATE KEY-----
\ No newline at end of file
diff --git a/terraform/argocd-repositories.yaml b/terraform/argocd-repositories.yaml
new file mode 100644
index 0000000..9857b16
--- /dev/null
+++ b/terraform/argocd-repositories.yaml
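Review bot: The `kind: Secret` manifests in terraform/argocd-repo-creds.yaml carry credentials as plain `stringData` in a git-tracked file; the values are placeholders today (`my-password`, elided keys), but once real ones replace them they live in repository history and, if the file is applied through Terraform, presumably in state too. Keep only the non-secret fields (`url`, labels) in the file and supply `password`, `sshPrivateKey` and `githubAppPrivateKey` from a secret store or sensitive variables at apply time; the same applies to terraform/argocd-repositories.yaml, added in the next hunk. Separately, `githubAppID: 1` and `githubAppInstallationID: 2` are unquoted integers while `stringData` values must be strings, so the API server would likely reject those two Secrets; write `githubAppID: "1"` and `githubAppInstallationID: "2"`. Applied as written, the file would also register repo-creds entries for `https://github.com/argoproj` with dummy credentials, so confirm whether it is meant to be applied or kept only as a template.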
@@ -0,0 +1,54 @@
+# Git repositories configure Argo CD with (optional).
+# This list is updated when configuring/removing repos from the UI/CLI
+# Note: the last example in the list would use a repository credential template, configured under "argocd-repo-creds.yaml".
+apiVersion: v1
+kind: Secret
+metadata:
+ name: my-private-repo
+ namespace: argocd
+ labels:
+ argocd.argoproj.io/secret-type: repository
+stringData:
+ url: https://github.com/argoproj/my-private-repository
+ password: my-password
+ username: my-username
+ sshPrivateKey: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ ...
+ -----END OPENSSH PRIVATE KEY-----
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: istio-helm-repo
+ namespace: argocd
+ labels:
+ argocd.argoproj.io/secret-type: repository
+stringData:
+ url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
+ name: istio.io
+ type: helm
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: private-helm-repo
+ namespace: argocd
+ labels:
+ argocd.argoproj.io/secret-type: repository
+stringData:
+ url: https://my-private-chart-repo.internal
+ name: private-repo
+ type: helm
+ password: my-password
+ username: my-username
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: private-repo
+ namespace: argocd
+ labels:
+ argocd.argoproj.io/secret-type: repository
+stringData:
+ url: https://github.com/argoproj/private-repo
\ No newline at end of file
diff --git a/terraform/iam-external-dns.tf b/terraform/iam-external-dns.tf
new file mode 100644
index 0000000..01bd108
--- /dev/null
+++ b/terraform/iam-external-dns.tf
@@ -0,0 +1,40 @@
+
+
+resource "aws_iam_user" "lke-external-dns" {
+ name = "lke-external-dns"
+}
+
+resource "aws_iam_access_key" "lke-external-dns" {
+ user = aws_iam_user.lke-external-dns.name
+}
+
+resource "aws_iam_user_policy" "lke-external-dns" {
+ name = "route-53"
+ user = aws_iam_user.lke-external-dns.name
+ policy = <