diff --git a/hashiqube/basetools.sh b/hashiqube/basetools.sh
index 049ff48..5ebdbc4 100644
--- a/hashiqube/basetools.sh
+++ b/hashiqube/basetools.sh
@@ -83,8 +83,8 @@ else
 printf '\e[33;1;93m'" * Access Consul Web UI: \e[38;5;198m Open http://localhost:8500\n"
 printf '\e[33;1;93m'" * Get Consul Info: \e[38;5;198m consul info\n"
 printf '\e[33;1;93m'" * Get Consul Members: \e[38;5;198m consul members -wan\n"
- printf '\e[33;1;93m'" * Start Terraform: \e[38;5;198m bash localstack/localstack.sh\n"
- printf '\e[33;1;93m'" * Terraform Plan/Apply: \e[38;5;198m bash localstack/localstack.sh; cd localstack; terraform plan; terraform apply;\n"
+ printf '\e[33;1;93m'" * Start Terraform: \e[38;5;198m bash /vagrant/localstack/localstack.sh\n"
+ printf '\e[33;1;93m'" * Terraform Plan/Apply: \e[38;5;198m bash /vagrant/localstack/localstack.sh; cd /vagrant/localstack; terraform plan; terraform apply;\n"
 printf "\n"
 fi
 EOF
diff --git a/localstack/locals.tf b/localstack/locals.tf
new file mode 100644
index 0000000..cf47492
--- /dev/null
+++ b/localstack/locals.tf
@@ -0,0 +1,27 @@
+locals {
+ ec2_instance_with_index = zipmap(
+ range(length(var.ec2_instance)),
+ var.ec2_instance
+ )
+ ec2_instance_disk_allocations_basic = [
+ for instance in var.ec2_instance : [
+ for disk in instance.ebs_disks : {
+ az = instance.az
+ ami_id = instance.ami_id
+ subnet_id = instance.subnet_id
+ disksize = disk.disksize
+ disktype = disk.disktype
+ }
+ ]
+ ]
+ ec2_instance_disk_allocations_flattened = flatten(local.ec2_instance_disk_allocations_basic)
+ ec2_instance_disk_allocations_indexed = zipmap(
+ range(length(local.ec2_instance_disk_allocations_flattened)),
+ local.ec2_instance_disk_allocations_flattened
+ )
+
+ tunnels_with_index = zipmap(
+ range(length(var.tunnels)),
+ var.tunnels
+ )
+}
\ No newline at end of file
diff --git a/localstack/main.tf b/localstack/main.tf
index 43bedf0..9a61185 100644
--- a/localstack/main.tf
+++ b/localstack/main.tf
@@ -5,35 +5,6 @@
 * https://github.com/localstack/localstack-pro-samples/tree/master/terraform-resources
 * https://blog.wimwauters.com/devops/2022-03-01_terraformusecases/
 */
-
-locals {
- ec2_instance_with_index = zipmap(
- range(length(var.ec2_instance)),
- var.ec2_instance
- )
- ec2_instance_disk_allocations_basic = [
- for instance in var.ec2_instance : [
- for disk in instance.ebs_disks : {
- az = instance.az
- ami_id = instance.ami_id
- subnet_id = instance.subnet_id
- disksize = disk.disksize
- disktype = disk.disktype
- }
- ]
- ]
- ec2_instance_disk_allocations_flattened = flatten(local.ec2_instance_disk_allocations_basic)
- ec2_instance_disk_allocations_indexed = zipmap(
- range(length(local.ec2_instance_disk_allocations_flattened)),
- local.ec2_instance_disk_allocations_flattened
- )
-
- tunnels_with_index = zipmap(
- range(length(var.tunnels)),
- var.tunnels
- )
-}
-
 resource "null_resource" "ec2_instance_disk_allocations_indexed" {
 for_each = local.ec2_instance_disk_allocations_indexed
 triggers = {
@@ -116,3 +87,10 @@ resource "aws_security_group" "default-sec-group" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 }
+
+# modules - see modules folder for integrations
+
+module "hashicorp-vault" {
+ count = var.vault_enabled ? 1 : 0
+ source = "./modules/hashicorp/vault"
+}
\ No newline at end of file
diff --git a/localstack/modules.tf b/localstack/modules.tf
new file mode 100644
index 0000000..e69de29
diff --git a/localstack/modules/hashicorp/vault/main.tf b/localstack/modules/hashicorp/vault/main.tf
new file mode 100644
index 0000000..b96524a
--- /dev/null
+++ b/localstack/modules/hashicorp/vault/main.tf
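Review bot: The new `module "hashicorp-vault"` block is placed at the bottom of main.tf under the comment "modules - see modules folder for integrations", while the same commit adds `localstack/modules.tf` as an empty file; either move the module block into modules.tf or drop the empty file, so a reader is not sent to a file that holds nothing. The module's own `variables.tf` is also empty and its main.tf declares no `required_providers`, so it presumably relies on the root `vault` provider configuration being passed implicitly; a `terraform { required_providers { vault = { source = "hashicorp/vault" } } }` block inside the module would make that dependency explicit and keep the module usable on its own. Because the module is gated by `count`, any future outputs of it must be addressed as `module.hashicorp-vault[0]`, which is worth a one-line comment next to `count`. The file also ends without a trailing newline.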
@@ -0,0 +1,29 @@
+# https://registry.terraform.io/providers/hashicorp/vault/latest/docs
+
+# https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/kv_secret_v2
+resource "vault_mount" "kvv2" {
+ path = "kvv2"
+ type = "kv"
+ options = { version = "2" }
+ description = "KV Version 2 secret engine mount"
+}
+
+resource "vault_kv_secret_v2" "example" {
+ mount = vault_mount.kvv2.path
+ name = "secret"
+ cas = 1
+ delete_all_versions = true
+ data_json = jsonencode(
+ {
+ zip = "zap",
+ foo = "bar"
+ }
+ )
+ custom_metadata {
+ max_versions = 5
+ data = {
+ foo = "vault@example.com",
+ bar = "12345"
+ }
+ }
+}
\ No newline at end of file
diff --git a/localstack/modules/hashicorp/vault/variables.tf b/localstack/modules/hashicorp/vault/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/localstack/provider.tf b/localstack/provider.tf
index ad57ec6..b00c6d9 100644
--- a/localstack/provider.tf
+++ b/localstack/provider.tf
@@ -1,3 +1,24 @@
+terraform {
+ # The configuration for this backend will be filled in by Terragrunt or via a backend.hcl file. See
+ # https://www.terraform.io/docs/backends/config.html#partial-configuration
+ # backend "s3" {}
+
+ # Only allow this Terraform version. Note that if you upgrade to a newer version, Terraform won't allow you to use an
+ # older version, so when you upgrade, you should upgrade everyone on your team and your CI servers all at once.
+ required_version = "~> 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ vault = {
+ source = "hashicorp/vault"
+ version = "~> 4.0"
+ }
+ }
+}
+
 provider "aws" {
 access_key = "mock_access_key"
 secret_key = "mock_secret_key"
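Review bot: `vault_kv_secret_v2.example` hard-codes its secret payload in `data_json` and `custom_metadata`, and everything written there is persisted in plaintext in the Terraform state, which for this root module is a local state file since the `backend "s3"` block in provider.tf is commented out; the resource needs a comment saying so, e.g. `# Example values copied from the provider docs; secret data in data_json lands in Terraform state in clear text - never put real secrets here.` `delete_all_versions = true` also means a `terraform destroy` (or removing the resource) wipes every version of `kvv2/secret`, not just the one this run created, which deserves its own one-line comment since the attribute name does not make the blast radius obvious. The values (`zip = "zap"`, `foo = "vault@example.com"`) appear to be the registry example verbatim, so renaming the resource from `example` or moving the payload into a module variable would make it clearer this is a demo seed. The file ends without a trailing newline.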
@@ -100,19 +121,14 @@ provider "aws" { } } -terraform { - # The configuration for this backend will be filled in by Terragrunt or via a backend.hcl file. See - # https://www.terraform.io/docs/backends/config.html#partial-configuration - # backend "s3" {} - - # Only allow this Terraform version. Note that if you upgrade to a newer version, Terraform won't allow you to use an - # older version, so when you upgrade, you should upgrade everyone on your team and your CI servers all at once. - required_version = "~> 1.0" - - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 5.0" - } - } -} \ No newline at end of file +provider "vault" { + address = "http://127.0.0.1:8200" + # # https://registry.terraform.io/providers/hashicorp/vault/latest/docs#example-auth_login-usage + # auth_login { + # path = "auth/aws/login" + # method = "aws" + # parameters = { + # role = "dev-role-iam" + # } + # } +} diff --git a/localstack/variables.tf b/localstack/variables.tf index 935c6a4..33d70da 100644 --- a/localstack/variables.tf +++ b/localstack/variables.tf @@ -122,3 +122,8 @@ variable "tunnels" { } ] } + +variable "vault_enabled" { + type = bool + default = false +}
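Review bot: The new `provider "vault"` block configures only `address = "http://127.0.0.1:8200"` and no authentication, so the provider will have to pick up a token from its environment (VAULT_TOKEN or a token helper), and nothing in the commit or the basetools.sh help text says so; add a comment such as `# No token is configured here: export VAULT_TOKEN (or use a vault token helper) before running plan/apply.` Hard-coding `address` also prevents the usual VAULT_ADDR override and bakes in plain HTTP; a `variable "vault_address" { type = string, default = "http://127.0.0.1:8200" }` referenced as `address = var.vault_address` keeps the default while letting a TLS endpoint be supplied. The commented-out `auth_login` block is dead configuration copied from the docs; either delete it or shorten it to the single doc-link comment. The two leading context lines (`}` `}`) close the `provider "aws"` block, which starts outside this hunk.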
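Review bot: `variable "vault_enabled"` has no `description`, and since it toggles a `count` on the `hashicorp-vault` module that depends on a reachable Vault server, the flag's prerequisite should be stated where `terraform plan` shows it: `description = "Create the hashicorp-vault module resources; requires a running Vault reachable at the address configured in provider.tf."`. The default of `false` is the right choice for a module whose provider needs external credentials, so only the documentation is missing.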