diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ab23309
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# Sombra module for self hosted Transcend.io
+
+This module is a work in progress
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..18a1b18
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,282 @@
+#################
+# Load Balancer #
+#################
+
+module load_balancer {
+  source  = "terraform-aws-modules/alb/aws"
+  version = "~> 4.0"
+
+  # General Settings
+  load_balancer_name         = "${var.deploy_env}-sombra-${var.project_id}-alb"
+  enable_deletion_protection = false
+
+  # Log settings
+  log_bucket_name     = var.log_bucket_name
+  log_location_prefix = "${var.deploy_env}-alb-sombra-${var.project_id}"
+
+  # VPC Settings
+  subnets         = var.public_subnet_ids
+  vpc_id          = var.vpc_id
+  security_groups = [aws_security_group.alb.id]
+
+  # Listeners
+  https_listeners = [
+    # Internal Listener
+    {
+      certificate_arn    = var.certificate_arn
+      port               = var.internal_port
+      ssl_policy         = "ELBSecurityPolicy-2016-08"
+      target_group_index = 0
+    },
+    # External Listener
+    {
+      certificate_arn    = var.certificate_arn
+      port               = var.external_port
+      ssl_policy         = "ELBSecurityPolicy-FS-2018-06"
+      target_group_index = 1
+    },
+  ]
+  https_listeners_count = 2
+
+  # Target groups
+  target_groups = [
+    # Internal group
+    {
+      name              = "${var.deploy_env}-${var.project_id}-internal"
+      health_check_path = "/health"
+      backend_protocol  = "HTTPS"
+      target_type       = "ip"
+      backend_port      = var.internal_port
+      health_check_port = var.internal_port
+    },
+    # External group
+    {
+      name              = "${var.deploy_env}-${var.project_id}-external"
+      health_check_path = "/health"
+      backend_protocol  = "HTTPS"
+      target_type       = "ip"
+      backend_port      = var.external_port
+      health_check_port = var.external_port
+    },
+  ]
+  target_groups_count = 2
+}
+
+resource "aws_security_group" "alb" {
+  name        = "${var.deploy_env}-${var.project_id}-sombra-alb-security-group"
+  description = "Security group for sombra alb"
+  vpc_id      = var.vpc_id
+
+  # Allow external port
+  ingress {
+    protocol    = "tcp"
+    from_port   = var.external_port
+    to_port     = var.external_port
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # Allow internal port from the calling companies IP range
+  ingress {
+    protocol    = "tcp"
+    from_port   = var.internal_port
+    to_port     = var.internal_port
+    cidr_blocks = [var.incoming_cidr_range]
+  }
+
+  egress {
+    protocol    = "tcp"
+    from_port   = var.internal_port
+    to_port     = var.internal_port
+    cidr_blocks = var.private_subnets_cidr_blocks
+  }
+
+  egress {
+    protocol    = "tcp"
+    from_port   = var.external_port
+    to_port     = var.external_port
+    cidr_blocks = var.private_subnets_cidr_blocks
+  }
+
+  timeouts {
+    create = "45m"
+    delete = "45m"
+  }
+}
+
+############
+# ECS Task #
+############
+
+module container_definition {
+  source = "./modules/fargate_container_definition"
+
+  name           = "${var.deploy_env}-${var.project_id}-container"
+  image          = var.ecr_image
+  containerPorts = [var.internal_port, var.external_port]
+  ssm_prefix     = var.project_id
+
+  use_cloudwatch_logs = var.use_cloudwatch_logs
+  log_configuration   = var.log_configuration
+  log_secrets         = var.log_secrets
+
+  environment = {
+    # General Settings
+    EXTERNAL_PORT_HTTPS = var.external_port
+    INTERNAL_PORT_HTTPS = var.internal_port
+    USE_TLS_AUTH        = false
+
+    # JWT
+    JWT_AUTHENTICATION_PUBLIC_KEY = var.jwt_authentication_public_key
+
+    # AWS KMS
+    AWS_KMS_KEY_ARN = var.use_local_kms ? "" : aws_kms_key.key.0.arn
+    KMS_PROVIDER    = var.use_local_kms ? "local" : "AWS"
+    AWS_REGION      = var.aws_region
+
+    # Override internal key
+    INTERNAL_KEY_HASH = var.internal_key_hash
+
+    # Cycle
+    HMAC_NONCE_KEY_CYCLE      = var.hmac_nonce_key_cycle
+    KEY_ENCRYPTION_BASE_CYCLE = var.key_encryption_base_cycle
+
+    NODE_ENV                    = "production"
+    TRANSCEND_URL               = var.transcend_backend_url
+    TRANSCEND_CN                = var.transcend_certificate_common_name
+    LOG_LEVEL                   = var.log_level
+    ENCRYPTED_SAAS_HTTP_METHODS = join(",", var.encrypted_saas_http_methods)
+
+    # Global Settings
+    ORGANIZATION_URI                    = var.subdomain
+    DATA_SUBJECT_AUTHENTICATION_METHODS = join(",", var.data_subject_auth_methods)
+    EMPLOYEE_AUTHENTICATION_METHODS     = join(",", var.employee_auth_methods)
+
+    # Employee Single Sign On
+    SAML_ENTRYPOINT             = var.saml_config.entrypoint
+    SAML_ISSUER                 = var.saml_config.issuer
+    SAML_CERT                   = var.saml_config.cert
+    SAML_AUDIENCE               = var.saml_config.audience
+    SAML_ACCEPT_CLOCK_SKEWED_MS = var.saml_config.accepted_clock_skew_ms
+
+    # Data Subject OAuth
+    OAUTH_SCOPES                      = join(",", var.oauth_config.scopes)
+    OAUTH_CLIENT_ID                   = var.oauth_config.client_id
+    OAUTH_GET_TOKEN_URL               = var.oauth_config.get_token_url
+    OAUTH_GET_CORE_ID_URL             = var.oauth_config.get_core_id_url
+    OAUTH_GET_CORE_ID_PATH            = var.oauth_config.get_core_id_path
+    OAUTH_GET_PROFILE_URL             = var.oauth_config.get_profile_url
+    OAUTH_GET_TOKEN_BODY_REDIRECT_URI = var.oauth_config.get_token_body_redirect_uri
+    OAUTH_GET_PROFILE_PATH            = var.oauth_config.get_profile_path
+    OAUTH_GET_EMAIL_PATH              = var.oauth_config.get_email_path
+    OAUTH_PROFILE_PICTURE_PATH        = var.oauth_config.profile_picture_path
+    OAUTH_EMAIL_IS_VERIFIED_PATH      = var.oauth_config.email_is_verified_path
+    OAUTH_EMAIL_IS_VERIFIED           = var.oauth_config.email_is_verified
+  }
+
+  secret_environment = {
+    for key, val in {
+      OAUTH_CLIENT_SECRET       = var.oauth_config.secret_id
+      JWT_ECDSA_KEY             = var.jwt_ecdsa_key
+      SOMBRA_TLS_KEY            = var.tls_config.key
+      SOMBRA_TLS_KEY_PASSPHRASE = var.tls_config.passphrase
+      SOMBRA_TLS_CERT           = var.tls_config.cert
+    } :
+    key => val
+    if length(val) > 0
+  }
+
+  deploy_env = var.deploy_env
+  aws_region = var.aws_region
+  tags       = var.tags
+}
+
+###############
+# ECS Service #
+###############
+
+module service {
+  source = "./modules/fargate_service"
+
+  name                   = "${var.deploy_env}-${var.project_id}-sombra-service"
+  desired_count          = var.desired_count
+  cpu                    = var.cpu
+  memory                 = var.memory
+  cluster_id             = var.cluster_id
+  vpc_id                 = var.vpc_id
+  subnet_ids             = var.private_subnet_ids
+  alb_security_group_ids = [aws_security_group.alb.id]
+  container_definitions = format(
+    "[%s]",
+    join(",", setunion(
+      [module.container_definition.json_map],
+      var.extra_container_definitions
+    ))
+  )
+
+  additional_task_policy_arns = concat([
+    module.container_definition.secrets_policy_arn,
+    aws_iam_policy.kms_policy.arn,
+  ], var.extra_task_policy_arns)
+  additional_task_policy_arns_count = 2 + length(var.extra_task_policy_arns)
+
+  load_balancers = [
+    # Internal target group manager
+    {
+      target_group_arn = module.load_balancer.target_group_arns[0]
+      container_name   = module.container_definition.container_name
+      container_port   = var.internal_port
+    },
+    # External target group manager
+    {
+      target_group_arn = module.load_balancer.target_group_arns[1]
+      container_name   = module.container_definition.container_name
+      container_port   = var.external_port
+    }
+  ]
+
+  deploy_env = var.deploy_env
+  aws_region = var.aws_region
+  tags       = var.tags
+}
+
+##############
+# KMS Policy #
+##############
+
+resource "aws_kms_key" "key" {
+  count       = var.use_local_kms ? 0 : 1
+  description = "Encryption key for ${var.deploy_env} ${var.project_id} Sombra"
+  tags        = var.tags
+}
+
+data "aws_iam_policy_document" "kms_policy_doc" {
+  statement {
+    sid    = "AllowReadingKms"
+    effect = "Allow"
+    # TODO: Make the actions tighter.
+    actions   = ["kms:*"]
+    resources = var.use_local_kms ? ["*"] : [aws_kms_key.key.0.arn]
+  }
+}
+
+resource "aws_iam_policy" "kms_policy" {
+  name        = "${var.deploy_env}-${var.project_id}-sombra-kms-policy"
+  description = "Allows Sombra instances to get the KMS key"
+  policy      = data.aws_iam_policy_document.kms_policy_doc.json
+}
+
+#######
+# DNS #
+#######
+
+resource "aws_route53_record" "alb_alias" {
+  zone_id = var.zone_id
+  name    = "${var.subdomain}.${var.root_domain}"
+  type    = "A"
+
+  alias {
+    name                   = module.load_balancer.dns_name
+    zone_id                = module.load_balancer.load_balancer_zone_id
+    evaluate_target_health = false
+  }
+}
diff --git a/modules/fargate_container_definition/main.tf b/modules/fargate_container_definition/main.tf
new file mode 100644
index 0000000..ff855dd
--- /dev/null
+++ b/modules/fargate_container_definition/main.tf
@@ -0,0 +1,110 @@
+resource "aws_ssm_parameter" "params" {
+  for_each = var.secret_environment
+
+  description = "Param for the ${each.key} env var in the container: ${var.name}"
+
+  name  = "${var.deploy_env}-${var.ssm_prefix}-${each.key}"
+  value = each.value
+
+  type = "SecureString"
+  tier = length(each.value) > 4096 ? "Advanced" : "Standard"
+
+  tags = var.tags
+}
+
+resource "aws_ssm_parameter" "secret_log_options" {
+  for_each = var.log_secrets
+
+  description = "Log option named ${each.key} in the container: ${var.name}"
+
+  name  = "${var.deploy_env}-logOptions-${var.ssm_prefix}-${each.key}"
+  value = each.value
+
+  type = "SecureString"
+  tier = length(each.value) > 4096 ? "Advanced" : "Standard"
+
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "secret_access_policy_doc" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "ssm:GetParameters",
+      "secretsmanager:GetSecretValue",
+    ]
+    resources = [
+      for name, outputs in merge(
+        aws_ssm_parameter.params,
+        aws_ssm_parameter.secret_log_options,
+      ) :
+      outputs.arn
+    ]
+  }
+}
+
+resource "aws_iam_policy" "secret_access_policy" {
+  name_prefix = "${var.deploy_env}-${var.name}-secret-access-policy"
+  description = "Gives access to read ssm env vars"
+  policy      = data.aws_iam_policy_document.secret_access_policy_doc.json
+}
+
+module "definition" {
+  source  = "cloudposse/ecs-container-definition/aws"
+  version = "v0.21.0"
+
+  container_name  = var.name
+  container_image = var.image
+
+  container_cpu    = var.cpu
+  container_memory = var.memory
+
+  port_mappings = [
+    for port in var.containerPorts :
+    {
+      containerPort = port
+      hostPort      = port
+      protocol      = "tcp"
+    }
+  ]
+
+  log_configuration = var.use_cloudwatch_logs ? {
+    logDriver = "awslogs"
+    options = {
+      "awslogs-region"        = var.aws_region
+      "awslogs-group"         = aws_cloudwatch_log_group.log_group[0].name
+      "awslogs-stream-prefix" = "ecs--${var.name}"
+    }
+    secretOptions = []
+    } : merge(var.log_configuration, {
+      secretOptions = [
+        for name, outputs in aws_ssm_parameter.secret_log_options :
+        {
+          name      = name
+          valueFrom = outputs.arn
+        }
+      ]
+  })
+
+  environment = [
+    for name, value in var.environment :
+    {
+      name  = name
+      value = value
+    }
+  ]
+
+  secrets = [
+    for name, outputs in aws_ssm_parameter.params :
+    {
+      name      = name
+      valueFrom = outputs.arn
+    }
+  ]
+}
+
+resource "aws_cloudwatch_log_group" "log_group" {
+  count = var.use_cloudwatch_logs ? 1 : 0
+  name  = "${var.name}-log-group"
+  tags  = var.tags
+}
diff --git a/modules/fargate_container_definition/outputs.tf b/modules/fargate_container_definition/outputs.tf
new file mode 100644
index 0000000..db64646
--- /dev/null
+++ b/modules/fargate_container_definition/outputs.tf
@@ -0,0 +1,19 @@
+output json {
+  value = module.definition.json
+}
+
+output json_map {
+  value = module.definition.json_map
+}
+
+output secrets_policy_arn {
+  value = aws_iam_policy.secret_access_policy.arn
+}
+
+output container_name {
+  value = var.name
+}
+
+output container_ports {
+  value = var.containerPorts
+}
diff --git a/modules/fargate_container_definition/variables.tf b/modules/fargate_container_definition/variables.tf
new file mode 100644
index 0000000..42d958a
--- /dev/null
+++ b/modules/fargate_container_definition/variables.tf
@@ -0,0 +1,130 @@
+variable name {
+  type        = string
+  description = <<EOF
+  The name of a container. Up to 255 letters (uppercase and lowercase), numbers, hyphens,
+  and underscores are allowed. If you are linking multiple containers together in a task
+  definition, the name of one container can be entered in the links of another container
+  to connect the containers.
+  EOF
+}
+
+variable image {
+  type        = string
+  description = <<EOF
+  The image used to start a container. This string is passed directly to the Docker daemon.
+  Images in the Docker Hub registry are available by default. You can also specify other
+  repositories with either repository-url/image:tag or repository-url/image@digest. Up to 255
+  letters (uppercase and lowercase), numbers, hyphens, underscores, colons, periods, forward
+  slashes, and number signs are allowed.
+  EOF
+}
+
+variable cpu {
+  type        = number
+  default     = 512
+  description = <<EOF
+  The number of cpu units the Amazon ECS container agent will reserve for the container.
+  EOF
+}
+
+variable memory {
+  type        = number
+  default     = 1024
+  description = <<EOF
+  The amount (in MiB) of memory to present to the container. If your container attempts to
+  exceed the memory specified here, the container is killed. The total amount of memory reserved
+  for all containers within a task must be lower than the task memory value, if one is specified.
+  EOF
+}
+
+variable containerPorts {
+  type        = list(number)
+  default     = []
+  description = <<EOF
+  Port mappings allow containers to access ports on the host container instance to send or receive traffic.
+  Each port number given will be mapped from the container to the host over the tcp protocol.
+  EOF
+}
+
+variable environment {
+  type        = map(string)
+  default     = {}
+  description = <<EOF
+  The non-secret environment variables to pass to a container.
+
+  Usage would be something like:
+  environment = {
+    SOME_ENV_VAR = "123"
+    SOME_OTHER_ENV_VAR = "nice"
+  }
+  EOF
+}
+
+variable secret_environment {
+  type        = map(string)
+  default     = {}
+  description = <<EOF
+  The secret environment variables to pass to a container.
+
+  Usage would be something like:
+  environment = {
+    SOME_ENV_VAR = "123"
+    SOME_OTHER_ENV_VAR = "nice"
+  }
+
+  These will be made into SSM SecureString parameters, which
+  will be dynamically fetched and set as env vars on boot.
+  EOF
+}
+
+variable tags {
+  type        = map(string)
+  description = "Tags to apply to all resources that support them"
+}
+
+variable ssm_prefix {
+  type        = string
+  description = "Prefix to put in front of all ssm parameter keys"
+  default     = "ssm"
+}
+
+variable deploy_env {
+  type        = string
+  description = "The environment resources are to be created in. Usually dev, staging, or prod"
+}
+
+variable aws_region {
+  type        = string
+  description = "The AWS region to create resources in."
+  default     = "eu-west-1"
+}
+
+variable use_cloudwatch_logs {
+  type        = bool
+  description = "If true, a cloudwatch group will be created and written to."
+  default     = true
+}
+
+# https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html
+variable log_configuration {
+  type = object({
+    logDriver = string
+    options   = map(string)
+  })
+  description = <<EOF
+  Log configuration options to send to a custom log driver for the container.
+  For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html
+
+  This parameter is ignored if use_cloudwatch_logs is true, and a log group will be automatically
+  written to.
+
+  Use log_secrets to set extra options here that should be secret, such as API keys for third party loggers.
+  EOF
+  default     = null
+}
+
+variable log_secrets {
+  type        = map(string)
+  default     = {}
+  description = "Used to add extra options to log_configuration.options that should be secret, such as third party API keys"
+}
diff --git a/modules/fargate_service/execution_role.tf b/modules/fargate_service/execution_role.tf
new file mode 100644
index 0000000..f1347c3
--- /dev/null
+++ b/modules/fargate_service/execution_role.tf
@@ -0,0 +1,39 @@
+data "aws_iam_policy_document" "ecs_cloudwatch_doc" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "execution_role" {
+  name_prefix        = "${var.deploy_env}-ecs-execution-role"
+  assume_role_policy = data.aws_iam_policy_document.ecs_cloudwatch_doc.json
+}
+
+/**
+ * This resource code seems pretty gross, but 'tis the way it has to be.
+ *
+ * If you were to use a for_each loop, the code would work cleanly like:
+ * for_each = setunion(var.additional_task_policy_arns, ["arn:..."])
+ *
+ * The issue with that is that terraform doesn't then know how many resources
+ * to create until the variable additional_task_policy_arns is fully realized,
+ * which may be a computed value from the calling module. In that case, you
+ * would have to use `-target other_targets.that.determine.the.var` before
+ * you could create this resource, which is buggy and messes up CI.
+ *
+ * By forcing the calling module to pass an explicit count, we can always know how
+ * many resources will be created at plan time.
+ */
+resource "aws_iam_role_policy_attachment" "ecs_role_policy" {
+  count = var.additional_task_policy_arns_count + 1
+  role  = aws_iam_role.execution_role.name
+  policy_arn = concat(
+    var.additional_task_policy_arns,
+    ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]
+  )[count.index]
+}
diff --git a/modules/fargate_service/main.tf b/modules/fargate_service/main.tf
new file mode 100644
index 0000000..3d940cb
--- /dev/null
+++ b/modules/fargate_service/main.tf
@@ -0,0 +1,80 @@
+resource "aws_ecs_service" "service" {
+  name          = var.name
+  cluster       = var.cluster_id
+  desired_count = var.desired_count
+
+  task_definition = aws_ecs_task_definition.task.arn
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    security_groups  = [aws_security_group.service_security_group.id]
+    subnets          = var.subnet_ids
+    assign_public_ip = false
+  }
+
+  deployment_controller {
+    type = "ECS"
+  }
+
+  health_check_grace_period_seconds = length(var.load_balancers) > 0 ? 60 : 0
+
+  dynamic "load_balancer" {
+    for_each = var.load_balancers
+    content {
+      target_group_arn = load_balancer.value.target_group_arn
+      container_name   = load_balancer.value.container_name
+      container_port   = load_balancer.value.container_port
+    }
+  }
+
+  # Allow external changes to service count without Terraform plan difference
+  lifecycle {
+    ignore_changes = [desired_count]
+  }
+
+  propagate_tags = "SERVICE"
+  tags           = var.tags
+}
+
+resource "aws_ecs_task_definition" "task" {
+  family                   = "${var.name}-task"
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  cpu                      = var.cpu
+  memory                   = var.memory
+  execution_role_arn       = aws_iam_role.execution_role.arn
+  task_role_arn            = aws_iam_role.execution_role.arn
+  container_definitions    = var.container_definitions
+  tags                     = var.tags
+}
+
+resource "aws_security_group" "service_security_group" {
+  name        = "${var.name}-ecs-security-group"
+  description = "Allows inbound access to an ECS service only through its alb"
+  vpc_id      = var.vpc_id
+
+  dynamic "ingress" {
+    for_each = var.load_balancers
+    content {
+      from_port       = ingress.value.container_port
+      to_port         = ingress.value.container_port
+      security_groups = var.alb_security_group_ids
+      protocol        = "tcp"
+    }
+  }
+
+  # Allow all outgoing access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  timeouts {
+    create = "45m"
+    delete = "45m"
+  }
+
+  tags = var.tags
+}
diff --git a/modules/fargate_service/variables.tf b/modules/fargate_service/variables.tf
new file mode 100644
index 0000000..1ded52b
--- /dev/null
+++ b/modules/fargate_service/variables.tf
@@ -0,0 +1,90 @@
+variable name {
+  description = "The name of the service. Used as a prefix for other resource names"
+}
+
+variable cluster_id {
+  description = <<EOF
+  The id of the ECS cluster this service belongs to.
+
+  Having multiple related services in one service can decrease cost
+  by more efficiently using a shared pool of resources.
+  EOF
+}
+
+variable desired_count {
+  type        = number
+  description = "The number of tasks to keep alive at all times"
+}
+
+variable vpc_id {
+  description = "ID of the VPC the alb is in"
+}
+
+variable subnet_ids {
+  type        = list(string)
+  description = "List of subnets tasks can be run in."
+}
+
+variable load_balancers {
+  type = list(object({
+    target_group_arn = string
+    container_name   = string
+    container_port   = string
+  }))
+
+  description = <<EOF
+  When using ECS services, the service will ensure that at least
+  {@variable desired_count} tasks are running at all times. Because
+  there can be multiple tasks running at once, we set up a load
+  balancer to ditribute traffic.
+
+  `target_group_arn` is the arn of the target group on that alb that will
+  be set to watch over the tasks managed by this service.
+  EOF
+}
+
+variable tags {
+  type        = map(string)
+  description = "Tags to set on all resources that support them"
+}
+
+variable cpu {
+  default     = 512
+  description = "How much CPU should be allocated to each app instance?"
+}
+
+variable memory {
+  default     = 1024
+  description = "How much memory should be allocated to each app instance?"
+}
+
+variable container_definitions {
+  type        = string
+  description = "JSON encoded list of container definitions"
+}
+
+variable additional_task_policy_arns {
+  type        = list(string)
+  description = "IAM Policy arns to be added to the tasks"
+}
+
+variable additional_task_policy_arns_count {
+  type        = number
+  description = "The number of items in var.additional_task_policy_arns. Terraform is not quite smart enough to figure this out on its own."
+}
+
+variable alb_security_group_ids {
+  type        = list(string)
+  description = "The ids of all security groups set on the ALB. We require that the tasks can only talk to the ALB"
+}
+
+variable deploy_env {
+  type        = string
+  description = "The environment resources are to be created in. Usually dev, staging, or prod"
+}
+
+variable aws_region {
+  type        = string
+  description = "The AWS region to create resources in."
+  default     = "eu-west-1"
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..aafe698
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,7 @@
+output internal_url {
+  value = "https://${aws_route53_record.alb_alias.name}:${var.internal_port}"
+}
+
+output external_url {
+  value = "https://${aws_route53_record.alb_alias.name}:${var.external_port}"
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..0084d85
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,322 @@
+######################
+# Required Variables #
+######################
+
+variable project_id {
+  description = <<EOF
+  A name to use in resources, such as the name of your company.
+  EOF
+}
+
+variable vpc_id {
+  description = "The ID of the VPC to put this application into"
+}
+
+# TODO: Conditionally create this
+variable log_bucket_name {
+  description = "The name of the s3 bucket to log alb access requests to"
+}
+
+# TODO: Default this to the main sombra ECR repo we share with clients
+variable ecr_image {
+  description = "Url of the ECR repo, including the tag"
+}
+
+# TODO: Conditionally create this
+variable cluster_id {
+  description = "ID of the ECS cluster this service should run in"
+}
+
+variable desired_count {
+  description = "The number of ECS tasks that the service should keep alive"
+}
+
+variable public_subnet_ids {
+  type        = list(string)
+  description = "The subnets the ALB can be placed into"
+}
+
+variable private_subnet_ids {
+  type        = list(string)
+  description = "The subnets the ECS tasks can be placed into"
+}
+
+variable private_subnets_cidr_blocks {
+  type        = list(string)
+  description = "CIDR blocks that an ECS task could be in"
+}
+
+variable zone_id {
+  description = "The ID of the Route53 hosted zone where the sombra subdomain will be created"
+}
+
+variable certificate_arn {
+  description = "Arn of the ACM cert that exists on the ALB"
+}
+
+variable subdomain {
+  description = <<EOF
+  The subdomain to create the sombra services at.
+
+  If subdomain is "sombra" and the root_domain is "test.com" then
+  the sombra services would be available at "sombra.test.com"
+  EOF
+}
+
+variable root_domain {
+  description = <<EOF
+  The root domain to create the sombra services at.
+
+  If subdomain is "sombra" and the root_domain is "test.com" then
+  the sombra services would be available at "sombra.test.com"
+  EOF
+}
+
+variable deploy_env {
+  description = "The environment to deploy to, usually dev, staging, or prod"
+}
+
+variable data_subject_auth_methods {
+  type        = list(string)
+  description = "Supported data subject authentication methods"
+}
+
+variable employee_auth_methods {
+  type        = list(string)
+  description = "Supported customer employee authentication methods"
+}
+
+variable jwt_ecdsa_key {
+  description = <<EOF
+  The JSON Web Token asymmetric key for signing Sombra payloads, using the Elliptic
+  Curve Digital Signature Algorithm"
+  EOF
+}
+
+variable tls_config {
+  type = object({
+    passphrase = string
+    cert       = string
+    key        = string
+  })
+  description = "Sombra TLS Support. These values are sensitive."
+}
+
+######################
+# Optional Variables #
+######################
+
+variable incoming_cidr_range {
+  description = <<EOF
+  If you want to restrict the IP addresses that can talk to the
+  internal sombra service, you can do so with this cidr block.
+
+  Oftentimes, this will be the cidr block of the VPC containing the
+  application you are calling the sombra api from.
+  EOF
+  default     = "0.0.0.0/0"
+}
+
+variable use_local_kms {
+  default     = true
+  description = "When true, local KMS will be used. When false, AWS will be used"
+}
+
+variable internal_key_hash {
+  default     = ""
+  description = "This will override the generated internal key"
+}
+
+variable hmac_nonce_key_cycle {
+  default     = ""
+  description = "Cycled HMAC nonce key (384 bits), held around during a key cycle process for requests made before the cycle"
+}
+
+variable key_encryption_base_cycle {
+  default     = ""
+  description = "Cycled High entropy secret value for local KMS (256 bits)"
+}
+
+variable transcend_backend_url {
+  default     = "https://api.transcend.io:443"
+  description = "URL of Transcend's backend"
+}
+
+variable transcend_certificate_common_name {
+  default     = "*.transcend.io"
+  description = "Transcend's certificate Common NameTranscend's certificate Common Name"
+}
+
+variable encrypted_saas_http_methods {
+  default     = ["GET"]
+  type        = list(string)
+  description = "Whitelisted HTTP methods when probing a SaaS tool for valid auth credentials"
+}
+
+variable saml_config {
+  type = object({
+    entrypoint             = string
+    issuer                 = string
+    cert                   = string
+    audience               = string
+    accepted_clock_skew_ms = number
+  })
+  default = {
+    entrypoint             = ""
+    cert                   = ""
+    issuer                 = "transcend"
+    audience               = "transcend"
+    accepted_clock_skew_ms = 0
+  }
+  description = <<EOF
+  Info about SAML logins, used if SAML is an enabled auth_method.
+
+  __Fields__
+  entrypoint: identity provider entrypoint (is required to be spec-compliant when the request is signed)
+  issuer: issuer string to supply to identity provider
+  cert: the IDP's public signing certificate used to validate the signatures of the incoming SAML Responses
+  audience: expected saml response Audience (if not provided, Audience won't be verified)
+  acceptedClockSkewMs: Time in milliseconds of skew that is acceptable between client and server when
+                       checking OnBefore and NotOnOrAfter assertion condition validity timestamps.
+                       Setting to -1 will disable checking these conditions entirely.
+  EOF
+}
+
+variable oauth_config {
+  type = object({
+    scopes                      = list(string)
+    client_id                   = string
+    secret_id                   = string
+    get_token_url               = string
+    get_core_id_url             = string
+    get_core_id_path            = string
+    get_profile_url             = string
+    get_token_body_redirect_uri = string
+    get_profile_path            = string
+    get_email_path              = string
+    profile_picture_path        = string
+    email_is_verified_path      = string
+    email_is_verified           = bool
+  })
+  default = {
+    scopes                      = []
+    client_id                   = ""
+    secret_id                   = ""
+    get_token_url               = ""
+    get_core_id_url             = ""
+    get_core_id_path            = ""
+    get_profile_url             = ""
+    get_token_body_redirect_uri = ""
+    get_profile_path            = ""
+    get_email_path              = ""
+    profile_picture_path        = ""
+    email_is_verified_path      = ""
+    email_is_verified           = false
+  }
+  description = <<EOF
+  Info about OAuth logins, used if OAuth is an enabled auth_method.
+
+  The secret_id field is sensitive.
+  EOF
+}
+
+variable jwt_authentication_public_key {
+  default     = ""
+  description = "Customer's data subject authentication via JWT public key"
+}
+
+variable aws_region {
+  description = "The AWS region to deploy resources to"
+  default     = "eu-west-1"
+}
+
+variable internal_port {
+  description = "The port the internal sombra should run on. This is the server that your internal services will have access to."
+  default     = 443
+}
+
+variable external_port {
+  description = "The port the external sombra should run on, this is the server that only Transcend's API talks to."
+  default     = 5041
+}
+
+variable log_level {
+  description = "The level at which logs should go to console: see https://github.com/pinojs/pino"
+  default     = "warn"
+}
+
+variable use_cloudwatch_logs {
+  type        = bool
+  description = "If true, a cloudwatch group will be created and written to."
+  default     = true
+}
+
+# https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html
+variable log_configuration {
+  type = object({
+    logDriver = string
+    options   = map(string)
+  })
+  description = <<EOF
+  Log configuration options to send to a custom log driver for the container.
+  For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_LogConfiguration.html
+
+  This parameter is ignored if use_cloudwatch_logs is true, and a log group will be automatically
+  written to.
+
+  Use log_secrets to set extra options here that should be secret, such as API keys for third party loggers.
+  EOF
+  default     = null
+}
+
+variable log_secrets {
+  type        = map(string)
+  default     = {}
+  description = "Used to add extra options to log_configuration.options that should be secret, such as third party API keys"
+}
+
+variable extra_container_definitions {
+  type        = list(string)
+  description = <<EOF
+  Extra ECS container definitions to add to the task.
+
+  This can be used to add sidecar containers such as AWS firelens, Datadog agent, etc.
+
+  If you're using the fargate_container_definition module from this
+  repo, then each value in the list can be the `json_map` output.
+  EOF
+  default     = []
+}
+
+variable cpu {
+  default     = 512
+  description = "How much CPU should be allocated to the task?"
+}
+
+variable memory {
+  default     = 1024
+  description = "How much memory should be allocated to the task?"
+}
+
+variable extra_task_policy_arns {
+  type        = list(string)
+  description = <<EOF
+  ARNs of any additional IAM Policies you want to attach to the ECS Task.
+
+  This module already comes with policies for doing sombra things like reading
+  from KMS and for reading SSM parameters made from var.log_secrets or any
+  secret env vars it creates.
+
+  So the only real time you'd need this is if you are sidecaring containers
+  using var.extra_container_definitions, and those containers need extra
+  permissions.
+  EOF
+  default     = []
+}
+
+variable tags {
+  type        = map(string)
+  description = "Tags to apply to all resources that support them"
+  default     = {}
+}
+