diff --git a/README.md b/README.md
index 3d456eff..cbedb844 100644
--- a/README.md
+++ b/README.md
@@ -172,7 +172,7 @@ allow us to review for any security advisories.
 
 ### Deploying an application to the kubernetes cluster
 Deployment of applications to the kubernetes cluster is handled through the combination
-of terraform (.tf) scripts, spacelift (CICD tool), and ArgoCd (Declarative definitions 
+of terraform (.tf) scripts, spacelift (CICD tool), and ArgoCd or Flux CD (Declarative definitions 
 for applications).
 
 To start of the deployment journey the first step is to create a new terraform module
diff --git a/deployments/spacelift/dpe-k8s/main.tf b/deployments/spacelift/dpe-k8s/main.tf
index cd03d65a..c6ad7e5d 100644
--- a/deployments/spacelift/dpe-k8s/main.tf
+++ b/deployments/spacelift/dpe-k8s/main.tf
@@ -45,6 +45,7 @@ locals {
     pod_to_node_dns_sg_id               = "TF_VAR_pod_to_node_dns_sg_id"
     smtp_user                           = "TF_VAR_smtp_user"
     smtp_password                       = "TF_VAR_smtp_password"
+    cluster_oidc_provider_arn           = "TF_VAR_cluster_oidc_provider_arn"
   }
 }
 
@@ -178,31 +179,6 @@ resource "spacelift_stack_dependency_reference" "cluster-name" {
 #   stack_id  = spacelift_stack.k8s-stack.id
 # }
 
-resource "spacelift_stack_destructor" "k8s-stack-deployments-destructor" {
-  depends_on = [
-    spacelift_stack.k8s-stack,
-    spacelift_aws_integration_attachment.k8s-deployments-aws-integration-attachment,
-    spacelift_context_attachment.k8s-kubeconfig-hooks,
-    spacelift_stack_dependency_reference.cluster-name,
-    spacelift_stack_dependency_reference.region-name,
-    spacelift_environment_variable.k8s-stack-deployments-environment-variables
-  ]
-
-  stack_id = spacelift_stack.k8s-stack-deployments.id
-}
-
-resource "spacelift_stack_destructor" "k8s-stack-destructor" {
-  depends_on = [
-    spacelift_aws_integration_attachment.k8s-aws-integration-attachment,
-    spacelift_context_attachment.k8s-kubeconfig-hooks,
-    spacelift_stack_dependency_reference.cluster-name,
-    spacelift_stack_dependency_reference.region-name,
-    spacelift_environment_variable.k8s-stack-environment-variables
-  ]
-
-  stack_id = spacelift_stack.k8s-stack.id
-}
-
 resource "spacelift_aws_integration_attachment" "k8s-aws-integration-attachment" {
   integration_id = var.aws_integration_id
   stack_id       = spacelift_stack.k8s-stack.id
@@ -244,12 +220,6 @@ resource "spacelift_stack" "auth0" {
   ]
 }
 
-resource "spacelift_stack_destructor" "auth0-stack-destructor" {
-  count    = var.deploy_auth0 ? 1 : 0
-  stack_id = spacelift_stack.auth0[0].id
-}
-
-
 resource "spacelift_environment_variable" "auth0-stack-environment-variables" {
   depends_on = [
     spacelift_stack.auth0
diff --git a/deployments/stacks/dpe-k8s-deployments/main.tf b/deployments/stacks/dpe-k8s-deployments/main.tf
index 30c32b9f..1b78a28b 100644
--- a/deployments/stacks/dpe-k8s-deployments/main.tf
+++ b/deployments/stacks/dpe-k8s-deployments/main.tf
@@ -1,3 +1,6 @@
+locals {
+  git_revision = var.git_revision
+}
 module "sage-aws-eks-autoscaler" {
   source                 = "spacelift.io/sagebionetworks/sage-aws-eks-autoscaler/aws"
   version                = "0.9.0"
@@ -26,13 +29,19 @@ module "argo-cd" {
   source = "../../../modules/argo-cd"
 }
 
+module "flux-cd" {
+  depends_on = [module.sage-aws-eks-autoscaler]
+  source     = "../../../modules/flux-cd"
+}
+
 module "victoria-metrics" {
-  depends_on   = [module.argo-cd]
-  source       = "spacelift.io/sagebionetworks/victoria-metrics/aws"
-  version      = "0.4.8"
+  depends_on = [module.argo-cd]
+  # source       = "spacelift.io/sagebionetworks/victoria-metrics/aws"
+  # version      = "0.4.8"
+  source       = "../../../modules/victoria-metrics"
   auto_deploy  = var.auto_deploy
   auto_prune   = var.auto_prune
-  git_revision = var.git_revision
+  git_revision = local.git_revision
 }
 
 module "trivy-operator" {
@@ -41,7 +50,7 @@ module "trivy-operator" {
   version      = "0.3.2"
   auto_deploy  = var.auto_deploy
   auto_prune   = var.auto_prune
-  git_revision = var.git_revision
+  git_revision = local.git_revision
 }
 
 module "airflow" {
@@ -50,7 +59,7 @@ module "airflow" {
   version      = "0.4.0"
   auto_deploy  = var.auto_deploy
   auto_prune   = var.auto_prune
-  git_revision = var.git_revision
+  git_revision = local.git_revision
   namespace    = "airflow"
 }
 
@@ -60,7 +69,7 @@ module "postgres-cloud-native-operator" {
   version      = "0.4.0"
   auto_deploy  = var.auto_deploy
   auto_prune   = var.auto_prune
-  git_revision = var.git_revision
+  git_revision = local.git_revision
 }
 
 module "postgres-cloud-native-database" {
@@ -69,30 +78,40 @@ module "postgres-cloud-native-database" {
   version              = "0.5.0"
   auto_deploy          = var.auto_deploy
   auto_prune           = var.auto_prune
-  git_revision         = var.git_revision
+  git_revision         = local.git_revision
   namespace            = "airflow"
   argo_deployment_name = "airflow-postgres-cloud-native"
 }
 
+module "clickhouse-backup-bucket" {
+  source                    = "../../../modules/s3-bucket"
+  bucket_name               = "clickhouse-backup-${var.aws_account_id}-${var.cluster_name}"
+  enable_versioning         = false
+  aws_account_id            = var.aws_account_id
+  cluster_name              = var.cluster_name
+  cluster_oidc_provider_arn = var.cluster_oidc_provider_arn
+}
 
 module "signoz" {
   depends_on = [module.argo-cd]
   # source               = "spacelift.io/sagebionetworks/postgres-cloud-native-database/aws"
   # version              = "0.5.0"
-  source               = "../../../modules/signoz"
-  auto_deploy          = var.auto_deploy
-  auto_prune           = var.auto_prune
-  git_revision         = var.git_revision
-  namespace            = "signoz"
-  argo_deployment_name = "signoz"
-  enable_otel_ingress  = var.enable_otel_ingress && var.enable_cluster_ingress
-  gateway_namespace    = "envoy-gateway"
-  cluster_name         = var.cluster_name
-  auth0_jwks_uri       = var.auth0_jwks_uri
-  smtp_password        = var.smtp_password
-  smtp_user            = var.smtp_user
-  smtp_from            = var.smtp_from
-  auth0_identifier     = var.auth0_identifier
+  source                = "../../../modules/signoz"
+  auto_deploy           = var.auto_deploy
+  auto_prune            = var.auto_prune
+  git_revision          = local.git_revision
+  namespace             = "signoz"
+  argo_deployment_name  = "signoz"
+  enable_otel_ingress   = var.enable_otel_ingress && var.enable_cluster_ingress
+  gateway_namespace     = "envoy-gateway"
+  cluster_name          = var.cluster_name
+  auth0_jwks_uri        = var.auth0_jwks_uri
+  smtp_password         = var.smtp_password
+  smtp_user             = var.smtp_user
+  smtp_from             = var.smtp_from
+  auth0_identifier      = var.auth0_identifier
+  s3_backup_bucket_name = module.clickhouse-backup-bucket.bucket_name
+  s3_access_role_arn    = module.clickhouse-backup-bucket.access_role_arn
 }
 
 module "envoy-gateway" {
@@ -103,7 +122,7 @@ module "envoy-gateway" {
   source               = "../../../modules/envoy-gateway"
   auto_deploy          = var.auto_deploy
   auto_prune           = var.auto_prune
-  git_revision         = var.git_revision
+  git_revision         = local.git_revision
   namespace            = "envoy-gateway"
   argo_deployment_name = "envoy-gateway"
   cluster_issuer_name  = "lets-encrypt-prod"
@@ -118,7 +137,7 @@ module "cert-manager" {
   source               = "../../../modules/cert-manager"
   auto_deploy          = var.auto_deploy
   auto_prune           = var.auto_prune
-  git_revision         = var.git_revision
+  git_revision         = local.git_revision
   namespace            = "cert-manager"
   argo_deployment_name = "cert-manager"
 }
diff --git a/deployments/stacks/dpe-k8s-deployments/variables.tf b/deployments/stacks/dpe-k8s-deployments/variables.tf
index 8f62670b..21b40836 100644
--- a/deployments/stacks/dpe-k8s-deployments/variables.tf
+++ b/deployments/stacks/dpe-k8s-deployments/variables.tf
@@ -40,6 +40,11 @@ variable "cluster_name" {
   type        = string
 }
 
+variable "cluster_oidc_provider_arn" {
+  description = "EKS cluster ARN for the oidc provider"
+  type        = string
+}
+
 variable "spotinst_account" {
   description = "Spot.io account"
   type        = string
diff --git a/deployments/stacks/dpe-k8s/outputs.tf b/deployments/stacks/dpe-k8s/outputs.tf
index 6851f6a7..1a920dad 100644
--- a/deployments/stacks/dpe-k8s/outputs.tf
+++ b/deployments/stacks/dpe-k8s/outputs.tf
@@ -38,11 +38,15 @@ output "cluster_name" {
   value = module.sage-aws-eks.cluster_name
 }
 
+output "cluster_oidc_provider_arn" {
+  value = module.sage-aws-eks.cluster_oidc_provider_arn
+}
+
 output "smtp_user" {
-  value = length(module.sage-aws-ses) > 0 ? module.sage-aws-ses[0].smtp_user : null
+  value = length(module.sage-aws-ses) > 0 ? module.sage-aws-ses[0].smtp_user : ""
 }
 
 output "smtp_password" {
   sensitive = true
-  value     = length(module.sage-aws-ses) > 0 ? module.sage-aws-ses[0].smtp_password : null
+  value     = length(module.sage-aws-ses) > 0 ? module.sage-aws-ses[0].smtp_password : ""
 }
diff --git a/modules/flux-cd/README.md b/modules/flux-cd/README.md
new file mode 100644
index 00000000..df006cd6
--- /dev/null
+++ b/modules/flux-cd/README.md
@@ -0,0 +1,56 @@
+# Purpose
+This module is used to deploy the `Flux CD` [helm chart](https://fluxcd-community.github.io/helm-charts) to the cluster. [`Flux CD`](https://fluxcd.io/) is a GitOps tool used to manage the application lifecycle on a Kubernetes cluster. It was originally deployed because unlike `Argo CD`, it supports the use of `postRenderers` which are used to apply any additional changes to the application after it has been deployed, and were needed to be used to deploy the `clickhouse-backup` sidecar container to the `signoz` helm release. We do not plan to move all existing applications to using `Flux CD` at this time, but it is available and preferred to be used for any new applications added to the cluster.
+
+## What resources are being deployed through this module
+In addition to a `helm_release` which deploys the `Flux CD` helm chart, this module also creates a `capacitor` resource which is used as the frontend for `Flux CD`.
+
+## Accessing the Flux CD UI
+To access the `Flux CD` UI, you only need to port-forward the `capacitor` pod and access it in your browser.
+
+# Deploying an application with Flux CD
+To deploy an application with `Flux CD`, you will need to create a `HelmRepository` resource which points to the helm chart you want to deploy. In that resource definition, you will set the `apiVersion` to `source.toolkit.fluxcd.io/v1` and the `kind` to `HelmRepository`. For example (code from the `signoz` module):
+
+```
+resource "kubectl_manifest" "signoz-helm-repo" {
+  depends_on = [kubernetes_namespace.signoz]
+
+  yaml_body = <<YAML
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: signoz
+  namespace: ${var.namespace}
+spec:
+  interval: 24h
+  url: https://charts.signoz.io
+YAML
+}
+```
+
+In your `Deployment` or `HelmRelease` resource, you will need to add a similar configuration, for example (again from the `signoz` module):
+```
+resource "kubectl_manifest" "signoz-helm-release" {
+  depends_on = [kubernetes_namespace.signoz]
+
+  yaml_body = <<YAML
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: signoz
+  namespace: ${var.namespace}
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: signoz
+      version: '0.55.1'
+      sourceRef:
+        kind: HelmRepository
+        name: signoz
+        namespace: ${var.namespace}
+      interval: 10m
+      reconcileStrategy: Revision
+...
+YAML
+}
+```
diff --git a/modules/flux-cd/main.tf b/modules/flux-cd/main.tf
new file mode 100644
index 00000000..a6b0b5c3
--- /dev/null
+++ b/modules/flux-cd/main.tf
@@ -0,0 +1,56 @@
+resource "kubernetes_namespace" "flux-system" {
+  metadata {
+    name = "flux-system"
+  }
+}
+
+resource "helm_release" "fluxcd" {
+  name       = "flux2"
+  repository = "https://fluxcd-community.github.io/helm-charts"
+  chart      = "flux2"
+  namespace  = "flux-system"
+  version    = "2.14.0"
+  depends_on = [kubernetes_namespace.flux-system]
+
+  values = [templatefile("${path.module}/templates/values.yaml", {})]
+}
+
+resource "kubectl_manifest" "capacitor" {
+  depends_on = [helm_release.fluxcd]
+
+  yaml_body = <<YAML
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: capacitor
+  namespace: flux-system
+spec:
+  interval: 12h
+  url: oci://ghcr.io/gimlet-io/capacitor-manifests
+  ref:
+    semver: ">=0.1.0"
+YAML
+}
+
+resource "kubectl_manifest" "capacitor-kustomization" {
+  depends_on = [helm_release.fluxcd]
+
+  yaml_body = <<YAML
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: capacitor
+  namespace: flux-system
+spec:
+  targetNamespace: flux-system
+  interval: 1h
+  retryInterval: 2m
+  timeout: 5m
+  wait: true
+  prune: true
+  path: "./"
+  sourceRef:
+    kind: OCIRepository
+    name: capacitor
+YAML
+}
diff --git a/modules/flux-cd/templates/values.yaml b/modules/flux-cd/templates/values.yaml
new file mode 100644
index 00000000..c42ea8d2
--- /dev/null
+++ b/modules/flux-cd/templates/values.yaml
@@ -0,0 +1,327 @@
+# global
+
+installCRDs: true
+crds:
+  # -- Add annotations to all CRD resources, e.g. "helm.sh/resource-policy": keep
+  annotations: {}
+
+multitenancy:
+  # -- Implement the patches for Multi-tenancy lockdown.
+  # See https://fluxcd.io/docs/installation/#multi-tenancy-lockdown
+  enabled: false
+  # -- All Kustomizations and HelmReleases which don’t have spec.serviceAccountName
+  # specified, will use the default account from the tenant’s namespace.
+  # Tenants have to specify a service account in their Flux resources to be able
+  # to deploy workloads in their namespaces as the default account has no permissions.
+  defaultServiceAccount: "default"
+  # -- Both kustomize-controller and helm-controller service accounts run privileged
+  # with cluster-admin ClusterRoleBinding. Disable if you want to run them with a
+  # minimum set of permissions.
+  privileged: true
+
+clusterDomain: cluster.local
+
+cli:
+  image: ghcr.io/fluxcd/flux-cli
+  tag: v2.4.0
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+  annotations: {}
+  serviceAccount:
+    automount: true
+
+# controllers
+
+helmController:
+  create: true
+  image: ghcr.io/fluxcd/helm-controller
+  tag: v1.1.0
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  extraEnv: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  nodeSelector: {}
+  # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
+  # for example:
+  #   affinity:
+  #     nodeAffinity:
+  #      requiredDuringSchedulingIgnoredDuringExecution:
+  #        nodeSelectorTerms:
+  #        - matchExpressions:
+  #          - key: foo.bar.com/role
+  #            operator: In
+  #            values:
+  #            - master
+
+  affinity: {}
+  # expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
+  # for example:
+  #   tolerations:
+  #   - key: foo.bar.com/role
+  #     operator: Equal
+  #     value: master
+  #     effect: NoSchedule
+
+  tolerations: []
+
+imageAutomationController:
+  create: true
+  image: ghcr.io/fluxcd/image-automation-controller
+  tag: v0.39.0
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  extraEnv: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+
+imageReflectionController:
+  create: true
+  image: ghcr.io/fluxcd/image-reflector-controller
+  tag: v0.33.0
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  extraEnv: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+
+kustomizeController:
+  create: true
+  image: ghcr.io/fluxcd/kustomize-controller
+  tag: v1.4.0
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  extraEnv: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  secret:
+    # -- Create a secret to use it with extraSecretMounts. Defaults to false.
+    create: false
+    name: ""
+    data: {}
+  # -- Defines envFrom using a configmap and/or secret.
+  envFrom:
+    map:
+      name: ""
+    secret:
+      name: ""
+  # -- Defines additional mounts with secrets.
+  # Secrets must be manually created in the namespace or with kustomizeController.secret
+  extraSecretMounts: []
+  # - name: secret-files
+  #   mountPath: /etc/secrets
+  #   subPath: ""
+  #   secretName: secret-files
+  #   readOnly: true
+
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+
+notificationController:
+  create: true
+  image: ghcr.io/fluxcd/notification-controller
+  tag: v1.4.0
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  extraEnv: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  service:
+    labels: {}
+    annotations: {}
+  webhookReceiver:
+    service:
+      labels: {}
+      annotations: {}
+    ingress:
+      create: false
+      # ingressClassName: nginx
+      annotations: {}
+      # kubernetes.io/ingress.class: nginx
+      # kubernetes.io/tls-acme: "true"
+      labels: {}
+      hosts:
+        - host: flux-webhook.example.com
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+      tls: []
+      #  - secretName: flux-webhook-tls
+      #    hosts:
+      #      - flux-webhook.example.com
+
+
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+
+sourceController:
+  create: true
+  image: ghcr.io/fluxcd/source-controller
+  tag: v1.4.1
+  resources:
+    limits: {}
+    # cpu: 1000m
+    # memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+  priorityClassName: ""
+  annotations:
+    prometheus.io/port: "8080"
+    prometheus.io/scrape: "true"
+  labels: {}
+  container:
+    additionalArgs: []
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+  imagePullPolicy: ""
+  service:
+    labels: {}
+    annotations: {}
+  nodeSelector: {}
+  affinity: {}
+  tolerations: []
+  extraEnv: []
+
+policies:
+  create: true
+
+rbac:
+  create: true
+  # -- Grant the Kubernetes view, edit and admin roles access to Flux custom resources
+  createAggregation: true
+  # -- Add annotations to all RBAC resources, e.g. "helm.sh/resource-policy": keep
+  annotations: {}
+  roleRef:
+    name: cluster-admin
+
+logLevel: info
+watchAllNamespaces: true
+
+# -- contents of pod imagePullSecret in form 'name=[secretName]'; applied to all controllers
+imagePullSecrets: []
+
+# -- Array of extra K8s manifests to deploy
+extraObjects: []
+# Example usage from https://fluxcd.io/docs/components/source/buckets/#static-authentication
+# - apiVersion: source.toolkit.fluxcd.io/v1beta2
+#   kind: Bucket
+#   metadata:
+#     name: podinfo
+#     namespace: default
+#   spec:
+#     interval: 1m
+#     provider: generic
+#     bucketName: podinfo
+#     endpoint: minio.minio.svc.cluster.local:9000
+#     insecure: true
+#     secretRef:
+#       name: minio-credentials
+# - apiVersion: v1
+#   kind: Secret
+#   metadata:
+#     name: minio-credentials
+#     namespace: default
+#   type: Opaque
+#   data:
+#     accesskey: <BASE64>
+#     secretkey: <BASE64>
+
+# Enables podMonitor creation for the Prometheus Operator
+prometheus:
+  podMonitor:
+    # -- Enables podMonitor endpoint
+    create: false
+    podMetricsEndpoints:
+      - port: http-prom
+        relabelings:
+          # https://github.com/prometheus-operator/prometheus-operator/issues/4816
+          - sourceLabels: [__meta_kubernetes_pod_phase]
+            action: keep
+            regex: Running
diff --git a/modules/flux-cd/versions.tf b/modules/flux-cd/versions.tf
new file mode 100644
index 00000000..31cbf926
--- /dev/null
+++ b/modules/flux-cd/versions.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "~> 2.0"
+    }
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "1.14.0"
+    }
+  }
+}
diff --git a/modules/s3-bucket/README.md b/modules/s3-bucket/README.md
new file mode 100644
index 00000000..44aa0594
--- /dev/null
+++ b/modules/s3-bucket/README.md
@@ -0,0 +1,37 @@
+# Purpose
+This is a simple module that can be used within applications to create an S3 bucket.
+
+## WARNING
+If you are tearing down a stack with a deployed S3 Bucket, you will likely encounter an error similar to the following:
+```
+deleting S3 Bucket (my-beautiful-bucket): operation error S3: DeleteBucket, https response error StatusCode: 409, RequestID: 123, HostID: 123456789+g=, api error BucketNotEmpty: The bucket you tried to delete is not empty. You must delete all versions in the bucket.
+```
+We have intentionally not handled this behavior as a safeguard against accidental deletion of a bucket that contains important data. If you need to delete the bucket, you will need to manually delete all objects within it. If versioning is enabled for the bucket, you will also need to delete all versions of the objects.
+
+# Usage
+Using this module only requires calling it in your terraform code:
+```
+module "my_beautiful_bucket" {
+  source      = "../../../modules/s3-bucket"
+  bucket_name = "my-beautiful-bucket"
+  enable_versioning = false
+  aws_account_id = var.aws_account_id
+  cluster_name = var.cluster_name
+  cluster_oidc_provider_arn = var.cluster_oidc_provider_arn
+}
+```
+
+The module handles creating the necessary IAM policy, role, and role policy attachment for accessing the bucket and provides the role ARN as an output.
+
+After confirming that the policy and role are configured correctly, you can either use the ARN directly in your application code or configure a kubernetes service account bound to the IAM role. The latter can be done like so:
+```
+resource "kubernetes_service_account" "my_beautiful_bucket_service_account" {
+  metadata {
+    name      = "my-beautiful-bucket-service-account"
+    namespace = var.namespace
+    annotations = {
+      "eks.amazonaws.com/role-arn" = "${module.my_beautiful_bucket.iam_role_arn}"
+    }
+  }
+}
+```
diff --git a/modules/s3-bucket/main.tf b/modules/s3-bucket/main.tf
new file mode 100644
index 00000000..a9d13f22
--- /dev/null
+++ b/modules/s3-bucket/main.tf
@@ -0,0 +1,64 @@
+resource "aws_s3_bucket" "bucket" {
+  bucket = var.bucket_name
+  tags = merge(
+    var.tags,
+    {
+      Name = var.bucket_name
+    }
+  )
+}
+
+resource "aws_s3_bucket_versioning" "versioning" {
+  bucket = aws_s3_bucket.bucket.id
+  versioning_configuration {
+    status = var.enable_versioning ? "Enabled" : "Disabled"
+  }
+}
+
+
+resource "aws_iam_policy" "s3-access-policy" {
+  name        = "access-policy-${var.aws_account_id}-${var.cluster_name}-${var.bucket_name}"
+  description = "Policy to access the s3 bucket"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:ListBucket",
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:DeleteObject",
+        ]
+        Resource = [
+          aws_s3_bucket.bucket.arn,
+          "${aws_s3_bucket.bucket.arn}/*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role" "s3-access-iam-role" {
+  name        = "s3-${var.cluster_name}-${var.bucket_name}"
+  description = "Assumed role to access the s3 bucket with the given permissions."
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Effect = "Allow"
+        Principal = {
+          Federated = "${var.cluster_oidc_provider_arn}",
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "s3-access-policy-attachment" {
+  role       = aws_iam_role.s3-access-iam-role.name
+  policy_arn = aws_iam_policy.s3-access-policy.arn
+}
diff --git a/modules/s3-bucket/outputs.tf b/modules/s3-bucket/outputs.tf
new file mode 100644
index 00000000..25983295
--- /dev/null
+++ b/modules/s3-bucket/outputs.tf
@@ -0,0 +1,14 @@
+output "bucket_name" {
+  description = "Name of the created S3 bucket"
+  value       = aws_s3_bucket.bucket.id
+}
+
+output "bucket_arn" {
+  description = "ARN of the created S3 bucket"
+  value       = aws_s3_bucket.bucket.arn
+}
+
+output "access_role_arn" {
+  description = "ARN of the role to access the S3 bucket"
+  value       = aws_iam_role.s3-access-iam-role.arn
+}
\ No newline at end of file
diff --git a/modules/s3-bucket/variables.tf b/modules/s3-bucket/variables.tf
new file mode 100644
index 00000000..25877694
--- /dev/null
+++ b/modules/s3-bucket/variables.tf
@@ -0,0 +1,33 @@
+variable "bucket_name" {
+  description = "Name of the S3 bucket to create"
+  type        = string
+}
+
+variable "tags" {
+  description = "Tags to apply to the S3 bucket"
+  type        = map(string)
+  default = {
+    "CostCenter" = "No Program / 000000"
+  }
+}
+
+variable "enable_versioning" {
+  description = "Enable versioning on the bucket"
+  type        = bool
+  default     = true
+}
+
+variable "aws_account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "cluster_name" {
+  description = "EKS cluster name"
+  type        = string
+}
+
+variable "cluster_oidc_provider_arn" {
+  description = "EKS cluster ARN for the oidc provider"
+  type        = string
+}
diff --git a/modules/s3-bucket/versions.tf b/modules/s3-bucket/versions.tf
new file mode 100644
index 00000000..cba4c144
--- /dev/null
+++ b/modules/s3-bucket/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
diff --git a/modules/sage-aws-eks/ouputs.tf b/modules/sage-aws-eks/ouputs.tf
index 59692964..8114420b 100644
--- a/modules/sage-aws-eks/ouputs.tf
+++ b/modules/sage-aws-eks/ouputs.tf
@@ -13,3 +13,7 @@ output "node_security_group_id" {
 output "pod_to_node_dns_sg_id" {
   value = aws_security_group.pod-dns-egress.id
 }
+
+output "cluster_oidc_provider_arn" {
+  value = module.eks.oidc_provider_arn
+}
diff --git a/modules/signoz/README.md b/modules/signoz/README.md
index 4cdcfa66..82f5cb67 100644
--- a/modules/signoz/README.md
+++ b/modules/signoz/README.md
@@ -5,13 +5,12 @@ SigNoz is an open-source APM. It helps developers monitor their applications
 & troubleshoot problems, an open-source alternative to DataDog, NewRelic, etc. Open 
 source Application Performance Monitoring (APM) & Observability tool.
 
+## Initial setup
 
-## This module is a work in progress (To be completed before production, or determine if not needed)
-A number of items are needed:
-
-- Setting up backups and data retention: https://sagebionetworks.jira.com/browse/IBCDPE-1094
-- Set up accounts and access to the service declaratively
-
+- Accounts in SigNoz need to be manually set up (SSO is only available in the enterprise version)
+- 120 months for "Total Retention Period" and 1 month for "Move to S3" settings should be set
+- Any dashboards need to be copied or set up
+- Alert channels (Email/Slack) need to be set
 
 ## Setting up SMTP for alertmanager
 Alertmanager is an additional tool that is deployed to the kubernetes cluster that
@@ -107,3 +106,12 @@ Once you're connected via a port-forward session the next item is to make sure t
 application you're sending data from is instrumented with open-telemetry. This is going
 to be application specific so instructions will need to live within the application
 you are using.
+
+### Clickhouse Backups and Restores
+This module uses the `clickhouse-backup` tool to automatically back up the clickhouse database and store the data in an S3 bucket to ensure continuity of the data regardless of the state of the cluster.`clickhouse-backup` is deployed as a sidecar container to the `signoz` helm release. It will perform incremental backups of the database every 8 hours and full backups every 24 hours.
+
+To restore the database from an S3 backup, you can use the following steps:
+1. Scale the replica cluster (`chi-signoz-clickhouse-cluster-0-1`) `StatefulSet` to 0 replicas.
+1. Identify the backup that you would like to restore from. You can get the full list of backups by shelling into the `clickhouse-backup-sidecar` container within the `chi-signoz-clickhouse-cluster-0-0-0` pod and running `clickhouse-backup list`.
+1. Restore the database from your backup by running `clickhouse-backup restore_remote --rm --schema <backup-name>` (assuming the backup from remote storage).
+1. Scale the replica cluster `StatefulSet` back to 1 replica. Once the `chi-signoz-clickhouse-cluster-0-1-0` has fully come back up, you should see the restored data showing in the `signoz` UI.
diff --git a/modules/signoz/main.tf b/modules/signoz/main.tf
index 4a366f9f..ed1f8f2d 100644
--- a/modules/signoz/main.tf
+++ b/modules/signoz/main.tf
@@ -8,104 +8,273 @@ resource "kubernetes_namespace" "signoz" {
   }
 }
 
-resource "kubectl_manifest" "signoz-deployment" {
+resource "kubectl_manifest" "signoz-helm-repo" {
   depends_on = [kubernetes_namespace.signoz]
 
   yaml_body = <<YAML
-apiVersion: argoproj.io/v1alpha1
-kind: Application
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
 metadata:
   name: signoz
-  namespace: argocd
+  namespace: ${var.namespace}
 spec:
-  project: default
-  %{if var.auto_deploy}
-  syncPolicy:
-    automated:
-      prune: ${var.auto_prune}
-  %{endif}
-  sources:
-  - repoURL: 'https://charts.signoz.io'
-    chart: signoz
-    targetRevision: 0.55.1
-    helm:
-      releaseName: signoz
-      # Extra parameters to set (same as setting through values.yaml, but these take precedence)
-      parameters:
-      - name: "clickhouse.password"
-        value: ${random_password.clickhouse-admin-password.result}
-      %{if local.alertmanager_enabled}
-      - name: "alertmanager.enabled"
-        value: "true"
-      - name: "alertmanager.additionalEnvs.ALERTMANAGER_SMTP_FROM"
-        value: ${var.smtp_from}
-      - name: "alertmanager.additionalEnvs.ALERTMANAGER_SMTP_AUTH_USERNAME"
-        value: ${var.smtp_user}
-      - name: "alertmanager.additionalEnvs.ALERTMANAGER_SMTP_AUTH_PASSWORD"
-        value: ${var.smtp_password}
-      %{else}
-      - name: "alertmanager.enabled"
-        value: "false"
-      %{endif}
-      valueFiles:
-      - $values/modules/signoz/templates/values.yaml
-  - repoURL: 'https://github.com/Sage-Bionetworks-Workflows/eks-stack.git'
-    targetRevision: ${var.git_revision}
-    ref: values
-  %{if var.enable_otel_ingress}
-  - repoURL: 'https://github.com/Sage-Bionetworks-Workflows/eks-stack.git'
-    targetRevision: ${var.git_revision}
-    path: modules/signoz/resources-otel-ingress
-    kustomize:
-      patches:
-      - target:
-          kind: ReferenceGrant
-        patch: |-
-          - op: replace
-            path: /spec/from/0/namespace
-            value: ${var.gateway_namespace}
-      - target:
-          kind: HTTPRoute
-        patch: |-
-          - op: replace
-            path: /metadata/namespace
-            value: ${var.gateway_namespace}
-          - op: replace
-            path: /spec/rules/0/backendRefs/0/namespace
-            value: ${var.namespace}
-      - target:
-          kind: SecurityPolicy
-        patch: |-
-          - op: replace
-            path: /metadata/namespace
-            value: ${var.gateway_namespace}
-          - op: replace
-            path: /spec/jwt/providers
-            value:
-              - name: auth0
-                remoteJWKS:
-                  uri: ${var.auth0_jwks_uri}
-                audiences:
-                  - ${var.auth0_identifier}
-          - op: replace
-            path: /spec/authorization
-            value:
-              defaultAction: Deny
-              rules:
-              - name: allow
-                action: Allow
-                principal:
-                  jwt:
-                    provider: auth0
-                    scopes:
-                      - write:telemetry
-  %{endif}
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: ${var.namespace}
+  interval: 24h
+  url: https://charts.signoz.io
 YAML
 }
 
+resource "kubernetes_config_map" "signoz-values" {
+  metadata {
+    name      = "signoz-values"
+    namespace = var.namespace
+  }
+
+  data = {
+    "signoz_values.yaml" = "${file("${path.module}/templates/values.yaml")}"
+  }
+
+}
+
+resource "kubectl_manifest" "signoz-helm-release" {
+  depends_on = [kubernetes_namespace.signoz]
+
+  yaml_body = <<YAML
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: signoz
+  namespace: ${var.namespace}
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: signoz
+      version: '0.55.1'
+      sourceRef:
+        kind: HelmRepository
+        name: signoz
+        namespace: ${var.namespace}
+      interval: 10m
+      reconcileStrategy: Revision
+  values:
+    clickhouse:
+      serviceAccount:
+        annotations:
+          eks.amazonaws.com/role-arn: ${var.s3_access_role_arn}
+      coldStorage:
+        enabled: true
+        defaultKeepFreeSpaceBytes: "10485760" # 10MiB
+        type: s3
+        endpoint: https://${var.s3_backup_bucket_name}.s3.amazonaws.com/coldstorage/
+        role:
+          enabled: true
+          annotations:
+            eks.amazonaws.com/role-arn: ${var.s3_access_role_arn}
+  valuesFrom:
+    - kind: ConfigMap
+      name: signoz-values
+      valuesKey: signoz_values.yaml
+    - kind: Secret
+      name: clickhouse-admin-password
+      valuesKey: password
+      targetPath: clickhouse.password
+    - kind: Secret
+      name: signoz-smtp-config
+      valuesKey: smtp_config.yaml
+  postRenderers:
+    - kustomize:
+        patches:
+          # Add the sidecar container
+          - target:
+              kind: ClickHouseInstallation
+            patch: |
+              - op: add
+                path: /spec/templates/podTemplates/0/spec/containers/-
+                value:
+                  name: clickhouse-backup-sidecar
+                  image: altinity/clickhouse-backup:2.6.3
+                  imagePullPolicy: IfNotPresent
+                  args: ["server", "--watch"]
+                  resources:
+                    requests:
+                      cpu: "100m"
+                      memory: "128Mi"
+                    limits:
+                      cpu: "500m"
+                      memory: "256Mi"
+                  env:
+                    - name: LOG_LEVEL
+                      value: "debug"
+                    - name: ALLOW_EMPTY_BACKUPS
+                      value: "true"
+                    - name: API_LISTEN
+                      value: "0.0.0.0:7171"
+                    - name: API_CREATE_INTEGRATION_TABLES
+                      value: "true"
+                    - name: BACKUPS_TO_KEEP_LOCAL
+                      value: "1"
+                    - name: BACKUPS_TO_KEEP_REMOTE
+                      value: "3"
+                    - name: REMOTE_STORAGE
+                      value: "s3"
+                    - name: WATCH_INTERVAL
+                      value: "8h"
+                    - name: FULL_INTERVAL
+                      value: "24h"
+                    - name: BACKUP_NAME
+                      value: "${var.s3_backup_bucket_name}"
+                    - name: S3_BUCKET
+                      value: "${var.s3_backup_bucket_name}"
+                    - name: S3_PATH
+                      value: "backup/shard-{shard}"
+                    - name: S3_OBJECT_DISK_PATH
+                      value: "backup-object-disks/shard-{shard}"
+                  ports:
+                    - name: backup-rest
+                      containerPort: 7171
+          - target:
+              kind: ClickHouseInstallation
+            patch: |
+              - op: replace
+                path: /spec/configuration/files/config.d~1storage.xml
+                value: |
+                  <clickhouse>
+                    <storage_configuration>
+                        <disks>
+                          <default>
+                            <keep_free_space_bytes>10485760</keep_free_space_bytes>
+                          </default>
+                          <s3>
+                            <type>s3</type>
+                            <endpoint>https://${var.s3_backup_bucket_name}.s3.amazonaws.com/coldstorage/</endpoint>
+                            <use_environment_credentials>true</use_environment_credentials>
+                            <region>us-east-1</region>
+                          </s3>
+                        </disks>
+                        <policies>
+                          <tiered>
+                            <volumes>
+                              <default>
+                                <disk>default</disk>
+                              </default>
+                              <s3>
+                                <disk>s3</disk>
+                                <perform_ttl_move_on_insert>0</perform_ttl_move_on_insert>
+                                <prefer_not_to_merge>1</prefer_not_to_merge>
+                              </s3>
+                            </volumes>
+                            <move_factor>0</move_factor>
+                          </tiered>
+                        </policies>
+                      </storage_configuration>
+                    </clickhouse>
+YAML
+}
+
+resource "kubectl_manifest" "signoz-git-repo" {
+  depends_on = [kubectl_manifest.signoz-helm-release]
+
+  yaml_body = <<YAML
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: signoz-git-repo
+  namespace: ${var.namespace}
+spec:
+  interval: 1m
+  ref:
+    branch: ${var.git_revision}
+  url: https://github.com/Sage-Bionetworks-Workflows/eks-stack
+YAML
+}
+
+resource "kubectl_manifest" "signoz-kustomization-service-scrape" {
+  depends_on = [kubectl_manifest.signoz-git-repo, kubectl_manifest.signoz-helm-release]
+
+  yaml_body = <<YAML
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: signoz-additional-resources-service-scrape
+  namespace: ${var.namespace}
+spec:
+  targetNamespace: ${var.namespace}
+  interval: 1h
+  retryInterval: 2m
+  timeout: 5m
+  wait: true
+  prune: true
+  path: "./modules/signoz/resources-service-scrape"
+  sourceRef:
+    kind: GitRepository
+    name: signoz-git-repo
+YAML
+}
+
+resource "kubectl_manifest" "signoz-kustomization-telemetry-ingress" {
+  depends_on = [kubectl_manifest.signoz-git-repo, kubectl_manifest.signoz-helm-release]
+
+  yaml_body = <<YAML
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: signoz-telemetry-ingress
+  namespace: ${var.namespace}
+spec:
+  targetNamespace: ${var.namespace}
+  interval: 1h
+  retryInterval: 2m
+  timeout: 5m
+  wait: true
+  prune: true
+  path: "./modules/signoz/resources-otel-ingress"
+  sourceRef:
+    kind: GitRepository
+    name: signoz-git-repo
+  patches:
+    - target:
+        kind: ReferenceGrant
+      patch: |-
+        - op: replace
+          path: /spec/from/0/namespace
+          value: ${var.gateway_namespace}
+    - target:
+        kind: HTTPRoute
+      patch: |-
+        - op: replace
+          path: /metadata/namespace
+          value: ${var.gateway_namespace}
+        - op: replace
+          path: /spec/rules/0/backendRefs/0/namespace
+          value: ${var.namespace}
+    - target:
+        kind: SecurityPolicy
+      patch: |-
+        - op: replace
+          path: /metadata/namespace
+          value: ${var.gateway_namespace}
+        - op: replace
+          path: /spec/jwt/providers
+          value:
+            - name: auth0
+              remoteJWKS:
+                uri: ${var.auth0_jwks_uri}
+              audiences:
+                - ${var.auth0_identifier}
+        - op: replace
+          path: /spec/authorization
+          value:
+            defaultAction: Deny
+            rules:
+            - name: allow
+              action: Allow
+              principal:
+                jwt:
+                  provider: auth0
+                  scopes:
+                    - write:telemetry
+YAML
+}
 
 resource "random_password" "clickhouse-admin-password" {
   length  = 32
@@ -124,3 +293,23 @@ resource "kubernetes_secret" "clickhouse-admin-password" {
 
   depends_on = [kubernetes_namespace.signoz]
 }
+
+resource "kubernetes_secret" "signoz-smtp-config" {
+  metadata {
+    name      = "signoz-smtp-config"
+    namespace = var.namespace
+  }
+
+  data = {
+    "smtp_config.yaml" = <<YAML
+alertmanager:
+  enabled: ${local.alertmanager_enabled ? "true" : "false"}
+  additionalEnvs:
+    ALERTMANAGER_SMTP_FROM: ${local.alertmanager_enabled ? var.smtp_from : ""}
+    ALERTMANAGER_SMTP_AUTH_USERNAME: ${local.alertmanager_enabled ? var.smtp_user : ""}
+    ALERTMANAGER_SMTP_AUTH_PASSWORD: ${local.alertmanager_enabled ? var.smtp_password : ""}
+YAML
+  }
+
+  depends_on = [kubernetes_namespace.signoz]
+}
diff --git a/modules/signoz/resources-service-scrape/kustomization.yaml b/modules/signoz/resources-service-scrape/kustomization.yaml
new file mode 100644
index 00000000..d5325338
--- /dev/null
+++ b/modules/signoz/resources-service-scrape/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - scrape.yaml
\ No newline at end of file
diff --git a/modules/signoz/resources-service-scrape/scrape.yaml b/modules/signoz/resources-service-scrape/scrape.yaml
new file mode 100644
index 00000000..dbee6b13
--- /dev/null
+++ b/modules/signoz/resources-service-scrape/scrape.yaml
@@ -0,0 +1,10 @@
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMServiceScrape
+metadata:
+  name: clickhouse-vmservicescrape
+spec:
+  endpoints:
+    - port: signoz-clickhouse-operator-metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: clickhouse
diff --git a/modules/signoz/templates/values.yaml b/modules/signoz/templates/values.yaml
index fa93d5fe..03503707 100644
--- a/modules/signoz/templates/values.yaml
+++ b/modules/signoz/templates/values.yaml
@@ -41,6 +41,11 @@ imagePullSecrets: []
 clickhouse:
   # -- Whether to install clickhouse. If false, `clickhouse.host` must be set
   enabled: true
+  storage:
+  type: s3
+  endpoint: s3.amazonaws.com
+  bucket: clickhouse-backup-${aws_account_id}-${cluster_name}
+  region: us-east-1
 
   # Zookeeper default values
   # Ref: https://github.com/bitnami/charts/blob/main/bitnami/zookeeper/values.yaml
@@ -363,9 +368,9 @@ clickhouse:
     # For GCS, endpoint should be https://storage.googleapis.com/<bucket-name>/data/
     endpoint: https://<bucket-name>.s3-<region>.amazonaws.com/data/
     # -- Access Key for S3 or GCS
-    accessKey: <access_key_id>
+    # accessKey: <access_key_id>
     # -- Secret Access Key for S3 or GCS
-    secretAccess: <secret_access_key>
+    # secretAccess: <secret_access_key>
     # AWS role configuration - to use environment variables instead of passing access and secret keys
     role:
       # -- Whether to enable AWS IAM ARN role.
@@ -1286,7 +1291,7 @@ schemaMigrator:
   annotations: {}
   # In Helm, this is needed to apply helm hooks for pre-upgrade, delete policy and hook weight.
   # For ArgoCD, this is needed to apply the sync wave - ArgoCD equivalent of hook weight.
-  upgradeHelmHooks: true
+  upgradeHelmHooks: false
 
   # -- Whether to enable replication for schemaMigrator
   enableReplication: true
diff --git a/modules/signoz/variables.tf b/modules/signoz/variables.tf
index 344c8f60..2370bdc6 100644
--- a/modules/signoz/variables.tf
+++ b/modules/signoz/variables.tf
@@ -70,3 +70,13 @@ variable "smtp_from" {
   type        = string
   default     = ""
 }
+
+variable "s3_backup_bucket_name" {
+  description = "The name of the S3 bucket to use for backups"
+  type        = string
+}
+
+variable "s3_access_role_arn" {
+  description = "The ARN of the role to use for accessing the S3 bucket"
+  type        = string
+}
diff --git a/modules/victoria-metrics/templates/values.yaml b/modules/victoria-metrics/templates/values.yaml
index c4e84892..1cf22307 100644
--- a/modules/victoria-metrics/templates/values.yaml
+++ b/modules/victoria-metrics/templates/values.yaml
@@ -808,6 +808,10 @@ grafana:
         gnetId: 20417
         revision: 3
         datasource: VictoriaMetrics
+      altinity-clickhouse-operator-dashboard:
+        gnetId: 12163
+        revision: 2
+        datasource: VictoriaMetrics
 
   defaultDashboardsTimezone: utc