diff --git a/helm/cas-airflow/templates/jobs/terraform-apply.yaml b/helm/cas-airflow/templates/jobs/terraform-apply.yaml
new file mode 100644
index 0000000..ee8d993
--- /dev/null
+++ b/helm/cas-airflow/templates/jobs/terraform-apply.yaml
@@ -0,0 +1,73 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: terraform-apply
+ labels:
+ component: backend
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+spec:
+ backoffLimit: 0
+ activeDeadlineSeconds: 900
+ template:
+ spec:
+ serviceAccountName: "terraform-kubernetes-service-account"
+ containers:
+ - name: terraform-apply
+ resources: {{ toYaml .Values.devops.resources | nindent 12 }}
+ image: "{{ .Values.devops.image.repository }}:{{ .Values.devops.sourceRepoImageTag | default .Values.devops.image.tag }}"
+ imagePullPolicy: {{ .Values.devops.image.pullPolicy }}
+ volumeMounts:
+ - mountPath: /etc/gcp
+ name: service-account-credentials-volume
+ readOnly: True
+ - mountPath: /etc/tf
+ name: terraform-backend-config-volume
+ readOnly: True
+ - name: tf-cache
+ mountPath: /working
+ readOnly: False
+ - name: terraform-modules
+ mountPath: /terraform
+ readOnly: False
+ env:
+ - name: TF_VAR_project_id
+ valueFrom:
+ secretKeyRef:
+ name: gcp-credentials-secret
+ key: gcp_project_id
+ - name: TF_VAR_openshift_namespace
+ value: {{ .Release.Namespace | quote }}
+ - name: TF_VAR_apps
+ value: '["airflow-backups", "airflow-logs"]'
+ - name: kubernetes_host
+ value: "https://api.silver.devops.gov.bc.ca:6443"
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: "/etc/gcp/credentials.json"
+ # Terraform was having an issue pulling kubernetes_host in as a TF_VAR, so we add it as a attribute to the command
+ command:
+ [
+ "/bin/sh",
+ "-c",
+ "cp -r /terraform/. 
/working && cd working && export TF_VAR_kubernetes_token=$( cat /var/run/secrets/kubernetes.io/serviceaccount/token ) && terraform init -backend-config=/etc/tf/gcs.tfbackend && terraform apply -var=\"kubernetes_host=$kubernetes_host\" -auto-approve",
+ ]
+ restartPolicy: Never
+ volumes:
+ - name: service-account-credentials-volume
+ secret:
+ secretName: gcp-credentials-secret
+ items:
+ - key: sa_json
+ path: credentials.json
+ - name: terraform-backend-config-volume
+ secret:
+ secretName: gcp-credentials-secret
+ items:
+ - key: tf_backend
+ path: gcs.tfbackend
+ - name: tf-cache
+ emptyDir: {}
+ - name: terraform-modules
+ configMap:
+ name: terraform-modules
diff --git a/helm/cas-airflow/templates/jobs/terraform-modules.yaml b/helm/cas-airflow/templates/jobs/terraform-modules.yaml
new file mode 100644
index 0000000..90346a7
--- /dev/null
+++ b/helm/cas-airflow/templates/jobs/terraform-modules.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: terraform-modules
+ namespace: {{ .Release.Namespace }}
+ # Because terraform-apply.yaml is pre-install, pre-upgrade, this configmap needs to be in place before it
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-10"
+binaryData:
+{{- range $path, $data := .Files.Glob "terraform/**.tf" }}
+{{ $path | base | indent 2 }}: >-
+{{- $data | toString | b64enc | nindent 4 }}
+{{ end }}
diff --git a/helm/cas-airflow/templates/jobs/terraform-service-account.yaml b/helm/cas-airflow/templates/jobs/terraform-service-account.yaml
new file mode 100644
index 0000000..663ab91
--- /dev/null
+++ b/helm/cas-airflow/templates/jobs/terraform-service-account.yaml
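Review bot: The shell command copies the modules to the absolute path `/working` but then runs `cd working`, a path relative to whatever working directory the image starts in; unless that directory is `/`, the `cd` fails and the `&&` chain stops before `terraform init` runs, so the safer form is `cd /working`. The cluster endpoint is also baked into the template as `value: "https://api.silver.devops.gov.bc.ca:6443"`, which ties the chart to one cluster; it belongs in values next to the other `devops` settings (for example a `devops.kubernetesHost` key) so another environment does not need a template edit. On a style note, the `readOnly: True` / `readOnly: False` entries under `volumeMounts` use the capitalised YAML 1.1 spellings that yamllint's truthy rule flags; write `true` / `false`. Worth keeping in mind when reviewing the RBAC file: the apply runs with the token read from `/var/run/secrets/kubernetes.io/serviceaccount/token`, so its effective privilege in the cluster is exactly what the `terraform-secret-admin` Role grants.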
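Review bot: The ConfigMap keys are built with `{{ $path | base | indent 2 }}`, so two `.tf` files with the same basename in different directories matched by `.Files.Glob "terraform/**.tf"` would yield duplicate keys and the last one silently wins; if the modules are ever nested, either restrict the glob to one level (`terraform/*.tf`) or derive the key from the relative path instead. Helm's built-in `(.Files.Glob "terraform/*.tf").AsConfig` produces the same basename-keyed mapping under `data:` without hand-encoding each file with `b64enc` into `binaryData`; the mounted files are identical either way, so this is only a simplification if a plain-text ConfigMap is acceptable here. The closing `{{ end }}` is not whitespace-trimmed and appears to leave an empty line between entries in the rendered manifest; `{{- end }}` keeps the output tidy.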
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: "terraform-secret-admin"
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: "terraform-kubernetes-service-account"
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "terraform-kubernetes-service-account-secret-admin-binding"
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: "terraform-secret-admin"
+subjects:
+- kind: ServiceAccount
+ name: "terraform-kubernetes-service-account"
+ namespace: {{ .Release.Namespace }}
diff --git a/helm/cas-airflow/values.yaml b/helm/cas-airflow/values.yaml
index f609fc0..5e23741 100644
--- a/helm/cas-airflow/values.yaml
+++ b/helm/cas-airflow/values.yaml
@@ -212,3 +212,17 @@ cas-postgres:
 namespace: ~
 gcs:
 bucketSuffix: ~
+
+devops:
+ image:
+ repository: hashicorp/terraform
+ pullPolicy: Always
+ tag: "1.4.6"
+
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
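Review bot: The `terraform-secret-admin` Role grants `list`, `watch` and `deletecollection` on every Secret in the release namespace, which lets the hook's service account read `gcp-credentials-secret` and any other secret the chart installs, not only the ones Terraform manages. RBAC cannot restrict `create` or `deletecollection` by resource name and `list` / `watch` effectively expose every secret, but `get`, `update`, `patch` and `delete` can be confined with `resourceNames`; dropping the verbs the Terraform Kubernetes provider does not need and adding `resourceNames` for the rest would bring this closer to least privilege — which verbs it actually requires should be confirmed against the provider. The three RBAC objects also carry no `helm.sh/hook-weight`, while terraform-modules.yaml sets `"helm.sh/hook-weight": "-10"` precisely so it precedes the Job; giving the Role, ServiceAccount and RoleBinding the same explicit weight makes the ordering deliberate rather than a side effect of Helm's kind ordering.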
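Review bot: `tag: "1.4.6"` together with `pullPolicy: Always` pins the Terraform image only by a mutable registry tag, so every pre-install/pre-upgrade run re-resolves whatever that tag points to at the time. Pinning by digest would make the hook reproducible and would narrow the supply-chain exposure of a job that holds cluster and GCP credentials, though the `image:` line in terraform-apply.yaml joins repository and tag with `:` and would need an `@`-form (for example a separate `devops.image.digest` value) to carry one. The stanza correctly quotes the version string so it is not read as a float.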