diff --git a/go.mod b/go.mod
index 2073c39c9..8abf4f0ad 100644
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 // indirect
 	github.com/gobuffalo/logger v1.0.1 // indirect
 	github.com/gobuffalo/packr/v2 v2.5.2
+	github.com/google/uuid v1.1.1
 	github.com/gorilla/mux v1.7.3
 	github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a // indirect
 	github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88 // indirect
diff --git a/go.sum b/go.sum
index 3f777d374..64b7e0de4 100644
--- a/go.sum
+++ b/go.sum
@@ -26,6 +26,8 @@ github.com/gobuffalo/packd v0.3.0 h1:eMwymTkA1uXsqxS0Tpoop3Lc0u3kTfiMBE6nKtQU4g4
 github.com/gobuffalo/packd v0.3.0/go.mod h1:zC7QkmNkYVGKPw4tHpBQ+ml7W/3tIebgeo1b36chA3Q=
 github.com/gobuffalo/packr/v2 v2.5.2 h1:4EvjeIpQLZuRIljwnidYgbRXbr1yIzVRrESiLjqKj6s=
 github.com/gobuffalo/packr/v2 v2.5.2/go.mod h1:sgEE1xNZ6G0FNN5xn9pevVu4nywaxHvgup67xisti08=
+github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
 github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
diff --git a/internal/generate/generate_helper.go b/internal/generate/generate_helper.go
index f1fb24957..bba082b18 100644
--- a/internal/generate/generate_helper.go
+++ b/internal/generate/generate_helper.go
@@ -18,12 +18,12 @@ import (
 
 func GenerateArtifactsHelper(t *templator.Templator, cfg *config.Commit0Config, pathPrefix string, runInit bool, runApply bool) {
 	var wg sync.WaitGroup
-	if !util.ValidateLanguage(cfg.Frontend.Framework) {
+	if cfg.Frontend.Framework != "" && !util.ValidateLanguage(cfg.Frontend.Framework) {
 		log.Fatalln(aurora.Red(emoji.Sprintf(":exclamation: '%s' is not a supported framework.", cfg.Frontend.Framework)))
 	}
 
 	for _, s := range cfg.Services {
-		if !util.ValidateLanguage(cfg.Frontend.Framework) {
+		if !util.ValidateLanguage(s.Language) {
 			log.Fatalln(aurora.Red(emoji.Sprintf(":exclamation: '%s' in service '%s' is not a supported language.", s.Name, s.Language)))
 		}
 	}
diff --git a/internal/generate/terraform/generate.go b/internal/generate/terraform/generate.go
index 7b46c24c1..fee8d78af 100644
--- a/internal/generate/terraform/generate.go
+++ b/internal/generate/terraform/generate.go
@@ -17,11 +17,11 @@ import (
 
 // @TODO : These are specific to a k8s version. If we make the version a config option we will need to change this
 var amiLookup = map[string]string{
-	"us-east-1":    "ami-0392bafc801b7520f",
-	"us-east-2":    "ami-082bb518441d3954c",
-	"us-west-2":    "ami-05d586e6f773f6abf",
-	"eu-west-1":    "ami-059c6874350e63ca9",
-	"eu-central-1": "ami-0e21bc066a9dbabfa",
+	"us-east-1":    "ami-07d6c8e62ce328a10",
+	"us-east-2":    "ami-053250833d1030033",
+	"us-west-2":    "ami-07be7092831897fd6",
+	"eu-west-1":    "ami-02dca57ad67c7bf57",
+	"eu-central-1": "ami-03fbd442f4f3aa689",
 }
 
 func Generate(t *templator.Templator, cfg *config.Commit0Config, wg *sync.WaitGroup, pathPrefix string) {
@@ -68,7 +68,9 @@ func Init(cfg *config.Commit0Config, pathPrefix string) {
 		// @TODO : A check here would be nice to see if this stuff exists first, mostly for testing
 		log.Println(aurora.Cyan(emoji.Sprintf(":alarm_clock: Initializing remote backend...")))
 		util.ExecuteCommand(exec.Command("terraform", "init"), filepath.Join(pathPrefix, "bootstrap/remote-state"), envars)
-		util.ExecuteCommand(exec.Command("terraform", "apply", "-auto-approve"), filepath.Join(pathPrefix, "bootstrap/remote-state"), envars)
+		// @TODO : Properly loop through environments when we support that
+		util.ExecuteCommand(exec.Command("terraform", "apply", "-auto-approve", "-var", "environment=staging", "-state-out=staging.tfstate"), filepath.Join(pathPrefix, "bootstrap/remote-state"), envars)
+		util.ExecuteCommand(exec.Command("terraform", "apply", "-auto-approve", "-var", "environment=production", "-state-out=staging.tfstate"), filepath.Join(pathPrefix, "bootstrap/remote-state"), envars)
 
 		log.Println("Creating users...")
 		util.ExecuteCommand(exec.Command("terraform", "init"), filepath.Join(pathPrefix, "bootstrap/create-users"), envars)
diff --git a/internal/util/util.go b/internal/util/util.go
index 855b5e48a..9c8e5bbce 100644
--- a/internal/util/util.go
+++ b/internal/util/util.go
@@ -12,6 +12,7 @@ import (
 	"text/template"
 
 	"github.com/kyokomi/emoji"
+	"github.com/google/uuid"
 	"github.com/logrusorgru/aurora"
 )
 
@@ -31,6 +32,7 @@ var FuncMap = template.FuncMap{
 	"Title":             strings.Title,
 	"ToLower":           strings.ToLower,
 	"CleanGoIdentifier": CleanGoIdentifier,
+	"GenerateUUID":      uuid.New,
 }
 
 func GetCwd() string {
diff --git a/templates/commit0/commit0.tmpl b/templates/commit0/commit0.tmpl
index 9035c5115..20bd2027b 100644
--- a/templates/commit0/commit0.tmpl
+++ b/templates/commit0/commit0.tmpl
@@ -19,11 +19,13 @@ infrastructure:
       enabled: true
 
 frontend:
-  framework: {{.FrontendFramework}}
+  framework: {{.FrontendFramework }}
   ci:
     system: github
   app:
-    name: {{.ProjectName}}
+    name: {{.ProjectName }}
+  app:
+    name: {{.FrontendHostname }}
 
 services:
   {{range .Services}}
diff --git a/templates/kubernetes/terraform/environments/development/main.tf b/templates/kubernetes/terraform/environments/development/main.tf
index 552440f1b..fbf7e5065 100644
--- a/templates/kubernetes/terraform/environments/development/main.tf
+++ b/templates/kubernetes/terraform/environments/development/main.tf
@@ -1,10 +1,10 @@
 terraform {
   backend "s3" {
-    bucket         = "project-{{ .Config.Name }}-terraform-state"
+    bucket         = "{{ .Config.Name }}-development-terraform-state"
     key            = "infrastructure/terraform/environments/development/kubernetes"
     encrypt        = true
     region         = "{{ .Config.Infrastructure.AWS.Region }}"
-    dynamodb_table = "{{ .Config.Name }}-terraform-state-locks"
+    dynamodb_table = "{{ .Config.Name }}-development-terraform-state-locks"
   }
 }
 
@@ -20,6 +20,10 @@ module "kubernetes" {
 
   # Assume-role policy used by monitoring fluentd daemonset
   assume_role_policy = data.aws_iam_policy_document.assumerole_root_policy.json
+
+  external_dns_zone = "{{ .Config.Frontend.Hostname }}"
+  external_dns_owner_id = "{{ GenerateUUID }}"
+  external_dns_assume_roles = [ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/k8s-{{ .Config.Infrastructure.AWS.EKS.ClusterName }}-workers" ]
 }
 
 # Data sources for EKS IAM
diff --git a/templates/kubernetes/terraform/environments/production/main.tf b/templates/kubernetes/terraform/environments/production/main.tf
index 9a394bf15..d3fc76c1f 100644
--- a/templates/kubernetes/terraform/environments/production/main.tf
+++ b/templates/kubernetes/terraform/environments/production/main.tf
@@ -1,10 +1,10 @@
 terraform {
   backend "s3" {
-    bucket         = "project-{{ .Config.Name }}-terraform-state"
+    bucket         = "{{ .Config.Name }}-production-terraform-state"
     key            = "infrastructure/terraform/environments/production/kubernetes"
     encrypt        = true
     region         = "{{ .Config.Infrastructure.AWS.Region }}"
-    dynamodb_table = "{{ .Config.Name }}-terraform-state-locks"
+    dynamodb_table = "{{ .Config.Name }}-production-terraform-state-locks"
   }
 }
 
@@ -20,6 +20,10 @@ module "kubernetes" {
 
   # Assume-role policy used by monitoring fluentd daemonset
   assume_role_policy = data.aws_iam_policy_document.assumerole_root_policy.json
+
+  external_dns_zone = "{{ .Config.Frontend.Hostname }}"
+  external_dns_owner_id = "{{ GenerateUUID }}"
+  external_dns_assume_roles = [ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/k8s-{{ .Config.Infrastructure.AWS.EKS.ClusterName }}-workers" ]
 }
 
 # Data sources for EKS IAM
diff --git a/templates/kubernetes/terraform/environments/staging/main.tf b/templates/kubernetes/terraform/environments/staging/main.tf
index ab3ce52f7..af6345866 100644
--- a/templates/kubernetes/terraform/environments/staging/main.tf
+++ b/templates/kubernetes/terraform/environments/staging/main.tf
@@ -1,10 +1,10 @@
 terraform {
   backend "s3" {
-    bucket         = "project-{{ .Config.Name }}-terraform-state"
+    bucket         = "{{ .Config.Name }}-staging-terraform-state"
     key            = "infrastructure/terraform/environments/staging/kubernetes"
     encrypt        = true
     region         = "{{ .Config.Infrastructure.AWS.Region }}"
-    dynamodb_table = "{{ .Config.Name }}-terraform-state-locks"
+    dynamodb_table = "{{ .Config.Name }}-staging-terraform-state-locks"
   }
 }
 
@@ -20,6 +20,10 @@ module "kubernetes" {
 
   # Assume-role policy used by monitoring fluentd daemonset
   assume_role_policy = data.aws_iam_policy_document.assumerole_root_policy.json
+
+  external_dns_zone = "{{ .Config.Frontend.Hostname }}"
+  external_dns_owner_id = "{{ GenerateUUID }}"
+  external_dns_assume_roles = [ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/k8s-{{ .Config.Infrastructure.AWS.EKS.ClusterName }}-workers" ]
 }
 
 # Data sources for EKS IAM
diff --git a/templates/kubernetes/terraform/modules/kubernetes/external_dns.tf b/templates/kubernetes/terraform/modules/kubernetes/external_dns.tf
new file mode 100644
index 000000000..a31405fdc
--- /dev/null
+++ b/templates/kubernetes/terraform/modules/kubernetes/external_dns.tf
@@ -0,0 +1,143 @@
+# Trust relationship
+data "aws_iam_policy_document" "external_dns_trust_relationship" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = var.external_dns_assume_roles
+    }
+  }
+}
+
+# external-dns role
+resource "aws_iam_role" "external_dns_role" {
+  name = "k8s-external-dns-role"
+  assume_role_policy = data.aws_iam_policy_document.external_dns_trust_relationship.json
+}
+
+data "aws_iam_policy_document" "external_dns_policy_doc" {
+  statement {
+    sid    = "k8sExternalDnsRead"
+    effect = "Allow"
+
+    actions = [
+      "route53:ListHostedZones",
+      "route53:ListResourceRecordSets",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "k8sExternalDnsWrite"
+    effect = "Allow"
+
+    actions = ["route53:ChangeResourceRecordSets"]
+
+    resources = ["arn:aws:route53:::hostedzone/*"]
+  }
+}
+
+resource "aws_iam_role_policy" "external_dns_policy" {
+  name = "k8s-external-dns-policy"
+  role = aws_iam_role.external_dns_role.id
+  policy = data.aws_iam_policy_document.external_dns_policy_doc.json
+}
+
+resource "kubernetes_service_account" "external_dns" {
+  metadata {
+    name      = "external-dns"
+    namespace = "kube-system"
+  }
+}
+
+resource "kubernetes_cluster_role" "external_dns" {
+  metadata {
+    name = "external-dns"
+  }
+  rule {
+    verbs      = ["get", "list", "watch"]
+    api_groups = [""]
+    resources  = ["pods", "services"]
+  }
+  rule {
+    verbs      = ["get", "list", "watch"]
+    api_groups = ["extensions"]
+    resources  = ["ingresses"]
+  }
+rule {
+    verbs      = ["list"]
+    api_groups = [""]
+    resources  = ["nodes"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "external_dns" {
+  metadata {
+    name = "external-dns"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = "external-dns"
+    namespace = "kube-system"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "external-dns"
+  }
+}
+
+resource "kubernetes_deployment" "external_dns" {
+  metadata {
+    name      = "external-dns"
+    namespace = "kube-system"
+  }
+  spec {
+    replicas = 1
+    selector {
+      match_labels = {
+        "app"    = "external-dns",
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          "app"    = "external-dns",
+        }
+        annotations = {
+          "iam.amazonaws.com/role" = "k8s-external-dns-role",
+        }
+      }
+      spec {
+        container {
+          name  = "external-dns"
+          image = "registry.opensource.zalan.do/teapot/external-dns:latest"
+          args = [
+            "--source=service",
+            "--source=ingress",
+            "--domain-filter=${var.external_dns_zone}", # Give access only to the specified zone
+            "--provider=aws",
+            "--aws-zone-type=public",
+            "--policy=upsert-only", # Prevent ExternalDNS from deleting any records
+            "--registry=txt",
+            "--txt-owner-id=${var.external_dns_owner_id}", # ID of txt record to manage state
+          ]
+        }
+
+        service_account_name = "external-dns"
+        automount_service_account_token  = true
+      }
+    }
+  }
+}
diff --git a/templates/kubernetes/terraform/modules/kubernetes/kube2iam/main.tf b/templates/kubernetes/terraform/modules/kubernetes/kube2iam/main.tf
index 3d01bd81a..75d16d8d7 100755
--- a/templates/kubernetes/terraform/modules/kubernetes/kube2iam/main.tf
+++ b/templates/kubernetes/terraform/modules/kubernetes/kube2iam/main.tf
@@ -89,7 +89,7 @@ resource "kubernetes_daemonset" "kube2iam" {
           # }
           env {
             name  = "AWS_REGION"
-            value = var.environment
+            value = var.region
           }
           security_context {
             privileged = true
diff --git a/templates/kubernetes/terraform/modules/kubernetes/variables.tf b/templates/kubernetes/terraform/modules/kubernetes/variables.tf
index 050b728b8..e8964d21a 100644
--- a/templates/kubernetes/terraform/modules/kubernetes/variables.tf
+++ b/templates/kubernetes/terraform/modules/kubernetes/variables.tf
@@ -12,4 +12,17 @@ variable "cluster_name" {
 
 variable "assume_role_policy" {
   description = "Assume-role policy for monitoring"
-}
\ No newline at end of file
+}
+
+variable "external_dns_zone" {
+  description = "R53 zone that external-dns will have access to"
+}
+
+variable "external_dns_owner_id" {
+  description = "Unique id of the TXT record that external-dns will use to store state (can just be a uuid)"
+}
+
+variable "external_dns_assume_roles" {
+  type        = "list"
+  description = "List of roles that should be able to assume the external dns role (most likely the role of the cluster worker nodes)"
+}
diff --git a/templates/terraform/bootstrap/remote-state/main.tf b/templates/terraform/bootstrap/remote-state/main.tf
index cbf53d65b..5965bbc42 100644
--- a/templates/terraform/bootstrap/remote-state/main.tf
+++ b/templates/terraform/bootstrap/remote-state/main.tf
@@ -3,7 +3,7 @@ provider "aws" {
 }
 
 resource "aws_s3_bucket" "terraform_remote_state" {
-  bucket  = "project-{{ .Config.Name }}-terraform-state"
+  bucket  = "{{ .Config.Name }}-${var.environment}-terraform-state"
   acl     = "private"
 
   versioning {
@@ -12,8 +12,7 @@ resource "aws_s3_bucket" "terraform_remote_state" {
 }
 
 resource "aws_s3_bucket_public_access_block" "terraform_remote_state" {
-  bucket = "${aws_s3_bucket.terraform_remote_state.id}"
-
+  bucket = aws_s3_bucket.terraform_remote_state.id
 
   block_public_acls       = true
   block_public_policy     = true
@@ -22,7 +21,7 @@ resource "aws_s3_bucket_public_access_block" "terraform_remote_state" {
 }
 
 resource "aws_dynamodb_table" "terraform_state_locks" {
-  name           = "{{ .Config.Name }}-terraform-state-locks"
+  name           = "{{ .Config.Name }}-${var.environment}-terraform-state-locks"
   read_capacity  = 2
   write_capacity = 2
   hash_key       = "LockID"
@@ -32,3 +31,7 @@ resource "aws_dynamodb_table" "terraform_state_locks" {
     type = "S"
   }
 }
+
+variable "environment" {
+  description = "The environment (development/staging/production)"
+}
diff --git a/templates/terraform/environments/development/main.tf b/templates/terraform/environments/development/main.tf
index ce8c94f13..04dbfc64c 100644
--- a/templates/terraform/environments/development/main.tf
+++ b/templates/terraform/environments/development/main.tf
@@ -1,11 +1,11 @@
 terraform {
   required_version = ">= 0.12"
   backend "s3" {
-    bucket         = "project-{{ .Config.Name }}-terraform-state"
+    bucket         = "{{ .Config.Name }}-development-terraform-state"
     key            = "infrastructure/terraform/environments/development/main"
     encrypt        = true
     region         = "{{ .Config.Infrastructure.AWS.Region }}"
-    dynamodb_table = "{{ .Config.Name }}-terraform-state-locks"
+    dynamodb_table = "{{ .Config.Name }}-development-terraform-state-locks"
   }
 }
 
@@ -15,7 +15,7 @@ module "development" {
   environment = "development"
 
   # Project configuration
-  project             = "{{ .Config.Infrastructure.AWS.EKS.ClusterName }}"
+  project             = "{{ .Config.Name }}"
   region              = "{{ .Config.Infrastructure.AWS.Region }}"
   allowed_account_ids = ["{{ .Config.Infrastructure.AWS.AccountId }}"]
 
@@ -25,20 +25,29 @@ module "development" {
 
   # EKS configuration
   eks_worker_instance_type = "t2.small"
-  eks_worker_asg_max_size  = 2
+  eks_worker_asg_min_size  = 1
+  eks_worker_asg_max_size  = 3
 
   # EKS-Optimized AMI for your region: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
   # https://us-east-1.console.aws.amazon.com/systems-manager/parameters/%252Faws%252Fservice%252Feks%252Foptimized-ami%252F1.14%252Famazon-linux-2%252Frecommended%252Fimage_id/description?region=us-east-1
   eks_worker_ami = "{{ .Config.Infrastructure.AWS.EKS.WorkerAMI }}"
   {{- end }}
 
-  # Client configuration
+  {{- if .Config.Infrastructure.AWS.Cognito.Enabled }}
+  # Cognito configuration
   user_pool = "{{ .Config.Name }}-development"
   hostname = "{{ .Config.Frontend.Hostname }}"
-  s3_hosting_bucket_name = "{{ .Config.Name }}-development"
+  {{- end}}
+
+  # Hosting configuration
+  s3_hosting_buckets = [
+    "{{ .Config.Name }}-development"
+  ]
+  s3_hosting_cert_domain = "{{ .Config.Frontend.Hostname}}"
 
 }
 
+{{- if .Config.Infrastructure.AWS.Cognito.Enabled }}
 output "cognito_client_id" {
   value = module.staging.cognito.cognito_client_id
 }
@@ -46,3 +55,4 @@ output "cognito_client_id" {
 output "cognito_pool_id" {
   value = module.staging.cognito.cognito_pool_id
 }
+{{- end}}
diff --git a/templates/terraform/environments/production/main.tf b/templates/terraform/environments/production/main.tf
index 87c2c1368..f07dad488 100644
--- a/templates/terraform/environments/production/main.tf
+++ b/templates/terraform/environments/production/main.tf
@@ -1,11 +1,11 @@
 terraform {
   required_version = ">= 0.12"
   backend "s3" {
-    bucket         = "project-{{ .Config.Name }}-terraform-state"
+    bucket         = "{{ .Config.Name }}-production-terraform-state"
     key            = "infrastructure/terraform/environments/production/main"
     encrypt        = true
     region         = "{{ .Config.Infrastructure.AWS.Region }}"
-    dynamodb_table = "{{ .Config.Name }}-terraform-state-locks"
+    dynamodb_table = "{{ .Config.Name }}-production-terraform-state-locks"
   }
 }
 
@@ -15,7 +15,7 @@ module "production" {
   environment = "production"
 
   # Project configuration
-  project             = "{{ .Config.Infrastructure.AWS.EKS.ClusterName }}"
+  project             = "{{ .Config.Name }}"
   region              = "{{ .Config.Infrastructure.AWS.Region }}"
   allowed_account_ids = ["{{ .Config.Infrastructure.AWS.AccountId }}"]
 
@@ -25,20 +25,29 @@ module "production" {
 
   # EKS configuration
   eks_worker_instance_type = "m4.large"
-  eks_worker_asg_max_size  = 3
+  eks_worker_asg_min_size  = 3
+  eks_worker_asg_max_size  = 6
 
   # EKS-Optimized AMI for your region: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
   # https://us-east-1.console.aws.amazon.com/systems-manager/parameters/%252Faws%252Fservice%252Feks%252Foptimized-ami%252F1.14%252Famazon-linux-2%252Frecommended%252Fimage_id/description?region=us-east-1
   eks_worker_ami = "{{ .Config.Infrastructure.AWS.EKS.WorkerAMI }}"
   {{- end }}
 
-  # Client configuration
+  {{- if .Config.Infrastructure.AWS.Cognito.Enabled }}
+  # Cognito configuration
   user_pool = "{{ .Config.Name }}-production"
   hostname = "{{ .Config.Frontend.Hostname }}"
-  s3_hosting_bucket_name = "{{ .Config.Name }}-production"
+  {{- end}}
+
+  # Hosting configuration
+  s3_hosting_buckets = [
+    "{{ .Config.Name }}-production"
+  ]
+  s3_hosting_cert_domain = "{{ .Config.Frontend.Hostname}}"
 
 }
 
+{{- if .Config.Infrastructure.AWS.Cognito.Enabled }}
 output "cognito_client_id" {
   value = module.staging.cognito.cognito_client_id
 }
@@ -46,3 +55,4 @@ output "cognito_client_id" {
 output "cognito_pool_id" {
   value = module.staging.cognito.cognito_pool_id
 }
+{{- end}}
diff --git a/templates/terraform/environments/staging/main.tf b/templates/terraform/environments/staging/main.tf
index 598216ae8..6be9dfa99 100644
--- a/templates/terraform/environments/staging/main.tf
+++ b/templates/terraform/environments/staging/main.tf
@@ -1,11 +1,11 @@
 terraform {
   required_version = ">= 0.12"
   backend "s3" {
-    bucket         = "project-{{ .Config.Name }}-terraform-state"
+    bucket         = "{{ .Config.Name }}-staging-terraform-state"
     key            = "infrastructure/terraform/environments/staging/main"
     encrypt        = true
     region         = "{{ .Config.Infrastructure.AWS.Region }}"
-    dynamodb_table = "{{ .Config.Name }}-terraform-state-locks"
+    dynamodb_table = "{{ .Config.Name }}-staging-terraform-state-locks"
   }
 }
 
@@ -15,7 +15,7 @@ module "staging" {
   environment = "staging"
 
   # Project configuration
-  project             = "{{ .Config.Infrastructure.AWS.EKS.ClusterName }}"
+  project             = "{{ .Config.Name }}"
   region              = "{{ .Config.Infrastructure.AWS.Region }}"
   allowed_account_ids = ["{{ .Config.Infrastructure.AWS.AccountId }}"]
 
@@ -29,19 +29,28 @@ module "staging" {
 
   # EKS configuration
   eks_worker_instance_type = "t2.small"
-  eks_worker_asg_max_size  = 2
+  eks_worker_asg_min_size  = 2
+  eks_worker_asg_max_size  = 6
 
   # EKS-Optimized AMI for your region: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
   # https://us-east-1.console.aws.amazon.com/systems-manager/parameters/%252Faws%252Fservice%252Feks%252Foptimized-ami%252F1.14%252Famazon-linux-2%252Frecommended%252Fimage_id/description?region=us-east-1
   eks_worker_ami = "{{ .Config.Infrastructure.AWS.EKS.WorkerAMI }}"
 {{- end }}
 
-  # Client configuration
+  {{- if .Config.Infrastructure.AWS.Cognito.Enabled }}
+  # Cognito configuration
   user_pool = "{{ .Config.Name }}-staging"
   hostname = "{{ .Config.Frontend.Hostname }}"
-  s3_hosting_bucket_name = "{{ .Config.Name }}-staging"
+  {{- end }}
+
+  # Hosting configuration
+  s3_hosting_buckets = [
+    "{{ .Config.Name }}-staging"
+  ]
+  s3_hosting_cert_domain = "{{ .Config.Frontend.Hostname}}"
 }
 
+{{- if .Config.Infrastructure.AWS.Cognito.Enabled }}
 output "cognito_client_id" {
   value = module.staging.cognito.cognito_client_id
 }
@@ -49,3 +58,4 @@ output "cognito_client_id" {
 output "cognito_pool_id" {
   value = module.staging.cognito.cognito_pool_id
 }
+{{- end}}
diff --git a/templates/terraform/modules/eks/main.tf b/templates/terraform/modules/eks/main.tf
index ef7f32ba4..c2164ef74 100644
--- a/templates/terraform/modules/eks/main.tf
+++ b/templates/terraform/modules/eks/main.tf
@@ -9,16 +9,18 @@ module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "6.0.2"
 
-  cluster_name    = var.project
+  cluster_name    = var.cluster_name
   cluster_version = "1.14"
   subnets         = var.private_subnets
   vpc_id          = var.vpc_id
 
   worker_groups = [
     {
-      instance_type = var.worker_instance_type
-      asg_max_size  = var.worker_asg_max_size
-      ami_id        = var.worker_ami
+      instance_type         = var.worker_instance_type
+      asg_min_size          = var.worker_asg_min_size
+      asg_desired_capacity  = var.worker_asg_min_size
+      asg_max_size          = var.worker_asg_max_size
+      ami_id                = var.worker_ami
       tags = [{
         key                 = "environment"
         value               = var.environment
@@ -34,6 +36,8 @@ module "eks" {
       groups   = ["system:masters"]
     },
   ]
+  cluster_iam_role_name = "k8s-${var.cluster_name}-cluster"
+  workers_role_name = "k8s-${var.cluster_name}-workers"
 
   # TODO, determine if this should be true/false
   manage_aws_auth = true
diff --git a/templates/terraform/modules/eks/variables.tf b/templates/terraform/modules/eks/variables.tf
index b68fdcd73..780b774ec 100644
--- a/templates/terraform/modules/eks/variables.tf
+++ b/templates/terraform/modules/eks/variables.tf
@@ -6,6 +6,10 @@ variable "environment" {
   description = "The environment (dev/staging/prod)"
 }
 
+variable "cluster_name" {
+  description = "Name to be given to the EKS cluster"
+}
+
 variable "assume_role_policy" {
   description = "IAM policy document for AssumeRole"
 }
@@ -23,6 +27,10 @@ variable "worker_instance_type" {
   description = "Instance type for the EKS workers"
 }
 
+variable "worker_asg_min_size" {
+  description = "Minimum number of instances for the EKS ASG"
+}
+
 variable "worker_asg_max_size" {
   description = "Maximum number of instances for the EKS ASG"
 }
diff --git a/templates/terraform/modules/environment/main.tf b/templates/terraform/modules/environment/main.tf
index 09091c1aa..231ca2f2c 100644
--- a/templates/terraform/modules/environment/main.tf
+++ b/templates/terraform/modules/environment/main.tf
@@ -1,10 +1,15 @@
 # Environment entrypoint
 
+locals {
+  kubernetes_cluster_name = "${var.project}-${var.environment}-${var.region}"
+}
+
 module "vpc" {
-  source      = "../../modules/vpc"
-  project     = var.project
-  environment = var.environment
-  region      = var.region
+  source                  = "../../modules/vpc"
+  project                 = var.project
+  environment             = var.environment
+  region                  = var.region
+  kubernetes_cluster_name = local.kubernetes_cluster_name
 }
 
 # Data sources for EKS IAM
@@ -21,19 +26,23 @@ data "aws_iam_policy_document" "assumerole_root_policy" {
   }
 }
 
-#{{- if ne .Config.Infrastructure.AWS.EKS.ClusterName "" }}
+{{- if ne .Config.Infrastructure.AWS.EKS.ClusterName "" }}
 # Provision the EKS cluster
 module "eks" {
   source               = "../../modules/eks"
   project              = var.project
   environment          = var.environment
+  cluster_name         = local.kubernetes_cluster_name
+  iam_account_id       = data.aws_caller_identity.current.account_id
+
   assume_role_policy   = data.aws_iam_policy_document.assumerole_root_policy.json
   private_subnets      = module.vpc.private_subnets
   vpc_id               = module.vpc.vpc_id
+
   worker_instance_type = var.eks_worker_instance_type
+  worker_asg_min_size  = var.eks_worker_asg_min_size
   worker_asg_max_size  = var.eks_worker_asg_max_size
   worker_ami           = var.eks_worker_ami # EKS-Optimized AMI for your region: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
-  iam_account_id       = data.aws_caller_identity.current.account_id
 }
 
 module "kube2iam" {
@@ -43,13 +52,13 @@ module "kube2iam" {
   eks_worker_iam_role_name = module.eks.worker_iam_role_name
   iam_account_id           = data.aws_caller_identity.current.account_id
 }
-
-#{{- end}}
+{{- end}}
 
 data "aws_iam_user" "ci_user" {
   user_name = "ci-user" # Should have been created in the bootstrap process
 }
-#{{- if .Config.Services }}
+{{- if .Config.Services }}
+
 # Set up ECR repositories
 module "ecr" {
   source            = "../../modules/ecr"
@@ -57,9 +66,9 @@ module "ecr" {
   ecr_repositories  = var.ecr_repositories
   ecr_principals    = [aws_iam_user.id]
 }
-#{{- end}}
+{{- end}}
 
-# {{ if .Config.Infrastructure.AWS.Cognito.Enabled }}
+{{- if .Config.Infrastructure.AWS.Cognito.Enabled }}
 module "cognito" {
   source      = "../../modules/cognito"
   user_pool   = var.user_pool
@@ -69,11 +78,13 @@ module "cognito" {
 output "cognito" {
   value       = module.cognito
 }
-# {{- end}}
+{{- end}}
 
-# {{ if .Config.Infrastructure.AWS.S3Hosting.Enabled }}
+{{ if .Config.Infrastructure.AWS.S3Hosting.Enabled }}
 module "s3_hosting" {
-  source        = "../../modules/s3_hosting"
-  bucket_name   = var.s3_hosting_bucket_name
+  source      = "../../modules/s3_hosting"
+  buckets     = var.s3_hosting_buckets
+  cert_domain = var.s3_hosting_cert_domain
+  project     = var.project
 }
-# {{- end}}
+{{- end}}
diff --git a/templates/terraform/modules/environment/variables.tf b/templates/terraform/modules/environment/variables.tf
index 660894412..2ff27eae7 100644
--- a/templates/terraform/modules/environment/variables.tf
+++ b/templates/terraform/modules/environment/variables.tf
@@ -24,6 +24,10 @@ variable "eks_worker_instance_type" {
   description = "Instance type for the EKS workers"
 }
 
+variable "eks_worker_asg_min_size" {
+  description = "Minimum number of instances for the EKS ASG"
+}
+
 variable "eks_worker_asg_max_size" {
   description = "Maximum number of instances for the EKS ASG"
 }
@@ -32,14 +36,18 @@ variable "eks_worker_ami" {
   description = "The (EKS-optimized) AMI for EKS worker instances"
 }
 
-variable "user_pool" {
-  description = "AWS Cognito pool name"
-} 
-
+{{- if .Config.Infrastructure.AWS.Cognito.Enabled }}
 variable "hostname" {
   description = "Application hostname"
-} 
+}
+{{- end }}
+variable "s3_hosting_buckets" {
+  description = "S3 hosting buckets"
+  type = set(string)
+}
 
-variable "s3_hosting_bucket_name" {
-  description = "S3 hosting bucket name"
+variable "s3_hosting_cert_domain" {
+  description = "Domain of the ACM certificate to lookup for Cloudfront to use"
+  type = string
 }
+
diff --git a/templates/terraform/modules/s3_hosting/main.tf b/templates/terraform/modules/s3_hosting/main.tf
index 2607f019b..f379e93d2 100644
--- a/templates/terraform/modules/s3_hosting/main.tf
+++ b/templates/terraform/modules/s3_hosting/main.tf
@@ -1,26 +1,14 @@
-resource "aws_s3_bucket" "www" {
-  // Our bucket's name is going to be the same as our site's domain name.
-  bucket = "${var.bucket_name}"
-  // Because we want our site to be available on the internet, we set this so
-  // anyone can read this bucket.
-  acl    = "public-read"
-  // We also need to create a policy that allows anyone to view the content.
-  // This is basically duplicating what we did in the ACL but it's required by
-  // AWS. This post: http://amzn.to/2Fa04ul explains why.
-  policy = <<POLICY
-{
-  "Version":"2012-10-17",
-  "Statement":[
-    {
-      "Sid":"AddPerm",
-      "Effect":"Allow",
-      "Principal": "*",
-      "Action":["s3:GetObject"],
-      "Resource":["arn:aws:s3:::${var.bucket_name}/*"]
-    }
-  ]
+locals {
+  assets_access_identity = "${var.project}-client-assets"
 }
-POLICY
+
+resource "aws_s3_bucket" "client_assets" {
+  for_each = var.buckets
+
+  // Our bucket's name is going to be the same as our site's domain name.
+  bucket = each.value
+  acl    = "private" // The contents will be available through cloudfront, they should not be accessible publicly
+
 
   // S3 understands what it means to host a website.
   website {
@@ -30,51 +18,85 @@ POLICY
   }
 }
 
-// TODO commented out for simpler demos
+# Deny public access to this bucket
+resource "aws_s3_bucket_public_access_block" "client_assets" {
+  for_each = var.buckets
 
-// Use the AWS Certificate Manager to create an SSL cert for our domain.
-// This resource won't be created until you receive the email verifying you
-// own the domain and you click on the confirmation link.
-# resource "aws_acm_certificate" "certificate" {
-#   // We want a wildcard cert so we can host subdomains later.
-#   domain_name       = "*.${local.www_domain_name}"
-#   validation_method = "EMAIL"
+  bucket                  = each.value
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
 
-#   // We also want the cert to be valid for the root domain even though we'll be
-#   // redirecting to the www. domain immediately.
-#   subject_alternative_names = ["${local.www_domain_name}"]
-# }
+# Access identity for CF access to S3
+resource "aws_cloudfront_origin_access_identity" "client_assets" {
+  comment = local.assets_access_identity
+}
 
-resource "aws_cloudfront_distribution" "www_distribution" {
-  // origin is where CloudFront gets its content from.
-  origin {
-    // We need to set up a "custom" origin because otherwise CloudFront won't
-    // redirect traffic from the root domain to the www domain, that is from
-    custom_origin_config {
-      // These are all the defaults.
-      http_port              = "80"
-      https_port             = "443"
-      origin_protocol_policy = "http-only"
-      origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+# Policy to allow CF access to S3
+data "aws_iam_policy_document" "assets_origin" {
+  for_each = var.buckets
+
+  statement {
+    actions   = ["s3:GetObject"]
+    resources = ["arn:aws:s3:::${each.value}/*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_cloudfront_origin_access_identity.client_assets.iam_arn]
     }
+  }
+
+  statement {
+    actions   = ["s3:ListBucket"]
+    resources = ["arn:aws:s3:::${each.value}"]
 
-    // Here we're using our S3 bucket's URL!
-    domain_name = "${aws_s3_bucket.www.website_endpoint}"
-    // This can be any name to identify this origin.
-    origin_id   = "${var.bucket_name}"
+    principals {
+      type        = "AWS"
+      identifiers = [aws_cloudfront_origin_access_identity.client_assets.iam_arn]
+    }
   }
+}
+
+# Attach the policy to the bucket
+resource "aws_s3_bucket_policy" "client_assets" {
+  for_each = var.buckets
+
+  bucket = each.value
+  policy = data.aws_iam_policy_document.assets_origin[each.value].json
+}
+
+# Find an already created ACM cert for this domain
+data "aws_acm_certificate" "wildcard_cert" {
+  domain      = var.cert_domain
+  most_recent = "true"
+}
+
+# Create the cloudfront distribution
+resource "aws_cloudfront_distribution" "client_assets_distribution" {
+  for_each = var.buckets
+
+  // origin is where CloudFront gets its content from.
+  origin {
+      domain_name = aws_s3_bucket.client_assets[each.value].bucket_domain_name
+      origin_id   = local.assets_access_identity
+      s3_origin_config {
+        origin_access_identity = aws_cloudfront_origin_access_identity.client_assets.cloudfront_access_identity_path
+      }
+    }
 
   enabled             = true
-  default_root_object = "index.html"
+  is_ipv6_enabled     = true
+  default_root_object = "index.html" # Render this when you hit the root
 
   // All values are defaults from the AWS console.
   default_cache_behavior {
+    target_origin_id       = local.assets_access_identity
     viewer_protocol_policy = "redirect-to-https"
     compress               = true
     allowed_methods        = ["GET", "HEAD"]
     cached_methods         = ["GET", "HEAD"]
-    // This needs to match the `origin_id` above.
-    target_origin_id       = "${var.bucket_name}"
     min_ttl                = 0
     default_ttl            = 86400
     max_ttl                = 31536000
@@ -87,7 +109,9 @@ resource "aws_cloudfront_distribution" "www_distribution" {
     }
   }
 
-  # aliases = ["${local.www_domain_name}"]
+  aliases = [
+    each.value,
+  ]
 
   restrictions {
     geo_restriction {
@@ -95,9 +119,28 @@ resource "aws_cloudfront_distribution" "www_distribution" {
     }
   }
 
+  # Use our cert
   viewer_certificate {
-  #   acm_certificate_arn = "${aws_acm_certificate.certificate.arn}"
-  #   ssl_support_method  = "sni-only"
-      cloudfront_default_certificate = true
-  }
+      acm_certificate_arn      = data.aws_acm_certificate.wildcard_cert.arn
+      minimum_protocol_version = "TLSv1"
+      ssl_support_method       = "sni-only"
+    }
+
+}
+
+# Find the route53 zone
+data "aws_route53_zone" "public" {
+  name         = "${var.cert_domain}."
+  private_zone = false
+}
+
+# Subdomain to point at CF
+resource "aws_route53_record" "client_assets" {
+  for_each = var.buckets
+
+  zone_id = data.aws_route53_zone.public.zone_id
+  name    = each.value
+  type    = "CNAME"
+  ttl     = "120"
+  records = [aws_cloudfront_distribution.client_assets_distribution[each.value].domain_name]
 }
diff --git a/templates/terraform/modules/s3_hosting/variables.tf b/templates/terraform/modules/s3_hosting/variables.tf
index 9f3cad290..dd0742ab7 100644
--- a/templates/terraform/modules/s3_hosting/variables.tf
+++ b/templates/terraform/modules/s3_hosting/variables.tf
@@ -1,3 +1,13 @@
-variable "bucket_name" {
-  description = "S3 hosting bucket name"
-} 
+variable "project" {
+  description = "The name of the project, mostly for tagging"
+}
+
+variable "buckets" {
+  description = "S3 hosting buckets"
+  type = set(string)
+}
+
+variable "cert_domain" {
+  description = "Domain of the ACM certificate to lookup for Cloudfront to use"
+  type = string
+}
diff --git a/templates/terraform/modules/vpc/main.tf b/templates/terraform/modules/vpc/main.tf
index 15fabebf7..5413e5c61 100644
--- a/templates/terraform/modules/vpc/main.tf
+++ b/templates/terraform/modules/vpc/main.tf
@@ -2,21 +2,21 @@ module "vpc" {
   source = "terraform-aws-modules/vpc/aws"
 
   name = "${var.project}-${var.environment}-vpc"
-  cidr = "10.20.0.0/16"
+  cidr = "10.10.0.0/16"
 
   azs              = ["${var.region}a", "${var.region}b", "${var.region}c"] # Most regions have 3+ azs
-  private_subnets  = ["10.20.8.0/22", "10.20.12.0/22", "10.20.16.0/22"]
-  public_subnets   = ["10.20.41.0/24", "10.20.43.0/24", "10.20.45.0/24"]
-  database_subnets = ["10.20.60.0/24", "10.20.62.0/24", "10.20.64.0/24"]
+  private_subnets  = ["10.10.32.0/19", "10.10.64.0/19", "10.10.96.0/19"]
+  public_subnets   = ["10.10.1.0/24",  "10.10.2.0/24",  "10.10.3.0/24"]
+  database_subnets = ["10.10.10.0/24", "10.10.11.0/24", "10.10.12.0/24"]
 
   # Allow kubernetes ALB ingress controller to auto-detect
   private_subnet_tags = {
-    "kubernetes.io/cluster/${var.project}" = "owned"
+    "kubernetes.io/cluster/${var.kubernetes_cluster_name}" = "owned"
     "kubernetes.io/role/internal-elb"      = "1"
   }
 
   public_subnet_tags = {
-    "kubernetes.io/cluster/${var.project}" = "owned"
+    "kubernetes.io/cluster/${var.kubernetes_cluster_name}" = "owned"
     "kubernetes.io/role/elb"               = "1"
   }
 
diff --git a/templates/terraform/modules/vpc/variables.tf b/templates/terraform/modules/vpc/variables.tf
index a7c32fe5a..044299b06 100644
--- a/templates/terraform/modules/vpc/variables.tf
+++ b/templates/terraform/modules/vpc/variables.tf
@@ -3,10 +3,13 @@ variable "project" {
 }
 
 variable "environment" {
-  description = "The environment (dev/staging/prod)"
+  description = "The environment (development/staging/production)"
 }
 
 variable "region" {
   description = "The AWS region"
 }
 
+variable "kubernetes_cluster_name" {
+  description = "Kubernetes cluster name used to associate with subnets for auto LB placement"
+}