diff --git a/terraform/database.tf b/terraform/database.tf
new file mode 100644
index 000000000..4b44f7d1f
--- /dev/null
+++ b/terraform/database.tf
@@ -0,0 +1,66 @@
+# TODO - likely need to define our own subnet group
+data "aws_db_subnet_group" "database" {
+ name = "dsva-vagov-postgres-db-sng"
+}
+
+resource "aws_rds_cluster" "this" {
+ backup_retention_period = "7"
+ cluster_identifier = "dsva-gids-${var.env_name}"
+ copy_tags_to_snapshot = true
+ database_name = "dsva_gids_${var.env_name}"
+ db_subnet_group_name = data.aws_db_subnet_group.database.name
+ deletion_protection = true
+ engine = "aurora-postgresql"
+ engine_mode = "provisioned"
+ engine_version = "14.4"
+ master_password = "must_be_eight_characters" # TODO - use `manage_master_user_password` instead?
+ master_username = "gibct-data-service"
+ port = "5432"
+ preferred_backup_window = var.preferred_backup_window
+ preferred_maintenance_window = var.preferred_maintenance_window
+ skip_final_snapshot = true
+ vpc_security_group_ids = [aws_security_group.this.id]
+
+ serverlessv2_scaling_configuration {
+ max_capacity = 1.0
+ min_capacity = 0.5
+ }
+
+ tags = merge(
+ var.base_tags,
+ {
+ "Name" = "dsva-gids-${var.env_name}-db"
+ "application" = "gi-bill-data-service"
+ },
+ )
+}
+
+resource "aws_rds_cluster_instance" "this" {
+ cluster_identifier = aws_rds_cluster.this.id
+ instance_class = "db.serverless"
+ engine = aws_rds_cluster.this.engine
+ engine_version = aws_rds_cluster.this.engine_version
+ db_subnet_group_name = data.aws_db_subnet_group.database.name
+}
+
+resource "aws_security_group" "this" {
+ name = "dsva-gids-${var.env_name}-db-sg"
+ description = "Allow DB access from EKS cluster"
+ vpc_id = var.vpc_id
+
+ ingress {
+ description = "Access to DB from EKS cluster"
+ from_port = 5432
+ to_port = 5432
+ protocol = "tcp"
+ security_groups = [module.eks_cluster.security_group_id]
+ }
+
+ tags = merge(
+ var.base_tags,
+ {
+ "Name" = "dsva-gids-${var.env_name}-db-sg"
+ "application" = "gi-bill-data-service"
+ },
+ )
+}
\ No newline at end of file
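Review bot: `master_password = "must_be_eight_characters"` commits a plaintext master credential to source control and to Terraform state; the TODO on that line already names the fix, so apply it in this commit: `manage_master_user_password = true` and drop `master_password`, which keeps the secret in Secrets Manager rather than in the repository. `storage_encrypted` is not set, and for `engine_mode = "provisioned"` the aws provider defaults it to false, so this cluster would be created unencrypted at rest; add `storage_encrypted = true` now, because encryption cannot be switched on for an existing cluster without a snapshot-and-restore. `skip_final_snapshot = true` next to `deletion_protection = true` is inconsistent for a cluster parameterised by environment — prod should keep a final snapshot, e.g. `skip_final_snapshot = var.env_name != "prod"` or a variable with a per-environment default. If the role in iam.tf is meant to let pods reach the database with IAM authentication, `iam_database_authentication_enabled = true` is also needed on this cluster.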
diff --git a/terraform/dev.tfvars b/terraform/dev.tfvars
new file mode 100644
index 000000000..a33e50c12
--- /dev/null
+++ b/terraform/dev.tfvars
@@ -0,0 +1,8 @@
+base_tags = {
+
+}
+
+env_name = "dev"
+preferred_backup_window = 
+preferred_maintenance_window = 
+vpc_id = 
\ No newline at end of file
diff --git a/terraform/eks.tf b/terraform/eks.tf
new file mode 100644
index 000000000..a4cea9367
--- /dev/null
+++ b/terraform/eks.tf
@@ -0,0 +1,9 @@
+module "eks_cluster" {
+ source = "git::ssh://git@github.com/department-of-veterans-affairs/vsp-platform-infrastructure.git//terraform/modules/eks-cluster?ref=eks-cluster-v0.1.2"
+
+ vpc_id = module.join_existing_network.vpc.id
+ subnet_ids = module.join_existing_network.subnets.ids
+ kubernetes_version = var.kubernetes_version
+
+ context = module.context.context
+}
diff --git a/terraform/helm.tf b/terraform/helm.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/terraform/iam.tf b/terraform/iam.tf
new file mode 100644
index 000000000..1e4508712
--- /dev/null
+++ b/terraform/iam.tf
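Review bot: `preferred_backup_window =`, `preferred_maintenance_window =` and `vpc_id =` have no value on the right-hand side, which is not valid HCL, so this file fails to parse; the same three lines appear in prod.tfvars and staging.tfvars in this commit. variables.tf in this same commit already gives the two window variables defaults, so those two lines can simply be removed, leaving `vpc_id = "<vpc id placeholder>"` to be filled in per environment. The `base_tags` map is empty here while database.tf merges it into every resource's tags; either populate it with the tag set the environments are meant to share, or drop it from the tfvars and give the variable a default.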
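Review bot: `source` pins the eks-cluster module to the git tag `eks-cluster-v0.1.2`; tags are mutable, so a moved or re-pushed tag changes what `terraform init` fetches without any change in this repository, and pinning `?ref=` to the commit SHA the tag currently points at gives a reproducible, reviewable dependency. `module.join_existing_network`, `module.context` and `var.kubernetes_version` are referenced but not defined anywhere in this diff; if they live in files not touched here that is fine, otherwise `terraform validate` will fail on this block. A one-line comment naming what `context` carries into the module would help readers who do not have the module source open.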
@@ -0,0 +1,57 @@
+locals {
+ eks_oidc_issuer = trimprefix(module.eks_cluster.eks_cluster_identity_oidc_issuer, "https://")
+}
+
+resource "aws_iam_role" "app_role" {
+ name = "${var.eks_cluster_name}-${var.env_name}"
+ assume_role_policy = data.aws_iam_policy_document.AssumeRole.json
+ inline_policy {
+ name = "policy-${var.eks_cluster_name}-${var.env_name}"
+ policy = data.aws_iam_policy_document.inline.json
+ }
+}
+
+# TODO
+data "aws_iam_policy_document" "AssumeRole" {
+ statement {
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+
+ principals {
+ type = "Federated"
+ identifiers = [
+ "arn:aws-us-gov:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.eks_oidc_issuer}"
+ ]
+ }
+
+ # Limit the scope so that only our desired service account can assume this role
+ condition {
+ test = "StringEquals"
+ variable = "${local.eks_oidc_issuer}:sub"
+ values = [
+ "system:serviceaccount:${var.env_name}:vets-api"
+ ]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "${local.eks_oidc_issuer}:aud"
+ values = [
+ "sts.amazonaws.com"
+ ]
+ }
+
+ }
+}
+
+data "aws_iam_policy_document" "inline" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "*"
+ ]
+ resources = [
+ aws_rds_cluster.this.arn,
+ aws_rds_cluster_instance.this.arn,
+ ]
+ }
+}
diff --git a/terraform/kubernetes.tf b/terraform/kubernetes.tf
new file mode 100644
index 000000000..95aa631df
--- /dev/null
+++ b/terraform/kubernetes.tf
@@ -0,0 +1,15 @@
+resource "kubernetes_namespace" "this" {
+ metadata {
+ name = var.env_name
+ }
+}
+
+resource "kubernetes_service_account" "this" {
+ metadata {
+ name = "vets-api"
+ namespace = kubernetes_namespace.this.metadata.0.name
+ annotations = {
+ "eks.amazonaws.com/role-arn" = aws_iam_role.app_role.arn
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
new file mode 100644
index 000000000..e69de29bb
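Review bot: `actions = ["*"]` in the `inline` policy document grants every IAM action on the cluster and instance ARNs — including destructive control-plane calls such as `rds:DeleteDBCluster` and `rds:ModifyDBCluster` — to a workload that, from the trust policy, is a single application service account; replace the wildcard with the specific `rds:` actions the application actually issues. If the intent is IAM database authentication, `rds-db:connect` is authorised against an `rds-db` `dbuser` resource ARN rather than the cluster ARN, and the cluster in database.tf would also need `iam_database_authentication_enabled = true`. `data.aws_caller_identity.current` is used in the trust policy but not declared in this diff, and the `arn:aws-us-gov` partition is hard-coded where `data.aws_partition.current.partition` would keep the ARN correct if the configuration is ever applied outside GovCloud. The bare `# TODO` above the AssumeRole document should say what is still outstanding, since the `sub` and `aud` conditions below it already look complete.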
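Review bot: The service-account name `"vets-api"` is written here and again inside the IAM trust condition in iam.tf (`system:serviceaccount:${var.env_name}:vets-api`), so renaming it in one place silently breaks the IRSA binding in the other without any plan-time error. The trust policy cannot reference `kubernetes_service_account.this.metadata.0.name` directly because the annotation on this resource already depends on `aws_iam_role.app_role.arn`, which would form a cycle; a `locals { app_service_account = "vets-api" }` used by both `name` here and the `sub` condition keeps the two in step. A short comment above this resource stating that the `eks.amazonaws.com/role-arn` annotation is what binds pods using this account to the role would help the next reader.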
diff --git a/terraform/prod.tfvars b/terraform/prod.tfvars
new file mode 100644
index 000000000..972be2d2d
--- /dev/null
+++ b/terraform/prod.tfvars
@@ -0,0 +1,8 @@
+base_tags = {
+
+}
+
+env_name = "prod"
+preferred_backup_window = 
+preferred_maintenance_window = 
+vpc_id = 
\ No newline at end of file
diff --git a/terraform/providers.tf b/terraform/providers.tf
index 4b88a911a..5926b3177 100644
--- a/terraform/providers.tf
+++ b/terraform/providers.tf
@@ -1,3 +1,24 @@
 provider "aws" {
 region = "us-gov-west-1"
+}
+
+provider "kubernetes" {
+
+}
+
+provider "helm" {
+
+}
+
+
+# TODO Why not require the tools vs require as a provider?
+terraform {
+ required_providers {
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.6.0"
+ }
+ }
+
+ required_version = "~> 1.0"
 }
\ No newline at end of file
diff --git a/terraform/staging.tfvars b/terraform/staging.tfvars
new file mode 100644
index 000000000..551b7a773
--- /dev/null
+++ b/terraform/staging.tfvars
@@ -0,0 +1,8 @@
+base_tags = {
+
+}
+
+env_name = "staging"
+preferred_backup_window = 
+preferred_maintenance_window = 
+vpc_id = 
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
index afee37a90..23e7c0fc3 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -1,3 +1,17 @@
 variable "environment" {
- type = string
+ type = string
+}
+
+variable "preferred_backup_window" {
+ type = string
+ default = "00:00-01:00"
+}
+
+variable "preferred_maintenance_window" {
+ type = string
+ default = "tue:10:01-tue:10:31"
+}
+
+variable "vpc_id" {
+ type = string
 }
diff --git a/terraform/versions.tf b/terraform/versions.tf
new file mode 100644
index 000000000..3ab9028e7
--- /dev/null
+++ b/terraform/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.23.0"
+ }
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.23.0"
+ }
+ }
+}
\ No newline at end of file
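Review bot: `provider "kubernetes" {}` and `provider "helm" {}` carry no connection settings, so both fall back to the operator's local kubeconfig, while kubernetes.tf creates resources in the EKS cluster that `module.eks_cluster` provisions in this same commit; on a fresh apply there is no kubeconfig for that cluster yet, so the apply either fails or targets whatever cluster the operator's kubeconfig currently selects. Configure both providers from the cluster endpoint and CA — the module's outputs if it exposes them, otherwise a `data "aws_eks_cluster"` lookup — plus a token from `data "aws_eks_cluster_auth"`, which also removes the dependency on ambient operator state. The `# TODO Why not require the tools vs require as a provider?` comment leaves the question open; resolve it here or reword it as a concrete note on what was decided.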
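Review bot: The new files read `var.env_name`, `var.base_tags`, `var.eks_cluster_name` and `var.kubernetes_version`, and the tfvars in this commit set `env_name`, but this file only declares `environment`, `preferred_backup_window`, `preferred_maintenance_window` and `vpc_id`; unless those four are declared in a file outside this diff the configuration will not validate, and `environment` reads as the old name of `env_name` that should now be renamed or removed. Each variable would benefit from a `description`, and `vpc_id` from a `validation` block such as `condition = can(regex("^vpc-", var.vpc_id))`, which would catch the blank values the tfvars currently leave at plan time.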
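Review bot: `required_providers` is now split across two `terraform` blocks — `kubernetes` and `aws` pinned to exact versions here, `helm` left open-ended as `>= 2.6.0` in providers.tf next to `required_version`; collect all three in this file with one consistent constraint style (exact pins, or `~>` ranges with the resolved versions recorded in `.terraform.lock.hcl`) so a provider upgrade is reviewed in one place. A one-line comment above the block noting that the lock file is the source of truth for resolved versions would also help.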