diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 7cedf78..baa9d29 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -26,13 +26,13 @@ jobs:
         with:
           mask-password: "false"
 
-      - name: Build, tag, and push docker image to Amazon ECR
+      - name: Build, tag, and push cube api docker image to Amazon ECR
         env:
           REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          REPOSITORY: sync-svc-cube
+          REPOSITORY: prod-sync-cube-ecr
           IMAGE_TAG: "${{ github.sha }}"
         run: |
-          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
+          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG -f docker/cube/Dockerfile .
           docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
 
       - name: Update cube-api Task Definition with latest image
@@ -41,7 +41,7 @@ jobs:
         with:
           task-definition-family: cube_api
           container-name: cube-api
-          image: ${{ steps.login-ecr.outputs.registry }}/sync-svc-cube:${{ github.sha }}
+          image: ${{ steps.login-ecr.outputs.registry }}/prod-sync-cube-ecr:${{ github.sha }}
 
       - name: Update cube-refresh-worker Task Definition with latest image
         id: cube-refresh-worker-task-def
@@ -49,14 +49,14 @@ jobs:
         with:
           task-definition-family: cube_refresh_worker
           container-name: cube-refresh-worker
-          image: ${{ steps.login-ecr.outputs.registry }}/sync-svc-cube:${{ github.sha }}
+          image: ${{ steps.login-ecr.outputs.registry }}/prod-sync-cube-ecr:${{ github.sha }}
 
       - name: Deploy cube-api task definition
         uses: aws-actions/amazon-ecs-deploy-task-definition@v2.3.0
         with:
           task-definition: ${{ steps.cube-api-task-def.outputs.task-definition }}
           service: cube_api
-          cluster: production
+          cluster: prod-sync_cluster
           wait-for-service-stability: true
 
       - name: Deploy cube-refresh-worker task definition
@@ -64,5 +64,5 @@ jobs:
         with:
           task-definition: ${{ steps.cube-refresh-worker-task-def.outputs.task-definition }}
           service: cube_refresh_worker
-          cluster: production
+          cluster: prod-sync_cluster
           wait-for-service-stability: true
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 0482573..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,6 +0,0 @@
-FROM cubejs/cube:v1.1.9
-
-COPY cube.js cube.js
-COPY fetch.js fetch.js
-RUN mkdir model
-COPY model/ model/
diff --git a/deploy_cubestore.sh b/deploy_cubestore.sh
new file mode 100755
index 0000000..22b058f
--- /dev/null
+++ b/deploy_cubestore.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+AWS_REGION="us-east-1"
+ECR_REPOSITORY="prod-sync-cubestore-ecr"
+
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
+IMAGE_TAG=$(git rev-parse --short HEAD 2>/dev/null || date +%s)
+
+aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $REGISTRY
+
+docker build --platform linux/amd64 -t $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -f docker/cubestore/Dockerfile .
+docker push $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+
+echo "New cubestore image pushed to ECR: $REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG. Please update terraform cubestore services task definitions accordingly."
\ No newline at end of file
diff --git a/docker/cube/Dockerfile b/docker/cube/Dockerfile
new file mode 100644
index 0000000..6645017
--- /dev/null
+++ b/docker/cube/Dockerfile
@@ -0,0 +1,11 @@
+FROM cubejs/cube:v1.1.9
+
+RUN apt-get update \
+        && apt-get install -y --no-install-recommends curl \
+        && apt-get clean \
+        && rm -rf /var/lib/apt/lists/*
+
+COPY cube.js cube.js
+COPY fetch.js fetch.js
+RUN mkdir model
+COPY model/ model/
diff --git a/docker/cubestore/Dockerfile b/docker/cubestore/Dockerfile
new file mode 100644
index 0000000..2c60062
--- /dev/null
+++ b/docker/cubestore/Dockerfile
@@ -0,0 +1,3 @@
+FROM cubejs/cubestore:latest
+
+RUN apt-get update && apt-get install -y curl
\ No newline at end of file
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index 968a228..d9fa8e9 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@@ -23,3 +23,22 @@ provider "registry.terraform.io/hashicorp/aws" {
     "zh:c2329644179f78a0458b6cf2dd5eaadca4c610fc3577a1b50620544d92df13e8",
   ]
 }
+
+provider "registry.terraform.io/hashicorp/null" {
+  version = "3.2.3"
+  hashes = [
+    "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=",
+    "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2",
+    "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d",
+    "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3",
+    "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f",
+    "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301",
+    "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670",
+    "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed",
+    "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65",
+    "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd",
+    "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5",
+  ]
+}
diff --git a/terraform/ecr.tf b/terraform/ecr.tf
deleted file mode 100644
index e360052..0000000
--- a/terraform/ecr.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-resource "aws_ecr_repository" "sync_svc_cube_repo" {
-  name                 = "sync-svc-cube"
-  image_tag_mutability = "IMMUTABLE"
-
-  image_scanning_configuration {
-    scan_on_push = true
-  }
-}
-
-resource "aws_ecr_lifecycle_policy" "sync_svc_cube_lf_policy" {
-  repository = aws_ecr_repository.sync_svc_cube_repo.name
-
-  policy = <<EOF
-{
-    "rules": [
-        {
-            "rulePriority": 1,
-            "description": "Keep last 30 images",
-            "selection": {
-                "tagStatus": "tagged",
-                "tagPrefixList": ["v"],
-                "countType": "imageCountMoreThan",
-                "countNumber": 30
-            },
-            "action": {
-                "type": "expire"
-            }
-        }
-    ]
-}
-EOF
-}
-
diff --git a/terraform/main.tf b/terraform/main.tf
index 7d756a7..0244d6c 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -7,3 +7,120 @@ provider "aws" {
     }
   }
 }
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = ">=5.7.1"
+
+  name = "production-vpc"
+  cidr = "10.0.0.0/16"
+
+  azs                  = ["us-east-1a", "us-east-1b", "us-east-1d", "us-east-1c"]
+  private_subnets      = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]
+  public_subnets       = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24", "10.0.104.0/24"]
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+  enable_nat_gateway   = true
+  create_igw           = true
+}
+
+module "production_cube_cluster" {
+  source = "./modules/cube-cluster"
+
+  cluster_prefix       = "prod-sync"
+  vpc                  = module.vpc
+  cube_api_domain_name = "cube-api.synccomputing.com"
+  cube_shared_env = [
+    {
+      name  = "CUBEJS_DB_SSL"
+      value = "true"
+    },
+    {
+      name  = "CUBEJS_DB_TYPE"
+      value = "postgres"
+    },
+    {
+      name  = "CUBEJS_DB_HOST"
+      value = "ec2-3-221-59-105.compute-1.amazonaws.com"
+    },
+    {
+      name  = "CUBEJS_DB_PORT"
+      value = "5432"
+    },
+    {
+      name  = "CUBEJS_DB_USER"
+      value = "cube"
+    },
+    {
+      name  = "CUBEJS_DB_NAME"
+      value = "d20nhfliefb6aa"
+    },
+    {
+      name  = "CUBEJS_SCHEMA_PATH"
+      value = "model"
+    },
+    {
+      name  = "CUBEJS_DEV_MODE"
+      value = "false"
+    },
+    {
+      name  = "NODE_ENV",
+      value = "production"
+    },
+    {
+      name  = "CUBEJS_JWK_URL"
+      value = "https://sync-prod.us.auth0.com/.well-known/jwks.json"
+    },
+    {
+      name  = "CUBEJS_JWT_AUDIENCE"
+      value = "https://api.synccomputing.com"
+    },
+    {
+      name  = "CUBEJS_JWT_ISSUER"
+      value = "https://login.app.synccomputing.com/"
+    },
+    {
+      name  = "CUBEJS_JWT_ALGS"
+      value = "RS256"
+    },
+    {
+      name  = "CUBEJS_JWT_CLAIMS_NAMESPACE"
+      value = "https://synccomputing.com/"
+    }
+  ]
+  cube_shared_secrets = [
+    { name = "CUBEJS_DB_PASS", valueFrom = aws_secretsmanager_secret.postgres_cube_user_pw.arn },
+    { name = "CUBEJS_JWT_KEY", valueFrom = aws_secretsmanager_secret.auth0_jwt_key.arn },
+  ]
+}
+
+resource "aws_secretsmanager_secret" "postgres_cube_user_pw" {
+  name = "production/postgres-cube-user-pw"
+}
+
+resource "aws_secretsmanager_secret" "auth0_jwt_key" {
+  name = "production/auth0-jwt-key"
+}
+
+resource "aws_iam_openid_connect_provider" "github_openid" {
+  url = "https://token.actions.githubusercontent.com"
+
+  client_id_list = [
+    "sts.amazonaws.com",
+  ]
+
+  thumbprint_list = ["cf23df2207d99a74fbe169e3eba035e633b65d94"]
+}
+
+module "iam_github_oidc_role" {
+  source      = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+  name        = "github_actions_role"
+  path        = "/system/"
+  description = "GitHub IAM role for GitHub actions"
+
+  subjects = ["synccomputingcode/sync-svc-cube-v2:*"]
+
+  policies = {
+    GitHubActionsPolicy = module.production_cube_cluster.cube_repo_ecr_policy.arn
+  }
+}
diff --git a/terraform/cloudfront.tf b/terraform/modules/cube-cluster/cloudfront.tf
similarity index 84%
rename from terraform/cloudfront.tf
rename to terraform/modules/cube-cluster/cloudfront.tf
index 1640f95..931beb9 100644
--- a/terraform/cloudfront.tf
+++ b/terraform/modules/cube-cluster/cloudfront.tf
@@ -14,8 +14,8 @@ data "aws_cloudfront_origin_request_policy" "all_viewers" {
   name = "Managed-AllViewer"
 }
 
-resource "aws_cloudfront_distribution" "sync_svc_cube_cdn" {
-  aliases         = [local.domain_name, "www.${local.domain_name}"]
+resource "aws_cloudfront_distribution" "cube_cdn" {
+  aliases         = [var.cube_api_domain_name]
   comment         = "Cloudfront distribution for cube.dev api"
   price_class     = "PriceClass_100"
   is_ipv6_enabled = true
@@ -25,12 +25,6 @@ resource "aws_cloudfront_distribution" "sync_svc_cube_cdn" {
     domain_name = local.api_domain_name
     origin_id   = local.api_domain_name
 
-    # vpc_origin_config {
-    #   vpc_origin_id            = aws_cloudfront_vpc_origin.alb.id
-    #   origin_keepalive_timeout = 5
-    #   origin_read_timeout      = 30
-    # }
-
     custom_origin_config {
       http_port                = 80
       https_port               = 443
@@ -64,4 +58,4 @@ resource "aws_cloudfront_distribution" "sync_svc_cube_cdn" {
       locations        = []
     }
   }
-}
+}
\ No newline at end of file
diff --git a/terraform/cloudwatch.tf b/terraform/modules/cube-cluster/cloudwatch.tf
similarity index 54%
rename from terraform/cloudwatch.tf
rename to terraform/modules/cube-cluster/cloudwatch.tf
index 94c6ae2..f78d738 100644
--- a/terraform/cloudwatch.tf
+++ b/terraform/modules/cube-cluster/cloudwatch.tf
@@ -1,4 +1,4 @@
 resource "aws_cloudwatch_log_group" "main" {
-  name              = "/ecs/sync-svc-cube/production"
+  name              = "/ecs/${var.cluster_prefix}-cube-logs"
   retention_in_days = 14
 }
diff --git a/terraform/modules/cube-cluster/ecr.tf b/terraform/modules/cube-cluster/ecr.tf
new file mode 100644
index 0000000..38874c1
--- /dev/null
+++ b/terraform/modules/cube-cluster/ecr.tf
@@ -0,0 +1,65 @@
+resource "aws_ecr_repository" "cube_repo" {
+  name                 = "${var.cluster_prefix}-cube-ecr"
+  image_tag_mutability = "IMMUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "cube_lf_policy" {
+  repository = aws_ecr_repository.cube_repo.name
+
+  policy = <<EOF
+{
+    "rules": [
+        {
+            "rulePriority": 1,
+            "description": "Keep last 30 images",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["v"],
+                "countType": "imageCountMoreThan",
+                "countNumber": 30
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_ecr_repository" "cubestore_repo" {
+  name                 = "${var.cluster_prefix}-cubestore-ecr"
+  image_tag_mutability = "IMMUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "cubestore_lf_policy" {
+  repository = aws_ecr_repository.cubestore_repo.name
+
+  policy = <<EOF
+{
+    "rules": [
+        {
+            "rulePriority": 1,
+            "description": "Keep last 30 images",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["v"],
+                "countType": "imageCountMoreThan",
+                "countNumber": 30
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+}
+EOF
+}
\ No newline at end of file
diff --git a/terraform/ecs.tf b/terraform/modules/cube-cluster/ecs.tf
similarity index 52%
rename from terraform/ecs.tf
rename to terraform/modules/cube-cluster/ecs.tf
index 4098561..aa6132e 100644
--- a/terraform/ecs.tf
+++ b/terraform/modules/cube-cluster/ecs.tf
@@ -1,5 +1,5 @@
 resource "aws_ecs_cluster" "main" {
-  name = "production"
+  name = "${var.cluster_prefix}_cluster"
 
   setting {
     name  = "containerInsights"
@@ -19,18 +19,25 @@ resource "aws_ecs_cluster_capacity_providers" "fargate" {
   }
 }
 
+data "aws_secretsmanager_secret" "secrets" {
+  for_each = { for idx, secret in var.cube_shared_secrets : idx => secret }
+  name     = each.value.valueFrom
+}
+
+locals {
+  secret_arns = [for s in data.aws_secretsmanager_secret.secrets : s.arn]
+}
+
+
 data "aws_iam_policy_document" "ecs_task_execution_role" {
   statement {
-    actions = ["secretsmanager:GetSecretValue"]
-    resources = [
-      aws_secretsmanager_secret.postgres_cube_user_pw.arn,
-      aws_secretsmanager_secret.auth0_jwt_key.arn
-    ]
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = local.secret_arns
   }
 }
 
 resource "aws_iam_role" "ecs_task_execution_role" {
-  name = "ecs_task_execution_role"
+  name = "${var.cluster_prefix}_ecs_task_execution_role"
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
@@ -47,7 +54,7 @@ resource "aws_iam_role" "ecs_task_execution_role" {
 }
 
 resource "aws_iam_role" "ecs_task_role" {
-  name = "ecs_task_role"
+  name = "${var.cluster_prefix}_ecs_task_role"
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
@@ -64,9 +71,8 @@ resource "aws_iam_role" "ecs_task_role" {
   })
 }
 
-
 resource "aws_iam_policy" "ecs_task_ssm_policy" {
-  name = "ecs_task_ssm_policy"
+  name = "${var.cluster_prefix}_ecs_task_ssm_policy"
 
   policy = <<EOF
   {
@@ -112,91 +118,37 @@ resource "aws_iam_role_policy_attachment" "ecs_task_role_attach" {
   policy_arn = aws_iam_policy.ecs_task_ssm_policy.arn
 }
 
+locals {
+  cubestore_worker_port       = 80
+  cubestore_worker_port_name  = "cubestore-worker-port"
+  cubestore_worker_dns_prefix = "cubestore-worker"
+  cubestore_task_dns_names    = join(",", [for i in range(var.cubestore_worker_resources.cubestore_worker_count) : "${local.cubestore_worker_dns_prefix}-${i}:${local.cubestore_worker_port}"])
 
-resource "aws_secretsmanager_secret" "postgres_cube_user_pw" {
-  name = "production/postgres-cube-user-pw"
-}
+  cubestore_router_dns_name  = "cubestore-router"
+  cubestore_router_port      = 80
+  cubestore_router_port_name = "cubestore-router-port"
 
-resource "aws_secretsmanager_secret" "auth0_jwt_key" {
-  name = "production/auth0-jwt-key"
-}
+  cubestore_router_http_dns_name  = "cubestore-router-http"
+  cubestore_router_http_port_name = "cubestore-router-http-port"
+  cubestore_router_http_port      = 3030
 
-variable "cubestore_worker_count" {
-  default = 2
-}
+  cubestore_router_status_dns_name  = "cubestore-router-status"
+  cubestore_router_status_port_name = "cubestore-router-status-port"
+  cubestore_router_status_port      = 3031
 
+  cube_api_port = 80
 
-locals {
-  cube_shared_environment = [
-    {
-      name  = "CUBEJS_DB_SSL"
-      value = "true"
-    },
-    {
-      name  = "CUBEJS_DB_TYPE"
-      value = "postgres"
-    },
-    {
-      name  = "CUBEJS_DB_HOST"
-      value = "ec2-3-221-59-105.compute-1.amazonaws.com"
-    },
-    {
-      name  = "CUBEJS_DB_PORT"
-      value = "5432"
-    },
-    {
-      name  = "CUBEJS_DB_USER"
-      value = "cube"
-    },
-    {
-      name  = "CUBEJS_DB_NAME"
-      value = "d20nhfliefb6aa"
-    },
-    {
-      name  = "CUBEJS_SCHEMA_PATH"
-      value = "model"
-    },
-    {
-      name  = "CUBEJS_DEV_MODE"
-      value = "false"
-    },
-    {
-      name  = "NODE_ENV",
-      value = "production"
-    },
-    {
-      name  = "CUBEJS_JWK_URL"
-      value = "https://sync-prod.us.auth0.com/.well-known/jwks.json"
-    },
-    {
-      name  = "CUBEJS_JWT_AUDIENCE"
-      value = "https://api.synccomputing.com"
-    },
-    {
-      name  = "CUBEJS_JWT_ISSUER"
-      value = "https://login.app.synccomputing.com/"
-    },
-    {
-      name  = "CUBEJS_JWT_ALGS"
-      value = "RS256"
-    },
-    {
-      name  = "CUBEJS_JWT_CLAIMS_NAMESPACE"
-      value = "https://synccomputing.com/"
-    }
-  ]
-  cube_shared_secrets = [
-    { name = "CUBEJS_DB_PASS", valueFrom = aws_secretsmanager_secret.postgres_cube_user_pw.arn },
-    { name = "CUBEJS_JWT_KEY", valueFrom = aws_secretsmanager_secret.auth0_jwt_key.arn },
-  ]
-  cubestore_task_dns_names = join(",", [for i in range(var.cubestore_worker_count) : "cubestore-worker-${i}:80"])
-
-  cube_api_container_definitions = jsonencode([
+  private_subnets = var.vpc.private_subnets
+}
+
+resource "aws_ecs_task_definition" "cube_api" {
+  family = "cube_api"
+  container_definitions = jsonencode([
     {
       name      = "cube-api"
-      image     = "${aws_ecr_repository.sync_svc_cube_repo.repository_url}:latest"
-      cpu       = 256
-      memory    = 512
+      image     = "${aws_ecr_repository.cube_repo.repository_url}:latest"
+      cpu       = tonumber(var.cube_api_resources.cpu)
+      memory    = tonumber(var.cube_api_resources.memory)
       essential = true
       logConfiguration = {
         "logDriver" : "awslogs",
@@ -206,15 +158,22 @@ locals {
           "awslogs-stream-prefix" : "ecs"
         }
       }
+      healthCheck = {
+        command     = ["CMD-SHELL", "curl -f http://localhost:${local.cube_api_port}/readyz || exit 1"]
+        interval    = 30
+        retries     = 3
+        startPeriod = 60 # Grace period before starting checks (in seconds)
+        timeout     = 5
+      }
       portMappings = [
         {
-          containerPort = 80,
-          hostPort      = 80,
+          containerPort = local.cube_api_port,
+          hostPort      = local.cube_api_port,
           protocol      = "tcp",
           name          = "cube-api-port"
         },
       ],
-      environment = concat(local.cube_shared_environment,
+      environment = concat(var.cube_shared_env,
         [
           {
             name  = "CUBEJS_REFRESH_WORKER"
@@ -222,137 +181,34 @@ locals {
           },
           {
             name  = "PORT"
-            value = "80"
+            value = tostring(local.cube_api_port)
           },
           {
             name  = "CUBEJS_CUBESTORE_HOST"
-            value = "cubestore-router-http"
+            value = local.cubestore_router_http_dns_name
           },
           {
             name  = "CUBEJS_CUBESTORE_PORT"
-            value = "3030"
+            value = tostring(local.cubestore_router_http_port)
           }
         ]
       ),
-      secrets = local.cube_shared_secrets
+      secrets = var.cube_shared_secrets
     }
   ])
-
-  cube_refresh_worker_container_definitions = jsonencode([
-    {
-      name      = "cube-refresh-worker"
-      image     = "${aws_ecr_repository.sync_svc_cube_repo.repository_url}:latest"
-      cpu       = 256
-      memory    = 512
-      essential = true
-      logConfiguration = {
-        "logDriver" : "awslogs",
-        "options" : {
-          "awslogs-group" : aws_cloudwatch_log_group.main.name,
-          "awslogs-region" : "us-east-1",
-          "awslogs-stream-prefix" : "ecs"
-        }
-      }
-      portMappings = [
-        {
-          containerPort = 80,
-          hostPort      = 80,
-          protocol      = "tcp",
-          name          = "cube-refresh-worker-port"
-        },
-      ],
-      environment = concat(local.cube_shared_environment,
-        [{
-          name  = "CUBEJS_REFRESH_WORKER"
-          value = "true"
-          },
-          {
-            name  = "CUBEJS_CUBESTORE_HOST"
-            value = "cubestore-router-http"
-          },
-          {
-            name  = "CUBEJS_CUBESTORE_PORT"
-            value = "3030"
-        }]
-      ),
-      secrets = local.cube_shared_secrets
-    }
-  ])
-
-  cubestore_router_container_definitions = jsonencode([
-    {
-      name      = "cubestore-router"
-      image     = "${var.cubestore_image}"
-      cpu       = 256
-      memory    = 512
-      essential = true
-      logConfiguration = {
-        "logDriver" : "awslogs",
-        "options" : {
-          "awslogs-group" : aws_cloudwatch_log_group.main.name,
-          "awslogs-region" : "us-east-1",
-          "awslogs-stream-prefix" : "ecs"
-        }
-      }
-      portMappings = [
-        {
-          containerPort = 80,
-          hostPort      = 80,
-          protocol      = "tcp",
-          name          = "cubestore-router-port"
-        },
-        {
-          containerPort = 3030,
-          hostPort      = 3030,
-          protocol      = "tcp",
-          name          = "cubestore-router-http-port"
-        },
-        {
-          containerPort = 3031,
-          hostPort      = 3031,
-          protocol      = "tcp",
-          name          = "cubestore-router-status-port"
-        }
-      ],
-      environment = concat(local.cube_shared_environment,
-        [{
-          name  = "CUBESTORE_SERVER_NAME"
-          value = "cubestore-router:80"
-          },
-          {
-            name  = "CUBESTORE_META_PORT"
-            value = "80"
-          },
-          {
-            name  = "CUBESTORE_WORKERS"
-            value = "${local.cubestore_task_dns_names}"
-          },
-          {
-            name  = "CUBESTORE_REMOTE_DIR"
-            value = "/cube/data"
-        }]
-      ),
-      secrets = local.cube_shared_secrets
-    },
-  ])
-}
-
-resource "aws_ecs_task_definition" "cube_api" {
-  family                   = "cube_api"
-  container_definitions    = local.cube_api_container_definitions
   execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
   task_role_arn            = aws_iam_role.ecs_task_role.arn
   network_mode             = "awsvpc"
   requires_compatibilities = ["FARGATE"]
-  cpu                      = "256"
-  memory                   = "512"
+  cpu                      = var.cube_api_resources.cpu
+  memory                   = var.cube_api_resources.memory
 }
 
 resource "aws_ecs_service" "cube_api" {
   name                   = "cube_api"
   cluster                = aws_ecs_cluster.main.id
   task_definition        = aws_ecs_task_definition.cube_api.arn
-  desired_count          = 1
+  desired_count          = var.cube_api_resources.desired_worker_count
   launch_type            = "FARGATE"
   wait_for_steady_state  = true
   enable_execute_command = true
@@ -361,13 +217,13 @@ resource "aws_ecs_service" "cube_api" {
   deployment_minimum_healthy_percent = 0
 
   network_configuration {
-    subnets         = module.vpc.private_subnets
+    subnets         = local.private_subnets
     security_groups = [aws_security_group.ecs_service.id]
   }
 
   service_connect_configuration {
     enabled   = true
-    namespace = aws_service_discovery_http_namespace.cubestore.arn
+    namespace = aws_service_discovery_http_namespace.cube.arn
   }
 
   load_balancer {
@@ -378,21 +234,71 @@ resource "aws_ecs_service" "cube_api" {
 }
 
 resource "aws_ecs_task_definition" "cube_refresh_worker" {
-  family                   = "cube_refresh_worker"
-  container_definitions    = local.cube_refresh_worker_container_definitions
+  family = "cube_refresh_worker"
+  container_definitions = jsonencode([
+    {
+      name      = "cube-refresh-worker"
+      image     = "${aws_ecr_repository.cube_repo.repository_url}:latest"
+      cpu       = tonumber(var.cube_refresh_worker_resources.cpu)
+      memory    = tonumber(var.cube_refresh_worker_resources.memory)
+      essential = true
+      logConfiguration = {
+        "logDriver" : "awslogs",
+        "options" : {
+          "awslogs-group" : aws_cloudwatch_log_group.main.name,
+          "awslogs-region" : "us-east-1",
+          "awslogs-stream-prefix" : "ecs"
+        }
+      }
+      healthCheck = {
+        command     = ["CMD-SHELL", "curl -f http://localhost:80/readyz || exit 1"]
+        interval    = 30
+        retries     = 3
+        startPeriod = 60 # Grace period before starting checks (in seconds)
+        timeout     = 5
+      }
+      portMappings = [
+        {
+          containerPort = 80,
+          hostPort      = 80,
+          protocol      = "tcp",
+          name          = "cube-refresh-worker-port"
+        },
+      ],
+      environment = concat(var.cube_shared_env,
+        [{
+          name  = "CUBEJS_REFRESH_WORKER"
+          value = "true"
+          },
+          {
+            name  = "PORT"
+            value = "80"
+          },
+          {
+            name  = "CUBEJS_CUBESTORE_HOST"
+            value = local.cubestore_router_http_dns_name
+          },
+          {
+            name  = "CUBEJS_CUBESTORE_PORT"
+            value = tostring(local.cubestore_router_http_port)
+        }]
+      ),
+      secrets = var.cube_shared_secrets
+    }
+  ])
   execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
   task_role_arn            = aws_iam_role.ecs_task_role.arn
   network_mode             = "awsvpc"
   requires_compatibilities = ["FARGATE"]
-  cpu                      = "256"
-  memory                   = "512"
+  cpu                      = var.cube_refresh_worker_resources.cpu
+  memory                   = var.cube_refresh_worker_resources.memory
 }
 
 resource "aws_ecs_service" "cube_refresh_worker" {
   name                   = "cube_refresh_worker"
   cluster                = aws_ecs_cluster.main.id
   task_definition        = aws_ecs_task_definition.cube_refresh_worker.arn
-  desired_count          = 1
+  desired_count          = var.cube_refresh_worker_resources.desired_worker_count
   launch_type            = "FARGATE"
   wait_for_steady_state  = true
   enable_execute_command = true
@@ -401,19 +307,19 @@ resource "aws_ecs_service" "cube_refresh_worker" {
   deployment_minimum_healthy_percent = 0
 
   network_configuration {
-    subnets         = module.vpc.private_subnets
+    subnets         = local.private_subnets
     security_groups = [aws_security_group.ecs_service.id]
   }
 
   service_connect_configuration {
     enabled   = true
-    namespace = aws_service_discovery_http_namespace.cubestore.arn
+    namespace = aws_service_discovery_http_namespace.cube.arn
   }
 }
 
-resource "aws_service_discovery_http_namespace" "cubestore" {
-  name        = "cubestore.local"
-  description = "Service discovery namespace for cubestore workers and router"
+resource "aws_service_discovery_http_namespace" "cube" {
+  name        = "${var.cluster_prefix}-cube.local"
+  description = "Service discovery namespace to form a cube cluster"
 }
 
 resource "aws_ecs_service" "cubestore_router" {
@@ -429,13 +335,13 @@ resource "aws_ecs_service" "cubestore_router" {
   deployment_minimum_healthy_percent = 0
 
   network_configuration {
-    subnets         = module.vpc.private_subnets
+    subnets         = local.private_subnets
     security_groups = [aws_security_group.ecs_service.id]
   }
 
   service_connect_configuration {
     enabled   = true
-    namespace = aws_service_discovery_http_namespace.cubestore.arn
+    namespace = aws_service_discovery_http_namespace.cube.arn
     log_configuration {
       log_driver = "awslogs"
       options = {
@@ -445,47 +351,106 @@ resource "aws_ecs_service" "cubestore_router" {
       }
     }
     service {
-      discovery_name = "cubestore-router"
-      port_name      = "cubestore-router-port"
+      discovery_name = local.cubestore_router_dns_name
+      port_name      = local.cubestore_router_port_name
       client_alias {
-        port     = 80
-        dns_name = "cubestore-router"
+        port     = local.cubestore_router_port
+        dns_name = local.cubestore_router_dns_name
       }
     }
 
     service {
-      discovery_name = "cubestore-router-status"
-      port_name      = "cubestore-router-status-port"
+      discovery_name = local.cubestore_router_status_dns_name
+      port_name      = local.cubestore_router_status_port_name
       client_alias {
-        port     = 3031
-        dns_name = "cubestore-router-status"
+        port     = local.cubestore_router_status_port
+        dns_name = local.cubestore_router_status_dns_name
       }
     }
 
     service {
-      discovery_name = "cubestore-router-http"
-      port_name      = "cubestore-router-http-port"
+      discovery_name = local.cubestore_router_http_dns_name
+      port_name      = local.cubestore_router_http_port_name
       client_alias {
-        port     = 3030
-        dns_name = "cubestore-router-http"
+        port     = local.cubestore_router_http_port
+        dns_name = local.cubestore_router_http_dns_name
       }
     }
   }
 }
 
 resource "aws_ecs_task_definition" "cubestore_router" {
-  family                   = "cubestore_router"
-  container_definitions    = local.cubestore_router_container_definitions
+  family = "cubestore_router"
+  container_definitions = jsonencode([
+    {
+      name      = "cubestore-router"
+      image     = "${aws_ecr_repository.cubestore_repo.repository_url}:8311306"
+      cpu       = tonumber(var.cubestore_router_resources.cpu)
+      memory    = tonumber(var.cubestore_router_resources.memory)
+      essential = true
+      logConfiguration = {
+        "logDriver" : "awslogs",
+        "options" : {
+          "awslogs-group" : aws_cloudwatch_log_group.main.name,
+          "awslogs-region" : "us-east-1",
+          "awslogs-stream-prefix" : "ecs"
+        }
+      }
+      healthCheck = {
+        command     = ["CMD-SHELL", "curl -f http://localhost:${local.cubestore_router_status_port}/readyz || exit 1"]
+        interval    = 30
+        retries     = 3
+        startPeriod = 60 # Grace period before starting checks (in seconds)
+        timeout     = 5
+      }
+      portMappings = [
+        {
+          containerPort = local.cubestore_router_port,
+          hostPort      = local.cubestore_router_port,
+          protocol      = "tcp",
+          name          = local.cubestore_router_port_name
+        },
+        {
+          containerPort = local.cubestore_router_http_port,
+          hostPort      = local.cubestore_router_http_port,
+          protocol      = "tcp",
+          name          = local.cubestore_router_http_port_name
+        },
+        {
+          containerPort = local.cubestore_router_status_port,
+          hostPort      = local.cubestore_router_status_port,
+          protocol      = "tcp",
+          name          = local.cubestore_router_status_port_name
+        }
+      ],
+      environment = [{
+        name  = "CUBESTORE_SERVER_NAME"
+        value = "${local.cubestore_router_dns_name}:${local.cubestore_router_port}"
+        },
+        {
+          name  = "CUBESTORE_META_PORT"
+          value = tostring(local.cubestore_router_port)
+        },
+        {
+          name  = "CUBESTORE_WORKERS"
+          value = "${local.cubestore_task_dns_names}"
+        },
+        {
+          name  = "CUBESTORE_REMOTE_DIR"
+          value = "/cube/data"
+      }]
+    },
+  ])
   execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
   task_role_arn            = aws_iam_role.ecs_task_role.arn
   network_mode             = "awsvpc"
   requires_compatibilities = ["FARGATE"]
-  cpu                      = "256"
-  memory                   = "512"
+  cpu                      = var.cubestore_router_resources.cpu
+  memory                   = var.cubestore_router_resources.memory
 }
 
 resource "aws_ecs_service" "cubestore" {
-  count = var.cubestore_worker_count
+  count = var.cubestore_worker_resources.cubestore_worker_count
 
   name                   = "cubestore_${count.index}"
   cluster                = aws_ecs_cluster.main.id
@@ -500,14 +465,14 @@ resource "aws_ecs_service" "cubestore" {
 
 
   network_configuration {
-    subnets          = module.vpc.private_subnets
+    subnets          = local.private_subnets
     security_groups  = [aws_security_group.ecs_service.id]
     assign_public_ip = true
   }
 
   service_connect_configuration {
     enabled   = true
-    namespace = aws_service_discovery_http_namespace.cubestore.arn
+    namespace = aws_service_discovery_http_namespace.cube.arn
     log_configuration {
       log_driver = "awslogs"
       options = {
@@ -517,37 +482,33 @@ resource "aws_ecs_service" "cubestore" {
       }
     }
     service {
-      discovery_name = "cubestore-worker-${count.index}"
-      port_name      = "cubestore-worker-port"
+      discovery_name = "${local.cubestore_worker_dns_prefix}-${count.index}"
+      port_name      = local.cubestore_worker_port_name
       client_alias {
-        port     = 80
-        dns_name = "cubestore-worker-${count.index}"
+        port     = local.cubestore_worker_port
+        dns_name = "${local.cubestore_worker_dns_prefix}-${count.index}"
       }
     }
   }
-
-  # service_registries {
-  #   registry_arn = aws_service_discovery_service.cubestore[count.index].arn
-  # }
 }
 
 resource "aws_ecs_task_definition" "cubestore" {
-  count = var.cubestore_worker_count
+  count = var.cubestore_worker_resources.cubestore_worker_count
 
   family                   = "cubestore-${count.index}"
   execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
   task_role_arn            = aws_iam_role.ecs_task_role.arn
   network_mode             = "awsvpc"
   requires_compatibilities = ["FARGATE"]
-  cpu                      = "256"
-  memory                   = "512"
+  cpu                      = var.cubestore_worker_resources.cpu
+  memory                   = var.cubestore_worker_resources.memory
 
   container_definitions = jsonencode([
     {
       name      = "cubestore"
-      image     = "${var.cubestore_image}"
-      cpu       = 256
-      memory    = 512
+      image     = "${aws_ecr_repository.cubestore_repo.repository_url}:8311306"
+      cpu       = tonumber(var.cubestore_worker_resources.cpu)
+      memory    = tonumber(var.cubestore_worker_resources.memory)
       essential = true
       logConfiguration = {
         "logDriver" : "awslogs",
@@ -557,38 +518,44 @@ resource "aws_ecs_task_definition" "cubestore" {
           "awslogs-stream-prefix" : "ecs"
         }
       }
+      # bring back when I figure out where to get a health check port
+      # healthCheck = {
+      #   command     = ["CMD-SHELL", "curl -f http://localhost:3031/readyz || exit 1"]
+      #   interval    = 30
+      #   retries     = 3
+      #   startPeriod = 60 # Grace period before starting checks (in seconds)
+      #   timeout     = 5
+      # }
       portMappings = [
         {
-          containerPort = 80,
-          hostPort      = 80,
+          containerPort = local.cubestore_worker_port,
+          hostPort      = local.cubestore_worker_port,
           protocol      = "tcp",
-          name          = "cubestore-worker-port"
+          name          = local.cubestore_worker_port_name
         }
       ],
-      environment = concat(local.cube_shared_environment,
-        [{
-          name  = "CUBESTORE_SERVER_NAME"
-          value = "cubestore-worker-${count.index}:80"
-          },
-          {
-            name  = "CUBESTORE_WORKER_PORT"
-            value = "80"
-          },
-          {
-            name  = "CUBESTORE_META_ADDR"
-            value = "cubestore-router:80"
-          },
-          {
-            name  = "CUBESTORE_WORKERS"
-            value = "${local.cubestore_task_dns_names}"
-          },
-          {
-            name  = "CUBESTORE_REMOTE_DIR"
-            value = "/cube/data"
-        }]
-      ),
-      secrets = local.cube_shared_secrets
+      environment = [{
+        name  = "CUBESTORE_SERVER_NAME"
+        value = "${local.cubestore_worker_dns_prefix}-${count.index}:${local.cubestore_worker_port}"
+        },
+        {
+          name  = "CUBESTORE_WORKER_PORT"
+          value = tostring(local.cubestore_worker_port)
+        },
+        {
+          name  = "CUBESTORE_META_ADDR"
+          value = "${local.cubestore_router_dns_name}:${local.cubestore_router_port}"
+        },
+        {
+          name  = "CUBESTORE_WORKERS"
+          value = "${local.cubestore_task_dns_names}"
+        },
+        {
+          name  = "CUBESTORE_REMOTE_DIR"
+          value = "/cube/data"
+      }]
     }
   ])
 
 }
+
diff --git a/terraform/iam.tf b/terraform/modules/cube-cluster/iam.tf
similarity index 61%
rename from terraform/iam.tf
rename to terraform/modules/cube-cluster/iam.tf
index bc2ebc0..2cd67af 100644
--- a/terraform/iam.tf
+++ b/terraform/modules/cube-cluster/iam.tf
@@ -1,28 +1,5 @@
-resource "aws_iam_openid_connect_provider" "default" {
-  url = "https://token.actions.githubusercontent.com"
-
-  client_id_list = [
-    "sts.amazonaws.com",
-  ]
-
-  thumbprint_list = ["cf23df2207d99a74fbe169e3eba035e633b65d94"]
-}
-
-module "iam_github_oidc_role" {
-  source      = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
-  name        = "github_actions_role"
-  path        = "/system/"
-  description = "GitHub IAM role for GitHub actions"
-
-  subjects = ["synccomputingcode/sync-svc-cube-v2:*"]
-
-  policies = {
-    GitHubActionsPolicy = aws_iam_policy.sync_svc_cube_ecr_policy.arn
-  }
-}
-
-resource "aws_iam_policy" "sync_svc_cube_ecr_policy" {
-  name        = "sync_svc_cube_ecr_policy"
+resource "aws_iam_policy" "cube_repo_ecr_policy" {
+  name        = "${var.cluster_prefix}_cube_repo_ecr_policy"
   path        = "/system/"
   description = "Policy for github role to push/pull containers"
 
@@ -50,7 +27,7 @@ resource "aws_iam_policy" "sync_svc_cube_ecr_policy" {
           "ecr:PutImage",
           "ecr:UploadLayerPart"
         ],
-        "Resource" : aws_ecr_repository.sync_svc_cube_repo.arn
+        "Resource" : [aws_ecr_repository.cube_repo.arn, aws_ecr_repository.cubestore_repo.arn]
       },
       {
         "Sid" : "AllowEcsServiceDeploys",
@@ -74,3 +51,7 @@ resource "aws_iam_policy" "sync_svc_cube_ecr_policy" {
     ]
   })
 }
+
+output "cube_repo_ecr_policy" {
+  value = aws_iam_policy.cube_repo_ecr_policy
+}
\ No newline at end of file
diff --git a/terraform/load_balancer.tf b/terraform/modules/cube-cluster/load_balancer.tf
similarity index 64%
rename from terraform/load_balancer.tf
rename to terraform/modules/cube-cluster/load_balancer.tf
index 2ac1f9d..e9c8a7e 100644
--- a/terraform/load_balancer.tf
+++ b/terraform/modules/cube-cluster/load_balancer.tf
@@ -1,16 +1,20 @@
+locals {
+  public_subnets = var.vpc.public_subnets
+}
+
 resource "aws_lb" "main" {
-  name               = "cube-api-production-lb"
+  name               = "${var.cluster_prefix}-cube-api-lb"
   internal           = false
   load_balancer_type = "application"
   security_groups    = [aws_security_group.lb.id]
-  subnets            = module.vpc.public_subnets
+  subnets            = local.public_subnets
 }
 
 resource "aws_lb_target_group" "main" {
-  name                 = "cube-api-production-tg"
+  name                 = "${var.cluster_prefix}-cube-api-tg"
   port                 = 80
   protocol             = "HTTP"
-  vpc_id               = module.vpc.vpc_id
+  vpc_id               = var.vpc.vpc_id
   target_type          = "ip"
   deregistration_delay = 5
 
@@ -49,18 +53,3 @@ resource "aws_lb_listener" "https" {
     target_group_arn = aws_lb_target_group.main.arn
   }
 }
-
-# resource "aws_cloudfront_vpc_origin" "alb" {
-#   vpc_origin_endpoint_config {
-#     name                   = "cube-alb-vpc-origin"
-#     arn                    = aws_lb.main.arn
-#     http_port              = 80
-#     https_port             = 443
-#     origin_protocol_policy = "https-only"
-
-#     origin_ssl_protocols {
-#       items    = ["TLSv1.2"]
-#       quantity = 1
-#     }
-#   }
-# }
\ No newline at end of file
diff --git a/terraform/route53.tf b/terraform/modules/cube-cluster/route53.tf
similarity index 73%
rename from terraform/route53.tf
rename to terraform/modules/cube-cluster/route53.tf
index 33070c7..52845a4 100644
--- a/terraform/route53.tf
+++ b/terraform/modules/cube-cluster/route53.tf
@@ -1,7 +1,7 @@
 
 locals {
-  domain_name     = "cube-api.synccomputing.com"
-  api_domain_name = "internal-cube-api-lb.${local.domain_name}"
+  domain_name     = var.cube_api_domain_name
+  api_domain_name = "internal-${var.cluster_prefix}-cube-api-lb.${local.domain_name}"
 }
 
 resource "aws_route53_zone" "main" {
@@ -9,9 +9,8 @@ resource "aws_route53_zone" "main" {
 }
 
 resource "aws_acm_certificate" "main" {
-  domain_name               = local.domain_name
-  validation_method         = "DNS"
-  subject_alternative_names = ["www.${local.domain_name}"]
+  domain_name       = local.domain_name
+  validation_method = "DNS"
 
   lifecycle {
     create_before_destroy = true
@@ -76,19 +75,8 @@ resource "aws_route53_record" "main" {
   name    = local.domain_name
   type    = "A"
   alias {
-    name                   = aws_cloudfront_distribution.sync_svc_cube_cdn.domain_name
-    zone_id                = aws_cloudfront_distribution.sync_svc_cube_cdn.hosted_zone_id
-    evaluate_target_health = false
-  }
-}
-
-resource "aws_route53_record" "www" {
-  zone_id = aws_route53_zone.main.zone_id
-  name    = "www.${local.domain_name}"
-  type    = "A"
-  alias {
-    name                   = aws_cloudfront_distribution.sync_svc_cube_cdn.domain_name
-    zone_id                = aws_cloudfront_distribution.sync_svc_cube_cdn.hosted_zone_id
+    name                   = aws_cloudfront_distribution.cube_cdn.domain_name
+    zone_id                = aws_cloudfront_distribution.cube_cdn.hosted_zone_id
     evaluate_target_health = false
   }
 }
diff --git a/terraform/vpc.tf b/terraform/modules/cube-cluster/security_groups.tf
similarity index 56%
rename from terraform/vpc.tf
rename to terraform/modules/cube-cluster/security_groups.tf
index 381823b..239d737 100644
--- a/terraform/vpc.tf
+++ b/terraform/modules/cube-cluster/security_groups.tf
@@ -1,23 +1,6 @@
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = ">=5.7.1"
-
-  name = "production-vpc"
-  cidr = "10.0.0.0/16"
-
-  azs                  = ["us-east-1a", "us-east-1b", "us-east-1d", "us-east-1c"]
-  private_subnets      = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]
-  public_subnets       = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24", "10.0.104.0/24"]
-  enable_dns_hostnames = true
-  enable_dns_support   = true
-  enable_nat_gateway   = true
-  create_igw           = true
-}
-
-
 resource "aws_security_group" "ecs_service" {
-  name_prefix = "ecs-service-"
-  vpc_id      = module.vpc.vpc_id
+  name_prefix = "${var.cluster_prefix}-ecs-service-"
+  vpc_id      = var.vpc.vpc_id
 
   ingress {
     from_port       = 0
@@ -41,10 +24,13 @@ resource "aws_security_group" "ecs_service" {
   }
 }
 
+data "aws_ec2_managed_prefix_list" "cloudfront" {
+  name = "com.amazonaws.global.cloudfront.origin-facing"
+}
 
 resource "aws_security_group" "lb" {
-  name_prefix = "lb-"
-  vpc_id      = module.vpc.vpc_id
+  name_prefix = "${var.cluster_prefix}-lb-"
+  vpc_id      = var.vpc.vpc_id
 
   ingress {
     from_port   = 80
@@ -58,7 +44,7 @@ resource "aws_security_group" "lb" {
     to_port   = 443
     protocol  = "tcp"
     prefix_list_ids = [ # Allow traffic from cloudfront which IPs are stored in an aws managed prefix list
-      "pl-3b927c52",
+      data.aws_ec2_managed_prefix_list.cloudfront.id
     ]
   }
 
diff --git a/terraform/modules/cube-cluster/variables.tf b/terraform/modules/cube-cluster/variables.tf
new file mode 100644
index 0000000..98ac9f9
--- /dev/null
+++ b/terraform/modules/cube-cluster/variables.tf
@@ -0,0 +1,133 @@
+variable "cluster_prefix" {
+  type = string
+}
+
+variable "vpc" {
+  description = "VPC to deploy cube cluster within"
+  type        = any
+}
+
+data "aws_vpc" "selected" {
+  id = var.vpc.vpc_id
+}
+
+data "aws_nat_gateways" "selected" {
+  filter {
+    name   = "vpc-id"
+    values = [var.vpc.vpc_id]
+  }
+}
+
+data "aws_internet_gateway" "selected" {
+  filter {
+    name   = "attachment.vpc-id"
+    values = [var.vpc.vpc_id]
+  }
+}
+
+resource "null_resource" "validate_vpc" {
+  lifecycle {
+    precondition {
+      condition     = data.aws_vpc.selected.enable_dns_support
+      error_message = "The VPC must have enable_dns_support = true"
+    }
+
+    precondition {
+      condition     = data.aws_vpc.selected.enable_dns_hostnames
+      error_message = "The VPC must have enable_dns_hostnames = true"
+    }
+
+    precondition {
+      condition     = length(data.aws_nat_gateways.selected.ids) > 0
+      error_message = "The VPC must have at least one NAT Gateway"
+    }
+
+    precondition {
+      condition     = can(data.aws_internet_gateway.selected.id)
+      error_message = "The VPC must have an Internet Gateway"
+    }
+  }
+}
+
+variable "cubestore_image" {
+  type        = string
+  description = "Image for cube store and cube store router"
+  default     = "cubejs/cubestore"
+}
+
+variable "cube_api_resources" {
+  type = object({
+    cpu                  = string
+    memory               = string
+    desired_worker_count = number
+  })
+
+  default = {
+    cpu                  = "2048"
+    memory               = "4096"
+    desired_worker_count = 2
+  }
+}
+
+variable "cube_refresh_worker_resources" {
+  type = object({
+    cpu                  = string
+    memory               = string
+    desired_worker_count = number
+  })
+
+  default = {
+    cpu                  = "2048"
+    memory               = "4096"
+    desired_worker_count = 1
+  }
+}
+
+
+variable "cubestore_router_resources" {
+  type = object({
+    cpu    = string
+    memory = string
+  })
+
+  default = {
+    cpu    = "4096"
+    memory = "8192"
+  }
+}
+
+variable "cubestore_worker_resources" {
+  type = object({
+    cpu                    = string
+    memory                 = string
+    cubestore_worker_count = number
+  })
+
+  default = {
+    cpu                    = "4096"
+    memory                 = "8192"
+    cubestore_worker_count = 2
+  }
+}
+
+variable "cube_shared_env" {
+  type = list(object({
+    name  = string
+    value = string
+  }))
+  description = "Shared environment variables for cube api and refresh workers."
+  default     = []
+}
+
+variable "cube_shared_secrets" {
+  type = list(object({
+    name      = string
+    valueFrom = string
+  }))
+  description = "Shared environment secrets for cube api and refresh workers."
+  default     = []
+}
+
+variable "cube_api_domain_name" {
+  type = string
+}
\ No newline at end of file
diff --git a/terraform/variables.tf b/terraform/variables.tf
deleted file mode 100644
index 90d00e6..0000000
--- a/terraform/variables.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-variable "cubestore_image" {
-  type        = string
-  description = "Image for cube store and cube store router"
-  default     = "cubejs/cubestore"
-}
-
-variable "aws_account_id" {
-  description = "Target AWS Account ID"
-  type        = string
-}
\ No newline at end of file