diff --git a/modules/gce_net_services/cert-manager.tf b/modules/gce_net_services/cert-manager.tf
new file mode 100644
index 00000000..907500d6
--- /dev/null
+++ b/modules/gce_net_services/cert-manager.tf
@@ -0,0 +1,15 @@
+resource "google_compute_firewall" "cert-manager-webhook-allow" {
+ count = "${var.cert_manager_enabled}"
+ name = "cert-manager-webhook-allow"
+ network = "${google_compute_network.main.name}"
+ project = "${var.project}"
+
+ source_ranges = ["172.16.0.0/28"]
+
+ allow {
+ protocol = "tcp"
+ ports = ["6443"]
+ }
+
+ source_tags = "${var.cert_manager_source_tags}"
+}
diff --git a/modules/gce_net_services/variables.tf b/modules/gce_net_services/variables.tf
index 1a93a748..a11ad867 100644
--- a/modules/gce_net_services/variables.tf
+++ b/modules/gce_net_services/variables.tf
@@ -7,3 +7,12 @@ variable "nat_ip_count" {
 variable "services_subnet_cidr_range" {
 default = "10.80.0.0/16"
 }
+
+variable "cert_manager_enabled" {
+ default = 0
+}
+
+variable "cert_manager_source_tags" {
+ type = "list"
+ default = []
+}
diff --git a/modules/gce_project/project.tf b/modules/gce_project/project.tf
index fbc201de..945e2164 100644
--- a/modules/gce_project/project.tf
+++ b/modules/gce_project/project.tf
@@ -19,6 +19,9 @@ resource "google_project_services" "project" {
 "container.googleapis.com",
 "containerregistry.googleapis.com",
 "storage-component.googleapis.com",
+ "monitoring.googleapis.com",
+ "stackdriver.googleapis.com",
+ "logging.googleapis.com",
 ]
 }
 
diff --git a/travis-ci-prod-services-1/modules.tf b/travis-ci-prod-services-1/modules.tf
index 310f754b..981259a6 100644
--- a/travis-ci-prod-services-1/modules.tf
+++ b/travis-ci-prod-services-1/modules.tf
@@ -7,7 +7,9 @@ module "project" {
 
 module "networking" {
 source = "../modules/gce_net_services"
- project = "${module.project.project_id}"
+ project = "${module.project.project_id}"
+ cert_manager_enabled = 1
+ cert_manager_source_tags = "${var.node_pool_tags}"
 }
 
 module "kubernetes_cluster" {
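Review bot: The rule sets no `target_tags`, so it applies to every instance in `google_compute_network.main`, and because GCP ORs `source_ranges` with `source_tags`, it admits tcp/6443 both from 172.16.0.0/28 and from any instance carrying `cert_manager_source_tags` to every VM in the network. 172.16.0.0/28 looks like a GKE private-cluster master range (inferred, not visible here); if so, the node pool is the destination of the API server's webhook call, not its source, and `source_tags = "${var.cert_manager_source_tags}"` should read `target_tags = "${var.cert_manager_source_tags}"` with the source left as the master CIDR alone. The CIDR is also hard-coded, so it can drift from whatever sets the cluster's master range; prefer `source_ranges = ["${var.master_ipv4_cidr_block}"]` fed from the same variable the cluster module uses. A why-comment above the resource would help the next reader: `# Lets the GKE control plane reach the cert-manager webhook (tcp/6443) on the nodes; needed on private clusters.`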
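Review bot: Neither new variable carries a `description`, and `cert_manager_enabled` is a 0/1 number that feeds `count` rather than a boolean, which a caller cannot tell from the name. Add `description = "1 to create the cert-manager webhook firewall rule, 0 to skip it"` to `cert_manager_enabled`, and `description = "GCE instance tags the cert-manager webhook firewall rule matches"` to `cert_manager_source_tags`.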
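Review bot: `cert_manager_source_tags = "${var.node_pool_tags}"` binds the firewall rule to a stack-level variable rather than to the tags the node pool is actually created with; if `module "kubernetes_cluster"` (which starts on the hunk's last line and continues outside it) derives its tags elsewhere, the two can diverge and the rule silently matches no instances. Feed both from one value, either by passing `var.node_pool_tags` into the cluster module as well or by taking the tags from a cluster-module output. This is inferred from the `["services"]` default in the companion variables hunk; the cluster module's inputs are not visible here.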
diff --git a/travis-ci-prod-services-1/variables.tf b/travis-ci-prod-services-1/variables.tf
index 98a012b7..0ce2e66f 100644
--- a/travis-ci-prod-services-1/variables.tf
+++ b/travis-ci-prod-services-1/variables.tf
@@ -9,3 +9,8 @@ variable "project_id" {
 variable "region" {
 default = "us-central1"
 }
+
+variable "node_pool_tags" {
+ type = "list"
+ default = ["services"]
+}
diff --git a/travis-ci-staging-services-1/modules.tf b/travis-ci-staging-services-1/modules.tf
index 310f754b..981259a6 100644
--- a/travis-ci-staging-services-1/modules.tf
+++ b/travis-ci-staging-services-1/modules.tf
@@ -7,7 +7,9 @@ module "project" {
 
 module "networking" {
 source = "../modules/gce_net_services"
- project = "${module.project.project_id}"
+ project = "${module.project.project_id}"
+ cert_manager_enabled = 1
+ cert_manager_source_tags = "${var.node_pool_tags}"
 }
 
 module "kubernetes_cluster" {
diff --git a/travis-ci-staging-services-1/variables.tf b/travis-ci-staging-services-1/variables.tf
index 61a23b62..8d77fac0 100644
--- a/travis-ci-staging-services-1/variables.tf
+++ b/travis-ci-staging-services-1/variables.tf
@@ -9,3 +9,8 @@ variable "project_id" {
 variable "region" {
 default = "us-central1"
 }
+
+variable "node_pool_tags" {
+ type = "list"
+ default = ["services"]
+}
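Review bot: `node_pool_tags` has no `description`, and its default `["services"]` is the only hint that it must match the tags applied to the GKE node pool for the firewall rule in the networking module to select anything. Add `description = "GCE instance tags on the GKE node pool; must match the tags the cluster module applies, since the cert-manager firewall rule keys on them"` so the coupling is stated where the value is set. The same applies to the identical staging hunk below.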