diff --git a/bitbucket.tf b/bitbucket.tf
index 4717222..df88aaf 100644
--- a/bitbucket.tf
+++ b/bitbucket.tf
@@ -1,8 +1,7 @@
 module "bitbucket" {
   for_each = var.bitbucket
 
-  source  = "helecloud/bitbucket-oidc/aws"
-  version = "0.0.1"
+  source = "github.com/opszero/terraform-aws-bitbucket-oidc"
 
   workspace_name = each.value.workspace_name
   workspace_uuid = each.value.workspace_uuid
diff --git a/cloudformation.tf b/cloudformation.tf
deleted file mode 100644
index 6dc44f5..0000000
--- a/cloudformation.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-resource "aws_cloudformation_stack" "opszero_omyac" {
-  count        = var.opszero_omyac_enabled ? 1 : 0
-  name         = "opszero-omyac"
-  template_url = "https://api.opszero.com/omyac/api/cloudformation"
-}
-
-resource "aws_cloudformation_stack" "opszero_ri" {
-  count        = var.opszero_ri_enabled ? 1 : 0
-  name         = "opszero-ri"
-  template_url = "https://api.opszero.com/ri/api/cloudformation"
-}
-
-resource "aws_cloudformation_stack" "opszero_reseller" {
-  count        = var.opszero_reseller_enabled ? 1 : 0
-  name         = "opszero-reseller"
-  template_url = "https://api.opszero.com/reseller/api/cloudformation"
-}
-
diff --git a/github.tf b/github.tf
index 2935e54..43d036b 100644
--- a/github.tf
+++ b/github.tf
@@ -1,8 +1,7 @@
 module "oidc-github" {
   for_each = var.github
 
-  source  = "unfunco/oidc-github/aws"
-  version = "1.5.0"
+  source = "github.com/opszero/terraform-aws-oidc-github"
 
   github_repositories = each.value.repos
 
diff --git a/opszero.tf b/opszero.tf
new file mode 100644
index 0000000..fe715b6
--- /dev/null
+++ b/opszero.tf
@@ -0,0 +1,6 @@
+resource "aws_cloudformation_stack" "opszero" {
+  count = var.opszero_enabled ? 1 : 0
+
+  name         = "opszero"
+  template_url = "https://api.opszero.com/cloud/cloudformation"
+}
diff --git a/vanta.tf b/vanta.tf
new file mode 100644
index 0000000..0e62e2f
--- /dev/null
+++ b/vanta.tf
@@ -0,0 +1,93 @@
+resource "aws_iam_role_policy" "vanta_child" {
+  count = var.vanta_enabled && var.vanta_is_child_account ? 1 : 0
+
+  name = "VantaAdditionalPermissions"
+  role = aws_iam_role.vanta_auditor[0].id
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "identitystore:DescribeGroup",
+        "identitystore:DescribeGroupMembership",
+        "identitystore:DescribeUser",
+        "identitystore:GetGroupId",
+        "identitystore:GetGroupMembershipId",
+        "identitystore:GetUserId",
+        "identitystore:IsMemberInGroups",
+        "identitystore:ListGroupMemberships",
+        "identitystore:ListGroups",
+        "identitystore:ListUsers",
+        "identitystore:ListGroupMembershipsForMember"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Deny",
+      "Action": [
+        "datapipeline:EvaluateExpression",
+        "datapipeline:QueryObjects",
+        "rds:DownloadDBLogFilePortion"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+  EOF
+}
+
+resource "aws_iam_role_policy" "vanta_management" {
+  count = var.vanta_enabled && var.vanta_is_management_account ? 1 : 0
+
+  name = "VantaManagementAccountPermissions"
+  role = aws_iam_role.vanta_auditor[0].id
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Deny",
+      "Action": [
+        "datapipeline:EvaluateExpression",
+        "datapipeline:QueryObjects",
+        "rds:DownloadDBLogFilePortion"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+  EOF
+}
+
+resource "aws_iam_role" "vanta_auditor" {
+  count = var.vanta_enabled ? 1 : 0
+
+  name = "vanta-auditor"
+
+  managed_policy_arns = [
+    "arn:aws:iam::aws:policy/SecurityAudit",
+  ]
+
+  assume_role_policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Action" : "sts:AssumeRole",
+          "Principal" : {
+            "AWS" : var.vanta_account_id
+          },
+          "Condition" : {
+            "StringEquals" : {
+              "sts:ExternalId" : var.vanta_external_id
+            }
+          }
+        }
+      ]
+  })
+}
diff --git a/variables.tf b/variables.tf
index face2a8..684c5b3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -71,17 +71,31 @@ variable "bitbucket" {
   # }
 }
 
-variable "opszero_omyac_enabled" {
+variable "opszero_enabled" {
   description = "Deploy opsZero omyac cloudformation stack"
   default     = false
 }
 
-variable "opszero_ri_enabled" {
-  description = "Deploy opsZero ri cloudformation stack"
+variable "vanta_enabled" {
+  default = false
+}
+
+variable "vanta_is_management_account" {
+  description = "Is this an AWS management account that has child accounts?"
   default     = false
 }
 
-variable "opszero_reseller_enabled" {
-  description = "Deploy opsZero reseller cloudformation stack"
+variable "vanta_is_child_account" {
+  description = "Is this an AWS child account?"
   default     = false
 }
+
+variable "vanta_account_id" {
+  description = "Vanta account id"
+  default     = ""
+}
+
+variable "vanta_external_id" {
+  description = "Vanta external id"
+  default     = ""
+}