diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf
index 2b7af2ef..5fc05029 100644
--- a/terraform/subscriptions/s940/c2/common/main.tf
+++ b/terraform/subscriptions/s940/c2/common/main.tf
@@ -209,7 +209,7 @@ module "radix_id_gitrunner" {
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
 }
 app_registry_contributor = {
- role = "Contributor"
+ role = "Contributor"
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}app"
 }
 }
diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf
index 6849d4d3..0434a7b9 100644
--- a/terraform/subscriptions/s940/prod/common/main.tf
+++ b/terraform/subscriptions/s940/prod/common/main.tf
@@ -206,7 +206,7 @@ module "radix_id_gitrunner" {
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
 }
 app_registry_contributor = {
- role = "Contributor"
+ role = "Contributor"
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radixprodapp" # TODO: Replace resource name when fixed
 }
 }
diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
index ae7723cd..40ddc4ad 100644
--- a/terraform/subscriptions/s941/dev/common/main.tf
+++ b/terraform/subscriptions/s941/dev/common/main.tf
@@ -206,7 +206,7 @@ module "radix_id_gitrunner" {
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
 }
 app_registry_contributor = {
- role = "Contributor"
+ role = "Contributor"
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}app"
 }
 }
diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf
index a52f4f99..4a1af624 100644
--- a/terraform/subscriptions/s941/playground/common/main.tf
+++ b/terraform/subscriptions/s941/playground/common/main.tf
@@ -197,7 +197,7 @@ module "radix_id_gitrunner" {
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/${data.azurerm_virtual_network.this.resource_group_name}"
 }
 app_registry_contributor = {
- role = "Contributor"
+ role = "Contributor"
 scope_id = "/subscriptions/${module.config.subscription}/resourceGroups/common/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}app"
 }
 }
diff --git a/terraform/subscriptions/s941/playground/post-clusters/cert-manager.tf b/terraform/subscriptions/s941/playground/post-clusters/cert-manager.tf
deleted file mode 100644
index 09b2c14e..00000000
--- a/terraform/subscriptions/s941/playground/post-clusters/cert-manager.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-data "azurerm_user_assigned_identity" "cert-manager-mi" {
- resource_group_name = module.config.common_resource_group
- name = "radix-id-certmanager-${module.config.environment}"
-}
-
-resource "azurerm_federated_identity_credential" "cert-manager-mi-fedcred" {
- for_each = module.clusters.oidc_issuer_url
-
- audience = ["api://AzureADTokenExchange"]
- name = "k8s-cert-manager-dns01-${each.key}-${module.config.environment}"
- issuer = each.value
- subject = "system:serviceaccount:cert-manager:cert-manager"
- parent_id = data.azurerm_user_assigned_identity.cert-manager-mi.id
- resource_group_name = data.azurerm_user_assigned_identity.cert-manager-mi.resource_group_name
-}
diff --git a/terraform/subscriptions/s941/playground/pre-clusters/backend.tf b/terraform/subscriptions/s941/playground/pre-clusters/backend.tf
index a3303aa6..20cc1dfc 100644
--- a/terraform/subscriptions/s941/playground/pre-clusters/backend.tf
+++ b/terraform/subscriptions/s941/playground/pre-clusters/backend.tf
@@ -31,3 +31,9 @@ module "config" {
 source = "../../../modules/config"
 }
+module "clusters" {
+ source = "../../../modules/active-clusters"
+ resource_group_name = module.config.cluster_resource_group
+ subscription = module.config.subscription
+}
+
diff --git a/terraform/subscriptions/s941/playground/pre-clusters/cert-manager.tf b/terraform/subscriptions/s941/playground/pre-clusters/cert-manager.tf
index d0dfe050..ab5c6235 100644
--- a/terraform/subscriptions/s941/playground/pre-clusters/cert-manager.tf
+++ b/terraform/subscriptions/s941/playground/pre-clusters/cert-manager.tf
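Review bot: In pre-clusters/backend.tf the new `module "clusters"` block carries no comment saying why a stack named pre-clusters reads the active clusters. From the cert-manager.tf change in the same directory it appears to exist to supply `module.clusters.oidc_issuer_url` for the federated credentials, so I would add `# Supplies per-cluster OIDC issuer URLs for the federated credentials in cert-manager.tf` above it. If this stack can be applied before any cluster exists, please also confirm that `oidc_issuer_url` is then an empty map, so the `for_each` creates nothing instead of failing.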
@@ -3,10 +3,9 @@ data "azurerm_user_assigned_identity" "cert-manager-mi" {
 name = "radix-id-certmanager-${module.config.environment}"
 }
-resource "azurerm_federated_identity_credential" "cert-manager-mi-fedcred" {
- for_each = module.clusters.oidc_issuer_url
-
- audience = ["api://AzureADTokenExchange"]
+module "cert-manager-mi-fedcred" {
+ source = "../../../modules/federated-credentials"
+ for_each = module.clusters.oidc_issuer_url
 name = "k8s-cert-manager-dns01-${each.key}-${module.config.environment}"
 issuer = each.value
 subject = "system:serviceaccount:cert-manager:cert-manager"
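Review bot: The explicit `audience = ["api://AzureADTokenExchange"]` is dropped from the call in pre-clusters/cert-manager.tf, so the audience this identity trusts is now whatever `modules/federated-credentials` sets, and that module is not visible in this diff. Please confirm the module pins the audience to that value rather than leaving it as an overridable default, or keep passing it here so the trust relationship (issuer, subject, audience) stays readable in one place. Switching from a `resource` to a `module` also changes the Terraform address, so without a `moved` block or a state move the plan will probably destroy and recreate each credential, and cert-manager's token exchange would fail in between. The module block continues past the end of this hunk.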