diff --git a/backend.tf b/backend.tf
new file mode 100644
index 0000000..7a900c4
--- /dev/null
+++ b/backend.tf
@@ -0,0 +1,38 @@
+#
+# Copyright (c) 2021-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+terraform {
+  backend "s3" {
+    bucket         = "vendorcorp-platform-core"
+    key            = "terraform-state/the-cla"
+    dynamodb_table = "vendorcorp-terraform-state-lock"
+    region         = "us-east-2"
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.6.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.19.0"
+    }
+    postgresql = {
+      source  = "cyrilgdn/postgresql"
+      version = ">= 1.15.0"
+    }
+  }
+}
\ No newline at end of file
diff --git a/locals.tf b/locals.tf
new file mode 100644
index 0000000..36c0014
--- /dev/null
+++ b/locals.tf
@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2021-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+locals {
+  cla_db_username  = "the_cla_bot"
+  cla_db_name = "the_cla"
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index dff5c5e..f4a37e7 100644
--- a/main.tf
+++ b/main.tf
@@ -14,370 +14,209 @@
 # limitations under the License.
 #
 
-
-data "aws_vpc" "main" {
-    tags = {
-        "use-case"    = "shared-vpcs"
-        "environment" = "ci"
-    }
-}
- 
-data "aws_subnet_ids" "private" {
-    vpc_id = data.aws_vpc.main.id
- 
-    tags = {
-        access = "private"
-    }
-}
- 
-data "aws_subnet_ids" "public" {
-    vpc_id = data.aws_vpc.main.id
- 
-    tags = {
-        access = "public"
-    }
-}
-
-resource "aws_db_subnet_group" "the_cla_rds_subnet_group" {
-  name        = "${var.app_name}-rds-subnet-group"
-  description = "RDS subnet group"
-  subnet_ids  = data.aws_subnet_ids.private.ids
-}
-
-resource "aws_security_group" "the_cla" {
-  vpc_id      = data.aws_vpc.main.id
-  name        = "${var.app_name}-db-access-sg"
-  description = "Allow access to RDS"
-}
-
-resource "aws_security_group" "the_cla_rds_sg" {
-  name = "${var.app_name}-rds-sg"
-  description = "${var.app_name} Security Group"
-  vpc_id = data.aws_vpc.main.id
-
-  // allows traffic from the SG itself
-  ingress {
-      from_port = 0
-      to_port = 0
-      protocol = "-1"
-      self = true
-  }
-
-  // allow traffic for TCP 5432, on the SG that the ecs service is running on
-  ingress {
-      from_port = 5432
-      to_port   = 5432
-      protocol  = "tcp"
-      security_groups = [
-        aws_security_group.the_cla.id
-      ]
+# --------------------------------------------------------------------------
+# Create k8s Namespace
+# --------------------------------------------------------------------------
+resource "kubernetes_namespace" "the_cla" {
+  metadata {
+    name        = "the-cla"
   }
+}
 
-  // allow traffic from external IP, pgAdmin, etc.
-  ingress {
-    from_port = 5432
-    to_port = 5432
-    protocol = "tcp"
-    cidr_blocks = [ var.external_db_cidr_group ]
+# --------------------------------------------------------------------------
+# Create k8s Secrets
+# --------------------------------------------------------------------------
+resource "kubernetes_secret" "the_cla" {
+  metadata {
+    name        = "the-cla"
+    namespace   = kubernetes_namespace.the_cla.metadata[0].name
   }
 
-  // outbound internet access
-  egress {
-    from_port = 0
-    to_port = 0
-    protocol = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+  data = {
+    "psql_password" = module.database.user_password
   }
-}
 
-resource "aws_db_instance" "the_cla" {
-  allocated_storage    = 50
-  engine               = "postgres"
-  engine_version       = "12.5"
-  instance_class       = "db.t3.micro"
-  identifier           = "the-cla"
-  name                 = var.postgres_db_name
-  username             = var.postgres_username
-  password             = var.postgres_password
-  db_subnet_group_name = aws_db_subnet_group.the_cla_rds_subnet_group.id
-  vpc_security_group_ids = [aws_security_group.the_cla_rds_sg.id]
-  storage_encrypted    = true
-  skip_final_snapshot  = true
+  type = "Opaque"
 }
 
-resource "aws_ecr_repository" "the_cla" {
-  name = "${var.app_name}-app"
-}
-
-resource "aws_ecs_cluster" "the_cla" {
-  name = "${var.app_name}-cluster"
-}
-
-resource "aws_cloudwatch_log_group" "the_cla" {
-  name = "${var.app_name}-cloudwatch-lergs"
-
-  tags = {
-    Application = "${var.app_name}"
+# --------------------------------------------------------------------------
+# Create k8s Deployment
+# --------------------------------------------------------------------------
+resource "kubernetes_deployment" "the_cla" {
+  metadata {
+    name            = "the-cla"
+    namespace       = kubernetes_namespace.the_cla.metadata[0].name
+    labels = {
+      app = "the-cla"
+    }
   }
-}
+  spec {
+    replicas = 1
 
-resource "aws_ecs_task_definition" "the_cla" {
-  family                   = "${var.app_name}-task"
-  container_definitions    = <<DEFINITION
-  [
-    {
-      "name": "${var.app_name}-task",
-      "image": "${aws_ecr_repository.the_cla.repository_url}:latest",
-      "essential": true,
-      "portMappings": [
-        {
-          "containerPort": 4200,
-          "hostPort": 4200
-        }
-      ],
-      "logConfiguration": {
-        "logDriver": "awslogs",
-        "options": {
-          "awslogs-group": "${aws_cloudwatch_log_group.the_cla.name}",
-          "awslogs-region": "${var.aws_region}",
-          "awslogs-stream-prefix": "streaming"
-        }
-      },
-      "memory": 512,
-      "cpu": 256,
-      "environment": [
-        {
-          "name": "PG_PORT",
-          "value": "5432"
-        },
-        {
-          "name": "PG_USERNAME",
-          "value": "${var.postgres_username}"
-        },
-        {
-          "name": "PG_PASSWORD",
-          "value": "${var.postgres_password}"
-        },
-        {
-          "name": "PG_HOST",
-          "value": "${aws_db_instance.the_cla.address}"
-        },
-        {
-          "name": "PG_DB_NAME",
-          "value": "${var.postgres_db_name}"
-        },
-        {
-          "name": "SSL_MODE",
-          "value": "require"
-        }
-      ]
+    selector {
+      match_labels = {
+        app = "the-cla"
+      }
     }
-  ]
-  DEFINITION
-  requires_compatibilities = ["FARGATE"]
-  network_mode             = "awsvpc"
-  memory                   = 512
-  cpu                      = 256
-  execution_role_arn       = "${aws_iam_role.ecsTaskExecutionRole.arn}"
 
-  depends_on = [
-    aws_db_instance.the_cla,
-    aws_cloudwatch_log_group.the_cla
-  ]
-}
-
-resource "aws_iam_role" "ecsTaskExecutionRole" {
-  name_prefix        = "ecsTaskExecutionRole"
-  assume_role_policy = "${data.aws_iam_policy_document.assume_role_policy.json}"
-}
-
-data "aws_iam_policy_document" "assume_role_policy" {
-  statement {
-    actions = ["sts:AssumeRole"]
+    template {
+      metadata {
+        labels = {
+          app = "the-cla"
+        }
+      }
+
+      spec {
+        container {
+          image             = "sonatypecommunity/the-cla:latest"
+          name              = "the-cla"
+          image_pull_policy = "IfNotPresent"
+
+          env {
+            name = "PG_HOST"
+            value = module.shared.pgsql_cluster_endpoint_write
+          }
+
+          env {
+            name = "PG_PORT"
+            value = module.shared.pgsql_cluster_port
+          }
+
+          env {
+            name = "PG_USERNAME"
+            value = local.cla_db_username
+          }
+
+          env {
+            name = "PG_DB_NAME"
+            value = local.cla_db_name
+          }
+
+          env {
+            name = "PG_PASSWORD"
+            value_from {
+              secret_key_ref {
+                name = "the-cla"
+                key  = "psql_password"
+              }
+            }
+          }
+
+          env {
+            name  = "SSL_MODE"
+            value = "require"
+          }
+
+          port {
+            name           = "app"
+            container_port = 4200
+          }
+
+          # security_context {
+          #   run_as_user = 1000
+          # }
+
+          # volume_mount {
+          #   mount_path = "/the-cla-secrets"
+          #   name       = "the-cla-secrets"
+          # }
+        }
 
-    principals {
-      type        = "Service"
-      identifiers = ["ecs-tasks.amazonaws.com"]
+        # volume {
+        #   name = "the-cla-secrets"
+        #   secret {
+        #     secret_name = "the-cla"
+        #   }
+        # }
+
+        # volume {
+        #   name = "nxiq-data"
+        #   persistent_volume_claim {
+        #     claim_name = kubernetes_persistent_volume_claim.nxiq.metadata[0].name
+        #   }
+        # }
+
+        # volume {
+        #   name = "nxiq-config"
+        #   config_map {
+        #     name = kubernetes_config_map.nxiq.metadata[0].name
+        #     items {
+        #       key  = "config.yml"
+        #       path = "config.yml"
+        #     }
+        #   }
+        # }
+      }
     }
   }
 }
 
-resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy" {
-  role       = "${aws_iam_role.ecsTaskExecutionRole.name}"
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
-}
-
-resource "aws_ecs_service" "the_cla" {
-  name            = "${var.app_name}-service"
-  cluster         = "${aws_ecs_cluster.the_cla.id}"
-  task_definition = "${aws_ecs_task_definition.the_cla.arn}"
-  launch_type     = "FARGATE"
-  desired_count   = 3
-
-  load_balancer {
-    target_group_arn = "${aws_lb_target_group.target_group.arn}"
-    container_name   = "${aws_ecs_task_definition.the_cla.family}"
-    container_port   = 4200
-  }
-
-  network_configuration {
-    subnets          = data.aws_subnet_ids.public.ids
-    assign_public_ip = true
-    security_groups  = [
-      aws_security_group.service_security_group.id,
-      aws_security_group.the_cla.id
-    ]
-  }
-}
-
-resource "aws_alb" "application_load_balancer" {
-  name               = "${var.app_name}-tf"
-  load_balancer_type = "application"
-  subnets = data.aws_subnet_ids.public.ids
-  
-  security_groups = ["${aws_security_group.load_balancer_security_group.id}"]
-}
-
-resource "aws_security_group" "service_security_group" {
-  vpc_id = data.aws_vpc.main.id
-
-  ingress {
-    from_port = 0
-    to_port   = 0
-    protocol  = "-1"
-    security_groups = ["${aws_security_group.load_balancer_security_group.id}"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-}
-
-resource "aws_security_group" "load_balancer_security_group" {
-  vpc_id = data.aws_vpc.main.id
-
-  ingress {
-    from_port   = 80
-    to_port     = 80
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  ingress {
-    from_port   = 443
-    to_port     = 443
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-}
-
-resource "aws_lb_target_group" "target_group" {
-  name        = "target-group"
-  port        = 80
-  protocol    = "HTTP"
-  target_type = "ip"
-  vpc_id      = data.aws_vpc.main.id
-
-  health_check {
-    matcher = "200,301,302"
-    path = "/"
-  }
-
-  depends_on = [
-    aws_alb.application_load_balancer
-  ]
-
-  lifecycle {
-    create_before_destroy = true
+# --------------------------------------------------------------------------
+# Create k8s Services
+# --------------------------------------------------------------------------
+resource "kubernetes_service" "the_cla" {
+  metadata {
+    name            = "the-cla-svc"
+    namespace       = kubernetes_namespace.the_cla.metadata[0].name
+    labels = {
+      app = "the-cla"
+    }
   }
-}
+  spec {
+    selector = {
+      app = kubernetes_deployment.the_cla.metadata.0.labels.app
+    }
 
-resource "aws_lb_listener" "listener" {
-  load_balancer_arn = "${aws_alb.application_load_balancer.arn}"
-  certificate_arn   = aws_acm_certificate.this.arn
-  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
-  port              = "443"
-  protocol          = "HTTPS"
+    port {
+      name        = "http"
+      port        = 4200
+      target_port = 4200
+      protocol    = "TCP"
+    }
 
-  default_action {
-    type             = "forward"
-    target_group_arn = "${aws_lb_target_group.target_group.arn}"
+    type = "NodePort"
   }
 }
 
-resource "aws_lb_listener" "http_listener" {
-  load_balancer_arn = "${aws_alb.application_load_balancer.arn}"
-  port              = "80"
-  protocol          = "HTTP"
-
-  default_action {
-    type             = "redirect"
-
-    redirect {
-      port = "443"
-      protocol = "HTTPS"
-      status_code = "HTTP_301"
+##############################################################################
+# Create Ingress for NXIQ
+##############################################################################
+resource "kubernetes_ingress_v1" "the_cla" {
+  metadata {
+    name      = "the-cla-ingress"
+    namespace = kubernetes_namespace.the_cla.metadata[0].name
+    labels = {
+      app = "the-cla"
+    }
+    annotations = {
+      "kubernetes.io/ingress.class"               = "alb"
+      "alb.ingress.kubernetes.io/group.name"      = "the-cla-${terraform.workspace}"
+      # "alb.ingress.kubernetes.io/healthcheck-path"= "/assets/index.html"
+      # "alb.ingress.kubernetes.io/inbound-cidrs"   = join(", ", var.ip_cidr_whitelist)
+      "alb.ingress.kubernetes.io/scheme"          = "internal"
+      "alb.ingress.kubernetes.io/certificate-arn" = module.shared_private.bma_cert_arn
+      "external-dns.alpha.kubernetes.io/hostname" = "the-cla.${module.shared_private.dns_zone_bma_name}"
     }
   }
-}
-
-data "aws_route53_zone" "this" {
-  name = var.route53_zone
-  private_zone = false
-}
-
-resource "aws_route53_record" "this" {
-  name = var.dns_record_name
-  type = "CNAME"
-
-  records = [
-    aws_alb.application_load_balancer.dns_name,
-  ]
-
-  zone_id = data.aws_route53_zone.this.zone_id
-  ttl = "60"
-}
-
-resource "aws_acm_certificate" "this" {
-  domain_name       = "${var.dns_record_name}.${var.route53_zone}"
-  validation_method = "DNS"
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_acm_certificate_validation" "this" {
-  certificate_arn         = aws_acm_certificate.this.arn
-  validation_record_fqdns = [aws_route53_record.web_cert_validation.fqdn]
 
-  lifecycle {
-    create_before_destroy = true
+  spec {
+    rule {
+      host = "the-cla.${module.shared_private.dns_zone_bma_name}"
+      http {
+        path {
+          path = "/*"
+          backend {
+            service {
+              name = kubernetes_service.the_cla.metadata[0].name
+              port {
+                number = 4200
+              }
+            }
+          }
+        }
+      }
+    }
   }
-}
 
-resource "aws_route53_record" "web_cert_validation" {
-  name = element(tolist(aws_acm_certificate.this.domain_validation_options), 0).resource_record_name
-  type = element(tolist(aws_acm_certificate.this.domain_validation_options), 0).resource_record_type
-
-  records = [ 
-    element(tolist(aws_acm_certificate.this.domain_validation_options), 0).resource_record_value 
-  ]
-
-  zone_id = data.aws_route53_zone.this.zone_id
-  ttl     = 60
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
+  wait_for_load_balancer = true
+}
\ No newline at end of file
diff --git a/providers.tf b/providers.tf
index 5421006..53bf2d0 100644
--- a/providers.tf
+++ b/providers.tf
@@ -14,16 +14,10 @@
 # limitations under the License.
 #
 
-
-terraform {
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 3.0"
-    }
-  }
-}
-
-provider "aws" {
-  region  = var.aws_region
-}
+################################################################################
+# Connect to our k8s Cluster
+################################################################################
+provider "kubernetes" {
+  config_path    = "~/.kube/config"
+  config_context = module.shared.eks_cluster_arn
+}
\ No newline at end of file
diff --git a/shared-modules.tf b/shared-modules.tf
new file mode 100644
index 0000000..48bef5e
--- /dev/null
+++ b/shared-modules.tf
@@ -0,0 +1,39 @@
+#
+# Copyright (c) 2021-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+################################################################################
+# Load Vendor Corp Shared Infra
+################################################################################
+module "shared" {
+  source                   = "git::ssh://git@github.com/vendorcorp/terraform-shared-infrastructure.git?ref=v1.2.0"
+}
+
+module "shared_private" {
+  source                   = "git::ssh://git@github.com/vendorcorp/terraform-shared-private-infrastructure.git?ref=v1.5.0"
+  environment              = var.environment
+}
+
+module "database" {
+  source            = "git::ssh://git@github.com/vendorcorp/terraform-aws-rds-database.git?ref=v0.1.0"
+
+  pg_hostname       = module.shared.pgsql_cluster_endpoint_write
+  pg_port           = module.shared.pgsql_cluster_port
+  pg_admin_username = module.shared.pgsql_cluster_master_username
+  pg_admin_password = module.shared.pgsql_cluster_master_password
+  database_name     = local.cla_db_name
+  user_username     = local.cla_db_username
+  # Password generated and returned
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index e8e83a5..b844b99 100644
--- a/variables.tf
+++ b/variables.tf
@@ -14,50 +14,26 @@
 # limitations under the License.
 #
 
-
-variable "availability_zone_names" {
-  type = list(string)
-  default = ["us-east-1"]
-}
-
-variable "app_name" {
-  type = string
-  default = "the-cla"
-}
-
 variable "aws_region" {
-  type = string
-  default = "us-east-1"
-}
-
-variable "route53_zone" {
-  type = string
-  default = "example.host.com"
-}
-
-variable "dns_record_name" {
-  type = string
-  default = "the-cla"
-}
-
-variable "postgres_username" {
-  type = string
-  default = "the_cla"
-  sensitive = true
-}
-
-variable "postgres_password" {
-  type = string
-  sensitive = true
-}
-
-variable "postgres_db_name" {
-  type = string 
-  default = "thecladatabase"
-  sensitive = true
-}
-
-variable "external_db_cidr_group" {
-  type = string
-  sensitive = true
-}
+  description = "AWS Region that our deployment is targetting"
+  type        = string
+  default     = "eu-west-2"
+}
+
+variable "default_resource_tags" {
+  description = "List of tags to apply to all resources created in AWS"
+  type        = map(string)
+  default = {
+    environment : "production"
+    purpose : "sonatype-community-cla"
+    owner : "phorton@sonatype.com"
+    sonatype-group : "se"
+  }
+}
+
+# See https://docs.sonatype.com/display/OPS/Shared+Infrastructure+Initiative
+variable "environment" {
+  description = "Used as part of Sonatype's Shared AWS Infrastructure"
+  type        = string
+  default     = "production"
+}
\ No newline at end of file