diff --git a/terraform-environments/aws/terragrunt-dev/progress.md b/terraform-environments/aws/terragrunt-dev/progress.md index 3225f0bd7..f54eb6e23 100644 --- a/terraform-environments/aws/terragrunt-dev/progress.md +++ b/terraform-environments/aws/terragrunt-dev/progress.md @@ -272,6 +272,8 @@ upstream items that have their own life cycle and releases. While we dont want # 130-external-secrets +This installs the external-secrets helm chart which is an operator + PR: https://github.com/ManagedKube/kubernetes-ops/pull/336 Looks like this also has the same helm provider version problem @@ -280,3 +282,9 @@ Looks like this also has the same helm provider version problem Will have to peg all new ones to the older version for now. * https://github.com/ManagedKube/kubernetes-ops/pull/337 +# 130-external-secrets-store +This installs the CRDs for external-secrets to tell it what AWS secret store +to use. + +PR: https://github.com/ManagedKube/kubernetes-ops/pull/338 + diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/.terraform.lock.hcl new file mode 100644 index 000000000..12be14605 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/.terraform.lock.hcl 
@@ -0,0 +1,73 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.19.0" + constraints = ">= 2.23.0" + hashes = [ + "h1:4vAZv9/3q5z78CV+YAumfuaoSNSNwAXDEhI/XnGVM5E=", + "zh:22820bfa0065f583298015367f8dc015dffa5b19b76dbd78ecf5da8d7d599573", + "zh:31a5c5fade4bd30dbc2b15f448cebb9ed527793c607e8687d3b2101bcf2c4471", + "zh:37c9e469e51aa835a5542510561397541de08b62fc15292588382932624fcf88", + "zh:398bfe1ba7428ef03293c6618067ddd8c0aaae8bbe764177ae951259228af724", + "zh:4610f5a93ef956103d719ae73872a52ecd6cb321452c26a879896348bc27eed9", + "zh:4a0d570dc5f01f41538b4eb70086a00dfb25c5d00fd27c950ac209d3609486f6", + "zh:4fb65ce84801f82a3beb4e2cb72c5d52ca04d4717ed3890b206da346f02d5def", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bb3919bd6d94fb22025540f0c1db5eceec8927bd71b8fbdcd295609c999065f", + "zh:ce2623a13f74677cdb948607e456ce00407c57333b8310d5c9d053fc3defbc78", + "zh:e0d57e8784e6ccfa96fdd07ae1ddcc947be242bc11e7a5dd16b520b4204e0d09", + "zh:f988b7c37e95a5b3a493a6b9dcc5ed270136f97d5c0effa84a51940f71626c12", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + 
"zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/terragrunt.hcl new file mode 100644 index 000000000..75f2647f2 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/terragrunt.hcl 
@@ -0,0 +1,60 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/external-secrets/secret_store?ref=v2.0.4"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ environment_name = local.common_vars.locals.environment_name
+}
\ No newline at end of file
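Review bot: The `dependency "eks"` block mocks `zone_id = "zzzz"`, but the only output this unit reads is `dependency.eks.outputs.cluster_id` in the `generate "k8s_helm"` block, so a `validate` run that falls back to the mocks will presumably fail on the missing attribute; the mock should be `cluster_id = "mock-cluster-id"`. Separately, the module `source` is pinned to the tag `ref=v2.0.4`, and a git tag can be re-pointed after review. Because this unit configures the store that external-secrets uses to read AWS secrets, pinning to the full commit behind that tag (`?ref=<COMMIT_SHA_FOR_v2.0.4>`) keeps the fetched module identical to what was reviewed. The `tags`, `region_vars` and `environment_vars` locals are never passed through `inputs`, so either wire them in (if the module accepts them) or drop them.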