diff --git a/.drone.yml b/.drone.yml
index 04af4068c37b5..98423531a5ae2 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -20,4 +20,6 @@ steps:
       - mkdir ~/.ssh && echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519 && chmod 0600 ~/.ssh/id_ed25519
       - ssh-keyscan -H github.com >> ~/.ssh/known_hosts
       - make -C .terra/superset init
-      - make -C .terra/superset validate
\ No newline at end of file
+      - make -C .terra/superset validate
+      - make -C .terra/insights init
+      - make -C .terra/insights validate
\ No newline at end of file
diff --git a/.terra/insights/Makefile b/.terra/insights/Makefile
new file mode 100644
index 0000000000000..77a642fb3f0c7
--- /dev/null
+++ b/.terra/insights/Makefile
@@ -0,0 +1,53 @@
+AWS_REGION:=$(if $(AWS_REGION),$(AWS_REGION),us-west-2)
+ENVIRONMENT:=qa
+GIT_SHA="$(shell git rev-parse --short=7 HEAD)"
+TERRAFORM:=terraform
+S3_BUCKET_PREFIX:=$(if $(S3_BUCKET_PREFIX),$(S3_BUCKET_PREFIX),zf-terraform)
+
+tf_files := $(shell find . -name "*.tf")
+
+all: plan
+
+check-fmt:
+	$(TERRAFORM) fmt -check=true
+
+format:
+	$(TERRAFORM) fmt
+
+init:
+	$(TERRAFORM) init \
+		-backend-config="bucket=$(S3_BUCKET_PREFIX)-$(ENVIRONMENT)" \
+		-backend-config="region=$(AWS_REGION)"
+
+validate: ${tf_files}
+	$(TERRAFORM) validate
+
+plan: .terraform/terraform.tfstate ${tf_files}
+	$(TERRAFORM) plan \
+		-var "env=$(ENVIRONMENT)" \
+		-var "git_sha=$(GIT_SHA)" \
+		-out terra.plan
+
+apply: plan
+	$(TERRAFORM) apply terra.plan
+
+clean:
+	rm -f *.backup *.plan
+	rm -f .terraform/terraform.tfstate
+
+clobber: clean
+	rm -rf .terraform
+
+plan_destroy: .terraform/terraform.tfstate ${tf_files}
+	$(TERRAFORM) plan -destroy \
+		-var "env=$(ENVIRONMENT)" \
+		-var "git_sha=$(GIT_SHA)" \
+		-out terra_destroy.plan
+
+destroy: plan_destroy
+	$(TERRAFORM) destroy \
+		-var "env=$(ENVIRONMENT)" \
+		-var "git_sha=$(GIT_SHA)" \
+		-auto-approve
+
+.PHONY: all check-fmt format init validate plan apply clean clobber destroy plan_destroy
\ No newline at end of file
diff --git a/.terra/insights/celery_beat/celery_beat.nomad.hcl b/.terra/insights/celery_beat/celery_beat.nomad.hcl
new file mode 100644
index 0000000000000..4036eb75d1a94
--- /dev/null
+++ b/.terra/insights/celery_beat/celery_beat.nomad.hcl
@@ -0,0 +1,106 @@
+group "celery-beat-group" {
+  count = "${count}"
+
+  meta {
+    group = "$${NOMAD_GROUP_NAME}"
+    lang  = "python"
+  }
+
+  task "celery-beat" {
+    driver = "docker"
+    shutdown_delay = "10s"
+
+    config {
+      image   = "${ecr_url}/zf/insights:${git_sha}"
+      command = "celery"
+      args = [
+        "--app=superset.tasks.celery_app:app",
+        "beat",
+      ]
+      force_pull = true
+    }
+
+    resources {
+      cpu    = 1024
+      memory = 1024
+
+      network {
+        mbits = 1
+        port "https" {}
+      }
+    }
+
+    service {
+      name = "$${NOMAD_JOB_NAME}-$${NOMAD_GROUP_NAME}"
+      port = "https"
+
+      check {
+        name     = "$${NOMAD_JOB_NAME}-$${NOMAD_GROUP_NAME} up check"
+        type    = "script"
+        command = "celery"
+        args    = [
+          "-A",
+          "superset.tasks.celery_app:app",
+          "inspect",
+          "ping"
+        ]
+        interval = "30s"
+        timeout  = "10s"
+      }
+    }
+template {
+     data = <<EOH
+{
+  "type": "service_account",
+  {{ with secret "secret/superset/gcp_insights_sa" }}
+  "project_id": "{{ .Data.project_id }}",
+  "private_key_id": "{{ .Data.private_key_id }}",
+  "private_key": "{{ .Data.private_key }}",
+  "client_email": "{{ .Data.client_email }}",
+  "client_id": "{{ .Data.client_id }}",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://accounts.google.com/o/oauth2/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "{{ .Data.client_x509_cert_url }}"{{ end }}
+}
+EOH
+        destination = "secrets/service-acct.json"
+        change_mode="restart"
+      }
+
+    template {
+      data = <<EOH
+GOOGLE_APPLICATION_CREDENTIALS=/secrets/service-acct.json
+
+{{ with secret "database/insights-superset-db/creds/admin" }}
+DATABASE_URL="postgresql://{{ .Data.username }}:{{ .Data.password }}@${db_address}:${db_port}/insights_superset"
+{{ end }}
+
+{{ with secret "secret/superset/insights" }}
+SSO_API_BASE_URL="{{ .Data.SSO_API_BASE_URL }}"
+SSO_CLIENT_ID="{{ .Data.SSO_CLIENT_ID }}"
+SSO_CLIENT_SECRET="{{ .Data.SSO_CLIENT_SECRET }}"
+SUPERSET_SECRET_KEY="{{ .Data.SUPERSET_SECRET_KEY }}"
+{{ end }}
+
+{{ with secret "secret/smtp" }}
+SENDGRID_HOST="{{ .Data.host }}"
+SENDGRID_PORT="{{ .Data.port }}"
+SENDGRID_USERNAME="{{ .Data.username }}"
+SENDGRID_PASSWORD="{{ .Data.password }}"{{ end }}
+
+{{ range ls "${app}/superset/env" }}
+{{ .Key|toUpper }}="{{ .Value }}"
+{{ end }}
+      EOH
+      destination = "secrets/env"
+      change_mode = "restart"
+      env         = true
+    }
+
+    vault {
+      policies    = ["${app}"]
+      change_mode = "restart"
+    }
+  }
+}
\ No newline at end of file
diff --git a/.terra/insights/celery_beat/celery_beat.tf b/.terra/insights/celery_beat/celery_beat.tf
new file mode 100644
index 0000000000000..74c6fbb95b187
--- /dev/null
+++ b/.terra/insights/celery_beat/celery_beat.tf
@@ -0,0 +1,55 @@
+variable "app" {}
+
+variable "env" {}
+
+variable "aws_region" {
+  default = "us-west-2"
+}
+
+variable "git_sha" {}
+
+variable "cmd" {
+  default = "celery-beat"
+}
+
+variable "ecr_url" {}
+
+variable "db_address" {}
+
+variable "db_port" {}
+
+# ----------------------------------------
+# AWS
+# ----------------------------------------
+provider "aws" {
+  region = "${var.aws_region}"
+}
+
+# ----------------------------------------
+# Nomad Configuration
+# ----------------------------------------
+locals {
+  container_counts = {
+    qa   = 1
+    stag = 1
+    prod = 1
+  }
+}
+
+data "template_file" "nomad_group" {
+  template = "${file("./celery_beat/celery_beat.nomad.hcl")}"
+
+  vars {
+    aws_region = "${var.aws_region}"
+    ecr_url    = "${var.ecr_url}"
+    git_sha    = "${var.git_sha}"
+    app        = "${var.app}"
+    db_address = "${var.db_address}"
+    db_port    = "${var.db_port}"
+    count = "${local.container_counts[var.env]}"
+  }
+}
+
+output "nomad_group" {
+  value = "${data.template_file.nomad_group.rendered}"
+}
diff --git a/.terra/insights/celery_flower/celery_flower.nomad.hcl b/.terra/insights/celery_flower/celery_flower.nomad.hcl
new file mode 100644
index 0000000000000..f3e0078093f5a
--- /dev/null
+++ b/.terra/insights/celery_flower/celery_flower.nomad.hcl
@@ -0,0 +1,109 @@
+group "celery-flower-group" {
+  count = "${count}"
+
+  meta {
+    group = "$${NOMAD_GROUP_NAME}"
+    lang  = "python"
+  }
+
+  task "celery-flower" {
+    driver = "docker"
+    shutdown_delay = "10s"
+
+    config {
+      image   = "${ecr_url}/zf/insights:${git_sha}"
+      command = "celery"
+      args = [
+        "--app=superset.tasks.celery_app:app",
+        "flower",
+      ]
+      force_pull = true
+      port_map = {
+          https = 5555
+        }
+    }
+
+    resources {
+      cpu    = 1024
+      memory = 1024
+
+      network {
+        mbits = 1
+        port "https" {}
+      }
+    }
+
+    service {
+      name = "$${NOMAD_JOB_NAME}-$${NOMAD_GROUP_NAME}"
+      port = "https"
+
+      check {
+        name     = "$${NOMAD_JOB_NAME}-$${NOMAD_GROUP_NAME} up check"
+        type     = "script"
+        command  = "celery"
+        args     = [
+          "-A",
+          "superset.tasks.celery_app:app",
+          "inspect",
+          "ping"
+        ]
+        interval = "30s"
+        timeout  = "10s"
+      }
+    }
+  template {
+     data = <<EOH
+{
+  "type": "service_account",
+  {{ with secret "secret/superset/gcp_insights_sa" }}
+  "project_id": "{{ .Data.project_id }}",
+  "private_key_id": "{{ .Data.private_key_id }}",
+  "private_key": "{{ .Data.private_key }}",
+  "client_email": "{{ .Data.client_email }}",
+  "client_id": "{{ .Data.client_id }}",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://accounts.google.com/o/oauth2/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "{{ .Data.client_x509_cert_url }}"{{ end }}
+}
+EOH
+        destination = "secrets/service-acct.json"
+        change_mode="restart"
+      }
+
+    template {
+      data = <<EOH
+GOOGLE_APPLICATION_CREDENTIALS=/secrets/service-acct.json
+
+{{ with secret "database/insights-superset-db/creds/admin" }}
+DATABASE_URL="postgresql://{{ .Data.username }}:{{ .Data.password }}@${db_address}:${db_port}/insights_superset"
+{{ end }}
+
+{{ with secret "secret/superset/insights" }}
+SSO_API_BASE_URL="{{ .Data.SSO_API_BASE_URL }}"
+SSO_CLIENT_ID="{{ .Data.SSO_CLIENT_ID }}"
+SSO_CLIENT_SECRET="{{ .Data.SSO_CLIENT_SECRET }}"
+SUPERSET_SECRET_KEY="{{ .Data.SUPERSET_SECRET_KEY }}"
+{{ end }}
+
+{{ with secret "secret/smtp" }}
+SENDGRID_HOST="{{ .Data.host }}"
+SENDGRID_PORT="{{ .Data.port }}"
+SENDGRID_USERNAME="{{ .Data.username }}"
+SENDGRID_PASSWORD="{{ .Data.password }}"{{ end }}
+
+{{ range ls "${app}/superset/env" }}
+{{ .Key|toUpper }}="{{ .Value }}"
+{{ end }}
+      EOH
+      destination = "secrets/env"
+      change_mode = "restart"
+      env         = true
+    }
+
+    vault {
+      policies    = ["${app}"]
+      change_mode = "restart"
+    }
+  }
+}
\ No newline at end of file
diff --git a/.terra/insights/celery_flower/celery_flower.tf b/.terra/insights/celery_flower/celery_flower.tf
new file mode 100644
index 0000000000000..8c53394e36467
--- /dev/null
+++ b/.terra/insights/celery_flower/celery_flower.tf
@@ -0,0 +1,53 @@
+variable "app" {}
+
+variable "env" {}
+
+variable "aws_region" {}
+
+variable "git_sha" {}
+
+variable "cmd" {
+  default = "celery-flower"
+}
+
+variable "ecr_url" {}
+
+variable "db_address" {}
+
+variable "db_port" {}
+
+# ----------------------------------------
+# AWS
+# ----------------------------------------
+provider "aws" {
+  region = "${var.aws_region}"
+}
+
+# ----------------------------------------
+# Nomad Configuration
+# ----------------------------------------
+locals {
+  container_counts = {
+    qa   = 1
+    stag = 1
+    prod = 1
+  }
+}
+
+data "template_file" "nomad_group" {
+  template = "${file("./celery_flower/celery_flower.nomad.hcl")}"
+
+  vars {
+    aws_region = "${var.aws_region}"
+    ecr_url    = "${var.ecr_url}"
+    git_sha    = "${var.git_sha}"
+    app        = "${var.app}"
+    db_address = "${var.db_address}"
+    db_port    = "${var.db_port}"
+    count = "${local.container_counts[var.env]}"
+  }
+}
+
+output "nomad_group" {
+  value = "${data.template_file.nomad_group.rendered}"
+}
diff --git a/.terra/insights/celery_worker/celery_worker.nomad.hcl b/.terra/insights/celery_worker/celery_worker.nomad.hcl
new file mode 100644
index 0000000000000..d172251295281
--- /dev/null
+++ b/.terra/insights/celery_worker/celery_worker.nomad.hcl
@@ -0,0 +1,106 @@
+group "celery-worker-group" {
+  count = "${count}"
+
+  meta {
+    group = "$${NOMAD_GROUP_NAME}"
+    lang  = "python"
+  }
+
+  task "celery-worker" {
+    driver = "docker"
+    shutdown_delay = "10s"
+
+    config {
+      image   = "${ecr_url}/zf/insights:${git_sha}"
+      command = "celery"
+      args = [
+        "--app=superset.tasks.celery_app:app",
+        "worker",
+      ]
+      force_pull = true
+    }
+
+    resources {
+      cpu  = 4096
+      memory = 4096
+
+      network {
+        mbits = 1
+        port "https" {}
+      }
+    }
+
+    service {
+      name = "$${NOMAD_JOB_NAME}-$${NOMAD_GROUP_NAME}"
+      port = "https"
+
+      check {
+        name     = "$${NOMAD_JOB_NAME}-$${NOMAD_GROUP_NAME} up check"
+        type     = "script"
+        command = "celery"
+        args    = [
+          "-A",
+          "superset.tasks.celery_app:app",
+          "inspect",
+          "ping"
+        ]
+        interval = "30s"
+        timeout  = "10s"
+      }
+    }
+  template {
+     data = <<EOH
+{
+  "type": "service_account",
+  {{ with secret "secret/superset/gcp_insights_sa" }}
+  "project_id": "{{ .Data.project_id }}",
+  "private_key_id": "{{ .Data.private_key_id }}",
+  "private_key": "{{ .Data.private_key }}",
+  "client_email": "{{ .Data.client_email }}",
+  "client_id": "{{ .Data.client_id }}",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://accounts.google.com/o/oauth2/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "{{ .Data.client_x509_cert_url }}"{{ end }}
+}
+EOH
+        destination = "secrets/service-acct.json"
+        change_mode="restart"
+      }
+
+    template {
+      data = <<EOH
+GOOGLE_APPLICATION_CREDENTIALS=/secrets/service-acct.json
+
+{{ with secret "database/insights-superset-db/creds/admin" }}
+DATABASE_URL="postgresql://{{ .Data.username }}:{{ .Data.password }}@${db_address}:${db_port}/insights_superset"
+{{ end }}
+
+{{ with secret "secret/superset/insights" }}
+SSO_API_BASE_URL="{{ .Data.SSO_API_BASE_URL }}"
+SSO_CLIENT_ID="{{ .Data.SSO_CLIENT_ID }}"
+SSO_CLIENT_SECRET="{{ .Data.SSO_CLIENT_SECRET }}"
+SUPERSET_SECRET_KEY="{{ .Data.SUPERSET_SECRET_KEY }}"
+{{ end }}
+
+{{ with secret "secret/smtp" }}
+SENDGRID_HOST="{{ .Data.host }}"
+SENDGRID_PORT="{{ .Data.port }}"
+SENDGRID_USERNAME="{{ .Data.username }}"
+SENDGRID_PASSWORD="{{ .Data.password }}"{{ end }}
+
+{{ range ls "${app}/superset/env" }}
+{{ .Key|toUpper }}="{{ .Value }}"
+{{ end }}
+      EOH
+      destination = "secrets/env"
+      change_mode = "restart"
+      env         = true
+    }
+
+    vault {
+      policies    = ["${app}"]
+      change_mode = "restart"
+    }
+  }
+}
\ No newline at end of file
diff --git a/.terra/insights/celery_worker/celery_worker.tf b/.terra/insights/celery_worker/celery_worker.tf
new file mode 100644
index 0000000000000..85bdbc6f5e74b
--- /dev/null
+++ b/.terra/insights/celery_worker/celery_worker.tf
@@ -0,0 +1,53 @@
+variable "app" {}
+
+variable "env" {}
+
+variable "aws_region" {}
+
+variable "git_sha" {}
+
+variable "cmd" {
+  default = "celery-worker"
+}
+
+variable "ecr_url" {}
+
+variable "db_address" {}
+
+variable "db_port" {}
+
+# ----------------------------------------
+# AWS
+# ----------------------------------------
+provider "aws" {
+  region = "${var.aws_region}"
+}
+
+# ----------------------------------------
+# Nomad Configuration
+# ----------------------------------------
+locals {
+  container_counts = {
+    qa   = 1
+    stag = 1
+    prod = 3
+  }
+}
+
+data "template_file" "nomad_group" {
+  template = "${file("./celery_worker/celery_worker.nomad.hcl")}"
+
+  vars {
+    aws_region = "${var.aws_region}"
+    ecr_url    = "${var.ecr_url}"
+    git_sha    = "${var.git_sha}"
+    app        = "${var.app}"
+    db_address = "${var.db_address}"
+    db_port    = "${var.db_port}"
+    count = "${local.container_counts[var.env]}"
+  }
+}
+
+output "nomad_group" {
+  value = "${data.template_file.nomad_group.rendered}"
+}
diff --git a/.terra/insights/nomad/superset.nomad.hcl b/.terra/insights/nomad/superset.nomad.hcl
new file mode 100644
index 0000000000000..ccea6475ada0a
--- /dev/null
+++ b/.terra/insights/nomad/superset.nomad.hcl
@@ -0,0 +1,120 @@
+group "${cmd}" {
+  count = "${count}"
+
+    task "superset" {
+      driver = "docker"
+      shutdown_delay = "10s"
+
+      config {
+        image      = "${ecr_url}/zf/insights:${git_sha}"
+        force_pull = true
+
+        port_map = {
+          https = 8088
+        }
+      }
+
+      resources {
+        cpu    = 6144
+        memory = 8000
+
+        network {
+          mbits = 1
+          port  "https"{}
+        }
+      }
+
+      service {
+        name = "${app}-superset"
+        tags = [
+          "superset",
+          "no-scrape",
+          "traefik.http.routers.${app}-superset.middlewares=redirect-to-https@file",
+          "traefik.http.routers.${app}-superset.rule=(Host(`${hostname}.zerofox.com`))",
+          "traefik.http.routers.${app}-superset.service=${app}-superset",
+          "traefik.http.routers.${app}-superset-https.rule=(Host(`${hostname}.zerofox.com`))",
+          "traefik.http.routers.${app}-superset-https.service=${app}-superset",
+          "traefik.http.routers.${app}-superset-https.tls=true",
+          "traefik.http.services.${app}-superset.loadbalancer.server.scheme=https",
+        ]
+        port = "https"
+
+        check {
+          type     = "tcp"
+          port     = "https"
+          interval = "30s"
+          timeout  = "2s"
+        }
+      }
+
+      template {
+        data = <<EOH
+{
+  "type": "service_account",
+  {{ with secret "secret/superset/gcp_insights_sa" }}
+  "project_id": "{{ .Data.project_id }}",
+  "private_key_id": "{{ .Data.private_key_id }}",
+  "private_key": "{{ .Data.private_key }}",
+  "client_email": "{{ .Data.client_email }}",
+  "client_id": "{{ .Data.client_id }}",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://accounts.google.com/o/oauth2/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "{{ .Data.client_x509_cert_url }}"{{ end }}
+}
+EOH
+        destination = "secrets/service-acct.json"
+        change_mode="restart"
+      }
+
+      template {
+          data = <<EOH
+{{ $private_ip := env "NOMAD_IP_https" }}
+{{ $ip_sans := printf "ip_sans=%s" $private_ip }}
+{{ with secret "pki/ica/issue/insights" "common_name=insights.service.consul" "alt_names=insights.service.aws-${aws_region}.consul" $ip_sans "format=pem" }}
+{{ .Data.certificate }}
+{{ .Data.issuing_ca }}
+{{ .Data.private_key }}
+{{ end }}
+EOH
+
+        destination = "$${NOMAD_SECRETS_DIR}/server.bundle.pem"
+        change_mode = "restart"
+    }
+
+      template {
+        data = <<EOH
+GOOGLE_APPLICATION_CREDENTIALS=/secrets/service-acct.json
+
+{{ with secret "database/insights-superset-db/creds/admin" }}
+DATABASE_URL="postgresql://{{ .Data.username }}:{{ .Data.password }}@${db_address}:${db_port}/insights_superset"
+{{ end }}
+
+{{ with secret "secret/superset/insights" }}
+SSO_API_BASE_URL="{{ .Data.SSO_API_BASE_URL }}"
+SSO_CLIENT_ID="{{ .Data.SSO_CLIENT_ID }}"
+SSO_CLIENT_SECRET="{{ .Data.SSO_CLIENT_SECRET }}"
+SUPERSET_SECRET_KEY="{{ .Data.SUPERSET_SECRET_KEY }}"
+{{ end }}
+
+{{ with secret "secret/smtp" }}
+SENDGRID_HOST="{{ .Data.host }}"
+SENDGRID_PORT="{{ .Data.port }}"
+SENDGRID_USERNAME="{{ .Data.username }}"
+SENDGRID_PASSWORD="{{ .Data.password }}"{{ end }}
+
+{{ range ls "${app}/superset/env" }}
+{{ .Key|toUpper }}="{{ .Value }}"
+{{ end }}
+EOH
+        destination = "secrets/env"
+        env = true
+        change_mode = "restart"
+      }
+
+      vault {
+        policies    = ["insights"]
+        change_mode = "restart"
+      }
+    }
+  }
\ No newline at end of file
diff --git a/.terra/insights/nomad/superset.tf b/.terra/insights/nomad/superset.tf
new file mode 100644
index 0000000000000..4abd972feeb78
--- /dev/null
+++ b/.terra/insights/nomad/superset.tf
@@ -0,0 +1,71 @@
+variable "app" {
+  default = "insights"
+}
+
+variable "env" {
+  default = "qa"
+}
+
+variable "aws_region" {
+  default = "us-west-2"
+}
+
+variable "git_sha" {
+  default = "master"
+}
+
+variable "cmd" {
+  default = "superset"
+}
+
+variable "ecr_url" {
+  default = "012321959326.dkr.ecr.us-west-2.amazonaws.com"
+}
+
+variable "db_address" {}
+
+variable "db_port" {}
+
+variable "container_count" {
+  type = "map"
+
+  default = {
+    qa   = 1
+    stag = 1
+    prod = 1
+  }
+}
+
+variable "hostname" {
+  type = "map"
+
+  default = {
+    qa   = "insights-qa"
+    stag = "insights-stag"
+    prod = "insights"
+  }
+}
+
+# ------------------------------------------------------------------------
+# Nomad
+# ------------------------------------------------------------------------
+data "template_file" "nomad_group" {
+  template = "${file("./nomad/superset.nomad.hcl")}"
+
+  vars {
+    app        = "${var.app}"
+    cmd        = "${var.cmd}"
+    count      = "${lookup(var.container_count, var.env)}"
+    git_sha    = "${var.git_sha}"
+    env        = "${var.env}"
+    aws_region = "${var.aws_region}"
+    ecr_url    = "${var.ecr_url}"
+    db_address = "${var.db_address}"
+    db_port    = "${var.db_port}"
+    hostname   = "${lookup(var.hostname, var.env)}"
+  }
+}
+
+output "nomad_group" {
+  value = "${data.template_file.nomad_group.rendered}"
+}
diff --git a/.terra/insights/superset.nomad.hcl b/.terra/insights/superset.nomad.hcl
new file mode 100644
index 0000000000000..60f9781321e9d
--- /dev/null
+++ b/.terra/insights/superset.nomad.hcl
@@ -0,0 +1,23 @@
+# vim: filetype=hcl
+job "insights" {
+  datacenters = ["aws-us-west-2-customer"]
+  type        = "service"
+
+  meta {
+    lang = "python"
+    proj = "insights"
+  }
+
+  update {
+    stagger      = "10s"
+    max_parallel = 1
+  }
+
+  ${superset}
+
+  ${celery_worker_group}
+
+  ${celery_flower_group}
+
+  ${celery_beat_group}
+}
\ No newline at end of file
diff --git a/.terra/insights/superset.tf b/.terra/insights/superset.tf
new file mode 100644
index 0000000000000..324f096805bcf
--- /dev/null
+++ b/.terra/insights/superset.tf
@@ -0,0 +1,228 @@
+terraform {
+  backend "s3" {
+    key    = "insights/terraform.tfstate"
+    region = "us-west-2"
+  }
+
+  required_version = "0.11.15"
+}
+
+variable "app" {
+  default = "insights"
+}
+
+variable "env" {
+  default = "qa"
+}
+
+variable "aws_region" {
+  default = "us-west-2"
+}
+
+variable "git_sha" {
+  default = "master"
+}
+
+data "aws_db_instance" "db" {
+  db_instance_identifier = "insights-superset-${var.env}"
+}
+
+variable "ecr_url" {
+  default = "012321959326.dkr.ecr.us-west-2.amazonaws.com"
+}
+
+variable "consul_token" {
+  default = ""
+}
+
+
+# ----------------------------------------
+# Providers
+# ----------------------------------------
+provider "nomad" {
+  address = "https://nomad-${var.env}.zerofox.com"
+  region  = "global"
+}
+
+provider "consul" {
+  address    = "consul-${var.env}.zerofox.com:443"
+  datacenter = "aws-${var.aws_region}"
+  scheme     = "https"
+}
+
+data "terraform_remote_state" "global" {
+  backend = "s3"
+
+  config = {
+    bucket = "zf-terraform-global"
+    key    = "global/terraform.tfstate"
+    region = "us-west-2"
+  }
+}
+
+# ----------------------------------------
+# Superset + Celery Worker + Beat
+# ----------------------------------------
+resource "aws_elasticache_cluster" "cache" {
+  cluster_id           = "${var.app}-${var.env}-cache"
+  engine               = "redis"
+  engine_version       = "5.0.6"
+  node_type            = "cache.t3.small"
+  num_cache_nodes      = 1
+  parameter_group_name = "default.redis5.0"
+  subnet_group_name    = "west-redis"
+
+  security_group_ids = [
+    "${data.terraform_remote_state.global.corporate_sg_ids[var.aws_region]}",
+  ]
+
+  tags {
+    Application = "${var.app}"
+    Environment = "${var.env}"
+  }
+}
+
+module "celery_worker" {
+  source = "./celery_worker"
+
+  app        = "${var.app}"
+  env        = "${var.env}"
+  git_sha    = "${var.git_sha}"
+  aws_region = "${var.aws_region}"
+  ecr_url    = "${var.ecr_url}"
+  db_address = "${data.aws_db_instance.db.address}"
+  db_port    = "${data.aws_db_instance.db.port}"
+}
+
+module "celery_beat" {
+  source = "./celery_beat"
+
+  app        = "${var.app}"
+  env        = "${var.env}"
+  git_sha    = "${var.git_sha}"
+  aws_region = "${var.aws_region}"
+  ecr_url    = "${var.ecr_url}"
+  db_address = "${data.aws_db_instance.db.address}"
+  db_port    = "${data.aws_db_instance.db.port}"
+}
+
+module "celery_flower" {
+  source = "./celery_flower"
+
+  app        = "${var.app}"
+  env        = "${var.env}"
+  git_sha    = "${var.git_sha}"
+  aws_region = "${var.aws_region}"
+  ecr_url    = "${var.ecr_url}"
+  db_address = "${data.aws_db_instance.db.address}"
+  db_port    = "${data.aws_db_instance.db.port}"
+}
+
+module "superset" {
+  source = "./nomad"
+
+  app        = "${var.app}"
+  env        = "${var.env}"
+  git_sha    = "${var.git_sha}"
+  aws_region = "${var.aws_region}"
+  ecr_url    = "${var.ecr_url}"
+  db_address = "${data.aws_db_instance.db.address}"
+  db_port    = "${data.aws_db_instance.db.port}"
+}
+
+# ------------------------------------------------------------------------
+# Nomad
+# ------------------------------------------------------------------------
+data "template_file" "nomad_job_spec" {
+  template = "${file("superset.nomad.hcl")}"
+
+  vars {
+    celery_worker_group   = "${module.celery_worker.nomad_group}"
+    celery_beat_group     = "${module.celery_beat.nomad_group}"
+    celery_flower_group   = "${module.celery_flower.nomad_group}"
+    superset              = "${module.superset.nomad_group}"
+  }
+}
+
+module "nomad-job" {
+  source = "git::ssh://git@github.com/riskive/devops-terraform-modules.git?ref=master//components/nomad-build-run"
+
+  app               = "${var.app}"
+  ecr_url           = "${var.ecr_url}"
+  git_sha           = "${var.git_sha}"
+  docker_file        = "../../Dockerfile"
+  docker_path       = "../.."
+  rendered_template = "${data.template_file.nomad_job_spec.rendered}"
+}
+
+resource "consul_keys" "superset-keys" {
+  datacenter = "aws-${var.aws_region}"
+  token      = "${var.consul_token}"
+
+  key {
+    path  = "${var.app}/superset/env/redis_host"
+    value = "${aws_elasticache_cluster.cache.cache_nodes.0.address}"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/redis_port"
+    value = "${aws_elasticache_cluster.cache.cache_nodes.0.port}"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/env"
+    value = "${var.env}"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/server_limit_request_field_size"
+    value = "8190"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/server_limit_request_line"
+    value = "4094"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/server_limit_request_fields"
+    value = "20"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/gunicorn_timeout"
+    value = "300"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/server_worker_amount"
+    value = "6"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/superset_certfile"
+    value = "/app/server.crt"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/superset_keyfile"
+    value = "/app/server.key"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/gunicorn_keepalive"
+    value = "65"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/superset_access_method"
+    value = "external"
+  }
+
+  key {
+    path  = "${var.app}/superset/env/bq_dataset"
+    value = "insights-391416"
+  }
+}
+
+
diff --git a/.terra/superset/superset.tf b/.terra/superset/superset.tf
index faf52abea956c..7c44190bd2a02 100644
--- a/.terra/superset/superset.tf
+++ b/.terra/superset/superset.tf
@@ -206,6 +206,12 @@ resource "consul_keys" "superset-keys" {
     path = "${var.app}/superset/env/superset_access_method"
     value = "internal"
   }
+
+
+  key {
+    path  = "${var.app}/superset/env/bq_dataset"
+    value = "csdataanalysis"
+  }
 }
 
 
diff --git a/README.md b/README.md
index 861cb2af70745..7f758244f1972 100644
--- a/README.md
+++ b/README.md
@@ -58,14 +58,31 @@ in case that you need to update this repo:
       appbuilder.add_api(ZFIntegrationRestApi)
    ```
 3. Confirm that the folders address on the docker compose are still valid, to transfer our custom code into the superset project.
+in case that you need to update this repo, you can do in two ways
 
-## Missing Things
+## Deploy
 
-1. Configure docker image  + nomad hcl definition
-2. Create Tables of user access
-3. finish RLS and Table generation
+This repo deploys two instances of superset, each one with a different `.terra` configuration:
 
+### Superset internal (aka Superset Big)
 
+Used for internal ZeroFox employees only. It has more internal data and it is only accesible from the VPN.
+
+Links:
+
+- QA: https://build.zerofox.com/job/superset-qa-deploy/
+- Stag: https://build.zerofox.com/job/superset-stag-deploy/
+- Prod: https://build.zerofox.com/job/superset-prod-deploy/
+
+### Insights (aka Superset external or Superset Small)
+
+Used for external users. It has less data and it is accesible from cloud.zerofox.com through ZF-Dashboard. Only ZeroFox employees can access the UI through the VPN.
+
+Links:
+
+- QA: https://build.zerofox.com/job/insights-qa-deploy/
+- Stag: https://build.zerofox.com/job/insights-stag-deploy/
+- Prod: https://build.zerofox.com/job/insights-prod-deploy/
 
 ## Information
 
diff --git a/bi_superset/bi_cli/bi_cli_security_manager.py b/bi_superset/bi_cli/bi_cli_security_manager.py
index 5003261e5d4bb..cf6676ad3c787 100644
--- a/bi_superset/bi_cli/bi_cli_security_manager.py
+++ b/bi_superset/bi_cli/bi_cli_security_manager.py
@@ -253,6 +253,9 @@ def update_dashboard_default_access(self):
                 .one_or_none()
             )
 
+            if dashboard is None:
+                continue
+
             # Assing role to dashboard
             dashboard.roles += [role]
 
diff --git a/bi_superset/bi_security_manager/adapter/bigquery_sql.py b/bi_superset/bi_security_manager/adapter/bigquery_sql.py
index bbd707d4b4b08..c4f8262d1bf78 100644
--- a/bi_superset/bi_security_manager/adapter/bigquery_sql.py
+++ b/bi_superset/bi_security_manager/adapter/bigquery_sql.py
@@ -5,11 +5,12 @@
 import pandas as pd
 import pandas_gbq as gbq
 import google.auth
+from flask import current_app
 
 # Abstract class
 from bi_superset.bi_security_manager.port.a_sql import ASql
 
-
+BQ_DATASET = current_app.config.get("BQ_DATASET")
 class BigquerySQL(ASql):
     def __init__(self) -> None:
         credentials, _ = google.auth.default(
@@ -29,7 +30,7 @@ def get_df(self, query: str) -> pd.DataFrame:
             raise ValueError("query is required")
 
         try:
-            df = gbq.read_gbq(query, project_id="csdataanalysis")
+            df = gbq.read_gbq(query, project_id=BQ_DATASET)
             return df
         except Exception as e:
             raise ValueError(f"Error getting dataframe from bigquery: {e}")
@@ -46,11 +47,11 @@ def get_schema(self, schema_name: str, table_name: str) -> pd.DataFrame:
                 column_name,
                 data_type
             FROM
-            `csdataanalysis.{schema}.INFORMATION_SCHEMA.COLUMNS`
+            `{dataset}.{schema}.INFORMATION_SCHEMA.COLUMNS`
             WHERE 1 = 1
             AND table_name='{table_name}'
         """.format(
-            schema=schema_name, table_name=table_name
+            dataset=BQ_DATASET, schema=schema_name, table_name=table_name
         )
 
         try:
diff --git a/bi_superset/bi_security_manager/services/dashboard_role_access_service.py b/bi_superset/bi_security_manager/services/dashboard_role_access_service.py
index 9a73a51522b9c..6cd73484a10dc 100644
--- a/bi_superset/bi_security_manager/services/dashboard_role_access_service.py
+++ b/bi_superset/bi_security_manager/services/dashboard_role_access_service.py
@@ -5,6 +5,9 @@
 from bi_superset.bi_security_manager.models.models import (
     DashboardRoleAccessExternal,
 )
+from flask import current_app
+
+BQ_DATASET = current_app.config.get("BQ_DATASET")
 
 
 class DashboardRoleAccessService:
@@ -16,7 +19,7 @@ def get_dashboard_role_access_external(self):
         Get dashboard role access for external users
         """
 
-        query = DASHBOARD_ROLE_ACCESS_EXTERNAL
+        query = DASHBOARD_ROLE_ACCESS_EXTERNAL.format(dataset=BQ_DATASET)
 
         df = self.sql.get_df(query)
 
diff --git a/bi_superset/bi_security_manager/services/data_source_permission_service.py b/bi_superset/bi_security_manager/services/data_source_permission_service.py
index 73f8719de824b..080d32b148616 100644
--- a/bi_superset/bi_security_manager/services/data_source_permission_service.py
+++ b/bi_superset/bi_security_manager/services/data_source_permission_service.py
@@ -4,7 +4,9 @@
 from bi_superset.bi_security_manager.models.models import DataSourceAccess
 from bi_superset.bi_security_manager.sql.queries import DATA_SOURCE_PERMISSIONS_QUERY
 from bi_superset.bi_security_manager.models.access_method import AccessMethod
+from flask import current_app
 
+BQ_DATASET = current_app.config.get("BQ_DATASET")
 
 class DataSourcePermissionService:
     """
@@ -28,7 +30,7 @@ def get_data_sources(
             raise ValueError("access_method is required")
 
         query = DATA_SOURCE_PERMISSIONS_QUERY.format(
-            role_name=role_name, access_method=access_method
+            dataset=BQ_DATASET, role_name=role_name, access_method=access_method
         )
 
         df = self.sql.get_df(query)
diff --git a/bi_superset/bi_security_manager/services/role_gatherer_service.py b/bi_superset/bi_security_manager/services/role_gatherer_service.py
index 8a15a2eb91418..0773e406de4f1 100644
--- a/bi_superset/bi_security_manager/services/role_gatherer_service.py
+++ b/bi_superset/bi_security_manager/services/role_gatherer_service.py
@@ -7,10 +7,12 @@
     SupersetRolePermission,
 )
 from bi_superset.bi_security_manager.sql.queries import (
-    ROLES_PER_JOB_TITLE,
     ROLE_DEFINITIONS_QUERY,
     ROLES_QUERY,
 )
+from flask import current_app
+
+BQ_DATASET = current_app.config.get("BQ_DATASET")
 
 
 class RoleGathererService:
@@ -26,7 +28,7 @@ def get_roles(self, access_method: str) -> List[str]:
         if not any(method.value == access_method for method in AccessMethod):
             raise ValueError("access_method is required")
 
-        query = ROLES_QUERY.format(access_method=access_method)
+        query = ROLES_QUERY.format(dataset=BQ_DATASET, access_method=access_method)
 
         df = self.sql.get_df(query)
 
@@ -64,7 +66,7 @@ def get_role_permission(
             raise ValueError("access_method is required")
 
         query = ROLE_DEFINITIONS_QUERY.format(
-            role_name=role_name, access_method=access_method
+            dataset=BQ_DATASET, role_name=role_name, access_method=access_method
         )
 
         df = self.sql.get_df(query)
diff --git a/bi_superset/bi_security_manager/services/roles_per_job_title_service.py b/bi_superset/bi_security_manager/services/roles_per_job_title_service.py
index 2ffcac8d7ccd3..0ca6e34179086 100644
--- a/bi_superset/bi_security_manager/services/roles_per_job_title_service.py
+++ b/bi_superset/bi_security_manager/services/roles_per_job_title_service.py
@@ -3,8 +3,9 @@
 from bi_superset.bi_security_manager.port.a_sql import ASql
 from bi_superset.bi_security_manager.sql.queries import ROLES_PER_JOB_TITLE
 from bi_superset.bi_security_manager.models.models import RolesPerJobTitle
+from flask import current_app
 
-
+BQ_DATASET = current_app.config.get("BQ_DATASET")
 class RolePerJobTitleService:
     def __init__(self, sql: ASql):
         self.sql: ASql = sql
@@ -19,7 +20,7 @@ def get_role_per_job_title(self):
 
         """
 
-        query = ROLES_PER_JOB_TITLE
+        query = ROLES_PER_JOB_TITLE.format(dataset=BQ_DATASET)
 
         df = self.sql.get_df(query)
 
diff --git a/bi_superset/bi_security_manager/sql/queries.py b/bi_superset/bi_security_manager/sql/queries.py
index 166a2f2cf38dd..ed74785b3dd53 100644
--- a/bi_superset/bi_security_manager/sql/queries.py
+++ b/bi_superset/bi_security_manager/sql/queries.py
@@ -4,7 +4,7 @@
 ROLE_DEFINITIONS_QUERY = """
 SELECT
     human_readable as permission_name,
-FROM csdataanalysis.bi_superset_access.role_definitions_{access_method}
+FROM {dataset}.bi_superset_access.role_definitions_{access_method}
 WHERE {role_name} = true
 """
 
@@ -17,7 +17,7 @@
     table_catalog,
     table_schema,
     table_name
-FROM csdataanalysis.bi_superset_access.datasource_access_{access_method}
+FROM {dataset}.bi_superset_access.datasource_access_{access_method}
 WHERE {role_name} = true
 """
 
@@ -28,7 +28,7 @@
 SELECT
     employee,
     role_name
-FROM csdataanalysis.bi_superset_access.roles_per_job_title
+FROM {dataset}.bi_superset_access.roles_per_job_title
 """
 
 
@@ -38,7 +38,7 @@
 
 ROLES_QUERY = """
 SELECT name
-FROM csdataanalysis.bi_superset_access.roles
+FROM {dataset}.bi_superset_access.roles
 WHERE type = '{access_method}'
 """
 
@@ -50,5 +50,5 @@
 SELECT
     dashboard_id,
     role_name
-FROM csdataanalysis.bi_superset_access.dashboard_role_access_exterrnal
+FROM {dataset}.bi_superset_access.dashboard_role_access_exterrnal
 """
diff --git a/bi_superset/superset_config.py b/bi_superset/superset_config.py
index c4d8b1916939e..3d6524ea37e81 100644
--- a/bi_superset/superset_config.py
+++ b/bi_superset/superset_config.py
@@ -96,6 +96,8 @@ def get_env_variable(var_name: str, default: Optional[str] = None) -> str:
     GUEST_TOKEN_JWT_AUDIENCE: None
     ZF_JWT_PUBLIC_SECRET = get_env_variable("ZF_JWT_PUBLIC_SECRET", None)
 
+BQ_DATASET = os.getenv("BQ_DATASET", None)
+
 FEATURE_FLAGS = {
     "ENABLE_TEMPLATE_PROCESSING": True,
     "ESTIMATE_QUERY_COST": True,
diff --git a/bi_superset/superset_config_local.py b/bi_superset/superset_config_local.py
index 7551486387aa3..e5d4c771b6822 100644
--- a/bi_superset/superset_config_local.py
+++ b/bi_superset/superset_config_local.py
@@ -65,6 +65,7 @@ def get_env_variable(var_name: str, default: Optional[str] = None) -> str:
     True if SUPERSET_ACCESS_METHOD == AccessMethod.EXTERNAL.value else False
 )
 
+BQ_DATASET = os.getenv("BQ_DATASET", None)
 
 FEATURE_FLAGS = {
     "ENABLE_TEMPLATE_PROCESSING": True,