diff --git a/.gitignore b/.gitignore
index 2063ae9647..93b98c4ec7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,5 @@
 *.swp
 *~
 default.etcd
+*.tfstate
+*.tfstate.backup
diff --git a/README.md b/README.md
index c6f1786980..8a6974b6d7 100644
--- a/README.md
+++ b/README.md
@@ -95,8 +95,10 @@ You can then set up the [expected tables](storage/mysql/storage.sql) in a
 
 ```bash
 ./scripts/resetdb.sh
-Completely wipe and reset database 'test'.
+Warning: about to destroy and reset database 'test'
 Are you sure? y
+> Resetting DB...
+> Reset Complete
 ```
 
 ### Integration Tests
diff --git a/examples/deployment/README.md b/examples/deployment/README.md
new file mode 100644
index 0000000000..b04415a7be
--- /dev/null
+++ b/examples/deployment/README.md
@@ -0,0 +1,65 @@
+Deploying Trillian
+==================
+
+Want to deploy/use the Trillian General Transparency project in the cloud?  Here are some common ways of getting off the ground with Docker.
+
+## Setup
+
+**Clone Source**
+
+Both build and example deployment files are stored within this repo.  For any of the below deployment methods, start here:
+
+```shell
+git clone https://github.com/google/trillian.git/
+cd trillian
+```
+
+## Local Deployments
+
+**Run With Docker Compose**
+
+For simple deployments, running in a container is an easy way to get up and running with a local database.  To use Docker to run and interact with Trillian, start here:
+
+Set a random password and bring up the services defined in the provided compose file.  This includes a local MySQL database, a one-shot container to create the schema and the trillian server:
+
+```shell
+# Set a random password
+export DB_PASSWORD="$(openssl rand -hex 16)"
+
+# Bring up services defined in this compose file.  This includes:
+# - local MySQL database
+# - container to initialize the database
+# - the trillian server
+docker-compose -f examples/deployment/docker-compose.yml up
+```
+
+Verify that your local installation is working by checking the metrics endpoint:
+
+```shell
+curl localhost:8091/metrics
+```
+
+## Cloud Deployments
+
+For better persistence and performance you may want to run in your datacenter or a cloud.  Here are some simple cloud deployment templates:
+
+### Run in GCP
+
+TODO
+
+### Run in AWS
+
+With a pair of AWS keys [accessible to Terraform](https://www.terraform.io/docs/providers/aws/), this template deploys a simple Trillian setup in AWS using EC2 and RDS MySQL.
+
+```shell
+cd examples/deployment/aws/
+
+# Set a random password
+export TF_VAR_DB_PASSWORD="$(openssl rand -hex 16)"
+# Substitute this variable with a block you'll be accessing from
+export TF_VAR_WHITELIST_CIDR="0.0.0.0/0"
+
+# Review and Create Resources
+terraform plan
+terraform apply
+```
diff --git a/examples/deployment/aws/terraform.tf b/examples/deployment/aws/terraform.tf
new file mode 100644
index 0000000000..db8f380156
--- /dev/null
+++ b/examples/deployment/aws/terraform.tf
@@ -0,0 +1,155 @@
+variable "WHITELIST_CIDR" {
+  description="Your IP block to whitelist access from"
+}
+variable "DB_PASSWORD" { }
+
+provider "aws" {
+  region     = "us-west-2"
+}
+
+/* The Database */
+
+resource "aws_rds_cluster" "trillian" {
+  cluster_identifier      = "trillian"
+  database_name           = "test"
+  master_username         = "root"
+  master_password         = "${var.DB_PASSWORD}"
+  skip_final_snapshot     = true
+  port                    = 3306
+  vpc_security_group_ids  = ["${aws_security_group.trillian_db.id}"]
+  availability_zones      = ["us-west-2a", "us-west-2b", "us-west-2c"]
+  storage_encrypted       = true
+  apply_immediately       = true
+
+}
+
+resource "aws_rds_cluster_instance" "cluster_instances" {
+  count               = 2
+  identifier          = "trillian-${count.index}"
+  cluster_identifier  = "${aws_rds_cluster.trillian.id}"
+  instance_class      = "db.r3.large"
+  publicly_accessible = true
+  apply_immediately   = true
+}
+
+resource "aws_security_group" "trillian_db" {
+  name        = "trillian-db"
+  description = "Allow MySQL from Trillian and Development CIDR"
+
+  ingress {
+    from_port   = 3306
+    to_port     = 3306
+    protocol    = "tcp"
+    cidr_blocks = ["${var.WHITELIST_CIDR}"]
+  }
+
+  ingress {
+    from_port   = 3306
+    to_port     = 3306
+    protocol    = "tcp"
+    security_groups = ["${aws_security_group.trillian.id}"]
+  }
+
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    cidr_blocks     = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_rds_cluster_parameter_group" "trillian" {
+  name        = "trillian-pg"
+  family      = "aurora5.6"
+
+  # Whether InnoDB returns errors rather than warnings for exceptional conditions.
+  # replaces: `sql_mode = STRICT_ALL_TABLES`
+  parameter {
+    name  = "innodb_strict_mode"
+    value = "1"
+  }
+}
+
+/* The Instance */
+
+/* select the latest official hvm amazon linux release */
+data "aws_ami" "trillian" {
+  most_recent      = true
+  executable_users = ["all"]
+
+  name_regex = "^amzn-ami-hvm"
+  owners     = ["amazon"]
+}
+
+resource "aws_security_group" "trillian" {
+  name        = "trillian"
+  description = "Expose Rest, TPC and SSH endpoint to local cidr"
+
+  ingress {
+    from_port   = 8090
+    to_port     = 8091
+    protocol    = "tcp"
+    cidr_blocks = ["${var.WHITELIST_CIDR}"]
+  }
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["${var.WHITELIST_CIDR}"]
+  }
+
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    cidr_blocks     = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_instance" "trillian" {
+  ami                         = "${data.aws_ami.trillian.id}"
+  instance_type               = "t2.medium"
+  vpc_security_group_ids      = ["${aws_security_group.trillian.id}"]
+  associate_public_ip_address = true
+
+  tags {
+    Name = "trillian"
+  }
+
+  user_data =  <<EOF
+#!/bin/bash
+
+set -e
+
+yum update -y
+yum install -y git mysql
+
+# install golang
+curl -o /tmp/go.tar.gz https://storage.googleapis.com/golang/go1.8.3.linux-amd64.tar.gz
+tar -C /usr/local -xzf /tmp/go.tar.gz
+export PATH=$PATH:/usr/local/go/bin
+mkdir -p /go
+export GOPATH=/go
+
+# Install Trillian
+go get github.com/google/trillian/server/trillian_log_server
+
+# Setup the DB
+cd /go/src/github.com/google/trillian
+export DB_USER=root
+export DB_PASSWORD=${var.DB_PASSWORD}
+export DB_HOST=${aws_rds_cluster.trillian.endpoint}
+export DB_DATABASE=test
+./scripts/resetdb.sh --verbose --force -h $DB_HOST
+
+# Startup the Server
+RPC_PORT=8090
+HTTP_PORT=8091
+/go/bin/trillian_log_server \
+	--mysql_uri="${DB_USER}:${DB_PASSWORD}@tcp(${DB_HOST})/${DB_DATABASE}" \
+	--rpc_endpoint="$HOST:$RPC_PORT" \
+	--http_endpoint="$HOST:$HTTP_PORT" \
+	--alsologtostderr
+EOF
+
+}
diff --git a/examples/deployment/docker-compose.yml b/examples/deployment/docker-compose.yml
new file mode 100644
index 0000000000..99f3875e4d
--- /dev/null
+++ b/examples/deployment/docker-compose.yml
@@ -0,0 +1,28 @@
+version: '3'
+services:
+  mysql:
+    image: mysql:8
+    environment:
+      - MYSQL_ROOT_PASSWORD=$DB_PASSWORD
+  trillian-db-seed:
+    build:
+      context: ../..
+      dockerfile: ./examples/deployment/docker/db_client/Dockerfile
+    environment:
+      - DB_USER=root
+      - DB_PASSWORD=$DB_PASSWORD
+    command: ./wait-for-it.sh -t 0 mysql:3306 -- ./scripts/resetdb.sh --verbose --force -h mysql
+  trillian-server:
+    build:
+      context: ../..
+      dockerfile: examples/deployment/docker/log_server/Dockerfile
+    restart: always # retry while mysql is starting up
+    ports:
+      - "8090:8090"
+      - "8091:8091"
+    depends_on:
+      - mysql
+    environment:
+      - DB_USER=root
+      - DB_PASSWORD=$DB_PASSWORD
+      - DB_HOST=mysql:3306
diff --git a/examples/deployment/docker/db_client/Dockerfile b/examples/deployment/docker/db_client/Dockerfile
new file mode 100644
index 0000000000..0b62c6d0a4
--- /dev/null
+++ b/examples/deployment/docker/db_client/Dockerfile
@@ -0,0 +1,17 @@
+FROM golang:1.8
+
+RUN apt-get update && \
+    apt-get install -y mysql-client
+
+ADD . /go/src/github.com/google/trillian
+WORKDIR /go/src/github.com/google/trillian
+
+ENV DB_USER=test \
+    DB_PASSWORD=zaphod \
+    DB_DATABASE=test
+
+# This is used to wait for new MySQL deployments to become ready e.g.
+#  ./wait-for-it.sh localhost:3306 -- mysql
+RUN ./examples/deployment/scripts/download-wait-for-it.sh
+
+CMD [ 'mysql' ]
diff --git a/examples/deployment/docker/log_server/Dockerfile b/examples/deployment/docker/log_server/Dockerfile
new file mode 100644
index 0000000000..f418036701
--- /dev/null
+++ b/examples/deployment/docker/log_server/Dockerfile
@@ -0,0 +1,30 @@
+FROM golang:1.8
+
+ENV DB_USER=test \
+    DB_PASSWORD=zaphod \
+    DB_DATABASE=test \
+    DB_HOST=127.0.0.0:3306
+
+ENV HOST=0.0.0.0 \
+    RPC_PORT=8090 \
+    HTTP_PORT=8091
+
+ENV DUMP_METRICS 0s
+
+ADD . /go/src/github.com/google/trillian
+WORKDIR /go/src/github.com/google/trillian
+
+RUN apt-get update && apt-get install -y libtool libltdl-dev
+RUN go get -v ./server/trillian_log_server
+
+ENTRYPOINT /go/bin/trillian_log_server \
+	--mysql_uri="${DB_USER}:${DB_PASSWORD}@tcp(${DB_HOST})/${DB_DATABASE}" \
+	--rpc_endpoint="$HOST:$RPC_PORT" \
+	--http_endpoint="$HOST:$HTTP_PORT" \
+	--alsologtostderr 
+
+EXPOSE $RPC_PORT
+EXPOSE $HTTP_PORT
+
+HEALTHCHECK --interval=5m --timeout=3s \
+  CMD curl -f http://localhost:$HTTP_PORT/debug/vars || exit 1
diff --git a/examples/deployment/docker/log_signer/Dockerfile b/examples/deployment/docker/log_signer/Dockerfile
new file mode 100644
index 0000000000..5dd33fa5d0
--- /dev/null
+++ b/examples/deployment/docker/log_signer/Dockerfile
@@ -0,0 +1,38 @@
+FROM golang:1.8
+
+ENV DB_USER=test \
+    DB_PASSWORD=zaphod \
+    DB_DATABASE=test \
+    DB_HOST=127.0.0.0:3306
+
+ENV HOST=0.0.0.0 \
+    HTTP_PORT=8091
+
+ENV SEQUENCER_GUARD_WINDOW=0s \
+    FORCE_MASTER=true \
+    SEQUENCER_INTERVAL=10s \
+    NUM_SEQ_FLAG=10 \
+    BATCH_SIZE=50
+
+
+ADD . /go/src/github.com/google/trillian
+WORKDIR /go/src/github.com/google/trillian
+
+RUN apt-get update && apt-get install -y libtool libltdl-dev
+RUN go get ./server/trillian_log_signer
+
+# Run the outyet command by default when the container starts.
+ENTRYPOINT /go/bin/trillian_log_signer \
+	--mysql_uri="${DB_USER}:${DB_PASSWORD}@tcp(${DB_HOST})/${DB_DATABASE}" \
+	--http_endpoint="$HOST:$HTTP_PORT" \
+	--sequencer_guard_window="$SEQUENCER_GUARD_WINDOW" \
+	--sequencer_interval="$SEQUENCER_INTERVAL" \
+	--num_sequencers="$NUM_SEQ_FLAG" \
+	--batch_size="$BATCH_SIZE" \
+	--force_master="$FORCE_MASTER" \
+	--alsologtostderr
+
+EXPOSE $HTTP_PORT
+
+HEALTHCHECK --interval=5m --timeout=3s \
+  CMD curl -f http://localhost:$HTTP_PORT/debug/vars || exit 1
diff --git a/examples/deployment/scripts/download-wait-for-it.sh b/examples/deployment/scripts/download-wait-for-it.sh
new file mode 100755
index 0000000000..20cf44e063
--- /dev/null
+++ b/examples/deployment/scripts/download-wait-for-it.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+download() {
+  COMMIT=8f52a814ef0cc70820b87fbf888273f3aa7f5a9b
+  URL=https://raw.githubusercontent.com/vishnubob/wait-for-it/${COMMIT}/wait-for-it.sh
+  curl -sO $URL
+  chmod a+x wait-for-it.sh
+}
+
+download
+sha256sum --check <( echo "c238c56e2a81b3c97375571eb4f58a0e75cdb4cd957f5802f733ac50621e776a wait-for-it.sh" )
diff --git a/scripts/resetdb.sh b/scripts/resetdb.sh
index 5de24884ed..699a076ece 100755
--- a/scripts/resetdb.sh
+++ b/scripts/resetdb.sh
@@ -1,16 +1,62 @@
 #!/bin/bash
 
-readonly TRILLIAN_PATH=$(go list -f '{{.Dir}}' github.com/google/trillian)
-
-echo "Completely wipe and reset database 'test'."
-read -p "Are you sure? " -n 1 -r
-if [[ $REPLY =~ ^[Yy]$ ]]
-then
-    # User-supplied arguments must be first. This is because some flags, such
-    # as --defaults-extra-file, must be at the start.
-    mysql "$@" -u root -e 'DROP DATABASE IF EXISTS test;'
-    mysql "$@" -u root -e 'CREATE DATABASE test;'
-    mysql "$@" -u root -e "GRANT ALL ON test.* TO 'test'@'localhost' IDENTIFIED BY 'zaphod';"
-    mysql "$@" -u root -D test < ${TRILLIAN_PATH}/storage/mysql/storage.sql
-fi
-echo
+set -e
+
+usage() {
+  echo "$0 [--force] [--verbose] ..."
+  echo "accepts environment variables:"
+  echo " - DB_NAME"
+  echo " - DB_USER"
+  echo " - DB_PASSWORD"
+}
+
+collect_vars() {
+  # set unset environment variables to defaults
+  [ -z ${DB_USER+x} ] && DB_USER="root"
+  [ -z ${DB_NAME+x} ] && DB_NAME="test"
+  FLAGS=()
+
+  # handle flags
+  FORCE=false
+  VERBOSE=false
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --force) FORCE=true ;;
+      --verbose) VERBOSE=true ;;
+      *) FLAGS+=("$1")
+    esac
+    shift 1
+  done
+
+  FLAGS+=(-u "${DB_USER}")
+
+  # Optionally print flags (before appending password)
+  [[ ${VERBOSE} = 'true' ]] && echo "- Using MySQL Flags: ${FLAGS[@]}"
+
+  # append password if supplied
+  [ -z ${DB_PASSWORD+x} ] || FLAGS+=("-p'${DB_PASSWORD}'")
+}
+
+main() {
+  collect_vars "$@"
+
+  readonly TRILLIAN_PATH=$(go list -f '{{.Dir}}' github.com/google/trillian)
+
+  # what we're about to do
+  echo "Warning: about to destroy and reset database '${DB_NAME}'"
+
+  [[ ${FORCE} = true ]] || read -p "Are you sure? [Y/N]: " -n 1 -r
+  echo # Print newline following the above prompt
+
+  if [ -z ${REPLY+x} ] || [[ $REPLY =~ ^[Yy]$ ]]
+  then
+      echo "Resetting DB..."
+      mysql "${FLAGS[@]}" -e "DROP DATABASE IF EXISTS ${DB_NAME};"
+      mysql "${FLAGS[@]}" -e "CREATE DATABASE ${DB_NAME};"
+      mysql "${FLAGS[@]}" -e "GRANT ALL ON ${DB_NAME}.* TO '${DB_NAME}'@'localhost' IDENTIFIED BY 'zaphod';"
+      mysql "${FLAGS[@]}" -D ${DB_NAME} < ${TRILLIAN_PATH}/storage/mysql/storage.sql
+      echo "Reset Complete"
+  fi
+}
+
+main "$@"
diff --git a/server/trillian_log_server/Dockerfile b/server/trillian_log_server/Dockerfile
index 8475693b20..43b79b79dd 100644
--- a/server/trillian_log_server/Dockerfile
+++ b/server/trillian_log_server/Dockerfile
@@ -1,30 +1,11 @@
-FROM golang
+FROM golang:1.8
 
-ENV DB_USER=test \
-    DB_PASSWORD=zaphod \
-    DB_DATABASE=test \
-    DB_HOST=127.0.0.0:3306 
+ADD . /go/src/github.com/google/trillian
+WORKDIR /go/src/github.com/google/trillian
 
-ENV HOST=0.0.0.0 \
-    RPC_PORT=8090 \
-    HTTP_PORT=8091 
+RUN apt-get update && \
+    apt-get install -y libtool libltdl-dev
 
-ENV DUMP_METRICS 0s
+RUN go get ./server/trillian_log_server
 
-ADD . /go/src/github.com/google/trillian 
-WORKDIR /go/src/github.com/google/trillian 
-
-RUN apt-get update && apt-get install -y libtool libltdl-dev
-RUN go get -v ./server/trillian_log_server
-
-ENTRYPOINT /go/bin/trillian_log_server \
-	--mysql_uri="${DB_USER}:${DB_PASSWORD}@tcp(${DB_HOST})/${DB_DATABASE}" \
-	--rpc_endpoint="$HOST:$RPC_PORT" \
-	--http_endpoint="$HOST:$HTTP_PORT" \
-	--alsologtostderr 
-
-EXPOSE $RPC_PORT
-EXPOSE $HTTP_PORT
-
-HEALTHCHECK --interval=5m --timeout=3s \
-  CMD curl -f http://localhost:$HTTP_PORT/debug/vars || exit 1
+ENTRYPOINT ["/go/bin/trillian_log_server"]
diff --git a/server/trillian_log_signer/Dockerfile b/server/trillian_log_signer/Dockerfile
index 954bf63e79..f661a0bf1c 100644
--- a/server/trillian_log_signer/Dockerfile
+++ b/server/trillian_log_signer/Dockerfile
@@ -1,38 +1,11 @@
-FROM golang
-
-ENV DB_USER=test \
-    DB_PASSWORD=zaphod \
-    DB_DATABASE=test \
-    DB_HOST=127.0.0.0:3306
-
-ENV HOST=0.0.0.0 \
-    HTTP_PORT=8091
-
-ENV SEQUENCER_GUARD_WINDOW=0s \
-    FORCE_MASTER=true \
-    SEQUENCER_INTERVAL=10s \
-    NUM_SEQ_FLAG=10 \
-    BATCH_SIZE=50
-
+FROM golang:1.8
 
 ADD . /go/src/github.com/google/trillian
-WORKDIR /go/src/github.com/google/trillian 
+WORKDIR /go/src/github.com/google/trillian
 
-RUN apt-get update && apt-get install -y libtool libltdl-dev
-RUN go get ./server/trillian_log_signer
-
-# Run the outyet command by default when the container starts.
-ENTRYPOINT /go/bin/trillian_log_signer \
-	--mysql_uri="${DB_USER}:${DB_PASSWORD}@tcp(${DB_HOST})/${DB_DATABASE}" \
-	--http_endpoint="$HOST:$HTTP_PORT" \
-	--sequencer_guard_window="$SEQUENCER_GUARD_WINDOW" \
-	--sequencer_interval="$SEQUENCER_INTERVAL" \
-	--num_sequencers="$NUM_SEQ_FLAG" \
-	--batch_size="$BATCH_SIZE" \
-	--force_master="$FORCE_MASTER" \
-	--alsologtostderr
+RUN apt-get update && \
+    apt-get install -y libtool libltdl-dev
 
-EXPOSE $HTTP_PORT
+RUN go get ./server/trillian_log_signer
 
-HEALTHCHECK --interval=5m --timeout=3s \
-  CMD curl -f http://localhost:$HTTP_PORT/debug/vars || exit 1
+ENTRYPOINT ["/go/bin/trillian_log_signer"]
diff --git a/server/trillian_map_server/Dockerfile b/server/trillian_map_server/Dockerfile
index a1cc419988..6702a1817f 100644
--- a/server/trillian_map_server/Dockerfile
+++ b/server/trillian_map_server/Dockerfile
@@ -1,28 +1,11 @@
-FROM golang
-
-ENV DB_USER=test \
-    DB_PASSWORD=zaphod \
-    DB_DATABASE=test \
-    DB_HOST=127.0.0.0:3306 
-
-ENV HOST=0.0.0.0 \
-    RPC_PORT=8090 \
-    HTTP_PORT=8091 
+FROM golang:1.8
 
 ADD . /go/src/github.com/google/trillian
-WORKDIR /go/src/github.com/google/trillian 
-
-RUN apt-get update && apt-get install -y libtool libltdl-dev
-RUN go get ./server/trillian_map_server
-
-ENTRYPOINT /go/bin/trillian_map_server \
-	--mysql_uri="${DB_USER}:${DB_PASSWORD}@tcp(${DB_HOST})/${DB_DATABASE}" \
-	--rpc_endpoint="$HOST:$RPC_PORT" \
-	--http_endpoint="$HOST:$HTTP_PORT" \ 
-	--alsologtostderr
+WORKDIR /go/src/github.com/google/trillian
 
-EXPOSE $HTTP_PORT
+RUN apt-get update && \
+    apt-get install -y libtool libltdl-dev
 
-HEALTHCHECK --interval=5m --timeout=3s \
-  CMD curl -f http://localhost:$HTTP_PORT/debug/vars || exit 1
+RUN go get ./server/trillian_map_server
 
+ENTRYPOINT ["/go/bin/trillian_map_server"]
diff --git a/storage/mysql/storage.sql b/storage/mysql/storage.sql
index 1fb3de94ed..4ae980df84 100644
--- a/storage/mysql/storage.sql
+++ b/storage/mysql/storage.sql
@@ -4,11 +4,6 @@
 -- Tree stuff here
 -- ---------------------------------------------
 
--- Enable strict mode, so invalid data on inserts/updates is treated as error
--- instead of warning.
--- https://dev.mysql.com/doc/refman/5.7/en/sql-mode.html#sql-mode-strict
-SET GLOBAL sql_mode = 'STRICT_ALL_TABLES';
-
 -- Tree parameters should not be changed after creation. Doing so can
 -- render the data in the tree unusable or inconsistent.
 CREATE TABLE IF NOT EXISTS Trees(