diff --git a/terraform/provider.tf b/terraform/provider.tf
index edbdea1..f3df067 100644
--- a/terraform/provider.tf
+++ b/terraform/provider.tf
@@ -16,6 +16,10 @@ terraform {
 source = "cloudflare/cloudflare"
 version = "~> 4.0"
 }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.7.0"
+ }
 }
 }
@@ -40,3 +44,10 @@ provider "kubernetes" {
 provider "cloudflare" {
 api_token = var.CLOUDFLARE_TOKEN
 }
+
+provider "kubectl" {
+ host = aws_eks_cluster.eks_cluster.endpoint
+ cluster_ca_certificate = base64decode(aws_eks_cluster.eks_cluster.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.cluster_auth.token
+ load_config_file = false
+}
\ No newline at end of file
diff --git a/terraform/tls.tf b/terraform/tls.tf
index ab06fad..70ed125 100644
--- a/terraform/tls.tf
+++ b/terraform/tls.tf
@@ -12,34 +12,24 @@ resource "helm_release" "cert_manager" {
 }
 }
-resource "kubernetes_manifest" "cluster_issuer" {
- manifest = {
- apiVersion = "cert-manager.io/v1"
- kind = "ClusterIssuer"
- metadata = {
- name = "letsencrypt-prod"
- namespace = "cert-manager"
- }
- spec = {
- acme = {
- email = var.CLOUDFLARE_EMAIL
- server = "https://acme-v02.api.letsencrypt.org/directory"
- privateKeySecretRef = {
- name = "letsencrypt-prod-key"
- }
- solvers = [
- {
- dns01 = {
- cloudflare = {
- email = var.CLOUDFLARE_EMAIL
- apiToken = var.CLOUDFLARE_TOKEN
- }
- }
- }
- ]
- }
- }
- }
- skip_kind_check = true # because it depends on the cert-manager CRDs being installed
+resource "kubectl_manifest" "cluster_issuer" {
+ yaml_body = <
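Review bot: The new `kubectl` entry in `required_providers` (terraform/provider.tf, first hunk) uses an open-ended constraint, `version = ">= 1.7.0"`, so any later release of this community provider, including a new major version, is accepted the next time providers are upgraded. The provider is given the cluster endpoint and a bearer token in the following hunk, so it is worth bounding it the way the cloudflare entry is, for example `version = "~> 1.7"`. Committing `.terraform.lock.hcl` would additionally pin the provider checksums; whether that file is tracked cannot be seen from this diff. The `terraform` block starts above the hunk.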
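Review bot: `token = data.aws_eks_cluster_auth.cluster_auth.token` in the new `provider "kubectl"` block (terraform/provider.tf, second hunk) passes a static, short-lived bearer token that is read once per run and is normally recorded in Terraform state, so a long apply can fail on expiry and anyone who can read the state sees the token while it is valid. Replacing that line with an `exec` block that calls `aws eks get-token` fetches the credential at use time and keeps it out of state; this assumes the AWS CLI is available where Terraform runs. `load_config_file = false` should stay, since it stops the provider from picking up an ambient kubeconfig. The file also now ends without a trailing newline.

```hcl
provider "kubectl" {
  # … unchanged: host, cluster_ca_certificate, load_config_file …
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", aws_eks_cluster.eks_cluster.name]
  }
}
```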