diff --git a/modules/aws_ecs_fargate/README.md b/modules/aws_ecs_fargate/README.md
new file mode 100644
index 0000000..e720b65
--- /dev/null
+++ b/modules/aws_ecs_fargate/README.md
@@ -0,0 +1,23 @@
+# AWS ECS + Fargate Module
+
+This module deploys and ECS cluster with AWS Fargate. This eliminates the need to manually provision, scale and manage compute instances.
+
+# Prerequisites
+
+- A VPC
+  - with 2+ private and 2+ public subnets,
+  - and a route from the private subnets to the Internet (perhaps via a NAT gateway with EIP)
+
+# Key Design Decisions
+
+The module will deploy an RDS instance in the same VPC as the Fargate cluster.
+
+# Usage
+
+1. Directly use our module in your existing Terraform configuration and provide the required variables
+
+```
+module "retool" {
+    ...
+}
+```
diff --git a/modules/aws_ecs_fargate/loadbalancers.tf b/modules/aws_ecs_fargate/loadbalancers.tf
new file mode 100644
index 0000000..0efeb49
--- /dev/null
+++ b/modules/aws_ecs_fargate/loadbalancers.tf
@@ -0,0 +1,53 @@
+resource "aws_lb" "this" {
+  name         = "${var.deployment_name}-alb"
+  idle_timeout = var.alb_idle_timeout
+
+  security_groups = [aws_security_group.alb.id]
+  subnets         = var.alb_subnet_ids
+}
+
+resource "aws_lb_listener" "this" {
+  load_balancer_arn = aws_lb.this.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.this.arn
+  }
+}
+
+resource "aws_lb_listener_rule" "this" {
+  listener_arn = aws_lb_listener.this.arn
+  priority     = 1
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.this.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/"]
+    }
+  }
+}
+
+resource "aws_lb_target_group" "this" {
+  name                 = "${var.deployment_name}-target"
+  vpc_id               = var.vpc_id
+  deregistration_delay = 30
+  port                 = 80
+  protocol             = "HTTP"
+  target_type          = "ip"
+
+
+  health_check {
+    interval            = 10
+    path                = "/api/checkHealth"
+    protocol            = "HTTP"
+    timeout             = 5
+    healthy_threshold   = 3
+    unhealthy_threshold = 2
+  }
+}
\ No newline at end of file
diff --git a/modules/aws_ecs_fargate/locals.tf b/modules/aws_ecs_fargate/locals.tf
new file mode 100644
index 0000000..a13bd66
--- /dev/null
+++ b/modules/aws_ecs_fargate/locals.tf
@@ -0,0 +1,72 @@
+locals {
+  environment_variables = concat(
+    var.additional_env_vars, # add additional environment variables
+    [
+      {
+        name  = "NODE_ENV"
+        value = var.node_env
+      },
+      {
+        name  = "FORCE_DEPLOYMENT"
+        value = tostring(var.force_deployment)
+      },
+      {
+        name  = "POSTGRES_DB"
+        value = "hammerhead_production"
+      },
+      {
+        name  = "POSTGRES_HOST"
+        value = aws_db_instance.this.address
+      },
+      {
+        name  = "POSTGRES_SSL_ENABLED"
+        value = "true"
+      },
+      {
+        name  = "POSTGRES_PORT"
+        value = "5432"
+      },
+      {
+        "name"  = "POSTGRES_USER",
+        "value" = var.rds_username
+      },
+      {
+        "name"  = "POSTGRES_PASSWORD",
+        "value" = random_string.rds_password.result
+      },
+      {
+        "name" : "JWT_SECRET",
+        "value" : random_string.jwt_secret.result
+      },
+      {
+        "name" : "ENCRYPTION_KEY",
+        "value" : random_string.encryption_key.result
+      },
+      {
+        "name" : "LICENSE_KEY",
+        "value" : var.retool_license_key
+      }
+    ]
+  )
+
+  stack_name                          = "${var.deployment_name}"
+  database_name                       =  aws_db_instance.this.db_name
+  db_subnet_group_name                = "${var.deployment_name}-subnet-group"
+  retool_image                        = "${var.ecs_retool_image}"
+  retool_alb_ingress_port             = var.alb_listener_certificate_arn != null ? "443" : var.retool_alb_ingress_port
+  retool_alb_listener_protocol        = var.alb_listener_certificate_arn != null ? "HTTPS" : var.aws_lb_listener_protocol
+  retool_alb_listener_ssl_policy      = var.alb_listener_certificate_arn != null ? var.alb_listener_ssl_policy : null
+  retool_alb_listener_certificate_arn = var.alb_listener_certificate_arn
+  retool_url_port                     = local.retool_alb_ingress_port != "443" ? ":${local.retool_alb_ingress_port}" : ""
+
+  retool_jwt_secret = {
+    password = aws_secretsmanager_secret_version.jwt_secret
+  }
+  retool_encryption_key_secret = {
+    password = random_string.encryption_key.result
+  }
+  retool_rds_secret = {
+    username = "retool"
+    password = aws_secretsmanager_secret.rds_password
+  }
+}
diff --git a/modules/aws_ecs_fargate/main.tf b/modules/aws_ecs_fargate/main.tf
new file mode 100644
index 0000000..a9b647a
--- /dev/null
+++ b/modules/aws_ecs_fargate/main.tf
@@ -0,0 +1,240 @@
+terraform {
+  required_providers {
+    aws = {
+        source = "hashicorp/aws"
+        version = "~> 4.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+resource "aws_ecs_cluster" "this" {
+  name = "${var.deployment_name}-ecs"
+
+  setting {
+    name  = "containerInsights"
+    value = var.ecs_insights_enabled
+  }
+}
+
+resource "aws_cloudwatch_log_group" "this" {
+  name              = "${var.deployment_name}-ecs-log-group"
+  retention_in_days = var.log_retention_in_days
+}
+
+resource "aws_db_subnet_group" "this" {
+  name       = local.db_subnet_group_name
+  subnet_ids = var.rds_subnet_ids
+}
+
+resource "aws_db_instance" "this" {
+  identifier                    = "${var.deployment_name}-rds-instance"
+  allocated_storage            = 80
+  instance_class               = var.rds_instance_class
+  engine                       = "postgres"
+  engine_version               = "13.7"
+  db_name                      = "hammerhead_production"
+  username                     = aws_secretsmanager_secret_version.rds_username.secret_string
+  password                     = aws_secretsmanager_secret_version.rds_password.secret_string
+  port                         = 5432
+  publicly_accessible          = var.rds_publicly_accessible
+  db_subnet_group_name         = local.db_subnet_group_name
+  vpc_security_group_ids       = [aws_security_group.rds.id]
+  performance_insights_enabled = var.rds_performance_insights_enabled
+  
+  skip_final_snapshot          = true
+  apply_immediately           = true
+
+  depends_on = [
+    aws_db_subnet_group.this
+  ]
+}
+
+resource "aws_ecs_service" "retool" {
+  name                               = "${var.deployment_name}-main-service"
+  cluster                            = aws_ecs_cluster.this.id
+  task_definition                    = aws_ecs_task_definition.retool.arn
+  desired_count                      = var.ecs_service_count
+  deployment_maximum_percent         = var.maximum_percent
+  deployment_minimum_healthy_percent = var.minimum_healthy_percent
+  launch_type                        = "FARGATE"
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.this.arn
+    container_name   = "retool"
+    container_port   = 3000
+  }
+
+  network_configuration {
+    subnets         = var.ecs_tasks_subnet_ids
+    security_groups = [aws_security_group.ecs_tasks.id]
+  }
+}
+
+resource "aws_ecs_task_definition" "retool" {
+    family                   = "${var.deployment_name}-backend"
+    requires_compatibilities = ["FARGATE"]
+    network_mode             = var.ecs_task_network_mode
+    cpu                      = var.ecs_task_cpu
+    memory                   = var.ecs_task_memory
+    task_role_arn            = aws_iam_role.task_role.arn
+    execution_role_arn       = aws_iam_role.execution_role.arn
+    container_definitions    = <<TASK_DEFINITION
+[
+  {
+    "command": ["./docker_scripts/start_api.sh"],
+    "environment": [
+      {"name": "NODE_ENV", "value": "${var.node_env}"},
+      {"name": "SERVICE_TYPE", "value": "MAIN_BACKEND,DB_CONNECTOR"},
+      {"name": "FORCE_DEPLOYMENT", "value": "${var.force_deployment}"},
+      {"name": "POSTGRES_DB", "value": "hammerhead_production"},
+      {"name": "POSTGRES_HOST", "value": "${aws_db_instance.this.address}"},
+      {"name": "POSTGRES_SSL_ENABLED", "value": "${var.postgresql_ssl_enabled}"},
+      {"name": "POSTGRES_PORT", "value": "${var.postgresql_db_port}"},
+      {"name": "POSTGRES_USER", "value": "${aws_secretsmanager_secret_version.rds_username.secret_string}"},
+      {"name": "POSTGRES_PASSWORD", "value": "${aws_secretsmanager_secret_version.rds_password.secret_string}"},
+      {"name": "JWT_SECRET", "value": "${random_string.jwt_secret.result}"},
+      {"name": "ENCRYPTION_KEY", "value": "${random_string.encryption_key.result}"},
+      {"name": "LICENSE_KEY", "value": "${var.retool_license_key}"},
+      {"name": "COOKIE_INSECURE", "value": "${var.cookie_insecure}"}
+    ],
+    "logConfiguration": {
+      "logDriver": "${var.retool_ecs_tasks_logdriver}",
+      "options": {
+        "awslogs-group": "${aws_cloudwatch_log_group.this.name}",
+        "awslogs-region": "${var.aws_region}",
+        "awslogs-stream-prefix": "${var.retool_ecs_tasks_log_prefix}"
+      }
+    },
+    "essential": true,
+    "image": "${local.retool_image}",
+    "name": "${var.retool_task_container_name}",
+    "portMappings": [
+      {
+        "containerPort": ${var.retool_task_container_port}
+      }
+    ]
+  }
+]
+TASK_DEFINITION
+}
+
+resource "aws_ecs_service" "jobs_runner" {
+  name            = "${var.deployment_name}-jobs-runner-service"
+  cluster         = aws_ecs_cluster.this.id
+  desired_count   = 1
+  task_definition = aws_ecs_task_definition.retool_jobs_runner.arn
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    subnets         = var.ecs_tasks_subnet_ids
+    security_groups = [aws_security_group.ecs_tasks.id]
+  }
+}
+
+resource "aws_ecs_task_definition" "retool_jobs_runner" {
+    family                   = "${var.deployment_name}-jobs-runner"
+    requires_compatibilities = ["FARGATE"]
+    network_mode             = var.ecs_task_network_mode
+    cpu                      = var.ecs_task_cpu
+    memory                   = var.ecs_task_memory
+    task_role_arn            = aws_iam_role.task_role.arn
+    execution_role_arn       = aws_iam_role.execution_role.arn
+    container_definitions    = <<TASK_DEFINITION
+[
+  {
+    "command": ["./docker_scripts/start_api.sh"],
+    "environment": [
+      {"name": "NODE_ENV", "value": "${var.node_env}"},
+      {"name": "SERVICE_TYPE", "value": "JOBS_RUNNER"},
+      {"name": "FORCE_DEPLOYMENT", "value": "${var.force_deployment}"},
+      {"name": "POSTGRES_DB", "value": "hammerhead_production"},
+      {"name": "POSTGRES_HOST", "value": "${aws_db_instance.this.address}"},
+      {"name": "POSTGRES_SSL_ENABLED", "value": "${var.postgresql_ssl_enabled}"},
+      {"name": "POSTGRES_PORT", "value": "${var.postgresql_db_port}"},
+      {"name": "POSTGRES_USER", "value": "${aws_secretsmanager_secret_version.rds_username.secret_string}"},
+      {"name": "POSTGRES_PASSWORD", "value": "${aws_secretsmanager_secret_version.rds_password.secret_string}"},
+      {"name": "JWT_SECRET", "value": "${random_string.jwt_secret.result}"},
+      {"name": "ENCRYPTION_KEY", "value": "${random_string.encryption_key.result}"},
+      {"name": "LICENSE_KEY", "value": "${var.retool_license_key}"},
+      {"name": "COOKIE_INSECURE", "value": "${var.cookie_insecure}"}
+    ],
+    "logConfiguration": {
+      "logDriver": "${var.retool_ecs_tasks_logdriver}",
+      "options": {
+        "awslogs-group": "${aws_cloudwatch_log_group.this.name}",
+        "awslogs-region": "${var.aws_region}",
+        "awslogs-stream-prefix": "${var.retool_ecs_tasks_log_prefix}"
+      }
+    },
+    "essential": true,
+    "image": "${local.retool_image}",
+    "name": "${var.retool_task_container_name}",
+    "portMappings": [
+      {
+        "containerPort": ${var.retool_task_container_port}
+      }
+    ]
+  }
+]
+TASK_DEFINITION
+}
+
+# resource "aws_iam_role" "retool_service_role" {
+#   name = "${var.deployment_name}-service-role"
+#   path = "/"
+#   assume_role_policy = jsonencode({
+#     Version = "2012-10-17"
+#     Statement = [
+#       {
+#         Action = "sts:AssumeRole"
+#         Effect = "Allow"
+#         Principal = {
+#           Service = "ecs.amazonaws.com"
+#         }
+#       }
+#     ]
+#   })
+
+#   inline_policy {
+#     name = "${var.deployment_name}-env-service-policy"
+
+#     policy = jsonencode({
+#       Version = "2012-10-17"
+#       Statement = [
+#         {
+#           Action = [
+#             "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+#             "elasticloadbalancing:DeregisterTargets",
+#             "elasticloadbalancing:Describe*",
+#             "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+#             "elasticloadbalancing:RegisterTargets",
+#             "ec2:Describe*",
+#             "ec2:AuthorizeSecurityGroupIngress"
+#           ]
+#           Effect   = "Allow"
+#           Resource = "*"
+#       }]
+#     })
+#   }
+# }
+
+# resource "aws_iam_role" "retool_task_role" {
+#   name = "${var.deployment_name}-task-role"
+#   path = "/"
+#   assume_role_policy = jsonencode({
+#     Version = "2012-10-17"
+#     Statement = [
+#       {
+#         Action = "sts:AssumeRole"
+#         Effect = "Allow"
+#         Principal = {
+#           Service = "ecs-tasks.amazonaws.com"
+#         }
+#       }
+#     ]
+#   })
+# }
diff --git a/modules/aws_ecs_fargate/outputs.tf b/modules/aws_ecs_fargate/outputs.tf
new file mode 100644
index 0000000..84a7018
--- /dev/null
+++ b/modules/aws_ecs_fargate/outputs.tf
@@ -0,0 +1,44 @@
+output "ecs_alb_url" {
+  value       = aws_lb.this.dns_name
+  description = "Retool ALB DNS url (where Retool is running)"
+}
+
+output "ecs_alb_arn" {
+  value       = aws_lb.this.arn
+  description = "Retool ALB arn"
+}
+
+output "ecs_cluster_name" {
+  value       = aws_ecs_cluster.this.name
+  description = "Name of AWS ECS Cluster"
+}
+
+output "ecs_cluster_arn" {
+  value       = aws_ecs_cluster.this.arn
+  description = "ARN of AWS ECS Cluster"
+}
+
+output "ecs_cluster_id" {
+  value       = aws_ecs_cluster.this.id
+  description = "ID of AWS ECS Cluster"
+}
+
+output "rds_instance_id" {
+  value       = aws_db_instance.this.id
+  description = "ID of AWS RDS instance"
+}
+
+output "rds_instance_address" {
+  value       = aws_db_instance.this.address
+  description = "Hostname of the RDS instance"
+}
+
+output "rds_instance_arn" {
+  value       = aws_db_instance.this.arn
+  description = "ARN of RDS instance"
+}
+
+output "rds_instance_name" {
+  value       = aws_db_instance.this.db_name
+  description = "Name of RDS instance"
+}
diff --git a/modules/aws_ecs_fargate/roles.tf b/modules/aws_ecs_fargate/roles.tf
new file mode 100644
index 0000000..fff5cfa
--- /dev/null
+++ b/modules/aws_ecs_fargate/roles.tf
@@ -0,0 +1,96 @@
+data "aws_iam_policy_document" "service_role_assume_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "task_role_assume_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "task_role" {
+  name               = "${var.deployment_name}-task-role"
+  assume_role_policy = data.aws_iam_policy_document.task_role_assume_policy.json
+  path               = "/"
+}
+
+
+data "aws_iam_policy_document" "service_role_policy" {
+  statement {
+    actions = [
+      "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+      "elasticloadbalancing:DeregisterTargets",
+      "elasticloadbalancing:Describe*",
+      "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+      "elasticloadbalancing:RegisterTargets",
+      "ec2:Describe*",
+      "ec2:AuthorizeSecurityGroupIngress"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_role" "service_role" {
+  name               = "${var.deployment_name}-service-role"
+  assume_role_policy = data.aws_iam_policy_document.service_role_assume_policy.json
+  path               = "/"
+
+  inline_policy {
+    name   = "${var.deployment_name}-service-policy"
+    policy = data.aws_iam_policy_document.service_role_policy.json
+  }
+}
+
+resource "aws_iam_role" "execution_role" {
+  name = "${var.deployment_name}-execution-role"
+  path = "/"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  inline_policy {
+    name = "${var.deployment_name}-env-execution-policy"
+
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Action = [
+            "ecr:GetAuthorizationToken",
+            "ecr:BatchCheckLayerAvailability",
+            "ecr:GetDownloadUrlForLayer",
+            "ecr:BatchGetImage",
+            "ecr:PutImage",
+            "ecr:InitiateLayerUpload",
+            "ecr:UploadLayerPart",
+            "ecr:CompleteLayerUpload",
+            "logs:CreateLogStream",
+            "logs:PutLogEvents"
+          ]
+          Effect   = "Allow"
+          Resource = "*"
+      }]
+    })
+  }
+}
\ No newline at end of file
diff --git a/modules/aws_ecs_fargate/secrets.tf b/modules/aws_ecs_fargate/secrets.tf
new file mode 100644
index 0000000..f47ca3a
--- /dev/null
+++ b/modules/aws_ecs_fargate/secrets.tf
@@ -0,0 +1,59 @@
+resource "random_string" "rds_password" {
+  length  = var.secret_length
+  special = false
+}
+
+resource "aws_secretsmanager_secret" "rds_password" {
+  name        = "${var.deployment_name}-rds-password"
+  description = "This is the password for the Retool RDS instance"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "rds_password" {
+  secret_id     = aws_secretsmanager_secret.rds_password.id
+  secret_string = random_string.rds_password.result
+}
+
+resource "aws_secretsmanager_secret" "rds_username" {
+  name        = "${var.deployment_name}-rds-username"
+  description = "This is the username for the Retool RDS instance"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "rds_username" {
+  secret_id     = aws_secretsmanager_secret.rds_username.id
+  secret_string = var.rds_username
+}
+
+resource "random_string" "jwt_secret" {
+  length  = var.secret_length
+  special = false
+}
+
+resource "aws_secretsmanager_secret" "jwt_secret" {
+  name        = "${var.deployment_name}-jwt-secret"
+  description = "This is the secret for Retool JWTs"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "jwt_secret" {
+  secret_id     = aws_secretsmanager_secret.jwt_secret.id
+  secret_string = random_string.jwt_secret.result
+}
+
+
+resource "random_string" "encryption_key" {
+  length  = var.secret_length
+  special = false
+}
+
+resource "aws_secretsmanager_secret" "encryption_key" {
+  name        = "${var.deployment_name}-encryption-key"
+  description = "This is the secret for encrypting credentials"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "encryption_key" {
+  secret_id     = aws_secretsmanager_secret.encryption_key.id
+  secret_string = random_string.encryption_key.result
+}
diff --git a/modules/aws_ecs_fargate/security.tf b/modules/aws_ecs_fargate/security.tf
new file mode 100644
index 0000000..63161a0
--- /dev/null
+++ b/modules/aws_ecs_fargate/security.tf
@@ -0,0 +1,87 @@
+resource "aws_security_group" "rds" {
+  name        = "${var.deployment_name}-rds-security-group"
+  description = "Retool database security group"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_vpc_security_group_ingress_rule" "rds_ingress_from_ecs_tasks" {
+  security_group_id = aws_security_group.rds.id
+
+  description                  = "Postgres ingress from ECS tasks"
+  from_port                    = "5432"
+  to_port                      = "5432"
+  ip_protocol                  = "tcp"
+  referenced_security_group_id = aws_security_group.ecs_tasks.id
+}
+
+resource "aws_security_group" "alb" {
+  name        = "${var.deployment_name}-alb-security-group"
+  description = "Retool load balancer security group"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_vpc_security_group_ingress_rule" "alb_ingress" {
+  for_each = var.alb_ingress_rules_map
+
+  security_group_id = aws_security_group.alb.id
+
+  description                  = each.value.description
+  from_port                    = each.value.from_port
+  to_port                      = each.value.to_port
+  ip_protocol                  = each.value.ip_protocol
+  cidr_ipv4                    = each.value.cidr_ipv4
+  cidr_ipv6                    = each.value.cidr_ipv6
+  prefix_list_id               = each.value.prefix_list_id
+  referenced_security_group_id = each.value.referenced_security_group_id
+}
+
+resource "aws_vpc_security_group_egress_rule" "alb_egress_to_ecs_tasks" {
+  security_group_id = aws_security_group.alb.id
+
+  description                  = "HTTP to ECS tasks"
+  from_port                    = var.retool_task_container_port
+  to_port                      = var.retool_task_container_port
+  ip_protocol                  = "tcp"
+  referenced_security_group_id = aws_security_group.ecs_tasks.id
+}
+
+resource "aws_security_group" "ecs_tasks" {
+  name        = "${var.deployment_name}-ecs-tasks-security-group"
+  description = "Retool ECS tasks security group"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_vpc_security_group_ingress_rule" "ecs_tasks_ingress_from_alb" {
+  security_group_id = aws_security_group.ecs_tasks.id
+
+  description                  = "HTTP from ALB"
+  from_port                    = var.retool_task_container_port
+  to_port                      = var.retool_task_container_port
+  ip_protocol                  = "tcp"
+  referenced_security_group_id = aws_security_group.alb.id
+}
+
+resource "aws_vpc_security_group_egress_rule" "ecs_tasks_egress_to_rds" {
+  security_group_id = aws_security_group.ecs_tasks.id
+
+  description                  = "Postgres egress to RDS"
+  from_port                    = "5432"
+  to_port                      = "5432"
+  ip_protocol                  = "tcp"
+  referenced_security_group_id = aws_security_group.rds.id
+}
+
+resource "aws_vpc_security_group_egress_rule" "ecs_tasks_egress_extra" {
+  for_each = var.ecs_tasks_extra_egress_rules_map
+
+  security_group_id = aws_security_group.ecs_tasks.id
+
+  description                  = each.value.description
+  from_port                    = each.value.from_port
+  to_port                      = each.value.to_port
+  ip_protocol                  = each.value.ip_protocol
+  cidr_ipv4                    = each.value.cidr_ipv4
+  cidr_ipv6                    = each.value.cidr_ipv6
+  prefix_list_id               = each.value.prefix_list_id
+  referenced_security_group_id = each.value.referenced_security_group_id
+}
diff --git a/modules/aws_ecs_fargate/variables.tf b/modules/aws_ecs_fargate/variables.tf
new file mode 100644
index 0000000..86c25ad
--- /dev/null
+++ b/modules/aws_ecs_fargate/variables.tf
@@ -0,0 +1,323 @@
+variable "aws_region" {
+  type        = string
+  default     = "us-east-1"
+  description = "AWS region. Defaults to `us-east-1`"
+}
+
+variable "node_env" {
+  type        = string
+  default     = "production"
+  description = "Value for NODE_ENV variable. Defaults to `production` and should not be set to any other value, regardless of environment."
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "Select a VPC that allows instances access to the Internet."
+}
+
+variable "ecs_tasks_subnet_ids" {
+  type        = list(string)
+  description = "Subnets for Fargate tasks (probably private)."
+}
+
+variable "deployment_name" {
+  type        = string
+  description = "Name prefix for created resources. Defaults to `retool`."
+  default     = "retool"
+}
+
+variable "alb_subnet_ids" {
+  type        = list(string)
+  description = "Public subnets for Load Balancer."
+}
+
+variable "ecs_insights_enabled" {
+  type        = string
+  default     = "enabled"
+  description = "Whether or not to enable ECS Container Insights. Defaults to `enabled`"
+}
+
+variable "retool_license_key" {
+  type        = string
+  description = "Retool license key"
+  default     = "EXPIRED-LICENSE-KEY-TRIAL"
+}
+
+variable "cookie_insecure" {
+  type        = bool
+  default     = true
+  description = "Whether to allow insecure cookies. Should be turned off when serving on HTTPS. Defaults to true."
+}
+
+variable "ecs_task_cpu" {
+  type        = number
+  default     = 1024
+  description = "Amount of CPU provisioned for each task. Defaults to 1024."
+}
+
+variable "ecs_task_memory" {
+  type        = number
+  default     = 2048
+  description = "Amount of memory provisioned for each task. Defaults to 2048."
+}
+
+variable "ecs_task_network_mode" {
+  description = "The Docker networking mode to use for the containers in the task"
+  type        = string
+  default     = "awsvpc"
+}
+
+variable "log_retention_in_days" {
+  type        = number
+  default     = 14
+  description = "Number of days to retain logs in CloudWatch. Defaults to 14."
+}
+
+variable "rds_username" {
+  type        = string
+  default     = "retool"
+  description = "Master username for the RDS instance. Defaults to Retool."
+}
+
+variable "rds_instance_class" {
+  type        = string
+  default     = "db.m6g.large"
+  description = "Instance class for RDS. Defaults to `db.m6g.large`"
+}
+
+variable "rds_publicly_accessible" {
+  type        = bool
+  default     = false
+  description = "Whether the RDS instance should be publicly accessible. Defaults to false."
+}
+
+variable "rds_performance_insights_enabled" {
+  type        = bool
+  default     = true
+  description = "Whether to enable Performance Insights for RDS. Defaults to true."
+}
+
+variable "rds_subnet_ids" {
+  type        = list(string)
+  description = "Select at least two subnets for the RDS instance."
+}
+
+variable "secret_length" {
+  type        = number
+  default     = 48
+  description = "Length of secrets generated (e.g. ENCRYPTION_KEY, RDS_PASSWORD). Defaults to 48."
+}
+
+variable "ecs_service_count" {
+  description = "Number of instances of the task definition to place and keep running"
+  type        = number
+  default     = "2"
+}
+
+variable "maximum_percent" {
+  type        = number
+  default     = 250
+  description = "Maximum percentage of tasks to run during a deployment. Defaults to 250."
+}
+
+variable "minimum_healthy_percent" {
+  type        = number
+  default     = 50
+  description = "Minimum percentage of tasks to run during a deployment. Defaults to 50."
+}
+
+variable "ecs_retool_image" {
+  type        = string
+  description = "Container image for desired Retool version. Defaults to `2.106.2`"
+  default     = "tryretool/backend:2.106.2"
+}
+
+variable "alb_listener_certificate_arn" {
+  description = "Certificate Manager ARN use in ALB listener"
+  type        = string
+  default     = null
+}
+
+variable "alb_ingress_rules_map" {
+  type = map(
+    object({
+      description                  = string
+      from_port                    = string
+      to_port                      = string
+      ip_protocol                  = string
+      cidr_ipv4                    = string # preferably optional(string) but reqs tf v1.3+
+      cidr_ipv6                    = string # preferably optional(string) but reqs tf v1.3+
+      prefix_list_id               = string # preferably optional(string) but reqs tf v1.3+
+      referenced_security_group_id = string # preferably optional(string) but reqs tf v1.3+
+    })
+  )
+  default = {
+    global_http_in = {
+      description                  = "Global HTTP inbound"
+      from_port                    = "80"
+      to_port                      = "80"
+      ip_protocol                  = "tcp"
+      cidr_ipv4                    = "0.0.0.0/0"
+      cidr_ipv6                    = "::/0"
+      prefix_list_id               = null # not needed if optional(string) implemented above
+      referenced_security_group_id = null # not needed if optional(string) implemented above
+    }
+  }
+  description = "Ingress rules for load balancer"
+}
+
+variable "alb_extra_egress_rules_map" {
+  type = map(
+    object({
+      description                  = string
+      from_port                    = string
+      to_port                      = string
+      ip_protocol                  = string
+      cidr_ipv4                    = string
+      cidr_ipv6                    = string
+      prefix_list_id               = string
+      referenced_security_group_id = string
+    })
+  )
+  default     = {}
+  description = "Extra egress rules (beyond connectivity to Fargate tasks) for load balancer"
+}
+
+variable "ecs_tasks_extra_ingress_rules_map" {
+  type = map(
+    object({
+      description                  = string
+      from_port                    = string
+      to_port                      = string
+      ip_protocol                  = string
+      cidr_ipv4                    = string # preferably optional(string) but reqs tf v1.3+
+      cidr_ipv6                    = string # preferably optional(string) but reqs tf v1.3+
+      prefix_list_id               = string # preferably optional(string) but reqs tf v1.3+
+      referenced_security_group_id = string # preferably optional(string) but reqs tf v1.3+
+    })
+  )
+  default     = {}
+  description = "Extra ingress rules for ECS tasks (beyond connectivity from ALB)"
+}
+
+variable "ecs_tasks_extra_egress_rules_map" {
+  type = map(
+    object({
+      description                  = string
+      from_port                    = string
+      to_port                      = string
+      ip_protocol                  = string
+      cidr_ipv4                    = string
+      cidr_ipv6                    = string
+      prefix_list_id               = string
+      referenced_security_group_id = string
+    })
+  )
+  default = {
+    global_https_out_ipv4 = {
+      description                  = "Global HTTPS outbound IPv4"
+      from_port                    = "443"
+      to_port                      = "443"
+      ip_protocol                  = "tcp"
+      cidr_ipv4                    = "0.0.0.0/0"
+      cidr_ipv6                    = null # not needed if optional(string) implemented above
+      prefix_list_id               = null # not needed if optional(string) implemented above
+      referenced_security_group_id = null # not needed if optional(string) implemented above
+    }
+    global_https_out_ipv6 = {
+      description                  = "Global HTTPS outbound IPv6"
+      from_port                    = "443"
+      to_port                      = "443"
+      ip_protocol                  = "tcp"
+      cidr_ipv4                    = null # not needed if optional(string) implemented above
+      cidr_ipv6                    = "::/0"
+      prefix_list_id               = null # not needed if optional(string) implemented above
+      referenced_security_group_id = null # not needed if optional(string) implemented above
+    }
+  }
+  description = "Extra egress rules for Fargate tasks (beyond connectivity to RDS) (must allow outbound to container registry; also see https://docs.retool.com/docs/network-storage-requirements)"
+}
+
+variable "alb_idle_timeout" {
+  type        = number
+  default     = 60
+  description = "The time in seconds that the connection is allowed to be idle. Defaults to 60."
+}
+
+variable "additional_env_vars" {
+  type        = list(map(string))
+  default     = []
+  description = "Additional environment variables (e.g. BASE_DOMAIN)"
+}
+
+variable "force_deployment" {
+  type        = string
+  default     = false
+  description = "Used to force the deployment even when the image and parameters are otherwised unchanged. Defaults to false."
+}
+
+variable "alb_listener_ssl_policy" {
+  description = "retool_alb_listener_ssl_policy"
+  type        = string
+  default     = "ELBSecurityPolicy-2016-08"
+}
+
+variable "aws_lb_listener_protocol" {
+  description = "AWS ALB listening protocol e.g HTTP, HTTPS etc"
+  type        = string
+  default     = "HTTP"
+}
+
+variable "aws_alb_target_group_protocol" {
+  description = "Protocol ALB should use to talk with target group e.g HTTP, HTTPS etc"
+  type        = string
+  default     = "HTTP"
+}
+
+variable "retool_alb_ingress_port" {
+  description = "Retool ALB ingress port"
+  type        = number
+  default     = "3000"
+}
+
+variable "retool_task_container_port" {
+  description = "Retool task listening port"
+  type        = number
+  default     = "3000"
+}
+
+variable "retool_task_container_name" {
+  description = "Name of Retool task"
+  type        = string
+  default     = "retool"
+}
+
+variable "retool_task_container_cookie_insecure" {
+  description = "Allow cookies to be insecure e.g. not using Retool over https"
+  type        = bool
+  default     = true
+}
+
+variable "postgresql_ssl_enabled" {
+  description = "Enable or disable postgresql SSL"
+  type        = bool
+  default     = true
+}
+
+variable "postgresql_db_port" {
+  description = "Postgresql RDS listening port"
+  type        = number
+  default     = "5432"
+}
+
+variable "retool_ecs_tasks_logdriver" {
+  description = "Send log information to CloudWatch Logs"
+  type        = string
+  default     = "awslogs"
+}
+
+variable "retool_ecs_tasks_log_prefix" {
+  description = "Associate a log stream with the specified prefix, the container name, and the ID of the Amazon ECS task that the container belongs to"
+  type        = string
+  default     = "SERVICE_RETOOL"
+}