diff --git a/tfs/aws-eks-vpc/aws-auth.tf b/tfs/aws-eks-vpc/aws-auth.tf
new file mode 100644
index 00000000..f33a39e5
--- /dev/null
+++ b/tfs/aws-eks-vpc/aws-auth.tf
@@ -0,0 +1,58 @@
+locals {
+  workers_role_arns = [aws_iam_role.cluster.arn, aws_iam_role.node.arn]
+
+  # Add worker nodes role ARNs (could be from many un-managed worker groups) to the ConfigMap
+  # Note that we don't need to do this for managed Node Groups since EKS adds their roles to the ConfigMap automatically
+  map_worker_roles = [
+    for role_arn in local.workers_role_arns : {
+      rolearn : role_arn
+      username : "${role_arn}-user"
+      groups : [
+        "system:bootstrappers",
+        "system:masters"
+      ]
+    }
+  ]
+}
+
+
+provider "kubernetes" {
+    host                   = data.null_data_source.cluster.outputs["cluster_endpoint"]
+    cluster_ca_certificate = base64decode(aws_eks_cluster.demo.certificate_authority.0.data)
+    token                  = data.aws_eks_cluster_auth.cluster_auth.token
+}
+
+data "null_data_source" "cluster" {
+   inputs = {
+     cluster_endpoint = aws_eks_cluster.demo.endpoint
+   }
+}
+
+
+resource "kubernetes_config_map" "aws_auth" {
+  depends_on = [aws_eks_cluster.demo]
+
+  metadata {
+    name      = "aws-auth"
+    namespace = "kube-system"
+  }
+
+  data = {
+    mapRoles    = yamlencode(distinct(concat(local.map_worker_roles)))
+  }
+}
+
+resource "null_resource" "wait_for_cluster" {
+  depends_on = [
+    aws_eks_cluster.demo,
+    aws_security_group.demo-cluster
+  ]
+
+  provisioner "local-exec" {
+    command     = var.wait_for_cluster_cmd
+    interpreter = var.wait_for_cluster_interpreter
+    environment = {
+      ENDPOINT = aws_eks_cluster.demo.endpoint
+    }
+  }
+}
\ No newline at end of file
diff --git a/tfs/aws-eks-vpc/eks-cluster.tf b/tfs/aws-eks-vpc/eks-cluster.tf
new file mode 100644
index 00000000..4af95a39
--- /dev/null
+++ b/tfs/aws-eks-vpc/eks-cluster.tf
@@ -0,0 +1,61 @@
+#
+# EKS Cluster Resources
+#  * IAM Role to allow EKS service to manage other AWS services
+#  * EC2 Security Group to allow networking traffic with EKS cluster
+#  * EKS Cluster
+
+# resource "aws_cloudwatch_log_group" "demo" {
+#   # The log group name format is /aws/eks/<cluster-name>/cluster
+#   # Reference: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+#   name              = "/aws/eks/${aws_eks_cluster.demo.name}/cluster"
+#   retention_in_days = 7
+#   # ... potentially other configuration ...
+# }
+
+resource "aws_security_group" "demo-cluster" {
+  depends_on = [aws_vpc.demo]
+  name        = "eks-demo-cluster-sg-${random_string.cluster.id}"
+  description = "Cluster communication with worker nodes"
+  vpc_id      = aws_vpc.demo.id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "terraform-eks-demo"
+  }
+}
+
+resource "aws_security_group_rule" "demo-cluster-ingress-workstation-https" {
+  depends_on        = [aws_security_group.demo-cluster]
+  cidr_blocks       = [local.workstation-external-cidr]
+  description       = "Allow workstation to communicate with the cluster API Server"
+  from_port         = 443
+  protocol          = "tcp"
+  security_group_id = aws_security_group.demo-cluster.id
+  to_port           = 443
+  type              = "ingress"
+}
+
+resource "aws_eks_cluster" "demo" {
+  enabled_cluster_log_types = ["api", "audit","authenticator","controllerManager","scheduler"]
+  name     = "${var.cluster-name}-${random_string.cluster.id}"
+  role_arn = aws_iam_role.cluster.arn
+
+  vpc_config {
+    security_group_ids = [aws_security_group.demo-cluster.id]
+    subnet_ids         = aws_subnet.demo[*].id
+  }
+
+  depends_on = [
+    aws_internet_gateway.demo,
+    aws_security_group.demo-cluster,
+    aws_iam_role_policy_attachment.cluster-AmazonEKSClusterPolicy,
+    aws_iam_role_policy_attachment.cluster-AmazonEKSVPCResourceController,
+    aws_iam_role_policy_attachment.cluster-AmazonVPCFullAccess,
+  ]
+}
diff --git a/tfs/aws-eks-vpc/eks-worker-nodes.tf b/tfs/aws-eks-vpc/eks-worker-nodes.tf
new file mode 100644
index 00000000..809e9337
--- /dev/null
+++ b/tfs/aws-eks-vpc/eks-worker-nodes.tf
@@ -0,0 +1,90 @@
+#
+# EKS Worker Nodes Resources
+#  * IAM role allowing Kubernetes actions to access other AWS services
+#  * EKS Node Group to launch worker nodes
+#
+
+resource "aws_eks_node_group" "demo" {
+  cluster_name    = aws_eks_cluster.demo.name
+  node_group_name = var.node-group-name
+  node_role_arn   = aws_iam_role.node.arn
+  subnet_ids      = aws_subnet.demo[*].id
+
+  scaling_config {
+    desired_size = 1
+    max_size     = 1
+    min_size     = 1
+  }
+
+  depends_on = [
+    kubernetes_config_map.aws_auth,
+    aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy,
+    aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy,
+    aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly,
+  ]
+
+}
+
+resource "null_resource" "delete_ingress" {
+  triggers = {
+    cluster_delete_name = aws_eks_cluster.demo.name
+    cluster_region = var.aws_region
+  }
+  depends_on = [
+    helm_release.aws_alb_controller,
+    aws_security_group.demo-cluster,
+    aws_iam_role_policy_attachment.cluster-AmazonEKSClusterPolicy,
+    aws_iam_role_policy_attachment.cluster-AmazonEKSVPCResourceController,
+    aws_iam_role_policy_attachment.cluster-AmazonVPCFullAccess,
+    aws_iam_role_policy_attachment.cluster-AmazonEKSServicePolicy,
+    aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy,
+    aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly,
+    aws_iam_role_policy_attachment.node-AmazonVPCFullAccess,
+    aws_iam_instance_profile.node,
+    aws_iam_role_policy_attachment.node-AWSLoadBalancerControllerIAMPolicy,
+    aws_iam_role_policy_attachment.cluster-AWSVisualEditorPolicy,
+    aws_iam_openid_connect_provider.cluster,
+    aws_iam_role.cluster,
+    aws_iam_role.node,
+    aws_iam_policy.AWSLoadBalancerControllerIAMPolicy,
+    aws_route_table_association.demo,
+    module.container-insights,
+    aws_route_table.demo,
+    aws_security_group_rule.demo-cluster-ingress-workstation-https
+    ]
+
+  provisioner "local-exec" {
+    when = destroy
+    command = <<EOT
+      echo "Installing awscli"
+      apk add --no-cache python3 py3-pip
+      pip3 install --upgrade pip
+      pip3 install awscli
+      rm -rf /var/cache/apk/*
+    EOT
+  }
+
+
+  provisioner "local-exec" {
+    when = destroy
+    command = <<EOT
+    apk update && apk add curl
+    curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.18.17/bin/linux/amd64/kubectl
+    chmod u+x kubectl && mv kubectl /bin/kubectl
+    EOT
+  }
+
+  provisioner "local-exec" {
+    when = destroy
+    command = <<EOT
+      echo 'Applying Auth ConfigMap with kubectl...'
+      aws eks update-kubeconfig --name '${self.triggers.cluster_delete_name}' --alias '${self.triggers.cluster_delete_name}-${self.triggers.cluster_region}' --region=${self.triggers.cluster_region}
+    EOT
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = "kubectl config use-context ${self.triggers.cluster_delete_name}-${self.triggers.cluster_region}; timeout 240 kubectl delete ingress -A --all"
+  }
+
+}
\ No newline at end of file
diff --git a/tfs/aws-eks-vpc/helm.tf b/tfs/aws-eks-vpc/helm.tf
new file mode 100644
index 00000000..8c7e3b4c
--- /dev/null
+++ b/tfs/aws-eks-vpc/helm.tf
@@ -0,0 +1,83 @@
+terraform {
+  required_providers {
+    helm = {
+      source = "hashicorp/helm"
+      version = "2.1.2"
+    }
+  }
+}
+
+module "container-insights" {
+  source       = "Young-ook/eks/aws//modules/container-insights"
+  version      = "1.7.11"
+  cluster_name = aws_eks_cluster.demo.name
+  oidc         = zipmap(
+    ["url", "arn"],
+    [local.oidc["url"], local.oidc["arn"]]
+  )
+  tags         = { env = "demo" }
+  depends_on = [
+    aws_eks_node_group.demo,
+  ]
+}
+
+locals {
+  oidc = {
+    arn = aws_iam_openid_connect_provider.cluster.arn
+    url = replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")
+  }
+}
+
+data "aws_eks_cluster_auth" "cluster_auth" {
+  name = aws_eks_cluster.demo.name
+  depends_on = [null_resource.wait_for_cluster]
+}
+
+provider "helm" {
+  # Configuration options
+  kubernetes {
+    host                   = aws_eks_cluster.demo.endpoint
+    cluster_ca_certificate = base64decode(aws_eks_cluster.demo.certificate_authority.0.data)
+    token                  = data.aws_eks_cluster_auth.cluster_auth.token
+  }
+}
+
+resource helm_release aws_alb_controller {
+  name       = "aws-load-balancer-controller"
+
+  repository = "https://aws.github.io/eks-charts"
+  chart      = "aws-load-balancer-controller"
+  namespace  = "kube-system"
+
+  set {
+    name  = "clusterName"
+    value = aws_eks_cluster.demo.name
+  }
+
+  depends_on = [
+    aws_eks_node_group.demo,
+  ]
+}
+
+# resource "helm_release" "containerinsights" {
+#   count            = var.enabled ? 1 : 0
+#   name             = lookup(var.helm, "name", "eks-cw")
+#   chart            = lookup(var.helm, "chart", "container-insights")
+#   version          = lookup(var.helm, "version", null)
+#   repository       = lookup(var.helm, "repository", join("/", [path.module, "charts"]))
+#   namespace        = local.namespace
+#   create_namespace = true
+#   cleanup_on_fail  = lookup(var.helm, "cleanup_on_fail", true)
+
+#   dynamic "set" {
+#     for_each = {
+#       "cluster.name"                                              = var.cluster_name
+#       "cluster.region"                                            = data.aws_region.current.0.name
+#       "serviceAccount.name"                                       = local.serviceaccount
+#       "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" = module.irsa[0].arn[0]
+#     }
+#     content {
+#       name  = set.key
+#       value = set.value
+#     }
+#   }
\ No newline at end of file
diff --git a/tfs/aws-eks-vpc/iam.tf b/tfs/aws-eks-vpc/iam.tf
new file mode 100644
index 00000000..251f4785
--- /dev/null
+++ b/tfs/aws-eks-vpc/iam.tf
@@ -0,0 +1,359 @@
+resource "random_string" "role" {
+  length           = 4
+  special          = false
+  upper            = false
+  lower            = true
+}
+
+resource "random_string" "cluster" {
+  length           = 4
+  special          = false
+  upper            = false
+  lower            = true
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_iam_role" "cluster" {
+  name = "test-eks-cluster-role-${random_string.role.id}"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "cluster-AmazonEKSClusterPolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = aws_iam_role.cluster.name
+}
+
+resource "aws_iam_role_policy_attachment" "cluster-AmazonEKSServicePolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
+  role       = aws_iam_role.cluster.name
+}
+
+resource "aws_iam_role_policy_attachment" "cluster-AmazonEKSVPCResourceController" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+  role       = aws_iam_role.cluster.name
+}
+
+resource "aws_iam_role_policy_attachment" "cluster-AmazonVPCFullAccess" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonVPCFullAccess"
+  role       = aws_iam_role.cluster.name
+}
+
+# NODES
+resource "aws_iam_role" "node" {
+  name = "test-eks-node-role-${random_string.role.id}"
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "node-AmazonEKSWorkerNodePolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = aws_iam_role.node.name
+}
+
+resource "aws_iam_role_policy_attachment" "node-AmazonEKS_CNI_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = aws_iam_role.node.name
+}
+
+resource "aws_iam_role_policy_attachment" "node-AmazonEC2ContainerRegistryReadOnly" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = aws_iam_role.node.name
+}
+
+resource "aws_iam_role_policy_attachment" "node-AmazonVPCFullAccess" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonVPCFullAccess"
+  role       = aws_iam_role.node.name
+}
+
+resource "aws_iam_instance_profile" "node" {
+  name = "terraform-eks-demo-eks-node-instance-profile-${random_string.role.id}"
+  role = aws_iam_role.node.name
+}
+
+resource "aws_iam_policy" "AWSLoadBalancerControllerIAMPolicy" {
+  name        = "AWSLoadBalancerControllerIAMPolicy-${random_string.role.id}"
+  path        = "/"
+  description = "Policy for AWS Load Balancer Controller for k8s Ingress"
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:CreateServiceLinkedRole",
+                "ec2:DescribeAccountAttributes",
+                "ec2:DescribeAddresses",
+                "ec2:DescribeAvailabilityZones",
+                "ec2:DescribeInternetGateways",
+                "ec2:DescribeVpcs",
+                "ec2:DescribeSubnets",
+                "ec2:DescribeSecurityGroups",
+                "ec2:DescribeInstances",
+                "ec2:DescribeNetworkInterfaces",
+                "ec2:DescribeTags",
+                "ec2:GetCoipPoolUsage",
+                "ec2:DescribeCoipPools",
+                "elasticloadbalancing:DescribeLoadBalancers",
+                "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                "elasticloadbalancing:DescribeListeners",
+                "elasticloadbalancing:DescribeListenerCertificates",
+                "elasticloadbalancing:DescribeSSLPolicies",
+                "elasticloadbalancing:DescribeRules",
+                "elasticloadbalancing:DescribeTargetGroups",
+                "elasticloadbalancing:DescribeTargetGroupAttributes",
+                "elasticloadbalancing:DescribeTargetHealth",
+                "elasticloadbalancing:DescribeTags",
+                "elasticloadbalancing:AddTags"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "cognito-idp:DescribeUserPoolClient",
+                "acm:ListCertificates",
+                "acm:DescribeCertificate",
+                "iam:ListServerCertificates",
+                "iam:GetServerCertificate",
+                "waf-regional:GetWebACL",
+                "waf-regional:GetWebACLForResource",
+                "waf-regional:AssociateWebACL",
+                "waf-regional:DisassociateWebACL",
+                "wafv2:GetWebACL",
+                "wafv2:GetWebACLForResource",
+                "wafv2:AssociateWebACL",
+                "wafv2:DisassociateWebACL",
+                "shield:GetSubscriptionState",
+                "shield:DescribeProtection",
+                "shield:CreateProtection",
+                "shield:DeleteProtection"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:RevokeSecurityGroupIngress"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:CreateSecurityGroup"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:CreateTags"
+            ],
+            "Resource": "arn:aws:ec2:*:*:security-group/*",
+            "Condition": {
+                "StringEquals": {
+                    "ec2:CreateAction": "CreateSecurityGroup"
+                },
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:CreateTags",
+                "ec2:DeleteTags"
+            ],
+            "Resource": "arn:aws:ec2:*:*:security-group/*",
+            "Condition": {
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:RevokeSecurityGroupIngress",
+                "ec2:DeleteSecurityGroup"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Null": {
+                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:CreateLoadBalancer",
+                "elasticloadbalancing:CreateTargetGroup"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:CreateListener",
+                "elasticloadbalancing:DeleteListener",
+                "elasticloadbalancing:CreateRule",
+                "elasticloadbalancing:DeleteRule"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags",
+                "elasticloadbalancing:RemoveTags"
+            ],
+            "Resource": [
+                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+            ],
+            "Condition": {
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags",
+                "elasticloadbalancing:RemoveTags"
+            ],
+            "Resource": [
+                "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+                "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+                "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:ModifyLoadBalancerAttributes",
+                "elasticloadbalancing:SetIpAddressType",
+                "elasticloadbalancing:SetSecurityGroups",
+                "elasticloadbalancing:SetSubnets",
+                "elasticloadbalancing:DeleteLoadBalancer",
+                "elasticloadbalancing:ModifyTargetGroup",
+                "elasticloadbalancing:ModifyTargetGroupAttributes",
+                "elasticloadbalancing:DeleteTargetGroup"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Null": {
+                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:RegisterTargets",
+                "elasticloadbalancing:DeregisterTargets"
+            ],
+            "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:SetWebAcl",
+                "elasticloadbalancing:ModifyListener",
+                "elasticloadbalancing:AddListenerCertificates",
+                "elasticloadbalancing:RemoveListenerCertificates",
+                "elasticloadbalancing:ModifyRule"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "node-AWSLoadBalancerControllerIAMPolicy" {
+  policy_arn = aws_iam_policy.AWSLoadBalancerControllerIAMPolicy.arn
+  role       = aws_iam_role.node.name
+}
+
+resource "aws_iam_policy" "AWSVisualEditorPolicy" {
+  name        = "AWSVisualEditorPolicy-${random_string.role.id}"
+  path        = "/"
+  description = "Policy for AWS Load Balancer Controller for k8s Ingress"
+  policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": "eks:*",
+            "Resource": "*"
+        }
+    ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "cluster-AWSVisualEditorPolicy" {
+  policy_arn = aws_iam_policy.AWSVisualEditorPolicy.arn
+  role       = aws_iam_role.cluster.name
+}
+
+
+#OIDC
+
+resource "aws_iam_openid_connect_provider" "cluster" {
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+  url             = aws_eks_cluster.demo.identity.0.oidc.0.issuer
+}
\ No newline at end of file
diff --git a/tfs/aws-eks-vpc/main.tf b/tfs/aws-eks-vpc/main.tf
new file mode 100644
index 00000000..5620f4f2
--- /dev/null
+++ b/tfs/aws-eks-vpc/main.tf
@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+data "aws_availability_zones" "available" {}
+
+# Not required: currently used in conjunction with using
+# icanhazip.com to determine local workstation external IP
+# to open EC2 Security Group access to the Kubernetes cluster.
+# See workstation-external-ip.tf for additional information.
+provider "http" {}
diff --git a/tfs/aws-eks-vpc/outputs.tf b/tfs/aws-eks-vpc/outputs.tf
new file mode 100644
index 00000000..6d3e8268
--- /dev/null
+++ b/tfs/aws-eks-vpc/outputs.tf
@@ -0,0 +1,83 @@
+#
+# Outputs
+#
+
+locals {
+  config_map_aws_auth = <<CONFIGMAPAWSAUTH
+
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: aws-auth
+  namespace: kube-system
+data:
+  mapRoles: |
+    - rolearn: ${aws_iam_role.node.arn}
+      username: system:node:{{EC2PrivateDNSName}}
+      groups:
+        - system:bootstrappers
+        - system:nodes
+        - system:masters
+CONFIGMAPAWSAUTH
+
+  kubeconfig = <<KUBECONFIG
+
+
+apiVersion: v1
+clusters:
+- cluster:
+    server: ${aws_eks_cluster.demo.endpoint}
+    certificate-authority-data: ${aws_eks_cluster.demo.certificate_authority[0].data}
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: aws
+  name: aws
+current-context: aws
+kind: Config
+preferences: {}
+users:
+- name: aws
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1alpha1
+      command: aws-iam-authenticator
+      args:
+        - "token"
+        - "-i"
+        - "${var.cluster-name}-${random_string.cluster.id}"
+KUBECONFIG
+}
+
+output "config_map_aws_auth" {
+  value = local.config_map_aws_auth
+}
+
+output "kubeconfig" {
+  value = local.kubeconfig
+}
+
+output "cluster_name" {
+  value = aws_eks_cluster.demo.id
+}
+
+output "cluster_endpoint" {
+  value = aws_eks_cluster.demo.endpoint
+}
+
+output "cluster_region" {
+  value = var.aws_region
+}
+
+output "node_arn" {
+  value = aws_iam_role.node.arn
+}
+
+output "eks_arn" {
+  value = aws_iam_role.cluster.arn
+}
+
+
+
diff --git a/tfs/aws-eks-vpc/variables.tf b/tfs/aws-eks-vpc/variables.tf
new file mode 100644
index 00000000..5d77dfeb
--- /dev/null
+++ b/tfs/aws-eks-vpc/variables.tf
@@ -0,0 +1,56 @@
+variable "aws_region" {
+  default = "us-east-2"
+   type    = string
+}
+
+variable "cluster-name" {
+  default = "codepipes-demo"
+  type    = string
+}
+
+variable "node-group-name" {
+  default = "codepipes-cdn-node-group"
+  type    = string
+}
+
+variable "role-eks-demo-node" {
+  default = "codepipes-cdn-eks-demo-node"
+  type    = string
+}
+
+variable "vpc-eks-tag-name" {
+  default = "codepipes-cdn-eks-demo-tag-name"
+  type    = string
+}
+
+variable "cluster_ipv4_cidr" {
+  description = "The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR."
+  default = "10.0.0.0/16"
+  type    = string
+}
+
+
+
+variable "map_additional_iam_roles" {
+  description = "Additional IAM roles to add to `config-map-aws-auth` ConfigMap"
+
+  type = list(object({
+    rolearn  = string
+    username = string
+    groups   = list(string)
+  }))
+
+  default = []
+}
+
+variable "wait_for_cluster_cmd" {
+  description = "Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT"
+  type        = string
+  default     = " apk add curl; for i in `seq 1 60`; do curl -k $ENDPOINT/healthz >/dev/null && exit 0 || true; sleep 5; done; echo TIMEOUT && exit 1"
+}
+
+variable "wait_for_cluster_interpreter" {
+  description = "Custom local-exec command line interpreter for the command to determining if the eks cluster is healthy."
+  type        = list(string)
+  default     = ["/bin/sh", "-c"]
+}
\ No newline at end of file
diff --git a/tfs/aws-eks-vpc/vpc.tf b/tfs/aws-eks-vpc/vpc.tf
new file mode 100644
index 00000000..c4f01f7b
--- /dev/null
+++ b/tfs/aws-eks-vpc/vpc.tf
@@ -0,0 +1,60 @@
+#
+# VPC Resources
+#  * VPC
+#  * Subnets
+#  * Internet Gateway
+#  * Route Table
+#
+
+resource "aws_vpc" "demo" {
+  cidr_block           = var.cluster_ipv4_cidr
+  enable_dns_hostnames = true
+  tags = tomap({
+    "Name"                                                                  = "${var.cluster-name}-${random_string.cluster.id}"
+    "kubernetes.io/cluster/${var.cluster-name}-${random_string.cluster.id}" = "shared"
+  })
+}
+
+resource "aws_subnet" "demo" {
+  depends_on = [aws_vpc.demo]
+  count      = 2
+
+  availability_zone       = data.aws_availability_zones.available.names[count.index]
+  cidr_block              = "10.0.${count.index}.0/24"
+  map_public_ip_on_launch = true
+  vpc_id                  = aws_vpc.demo.id
+
+  tags = tomap({
+    "Name"                                                                  = "${var.cluster-name}-${random_string.cluster.id}"
+    "kubernetes.io/cluster/${var.cluster-name}-${random_string.cluster.id}" = "shared"
+    "kubernetes.io/role/elb"                                                = "1"
+  })
+}
+
+
+resource "aws_internet_gateway" "demo" {
+  depends_on = [aws_vpc.demo]
+  vpc_id     = aws_vpc.demo.id
+
+  tags = {
+    Name = var.vpc-eks-tag-name
+  }
+}
+
+resource "aws_route_table" "demo" {
+  depends_on = [aws_internet_gateway.demo]
+  vpc_id     = aws_vpc.demo.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.demo.id
+  }
+}
+
+resource "aws_route_table_association" "demo" {
+  depends_on = [aws_route_table.demo]
+  count      = 2
+
+  subnet_id      = aws_subnet.demo.*.id[count.index]
+  route_table_id = aws_route_table.demo.id
+}
diff --git a/tfs/aws-eks-vpc/workstation-external-ip.tf b/tfs/aws-eks-vpc/workstation-external-ip.tf
new file mode 100644
index 00000000..adb757b8
--- /dev/null
+++ b/tfs/aws-eks-vpc/workstation-external-ip.tf
@@ -0,0 +1,18 @@
+#
+# Workstation External IP
+#
+# This configuration is not required and is
+# only provided as an example to easily fetch
+# the external IP of your local workstation to
+# configure inbound EC2 Security Group access
+# to the Kubernetes cluster.
+#
+
+data "http" "workstation-external-ip" {
+  url = "http://ipv4.icanhazip.com"
+}
+
+# Override with variable or hardcoded value if necessary
+locals {
+  workstation-external-cidr = "${chomp(data.http.workstation-external-ip.body)}/32"
+}