diff --git a/.shared-tools b/.shared-tools
index 23ec7072..e797dd96 160000
--- a/.shared-tools
+++ b/.shared-tools
@@ -1 +1 @@
-Subproject commit 23ec7072579d46feca3893b262c5bef7bd91acd8
+Subproject commit e797dd96c88dcae8273bf2e070f497af67ea6bc0
diff --git a/cert.ci.jenkins.io.tf b/cert.ci.jenkins.io.tf
index f87f0296..94ed56f5 100644
--- a/cert.ci.jenkins.io.tf
+++ b/cert.ci.jenkins.io.tf
@@ -79,95 +79,6 @@ module "cert_ci_jenkins_io_aci_agents" { controller_service_principal_id = module.cert_ci_jenkins_io.controler_service_principal_id } -### ACI Agents -moved { - from = module.cert_ci_jenkins_io.azurerm_role_definition.ephemeral_agents_aci_contributor - to = module.cert_ci_jenkins_io_aci_agents.azurerm_role_definition.ephemeral_agents_aci_contributor -} -moved { - from = module.cert_ci_jenkins_io.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor - to = module.cert_ci_jenkins_io_aci_agents.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor -} - -### Ephemeral Agents -# Resources -moved { - from = module.cert_ci_jenkins_io.azurerm_resource_group.ephemeral_agents - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents -} -moved { - from = module.cert_ci_jenkins_io.azurerm_storage_account.ephemeral_agents - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_storage_account.ephemeral_agents -} - -# AzureAD -moved { - from = module.cert_ci_jenkins_io.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup -} -moved { - from = module.cert_ci_jenkins_io.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents -} - -# NSGs -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_group.ephemeral_agents - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_group.ephemeral_agents -} -moved { - from = module.cert_ci_jenkins_io.azurerm_subnet_network_security_group_association.ephemeral_agents - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_subnet_network_security_group_association.ephemeral_agents -} -moved { - from = 
module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents -} -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet -} -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet -} -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet -} -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller -} -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet -} -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents -} -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet - to = 
module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet -} -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet -} -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet -} -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents - to = module.cert_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents -} -moved { - from = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_ephemeral_agents - to = module.cert_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_agents -} - ## Service DNS records resource "azurerm_dns_a_record" "cert_ci_jenkins_io_controller" { name = "controller" diff --git a/ci.jenkins.io.tf b/ci.jenkins.io.tf index 40b4227a..d35f8d2c 100644 --- a/ci.jenkins.io.tf +++ b/ci.jenkins.io.tf @@ -69,6 +69,7 @@ module "ci_jenkins_io_azurevm_agents" { } resource "azurerm_resource_group" "controller_jenkins_sponsorship" { + provider = azurerm.jenkins-sponsorship name = module.ci_jenkins_io.controller_resourcegroup_name # Same name on both subscriptions location = var.location tags = local.default_tags 
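Review bot: The added `provider = azurerm.jenkins-sponsorship` on `azurerm_resource_group.controller_jenkins_sponsorship` changes which subscription this resource group is managed in, and nothing in the hunk shows whether the group is already in state under the default provider. If it is, the plan should be checked for a destroy/create pair and for any role assignments or locks scoped to the old group, since those would not follow it to the other subscription. A short comment above the argument would make the intent explicit, for example `# Created in the sponsorship subscription; the default provider would target the primary one`. The resource block continues outside the hunk.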
@@ -89,6 +90,7 @@ module "ci_jenkins_io_azurevm_agents_jenkins_sponsorship" { controller_ips = compact([module.ci_jenkins_io.controller_private_ipv4, module.ci_jenkins_io.controller_public_ipv4]) controller_service_principal_id = module.ci_jenkins_io.controler_service_principal_id default_tags = local.default_tags + storage_account_name = "cijenkinsioagentssub" # Max 24 chars jenkins_infra_ips = { privatevpn_subnet = data.azurerm_subnet.private_vnet_data_tier.address_prefixes 
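Review bot: The hard-coded `storage_account_name = "cijenkinsioagentssub"` is documented only with `# Max 24 chars`, but Azure storage account names must also be globally unique and limited to lowercase letters and digits, so a collision or a typo surfaces only at apply time. I would extend the comment to `# 3-24 chars, lowercase alphanumeric, globally unique` and, if the module's variable does not already have one, add a `validation` block there. The module call starts and ends outside the hunk, so the variable's definition is not visible here.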
@@ -103,99 +105,6 @@ module "ci_jenkins_io_aci_agents" { controller_service_principal_id = module.ci_jenkins_io.controler_service_principal_id } -### ACI Agents -moved { - from = module.ci_jenkins_io.azurerm_role_definition.ephemeral_agents_aci_contributor - to = module.ci_jenkins_io_aci_agents.azurerm_role_definition.ephemeral_agents_aci_contributor -} -moved { - from = module.ci_jenkins_io.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor - to = module.ci_jenkins_io_aci_agents.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor -} - -### Ephemeral Agents -# Resources -moved { - from = module.ci_jenkins_io.azurerm_resource_group.ephemeral_agents - to = module.ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents -} -moved { - from = module.ci_jenkins_io.azurerm_storage_account.ephemeral_agents - to = module.ci_jenkins_io_azurevm_agents.azurerm_storage_account.ephemeral_agents -} - -# AzureAD -moved { - from = module.ci_jenkins_io.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup - to = module.ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup -} -moved { - from = module.ci_jenkins_io.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents - to = module.ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents -} - -# NSGs -moved { - from = module.ci_jenkins_io.azurerm_network_security_group.ephemeral_agents - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_group.ephemeral_agents -} -moved { - from = module.ci_jenkins_io.azurerm_subnet_network_security_group_association.ephemeral_agents - to = module.ci_jenkins_io_azurevm_agents.azurerm_subnet_network_security_group_association.ephemeral_agents -} -moved { - from = module.ci_jenkins_io.azurerm_resource_group.ephemeral_agents - to = 
module.ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents -} -moved { - from = module.ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents -} -moved { - from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet -} -moved { - from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet -} -moved { - from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet -} -moved { - from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller -} -moved { - from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet -} -moved { - from = module.ci_jenkins_io.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents -} -moved { - from = 
module.ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet -} -moved { - from = module.ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet -} -moved { - from = module.ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet -} -moved { - from = module.ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents - to = module.ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents -} -moved { - from = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_ephemeral_agents - to = module.ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_agents -} - ## Service DNS records resource "azurerm_dns_cname_record" "ci_jenkins_io" { name = trimsuffix(trimsuffix(module.ci_jenkins_io.service_fqdn, data.azurerm_dns_zone.jenkinsio.name), ".") diff --git a/trusted.ci.jenkins.io.tf b/trusted.ci.jenkins.io.tf index c9e58df9..802d9e8a 100644 --- a/trusted.ci.jenkins.io.tf +++ b/trusted.ci.jenkins.io.tf 
@@ -97,95 +97,6 @@ module "trusted_ci_jenkins_io_aci_agents" { controller_service_principal_id = module.trusted_ci_jenkins_io.controler_service_principal_id } -### ACI Agents -moved { - from = module.trusted_ci_jenkins_io.azurerm_role_definition.ephemeral_agents_aci_contributor - to = module.trusted_ci_jenkins_io_aci_agents.azurerm_role_definition.ephemeral_agents_aci_contributor -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor - to = module.trusted_ci_jenkins_io_aci_agents.azurerm_role_assignment.controller_ephemeral_agents_aci_contributor -} - -### Ephemeral Agents -# Resources -moved { - from = module.trusted_ci_jenkins_io.azurerm_resource_group.ephemeral_agents - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_resource_group.ephemeral_agents -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_storage_account.ephemeral_agents - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_storage_account.ephemeral_agents -} - -# AzureAD -moved { - from = module.trusted_ci_jenkins_io.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_contributor_in_ephemeral_agent_resourcegroup -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_role_assignment.controller_io_manage_net_interfaces_subnet_ephemeral_agents -} - -# NSGs -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_group.ephemeral_agents - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_group.ephemeral_agents -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_subnet_network_security_group_association.ephemeral_agents - to = 
module.trusted_ci_jenkins_io_azurevm_agents.azurerm_subnet_network_security_group_association.ephemeral_agents -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_controller_to_ephemeral_agents -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_tcp_from_ephemeral_agents_subnet_to_internet -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_hkp_udp_from_ephemeral_agents_subnet_to_internet -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_http_from_ephemeral_agents_to_internet -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_jenkins_from_ephemeral_agents_to_controller -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_outbound_ssh_from_ephemeral_agents_to_internet -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents - to = 
module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_inbound_from_vnet_to_ephemeral_agents -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_internet -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.deny_all_outbound_from_ephemeral_agents_to_vnet -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents - to = module.trusted_ci_jenkins_io_azurevm_agents.azurerm_network_security_rule.allow_inbound_ssh_from_privatevpn_to_ephemeral_agents -} -moved { - from = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_ephemeral_agents - to = module.trusted_ci_jenkins_io.azurerm_network_security_rule.allow_outbound_ssh_from_controller_to_agents -} - resource "azurerm_private_dns_a_record" "trusted_ci_controller" { name = "@" zone_name = azurerm_private_dns_zone.trusted.name