diff --git a/qpizza-tf/bastion/main.tf b/qpizza-tf/bastion/main.tf
new file mode 100644
index 0000000..6d9e69c
--- /dev/null
+++ b/qpizza-tf/bastion/main.tf
@@ -0,0 +1,46 @@
+resource "tls_private_key" "that" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "aws_key_pair" "that" {
+  key_name   = var.key_name
+  public_key = tls_private_key.that.public_key_openssh
+}
+
+resource "aws_security_group" "bastion_sg" {
+  description = "Security group for Bastion"
+  vpc_id = var.vpc_id
+  
+  ingress {
+    from_port = 22
+    to_port = 22
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+data "aws_ssm_parameter" "ami_id" {
+  name = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-arm64"
+}
+
+
+resource "aws_instance" "bastion" {
+  ami           = data.aws_ssm_parameter.ami_id.value
+  instance_type = var.bastion_instance_type
+  subnet_id = var.subnet_id
+  vpc_security_group_ids = [aws_security_group.bastion_sg.id]
+  key_name = aws_key_pair.that.key_name
+  user_data = <<EOF
+  #!/bin/bash
+  yum -y install mariadb105
+  EOF
+}
+
diff --git a/qpizza-tf/bastion/outputs.tf b/qpizza-tf/bastion/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/qpizza-tf/bastion/variables.tf b/qpizza-tf/bastion/variables.tf
new file mode 100644
index 0000000..f364bf4
--- /dev/null
+++ b/qpizza-tf/bastion/variables.tf
@@ -0,0 +1,17 @@
+variable "vpc_id" {
+    type = string
+}
+
+variable "subnet_id" {
+    type = string
+}
+
+variable "key_name" {
+    type = string
+    default = "tfkeypair"
+}
+
+variable "bastion_instance_type" {
+    type = string
+    default = "t4g.micro"
+}
\ No newline at end of file
diff --git a/qpizza-tf/database/main.tf b/qpizza-tf/database/main.tf
new file mode 100644
index 0000000..5b38dc0
--- /dev/null
+++ b/qpizza-tf/database/main.tf
@@ -0,0 +1,59 @@
+resource "aws_security_group" "aurora_sg" {
+  description = "Security group for RDS"
+  vpc_id = var.vpc_id
+  ingress {
+    from_port = 3306
+    to_port = 3306
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_db_subnet_group" "that" {
+  subnet_ids = var.subnet_ids
+  description = "Subnet group for RDS"
+}
+
+#TODO: Prefix the parameter names with the environment name
+data "aws_ssm_parameter" "master_username" {
+  name = "master_username"
+}
+
+data "aws_ssm_parameter" "master_password" {
+  name = "master_password"
+}
+
+resource "aws_rds_cluster" "aurora_cluster" {
+  engine                  = "aurora-mysql"
+  engine_mode             = "provisioned"
+  engine_version          = "8.0"
+  
+  db_subnet_group_name    = aws_db_subnet_group.that.name
+  master_username         = data.aws_ssm_parameter.master_username.value
+  master_password         = data.aws_ssm_parameter.master_password.value
+  backup_retention_period = 7
+  preferred_backup_window = "07:00-09:00"
+  vpc_security_group_ids  = [aws_security_group.aurora_sg.id]
+  storage_encrypted       = true
+  skip_final_snapshot     = true
+  enable_http_endpoint    = true
+
+  serverlessv2_scaling_configuration {
+    min_capacity = 0.5
+    max_capacity = 8
+  }
+}
+
+resource "aws_rds_cluster_instance" "cluster_instances" {
+  cluster_identifier = aws_rds_cluster.aurora_cluster.id
+  instance_class = "db.serverless"
+  engine = aws_rds_cluster.aurora_cluster.engine
+  engine_version = aws_rds_cluster.aurora_cluster.engine_version
+}
\ No newline at end of file
diff --git a/qpizza-tf/database/outputs.tf b/qpizza-tf/database/outputs.tf
new file mode 100644
index 0000000..4feb8d9
--- /dev/null
+++ b/qpizza-tf/database/outputs.tf
@@ -0,0 +1,3 @@
+output "aurora_sg_id" {
+  value = aws_security_group.aurora_sg.id
+}
\ No newline at end of file
diff --git a/qpizza-tf/database/variables.tf b/qpizza-tf/database/variables.tf
new file mode 100644
index 0000000..24afe24
--- /dev/null
+++ b/qpizza-tf/database/variables.tf
@@ -0,0 +1,8 @@
+variable vpc_id {
+    type = string
+}
+
+variable subnet_ids {
+    type = list(string)
+}
+
diff --git a/qpizza-tf/main.tf b/qpizza-tf/main.tf
index 33f6137..1b4ce4e 100644
--- a/qpizza-tf/main.tf
+++ b/qpizza-tf/main.tf
@@ -12,6 +12,22 @@ provider "aws" {
 }
 
 module "networking" {
-    source = "./networking"
-    aws_region = var.aws_region
+  source = "./networking"
+}
+
+module "secrets" {
+  source = "./secrets"
+}
+
+module "database" {
+  source = "./database"
+  depends_on = [ module.networking, module.secrets ]
+  vpc_id = module.networking.vpc_id
+  subnet_ids = module.networking.private_subnet_ids
+}
+
+module "bastion" {
+ source = "./bastion"
+ vpc_id = module.networking.vpc_id
+ subnet_id = module.networking.public_subnet_ids[0] 
 }
\ No newline at end of file
diff --git a/qpizza-tf/networking/variables.tf b/qpizza-tf/networking/variables.tf
index 95b6cde..e69de29 100644
--- a/qpizza-tf/networking/variables.tf
+++ b/qpizza-tf/networking/variables.tf
@@ -1,3 +0,0 @@
-variable "aws_region" {
-  default = "us-west-2"
-}
\ No newline at end of file
diff --git a/qpizza-tf/outputs.tf b/qpizza-tf/outputs.tf
index e6a12b2..e465226 100644
--- a/qpizza-tf/outputs.tf
+++ b/qpizza-tf/outputs.tf
@@ -8,4 +8,8 @@ output "private_subnet_ids" {
 
 output "public_subnet_ids" {
   value = module.networking.public_subnet_ids
-}
\ No newline at end of file
+}
+
+output "aurora_sg_id" {
+  value = module.database.aurora_sg_id
+}
diff --git a/qpizza-tf/secrets/main.tf b/qpizza-tf/secrets/main.tf
new file mode 100644
index 0000000..0f1f0f3
--- /dev/null
+++ b/qpizza-tf/secrets/main.tf
@@ -0,0 +1,11 @@
+resource "aws_ssm_parameter" "master_username" {
+  name  = "master_username"
+  type  = "String"
+  value = var.master_username
+}
+
+resource "aws_ssm_parameter" "master_password" {
+  name  = "master_password"
+  type  = "String"
+  value = (var.master_password != "" ? var.master_password : uuid())
+}
\ No newline at end of file
diff --git a/qpizza-tf/secrets/outputs.tf b/qpizza-tf/secrets/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/qpizza-tf/secrets/variables.tf b/qpizza-tf/secrets/variables.tf
new file mode 100644
index 0000000..1ec88a5
--- /dev/null
+++ b/qpizza-tf/secrets/variables.tf
@@ -0,0 +1,9 @@
+variable "master_username" {
+  type = string
+  default = "admin"
+}
+
+variable "master_password" {
+  type = string
+  default = ""
+}
\ No newline at end of file
diff --git a/qpizza-tf/variables.tf b/qpizza-tf/variables.tf
index 95b6cde..ed48e21 100644
--- a/qpizza-tf/variables.tf
+++ b/qpizza-tf/variables.tf
@@ -1,3 +1,3 @@
 variable "aws_region" {
-  default = "us-west-2"
+  default = "us-east-1"
 }
\ No newline at end of file