diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..271822f
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,13 @@
+root = true
+
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 2
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+insert_final_newline = false
+trim_trailing_whitespace = false
diff --git a/.envrc.example b/.envrc.example
index 00fa3f6..c983c85 100644
--- a/.envrc.example
+++ b/.envrc.example
@@ -1,13 +1,9 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
-PATH_add scripts
-
-export AWS_ACCESS_KEY_ID=
-export AWS_SECRET_ACCESS_KEY=
-export AWS_DEFAULT_REGION=
+export CLOUDFLARE_EMAIL=
+export CLOUDFLARE_TOKEN=
 
-export TF_VAR_aws_account_num=
-export TF_VAR_aws_region=${AWS_DEFAULT_REGION}
+export ROLE_ARN_stg=
+export ROLE_ARN_prod=
 
-export CLOUDFLARE_EMAIL=
-export CLOUDFLARE_TOKEN=
\ No newline at end of file
+export TF_VAR_newrelic_license_key=
diff --git a/.gitignore b/.gitignore
index c482008..28de410 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 .DS_Store
 .envrc
+.bundle
 
 # IDE junk
 .idea/*
@@ -8,3 +9,7 @@
 
 # tfstate is saved on remote
 .terraform
+terraform.tfstate.d
+terraform.log
+
+functions/*.zip
diff --git a/.travis.yml b/.travis.yml
index 923b43c..03d0a32 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,41 +1,38 @@
 ---
 sudo: required
 dist: trusty
-language: ruby
-rvm:
-  - 2.2.3
-cache:
-  directories:
-  - vendor/bundle
-
-before_install:
-  - gem install travis -v 1.8.2 --no-rdoc --no-ri
-  - wget https://releases.hashicorp.com/terraform/0.6.14/terraform_0.6.14_linux_amd64.zip -O /tmp/terraform.zip
+language: python
+cache: pip
+python:
+- '2.7'
+
+install:
+  # Install AWS CLI
+  - pip install awscli
+  - aws --version
+  # Install Terraform
+  - TERRAFORM_VERSION="0.10.2"
+  - wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -O /tmp/terraform.zip
   - sudo unzip -d /usr/local/bin/ /tmp/terraform.zip
 
 before_script:
-  - export TF_VAR_aws_account_num=${AWS_ACCOUNT_NUMBER}
-  - export TF_VAR_aws_region=${AWS_DEFAULT_REGION}
-script:
-  # If branch name was matched with deploy/xxx, continue to apply.
+  # Determine environment
   - export ENV=$(echo "${TRAVIS_BRANCH}" | perl -ne "print $& if /(?<=deploy\/).*/")
-  - if [ -z "${ENV}" ]; then exit ; fi
-
-  # Enable Terraform Remote
-  - scripts/terraform-enable-remote.sh
-
-  # Save current output to compare later
-  - terraform output | grep endpoint | tee out_before
-
-  # Execute Terraform and create tfstate on remote
-  - scripts/terraform-wrapper.sh plan
-  - scripts/terraform-wrapper.sh apply
-
-  # Save current output to compare later
-  - terraform output | grep endpoint | tee out_after
-
-  # Compare output and take over building if endpoints were changed.
-  - diff out_before out_after || scripts/build-provisionings.sh
-
-  # Deploy app when initial deployment
-  - if [ ! -s out_before ]; then scripts/build-app.sh ; fi
+script:
+  - |
+    if [ -z "${ENV}" ]; then
+      echo "${TRAVIS_BRANCH} is not a branch to deploy."
+    else
+      source ./scripts/switch-role.sh
+      terraform init
+      terraform get
+      terraform workspace select ${ENV}
+      terraform plan
+    fi
+
+deploy:
+  - provider: script
+    script: terraform apply
+    skip_cleanup: true
+    on:
+      branch: deploy/*
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..24afa34
--- /dev/null
+++ b/README.md
@@ -0,0 +1,47 @@
+# micropost-formation
+
+## Core components
+
+* AWS VPC
+* AWS ECS with ALB and AutoScaling
+* AWS RDS
+* Cloudflare DNS and CDN
+
+## Dependencies
+
+* Terraform
+* AWS CLI
+* direnv
+
+## Getting started
+
+Configure settings.
+
+```
+$ cp .envrc.example .envrc
+$ vi .envrc
+$ direnv allow
+```
+
+Init
+```
+$ export ENV=stg
+$ source ./scripts/switch-role.sh
+$ terraform init
+$ terraform get
+$ terraform workspace select ${ENV}
+```
+
+Plan and Apply
+
+```
+$ ./terraform-env.sh stg plan
+$ ./terraform-env.sh stg apply
+```
+
+## Related Projects
+
+* [Angular 2 app](https://github.com/springboot-angular2-tutorial/angular2-app)
+* [Spring Boot app](https://github.com/springboot-angular2-tutorial/boot-app)
+* [Android app](https://github.com/springboot-angular2-tutorial/android-app)
+* [Lambda functions by Serverless](https://github.com/springboot-angular2-tutorial/micropost-functions)
diff --git a/autoscaling.tf b/autoscaling.tf
deleted file mode 100644
index 0b467fe..0000000
--- a/autoscaling.tf
+++ /dev/null
@@ -1,77 +0,0 @@
-resource "aws_launch_configuration" "web" {
-  name_prefix = "web-${var.env}-"
-  image_id = "${var.ami_web}"
-  instance_type = "t2.micro"
-  security_groups = [
-    "${aws_security_group.internal.id}",
-    "${aws_security_group.ssh.id}",
-  ]
-  key_name = "akirasosa"
-  associate_public_ip_address = true
-  iam_instance_profile = "${aws_iam_instance_profile.web.id}"
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_autoscaling_group" "web" {
-  name = "web-${var.env}"
-  max_size = 4
-  min_size = 0
-  health_check_grace_period = 300
-  health_check_type = "ELB"
-  desired_capacity = 0
-  force_delete = true
-  launch_configuration = "${aws_launch_configuration.web.id}"
-  vpc_zone_identifier = [
-    "${aws_subnet.public-a.id}",
-    "${aws_subnet.public-b.id}",
-  ]
-  load_balancers = ["${aws_elb.web.name}"]
-}
-
-resource "aws_autoscaling_policy" "web-scale-out" {
-  name = "Instance-ScaleOut-CPU-High"
-  scaling_adjustment = 1
-  adjustment_type = "ChangeInCapacity"
-  cooldown = 300
-  autoscaling_group_name = "${aws_autoscaling_group.web.name}"
-}
-
-resource "aws_cloudwatch_metric_alarm" "web-gte-threshold" {
-  alarm_name = "web-${var.env}-CPU-Utilization-High-30"
-  comparison_operator = "GreaterThanOrEqualToThreshold"
-  evaluation_periods = "1"
-  metric_name = "CPUUtilization"
-  namespace = "AWS/EC2"
-  period = "120"
-  statistic = "Average"
-  threshold = "80"
-  dimensions {
-    AutoScalingGroupName = "${aws_autoscaling_group.web.name}"
-  }
-  alarm_actions = ["${aws_autoscaling_policy.web-scale-out.arn}"]
-}
-
-resource "aws_autoscaling_policy" "web-scale-in" {
-  name = "Instance-ScaleIn-CPU-Low"
-  scaling_adjustment = -1
-  adjustment_type = "ChangeInCapacity"
-  cooldown = 300
-  autoscaling_group_name = "${aws_autoscaling_group.web.name}"
-}
-
-resource "aws_cloudwatch_metric_alarm" "web-lt-threshold" {
-  alarm_name = "web-${var.env}-CPU-Utilization-Low-5"
-  comparison_operator = "LessThanThreshold"
-  evaluation_periods = "1"
-  metric_name = "CPUUtilization"
-  namespace = "AWS/EC2"
-  period = "120"
-  statistic = "Average"
-  threshold = "5"
-  dimensions {
-    AutoScalingGroupName = "${aws_autoscaling_group.web.name}"
-  }
-  alarm_actions = ["${aws_autoscaling_policy.web-scale-in.arn}"]
-}
diff --git a/bastion/main.tf b/bastion/main.tf
new file mode 100644
index 0000000..a92f840
--- /dev/null
+++ b/bastion/main.tf
@@ -0,0 +1,51 @@
+data "aws_ami" "ubuntu" {
+  most_recent = true
+  filter {
+    name = "name"
+    values = [
+      "*ubuntu-xenial-16.04*"
+    ]
+  }
+  filter {
+    name = "architecture"
+    values = [
+      "x86_64"
+    ]
+  }
+  filter {
+    name = "root-device-type"
+    values = [
+      "ebs"
+    ]
+  }
+  filter {
+    name = "virtualization-type"
+    values = [
+      "hvm"
+    ]
+  }
+  filter {
+    name = "block-device-mapping.volume-type"
+    values = [
+      "gp2"
+    ]
+  }
+  owners = [
+    # Canonical
+    "099720109477"
+  ]
+}
+
+resource "aws_instance" "bastion" {
+  ami = "${data.aws_ami.ubuntu.id}"
+  instance_type = "t2.micro"
+  subnet_id = "${var.subnet_id}"
+  vpc_security_group_ids = [
+    "${var.security_groups}"
+  ]
+  key_name = "${var.key_name}"
+  associate_public_ip_address = true
+  tags {
+    Name = "bastion"
+  }
+}
\ No newline at end of file
diff --git a/bastion/variables.tf b/bastion/variables.tf
new file mode 100644
index 0000000..cd8f0ab
--- /dev/null
+++ b/bastion/variables.tf
@@ -0,0 +1,13 @@
+variable "subnet_id" {
+  description = "Public subnet for bastion server"
+}
+
+variable "security_groups" {
+  type = "list"
+  description = "Security groups for bastion server"
+  default = []
+}
+
+variable "key_name" {
+  description = "SSH key to login to bastion server"
+}
\ No newline at end of file
diff --git a/codedeploy.tf b/codedeploy.tf
deleted file mode 100644
index 30138a7..0000000
--- a/codedeploy.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-resource "aws_codedeploy_app" "micropost" {
-  name = "micropost-${var.env}"
-}
-
-resource "aws_codedeploy_deployment_group" "web" {
-  app_name = "${aws_codedeploy_app.micropost.name}"
-  deployment_group_name = "web"
-  service_role_arn = "${aws_iam_role.codedeploy-service.arn}"
-  autoscaling_groups = ["${aws_autoscaling_group.web.id}"]
-  deployment_config_name = "CodeDeployDefault.OneAtATime"
-}
diff --git a/dbservers/main.tf b/dbservers/main.tf
new file mode 100644
index 0000000..4f0de4d
--- /dev/null
+++ b/dbservers/main.tf
@@ -0,0 +1,27 @@
+resource "aws_db_instance" "main" {
+  snapshot_identifier = "${var.snapshot_identifier}"
+  skip_final_snapshot = true
+  allocated_storage = 5
+  engine = "mysql"
+  engine_version = "5.7.17"
+  instance_class = "db.t2.micro"
+  parameter_group_name = "${aws_db_parameter_group.main.name}"
+  vpc_security_group_ids = [
+    "${var.security_groups}",
+  ]
+  db_subnet_group_name = "${aws_db_subnet_group.main.name}"
+}
+
+resource "aws_db_subnet_group" "main" {
+  name = "main"
+  description = "main group of subnets"
+  subnet_ids = [
+    "${var.subnets}"
+  ]
+}
+
+# It's not used.
+resource "aws_db_parameter_group" "main" {
+  name = "main"
+  family = "mysql5.7"
+}
diff --git a/dbservers/outputs.tf b/dbservers/outputs.tf
new file mode 100644
index 0000000..c385baa
--- /dev/null
+++ b/dbservers/outputs.tf
@@ -0,0 +1,3 @@
+output "endpoint" {
+  value = "${aws_db_instance.main.endpoint}"
+}
\ No newline at end of file
diff --git a/dbservers/variables.tf b/dbservers/variables.tf
new file mode 100644
index 0000000..bb13128
--- /dev/null
+++ b/dbservers/variables.tf
@@ -0,0 +1,15 @@
+variable "security_groups" {
+  type = "list"
+  description = "Security groups for db servers"
+  default = []
+}
+
+variable "subnets" {
+  type = "list"
+  description = "Subnets for db servers"
+  default = []
+}
+
+variable "snapshot_identifier" {
+  description = "Initial snapshot to restore"
+}
diff --git a/dns.tf b/dns.tf
index 4635e11..f88b62c 100644
--- a/dns.tf
+++ b/dns.tf
@@ -1,6 +1,23 @@
-resource "cloudflare_record" "micropost" {
-  domain = "hana053.com"
-  name = "micropost-${var.env}"
-  value = "${aws_elb.web.dns_name}"
+resource "cloudflare_record" "main" {
+  domain = "${var.domain}"
+  name = "${var.web_host_name}-${terraform.workspace}"
+  value = "${module.webservers.dns_name}"
   type = "CNAME"
-}
\ No newline at end of file
+}
+
+resource "cloudflare_record" "main_prod" {
+  count = "${terraform.workspace == "prod" ? 1 : 0}"
+  domain = "${var.domain}"
+  name = "${var.web_host_name}"
+  value = "${module.webservers.dns_name}"
+  type = "CNAME"
+}
+
+resource "cloudflare_record" "cdn" {
+  domain = "${var.domain}"
+  name = "cdn-${terraform.workspace}"
+  value = "${cloudflare_record.main.name}.hana053.com"
+  proxied = true
+  type = "CNAME"
+}
+
diff --git a/elasticache.tf b/elasticache.tf
deleted file mode 100644
index b92c6a9..0000000
--- a/elasticache.tf
+++ /dev/null
@@ -1,22 +0,0 @@
-resource "aws_elasticache_cluster" "micropost" {
-  cluster_id = "micropost-${var.env}"
-  engine = "redis"
-  engine_version = "2.8.24"
-  node_type = "cache.t2.micro"
-  port = 6379
-  num_cache_nodes = 1
-  parameter_group_name = "default.redis2.8"
-  security_group_ids = [
-    "${aws_security_group.internal.id}",
-  ]
-  subnet_group_name = "${aws_elasticache_subnet_group.micropost.name}"
-}
-
-resource "aws_elasticache_subnet_group" "micropost" {
-  name = "micropost-${var.env}"
-  description = "main subnet group"
-  subnet_ids = [
-    "${aws_subnet.private-a.id}",
-    "${aws_subnet.private-b.id}",
-  ]
-}
\ No newline at end of file
diff --git a/elasticsearch.tf b/elasticsearch.tf
deleted file mode 100644
index 38b87f4..0000000
--- a/elasticsearch.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-resource "aws_elasticsearch_domain" "logserver" {
-  domain_name = "micropost-${var.env}"
-  access_policies = <<CONFIG
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "es:*",
-      "Principal": {
-        "AWS": "arn:aws:iam::${var.aws_account_num}:root"
-      },
-      "Effect": "Allow",
-      "Resource": "arn:aws:es:${var.aws_region}:${var.aws_account_num}:domain/micropost-${var.env}/*"
-    },
-    {
-      "Action": "es:*",
-      "Principal": "*",
-      "Effect": "Allow",
-      "Condition": {
-        "IpAddress": {
-          "aws:SourceIp": "${var.cidr.office}"
-        }
-      },
-      "Resource": "arn:aws:es:${var.aws_region}:${var.aws_account_num}:domain/micropost-${var.env}/*"
-    }
-  ]
-}
-CONFIG
-  snapshot_options {
-    automated_snapshot_start_hour = 23
-  }
-  cluster_config {
-    instance_type = "t2.micro.elasticsearch"
-  }
-  ebs_options {
-    ebs_enabled = true
-    volume_size = 10
-    volume_type = "gp2"
-  }
-}
\ No newline at end of file
diff --git a/elb.tf b/elb.tf
deleted file mode 100644
index c199815..0000000
--- a/elb.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-resource "aws_elb" "web" {
-  name = "web-${var.env}"
-  subnets = [
-    "${aws_subnet.public-a.id}",
-    "${aws_subnet.public-b.id}",
-  ]
-  security_groups = [
-    "${aws_security_group.internal.id}",
-    "${aws_security_group.http.id}",
-    "${aws_security_group.https.id}",
-  ]
-  listener {
-    instance_port = 80
-    instance_protocol = "tcp"
-    lb_port = 80
-    lb_protocol = "tcp"
-  }
-  listener {
-    instance_port = 443
-    instance_protocol = "tcp"
-    lb_port = 443
-    lb_protocol = "tcp"
-  }
-  health_check {
-    healthy_threshold = 2
-    unhealthy_threshold = 2
-    timeout = 5
-    target = "HTTP:81/manage/health"
-    interval = 30
-  }
-  cross_zone_load_balancing = true
-  idle_timeout = 400
-  connection_draining = true
-  connection_draining_timeout = 400
-}
-
-resource "aws_proxy_protocol_policy" "web" {
-  load_balancer = "${aws_elb.web.name}"
-  instance_ports = ["80", "443"]
-}
\ No newline at end of file
diff --git a/iam.tf b/iam.tf
deleted file mode 100644
index 3906316..0000000
--- a/iam.tf
+++ /dev/null
@@ -1,133 +0,0 @@
-resource "aws_iam_instance_profile" "web" {
-  name = "web-${var.env}"
-  roles = [
-    "${aws_iam_role.web.name}"
-  ]
-}
-
-resource "aws_iam_role" "web" {
-  name = "web-${var.env}"
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "ec2.amazonaws.com"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy" "es-client" {
-  name = "es-client"
-  role = "${aws_iam_role.web.id}"
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "es:*"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy" "letsencrypt-cache-client" {
-  name = "es-client"
-  role = "${aws_iam_role.web.id}"
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "s3:Get*",
-        "s3:Put*"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy" "codedeploy-client" {
-  name = "codedeploy-client"
-  role = "${aws_iam_role.web.id}"
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "s3:Get*",
-        "s3:List*"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role" "codedeploy-service" {
-  name = "codedeploy-service-${var.env}"
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": [
-          "codedeploy.amazonaws.com"
-        ]
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy" "codedeploy-service-policy" {
-  name = "codedeploy-service"
-  role = "${aws_iam_role.codedeploy-service.id}"
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "autoscaling:CompleteLifecycleAction",
-                "autoscaling:DeleteLifecycleHook",
-                "autoscaling:DescribeAutoScalingGroups",
-                "autoscaling:DescribeLifecycleHooks",
-                "autoscaling:PutLifecycleHook",
-                "autoscaling:RecordLifecycleActionHeartbeat",
-                "ec2:DescribeInstances",
-                "ec2:DescribeInstanceStatus",
-                "tag:GetTags",
-                "tag:GetResources"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
-EOF
-}
diff --git a/keypair.tf b/keypair.tf
new file mode 100644
index 0000000..1e707b1
--- /dev/null
+++ b/keypair.tf
@@ -0,0 +1,4 @@
+resource "aws_key_pair" "micropost" {
+  key_name = "micropost"
+  public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbCML308PObiUCSJwkX8JsX434d7TStWTeEiIyOb96JTuT3dxgz4eCGBDcYH3McmSpg4jz4HJAmwxWeeyFhHiAwNoCsND3AaKiG0pzNsfCc7I6IFdFJHubVaAZf+YivoZQUSCzQhZmANMOGF7BPMN3OL5cZMm+7MDdHDJVOtxrM1QhsM9aHxTgWxgn4uKvQoxxDmx/0kbrIC0al3Fi0p+kK8lXbSJ+dIDbWPtX0ntxMK2K8n5lWP8bwBQIh+tSPG4pxgxD++GjZ94PiKcsHLaxhyiI1/H29bQq2+dyO1enHux3JWmPRa0EOXAricyoWxpXskT6UxtEupP4Q+nd6tW/ akira@Macintosh.local"
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..cfd9f78
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,61 @@
+provider "aws" {
+  region = "ap-northeast-1"
+}
+
+data "aws_caller_identity" "current" {}
+
+module "vpc" {
+  source = "./vpc"
+  name = "micropost"
+}
+
+module "webservers" {
+  source = "./webservers"
+  env = "${terraform.workspace}"
+  dbserver_endpoint = "${module.dbservers.endpoint}"
+  newrelic_license_key = "${var.newrelic_license_key}"
+  key_name = "${aws_key_pair.micropost.key_name}"
+  web_subnets = [
+    "${module.vpc.public_subnets}"
+  ]
+  web_security_groups = [
+    "${module.security_groups.internal}",
+  ]
+  alb_subnets = [
+    "${module.vpc.public_subnets}"
+  ]
+  alb_security_groups = [
+    "${module.security_groups.internal}",
+    "${module.security_groups.internet_in_http}",
+    "${module.security_groups.internet_in_https}",
+  ]
+  vpc_id = "${module.vpc.vpc_id}"
+  log_bucket = "${aws_s3_bucket.log.bucket}"
+}
+
+//module "bastion" {
+//  source = "./bastion"
+//  subnet_id = "${module.vpc.public_subnets[0]}"
+//  security_groups = [
+//    "${module.security_groups.internal}",
+//    "${module.security_groups.internet_in_ssh}",
+//  ]
+//  key_name = "${aws_key_pair.micropost.key_name}"
+//}
+
+module "dbservers" {
+  source = "./dbservers"
+  security_groups = [
+    "${module.security_groups.internal}",
+  ]
+  subnets = [
+    "${module.vpc.private_subnets}",
+  ]
+  snapshot_identifier = "micropost-init"
+}
+
+module "security_groups" {
+  source = "./security_groups"
+  vpc_id = "${module.vpc.vpc_id}"
+  ssh_allowed_segments = ["${var.allowed_segments}"]
+}
diff --git a/output_before.txt b/output_before.txt
deleted file mode 100644
index e69de29..0000000
diff --git a/outputs.tf b/outputs.tf
deleted file mode 100644
index 9e8bfc3..0000000
--- a/outputs.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-output "ami_web" {
-  value = "${aws_launch_configuration.web.image_id}"
-}
-
-output "logserver_endpoint" {
-  value = "${aws_elasticsearch_domain.logserver.endpoint}"
-}
-
-output "rds_endpoint" {
-  value = "${aws_db_instance.micropost.endpoint}"
-}
-
-// I have only one node..
-output "redis_endpoint" {
-  value = "${aws_elasticache_cluster.micropost.cache_nodes.0.address}:${aws_elasticache_cluster.micropost.cache_nodes.0.port}"
-}
-
-output "web_endpoint" {
-  value = "${cloudflare_record.micropost.hostname}"
-}
diff --git a/providers.tf b/providers.tf
deleted file mode 100644
index ae660c8..0000000
--- a/providers.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-provider "aws" {
-  region = "${var.aws_region}"
-}
-
-provider "cloudflare" {
-  email = ""
-  token = ""
-}
\ No newline at end of file
diff --git a/rds.tf b/rds.tf
deleted file mode 100644
index a3ac802..0000000
--- a/rds.tf
+++ /dev/null
@@ -1,22 +0,0 @@
-resource "aws_db_instance" "micropost" {
-  identifier = "micropost-${var.env}"
-  snapshot_identifier = "micropost-init"
-  allocated_storage    = 5
-  engine               = "mysql"
-  engine_version       = "5.7.10"
-  instance_class       = "db.t2.micro"
-  db_subnet_group_name = "${aws_db_subnet_group.micropost.name}"
-  parameter_group_name = "default.mysql5.7"
-  vpc_security_group_ids = [
-    "${aws_security_group.internal.id}",
-  ]
-}
-
-resource "aws_db_subnet_group" "micropost" {
-  name = "micropost-${var.env}"
-  description = "Our main group of subnets"
-  subnet_ids = [
-    "${aws_subnet.private-a.id}",
-    "${aws_subnet.private-b.id}",
-  ]
-}
diff --git a/remote.tf b/remote.tf
new file mode 100644
index 0000000..7266947
--- /dev/null
+++ b/remote.tf
@@ -0,0 +1,7 @@
+terraform {
+  backend "s3" {
+    bucket = "state.hana053.com"
+    key    = "micropost"
+    region = "ap-northeast-1"
+  }
+}
diff --git a/s3.tf b/s3.tf
new file mode 100644
index 0000000..8255352
--- /dev/null
+++ b/s3.tf
@@ -0,0 +1,23 @@
+resource "aws_s3_bucket" "log" {
+  bucket = "log-${terraform.workspace}.${var.domain}"
+  force_destroy = true
+  policy = <<CONFIG
+{
+  "Id": "LogBucketPolicy",
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "WriteAccess",
+      "Action": [
+        "s3:PutObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::log-${terraform.workspace}.${var.domain}/alb-web/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
+      "Principal": {
+        "AWS":"arn:aws:iam::582318560864:root"
+      }
+    }
+  ]
+}
+CONFIG
+}
diff --git a/scripts/build-app.sh b/scripts/build-app.sh
deleted file mode 100755
index d6725fc..0000000
--- a/scripts/build-app.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-travis login --org --skip-completion-check --github-token ${GH_TOKEN}
-token=$(travis token --org)
-body=$(cat << EOS
-{
-  "request": {
-    "branch":"${TRAVIS_BRANCH}"
-  }
-}
-EOS
-)
-curl -s -X POST \
-  -H "Content-Type: application/json" \
-  -H "Accept: application/json" \
-  -H "Travis-API-Version: 3" \
-  -H "Authorization: token ${token}" \
-  -d "${body}" \
-  https://api.travis-ci.org/repo/akirasosa%2Ftestapp1/requests
diff --git a/scripts/build-provisionings.sh b/scripts/build-provisionings.sh
deleted file mode 100755
index f1c4156..0000000
--- a/scripts/build-provisionings.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh
-
-travis login --org --skip-completion-check --github-token ${GH_TOKEN}
-token=$(travis token --org)
-body=$(cat << EOS
-{
-  "request": {
-    "branch":"${TRAVIS_BRANCH}"
-  }
-}
-EOS
-)
-curl -s -X POST \
-  -H "Content-Type: application/json" \
-  -H "Accept: application/json" \
-  -H "Travis-API-Version: 3" \
-  -H "Authorization: token ${token}" \
-  -d "${body}" \
-  https://api.travis-ci.org/repo/springboot-angular2-tutorial%2Fmicropost-provisionings/requests
diff --git a/scripts/switch-role.sh b/scripts/switch-role.sh
new file mode 100755
index 0000000..023abbd
--- /dev/null
+++ b/scripts/switch-role.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# Parse variable such as ROLE_ARN_stg, ROLE_ARN_prod and etc.
+ROLE_ARN=$(eval echo '$ROLE_ARN_'${ENV})
+
+CREDENTIALS=$(aws sts assume-role --role-arn ${ROLE_ARN} --role-session-name travisci)
+
+export AWS_ACCESS_KEY_ID=$(echo ${CREDENTIALS} | jq --raw-output .Credentials.AccessKeyId)
+export AWS_SECRET_ACCESS_KEY=$(echo ${CREDENTIALS} | jq --raw-output .Credentials.SecretAccessKey)
+export AWS_SESSION_TOKEN=$(echo ${CREDENTIALS} | jq --raw-output .Credentials.SessionToken)
diff --git a/scripts/terraform-enable-remote.sh b/scripts/terraform-enable-remote.sh
deleted file mode 100755
index a5ae967..0000000
--- a/scripts/terraform-enable-remote.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-if [ -z ${ENV} ]; then
-  echo "ENV is required."
-  exit 1
-fi
-
-terraform remote config \
-  -state="${ENV}.tfstate" \
-  -backend=S3 \
-  -backend-config="region=ap-southeast-1" \
-  -backend-config="bucket=deploy.hana053.com" \
-  -backend-config="key=${ENV}.tfstate"
-terraform remote pull
diff --git a/scripts/terraform-wrapper.sh b/scripts/terraform-wrapper.sh
deleted file mode 100755
index b785da7..0000000
--- a/scripts/terraform-wrapper.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/sh
-
-. $(dirname $0)/terraform-enable-remote.sh
-
-# If TF_VAR_ami_web is defined already, use it.
-# If TF_VAR_ami_web is not defined, get it from tfstate.
-TF_VAR_ami_web=${TF_VAR_ami_web:=$(terraform output ami_web)}
-if [ -n "${TF_VAR_ami_web}" ]; then
-  export TF_VAR_ami_web
-fi
-
-terraform $@ \
-  -state="${ENV}.tfstate" \
-  -refresh=true \
-  -var "env=${ENV}"
-
-terraform remote push
diff --git a/security_group.tf b/security_groups/main.tf
similarity index 77%
rename from security_group.tf
rename to security_groups/main.tf
index 3a67189..a95eddb 100644
--- a/security_group.tf
+++ b/security_groups/main.tf
@@ -1,5 +1,5 @@
 resource "aws_security_group" "internal" {
-  vpc_id = "${aws_vpc.vpc.id}"
+  vpc_id = "${var.vpc_id}"
   name_prefix = "internal-"
   description = "Allow internal traffic"
   ingress {
@@ -16,17 +16,16 @@ resource "aws_security_group" "internal" {
       "0.0.0.0/0"
     ]
   }
-  tags {
-    Name = "internal"
-    Env = "${var.env}"
-  }
   lifecycle {
     create_before_destroy = true
   }
+  tags {
+    Name = "internal"
+  }
 }
 
-resource "aws_security_group" "ssh" {
-  vpc_id = "${aws_vpc.vpc.id}"
+resource "aws_security_group" "internet_in_ssh" {
+  vpc_id = "${var.vpc_id}"
   name_prefix = "ssh-"
   description = "Allow ssh inbound traffic"
   ingress {
@@ -34,8 +33,7 @@ resource "aws_security_group" "ssh" {
     to_port = 22
     protocol = "tcp"
     cidr_blocks = [
-      "${var.cidr.office}",
-      "115.76.85.4/32",
+      "${var.ssh_allowed_segments}"
     ]
   }
   egress {
@@ -46,17 +44,16 @@ resource "aws_security_group" "ssh" {
       "0.0.0.0/0"
     ]
   }
-  tags {
-    Name = "ssh"
-    Env = "${var.env}"
-  }
   lifecycle {
     create_before_destroy = true
   }
+  tags {
+    Name = "internet-in-ssh"
+  }
 }
 
-resource "aws_security_group" "http" {
-  vpc_id = "${aws_vpc.vpc.id}"
+resource "aws_security_group" "internet_in_http" {
+  vpc_id = "${var.vpc_id}"
   name_prefix = "http-"
   description = "Allow http inbound traffic"
   ingress {
@@ -75,17 +72,16 @@ resource "aws_security_group" "http" {
       "0.0.0.0/0"
     ]
   }
-  tags {
-    Name = "http"
-    Env = "${var.env}"
-  }
   lifecycle {
     create_before_destroy = true
   }
+  tags {
+    Name = "internet-in-http"
+  }
 }
 
-resource "aws_security_group" "https" {
-  vpc_id = "${aws_vpc.vpc.id}"
+resource "aws_security_group" "internet_in_https" {
+  vpc_id = "${var.vpc_id}"
   name_prefix = "https-"
   description = "Allow https inbound traffic"
   ingress {
@@ -104,11 +100,10 @@ resource "aws_security_group" "https" {
       "0.0.0.0/0"
     ]
   }
-  tags {
-    Name = "https"
-    Env = "${var.env}"
-  }
   lifecycle {
     create_before_destroy = true
   }
+  tags {
+    Name = "internet-in-https"
+  }
 }
\ No newline at end of file
diff --git a/security_groups/outputs.tf b/security_groups/outputs.tf
new file mode 100644
index 0000000..656f307
--- /dev/null
+++ b/security_groups/outputs.tf
@@ -0,0 +1,15 @@
+output "internal" {
+  value = "${aws_security_group.internal.id}"
+}
+
+output "internet_in_ssh" {
+  value = "${aws_security_group.internet_in_ssh.id}"
+}
+
+output "internet_in_http" {
+  value = "${aws_security_group.internet_in_http.id}"
+}
+
+output "internet_in_https" {
+  value = "${aws_security_group.internet_in_https.id}"
+}
diff --git a/security_groups/variables.tf b/security_groups/variables.tf
new file mode 100644
index 0000000..cd7fa92
--- /dev/null
+++ b/security_groups/variables.tf
@@ -0,0 +1,7 @@
+variable "vpc_id" {
+}
+
+variable "ssh_allowed_segments" {
+  type = "list"
+  default = []
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 732b31b..2666e66 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,18 +1,18 @@
-variable "env" {
-  description = "dev, stg, prod and etc."
-  default = "dev"
+variable "allowed_segments" {
+  type = "list"
+  default = [
+    "101.53.23.34/32",
+  ]
 }
-variable "aws_account_num" {
+
+variable "domain" {
+  default = "hana053.com"
 }
-variable "aws_region" {
-  default = "ap-southeast-1"
+
+variable "web_host_name" {
+  default = "micropost"
 }
-variable "ami_web" {
-  default = "ami-25c00c46"
+
+variable "newrelic_license_key" {
+  description = "New Relic licence key"
 }
-variable "cidr" {
-  type = "map"
-  default = {
-    office = "42.116.5.4/32"
-  }
-}
\ No newline at end of file
diff --git a/vpc.tf b/vpc.tf
deleted file mode 100644
index ed29b9f..0000000
--- a/vpc.tf
+++ /dev/null
@@ -1,77 +0,0 @@
-resource "aws_vpc" "vpc" {
-  cidr_block = "10.1.0.0/16"
-  tags {
-    Name = "micropost"
-    Env = "${var.env}"
-  }
-}
-
-resource "aws_internet_gateway" "igw" {
-  vpc_id = "${aws_vpc.vpc.id}"
-}
-
-resource "aws_route_table" "public-route" {
-  vpc_id = "${aws_vpc.vpc.id}"
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = "${aws_internet_gateway.igw.id}"
-  }
-}
-
-// -------- public a
-
-resource "aws_subnet" "public-a" {
-  vpc_id = "${aws_vpc.vpc.id}"
-  cidr_block = "10.1.1.0/24"
-  availability_zone = "${var.aws_region}a"
-  tags {
-    Name = "public-a"
-    Env = "${var.env}"
-  }
-}
-
-resource "aws_route_table_association" "puclic-a" {
-  subnet_id = "${aws_subnet.public-a.id}"
-  route_table_id = "${aws_route_table.public-route.id}"
-}
-
-// -------- public b
-
-resource "aws_subnet" "public-b" {
-  vpc_id = "${aws_vpc.vpc.id}"
-  cidr_block = "10.1.2.0/24"
-  availability_zone = "${var.aws_region}b"
-  tags {
-    Name = "public-b"
-    Env = "${var.env}"
-  }
-}
-
-resource "aws_route_table_association" "puclic-b" {
-  subnet_id = "${aws_subnet.public-b.id}"
-  route_table_id = "${aws_route_table.public-route.id}"
-}
-
-// -------- private a
-
-resource "aws_subnet" "private-a" {
-  vpc_id = "${aws_vpc.vpc.id}"
-  cidr_block = "10.1.3.0/24"
-  availability_zone = "${var.aws_region}a"
-  tags {
-    Name = "private-a"
-    Env = "${var.env}"
-  }
-}
-
-// -------- private b
-
-resource "aws_subnet" "private-b" {
-  vpc_id = "${aws_vpc.vpc.id}"
-  cidr_block = "10.1.4.0/24"
-  availability_zone = "${var.aws_region}b"
-  tags {
-    Name = "private-b"
-    Env = "${var.env}"
-  }
-}
diff --git a/vpc/main.tf b/vpc/main.tf
new file mode 100644
index 0000000..814ef8b
--- /dev/null
+++ b/vpc/main.tf
@@ -0,0 +1,52 @@
+resource "aws_vpc" "main" {
+  cidr_block = "${var.cidr}"
+  tags {
+    Name = "${var.name}"
+  }
+}
+
+resource "aws_internet_gateway" "main" {
+  vpc_id = "${aws_vpc.main.id}"
+  tags {
+    Name = "${var.name}"
+  }
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = "${aws_vpc.main.id}"
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = "${aws_internet_gateway.main.id}"
+  }
+  tags {
+    Name = "${var.name}"
+  }
+}
+
+resource "aws_subnet" "public" {
+  count = "${length(var.public_subnets)}"
+  vpc_id = "${aws_vpc.main.id}"
+  cidr_block = "${var.public_subnets[count.index]}"
+  availability_zone = "${var.azs[count.index]}"
+  map_public_ip_on_launch = true
+  tags {
+    Name = "${var.name}-public"
+  }
+}
+
+resource "aws_route_table_association" "puclic" {
+  count = "${length(var.public_subnets)}"
+  subnet_id = "${element(aws_subnet.public.*.id, count.index)}"
+  route_table_id = "${aws_route_table.public.id}"
+}
+
+resource "aws_subnet" "private" {
+  count = "${length(var.public_subnets)}"
+  vpc_id = "${aws_vpc.main.id}"
+  cidr_block = "${var.private_subnets[count.index]}"
+  availability_zone = "${var.azs[count.index]}"
+  tags {
+    Name = "${var.name}-private"
+  }
+}
+
diff --git a/vpc/outputs.tf b/vpc/outputs.tf
new file mode 100644
index 0000000..f83e9cc
--- /dev/null
+++ b/vpc/outputs.tf
@@ -0,0 +1,11 @@
+output "private_subnets" {
+  value = ["${aws_subnet.private.*.id}"]
+}
+
+output "public_subnets" {
+  value = ["${aws_subnet.public.*.id}"]
+}
+
+output "vpc_id" {
+  value = "${aws_vpc.main.id}"
+}
\ No newline at end of file
diff --git a/vpc/variables.tf b/vpc/variables.tf
new file mode 100644
index 0000000..eff193f
--- /dev/null
+++ b/vpc/variables.tf
@@ -0,0 +1,33 @@
+variable "name" {
+}
+
+variable "cidr" {
+  default = "10.1.0.0/16"
+}
+
+variable "public_subnets" {
+  type = "list"
+  description = "A list of public subnets inside the VPC."
+  default = [
+    "10.1.0.0/24",
+    "10.1.1.0/24",
+  ]
+}
+
+variable "private_subnets" {
+  type = "list"
+  description = "A list of private subnets inside the VPC."
+  default = [
+    "10.1.2.0/24",
+    "10.1.3.0/24",
+  ]
+}
+
+variable "azs" {
+  type = "list"
+  description = "A list of Availability zones in the region"
+  default = [
+    "ap-northeast-1a",
+    "ap-northeast-1c",
+  ]
+}
diff --git a/webservers/alb.tf b/webservers/alb.tf
new file mode 100644
index 0000000..b9bd17c
--- /dev/null
+++ b/webservers/alb.tf
@@ -0,0 +1,90 @@
+data "aws_acm_certificate" "main" {
+  domain = "*.hana053.com"
+  statuses = ["ISSUED"]
+}
+
+resource "aws_alb" "web" {
+  name = "web"
+  internal = false
+  security_groups = [
+    "${var.alb_security_groups}"
+  ]
+  subnets = [
+    "${var.alb_subnets}"
+  ]
+  access_logs {
+    bucket = "${var.log_bucket}"
+    prefix = "alb-web"
+  }
+}
+
+// --------- frontend -----------
+
+resource "aws_alb_target_group" "frontend" {
+  name = "frontend"
+  port = 80
+  protocol = "HTTP"
+  vpc_id = "${var.vpc_id}"
+  health_check {
+    interval = 30
+    path = "/"
+    protocol = "HTTP"
+    timeout = 5
+    unhealthy_threshold = 2
+  }
+}
+
+// --------- backend -----------
+
+resource "aws_alb_target_group" "backend" {
+  name = "backend"
+  port = 8080
+  protocol = "HTTP"
+  vpc_id = "${var.vpc_id}"
+  health_check {
+    interval = 30
+    path = "/manage/health"
+    protocol = "HTTP"
+    timeout = 5
+    unhealthy_threshold = 2
+  }
+}
+
+// --------- listeners -----------
+
+resource "aws_alb_listener" "http" {
+  load_balancer_arn = "${aws_alb.web.arn}"
+  port = "80"
+  protocol = "HTTP"
+  default_action {
+    target_group_arn = "${aws_alb_target_group.frontend.arn}"
+    type = "forward"
+  }
+}
+
+resource "aws_alb_listener" "https" {
+  load_balancer_arn = "${aws_alb.web.arn}"
+  port = "443"
+  protocol = "HTTPS"
+  ssl_policy = "ELBSecurityPolicy-2015-05"
+  certificate_arn = "${data.aws_acm_certificate.main.arn}"
+  default_action {
+    target_group_arn = "${aws_alb_target_group.frontend.arn}"
+    type = "forward"
+  }
+}
+
+resource "aws_alb_listener_rule" "backend" {
+  listener_arn = "${aws_alb_listener.https.arn}"
+  priority = 100
+  condition {
+    field = "path-pattern"
+    values = [
+      "/api/*"
+    ]
+  }
+  action {
+    type = "forward"
+    target_group_arn = "${aws_alb_target_group.backend.arn}"
+  }
+}
diff --git a/webservers/backend.json b/webservers/backend.json
new file mode 100644
index 0000000..d17c7b0
--- /dev/null
+++ b/webservers/backend.json
@@ -0,0 +1,36 @@
+[
+  {
+    "cpu": 400,
+    "essential": true,
+    "image": "${account_number}.dkr.ecr.${region}.amazonaws.com/micropost/backend:latest",
+    "memory": 400,
+    "name": "backend",
+    "environment": [
+      {
+        "name": "SPRING_PROFILES_ACTIVE",
+        "value": "${env}"
+      },
+      {
+        "name": "MYSQL_ENDPOINT",
+        "value": "${dbserver_endpoint}"
+      },
+      {
+        "name": "NEW_RELIC_LICENSE_KEY",
+        "value": "${newrelic_license_key}"
+      }
+    ],
+    "portMappings": [
+      {
+        "containerPort": 8080,
+        "hostPort": 0
+      }
+    ],
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${log_group_name}",
+        "awslogs-region": "${region}"
+      }
+    }
+  }
+]
diff --git a/webservers/backend.tf b/webservers/backend.tf
new file mode 100644
index 0000000..1553058
--- /dev/null
+++ b/webservers/backend.tf
@@ -0,0 +1,116 @@
+// ------ service -------
+
+resource "aws_ecs_service" "backend" {
+  name = "backend"
+  cluster = "${aws_ecs_cluster.main.id}"
+  task_definition = "${aws_ecs_task_definition.backend.arn}"
+  desired_count = 1
+  iam_role = "${aws_iam_role.ecs_service.arn}"
+  depends_on = [
+    "aws_iam_policy_attachment.ecs_service"
+  ]
+
+  load_balancer {
+    target_group_arn = "${aws_alb_target_group.backend.id}"
+    container_name = "backend"
+    container_port = "8080"
+  }
+}
+
+// ------ task -------
+
+data "template_file" "backend_task_definition" {
+  template = "${file("./webservers/backend.json")}"
+  vars {
+    account_number = "${data.aws_caller_identity.current.account_id}"
+    region = "${data.aws_region.current.id}"
+    env = "${var.env}"
+    dbserver_endpoint = "${var.dbserver_endpoint}"
+    newrelic_license_key = "${var.newrelic_license_key}"
+    log_group_name = "${aws_cloudwatch_log_group.backend.name}"
+  }
+}
+
+resource "aws_ecs_task_definition" "backend" {
+  family = "micropost-backend"
+  container_definitions = "${data.template_file.backend_task_definition.rendered}"
+}
+
+resource "aws_cloudwatch_log_group" "backend" {
+  name = "backend"
+}
+
+// ------ application autoscaling -------
+
+resource "aws_appautoscaling_target" "backend" {
+  service_namespace = "ecs"
+  scalable_dimension = "ecs:service:DesiredCount"
+  resource_id = "service/${aws_ecs_cluster.main.name}/${aws_ecs_service.backend.name}"
+  role_arn = "${aws_iam_role.ecs_autoscale.arn}"
+  min_capacity = 1
+  max_capacity = 2
+}
+
+resource "aws_appautoscaling_policy" "backend_scale_out" {
+  name = "backend-ScaleOut-CPU-High"
+  resource_id = "${aws_appautoscaling_target.backend.resource_id}"
+  adjustment_type = "ChangeInCapacity"
+  cooldown = 300
+  metric_aggregation_type = "Average"
+  step_adjustment {
+    metric_interval_lower_bound = 0
+    scaling_adjustment = 1
+  }
+  service_namespace = "ecs"
+  scalable_dimension = "ecs:service:DesiredCount"
+}
+
+resource "aws_cloudwatch_metric_alarm" "backend_cpu_high" {
+  alarm_name = "backend-CPU-Utilization-High"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods = "1"
+  metric_name = "CPUUtilization"
+  namespace = "AWS/ECS"
+  period = "300"
+  statistic = "Average"
+  threshold = "80"
+  dimensions {
+    ClusterName = "${aws_ecs_cluster.main.name}"
+    ServiceName = "${aws_ecs_service.backend.name}"
+  }
+  alarm_actions = [
+    "${aws_appautoscaling_policy.backend_scale_out.arn}"
+  ]
+}
+
+resource "aws_appautoscaling_policy" "backend_scale_in" {
+  name = "backend-ScaleIn-CPU-Low"
+  resource_id = "${aws_appautoscaling_target.backend.resource_id}"
+  adjustment_type = "ChangeInCapacity"
+  cooldown = 300
+  metric_aggregation_type = "Average"
+  step_adjustment {
+    metric_interval_upper_bound = 0
+    scaling_adjustment = -1
+  }
+  service_namespace = "ecs"
+  scalable_dimension = "ecs:service:DesiredCount"
+}
+
+resource "aws_cloudwatch_metric_alarm" "backend_cpu_low" {
+  alarm_name = "backend-CPU-Utilization-Low"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods = "1"
+  metric_name = "CPUUtilization"
+  namespace = "AWS/ECS"
+  period = "60"
+  statistic = "Average"
+  threshold = "5"
+  dimensions {
+    ClusterName = "${aws_ecs_cluster.main.name}"
+    ServiceName = "${aws_ecs_service.backend.name}"
+  }
+  alarm_actions = [
+    "${aws_appautoscaling_policy.backend_scale_in.arn}"
+  ]
+}
diff --git a/webservers/current.tf b/webservers/current.tf
new file mode 100644
index 0000000..ccb0993
--- /dev/null
+++ b/webservers/current.tf
@@ -0,0 +1,5 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {
+  current = true
+}
diff --git a/webservers/ecs.tf b/webservers/ecs.tf
new file mode 100644
index 0000000..959c876
--- /dev/null
+++ b/webservers/ecs.tf
@@ -0,0 +1,59 @@
+// ------ cluster -------
+
+resource "aws_ecs_cluster" "main" {
+  name = "micropost"
+}
+
+// ------ iam for ecs service -------
+
+resource "aws_iam_role" "ecs_service" {
+  name = "ecs-service"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": [
+          "ecs.amazonaws.com"
+        ]
+      },
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy_attachment" "ecs_service" {
+  name = "ecs-service"
+  roles = ["${aws_iam_role.ecs_service.name}"]
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"
+}
+
+// ------ iam for application autoscaling -------
+
+resource "aws_iam_role" "ecs_autoscale" {
+  name = "ecs-autoscale"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "application-autoscaling.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy_attachment" "ecs_autoscale" {
+  name = "ecs-autoscale"
+  roles = ["${aws_iam_role.ecs_autoscale.name}"]
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole"
+}
diff --git a/webservers/frontend.json b/webservers/frontend.json
new file mode 100644
index 0000000..f29ce4c
--- /dev/null
+++ b/webservers/frontend.json
@@ -0,0 +1,22 @@
+[
+  {
+    "cpu": 10,
+    "essential": true,
+    "image": "${account_number}.dkr.ecr.${region}.amazonaws.com/micropost/frontend:latest",
+    "memory": 50,
+    "name": "frontend",
+    "portMappings": [
+      {
+        "containerPort": 80,
+        "hostPort": 0
+      }
+    ],
+    "logConfiguration": {
+      "logDriver": "awslogs",
+      "options": {
+        "awslogs-group": "${log_group_name}",
+        "awslogs-region": "${region}"
+      }
+    }
+  }
+]
diff --git a/webservers/frontend.tf b/webservers/frontend.tf
new file mode 100644
index 0000000..a4edfc6
--- /dev/null
+++ b/webservers/frontend.tf
@@ -0,0 +1,113 @@
+// ------ service -------
+
+resource "aws_ecs_service" "frontend" {
+  name = "frontend"
+  cluster = "${aws_ecs_cluster.main.id}"
+  task_definition = "${aws_ecs_task_definition.frontend.arn}"
+  desired_count = 1
+  iam_role = "${aws_iam_role.ecs_service.arn}"
+  depends_on = [
+    "aws_iam_policy_attachment.ecs_service"
+  ]
+
+  load_balancer {
+    target_group_arn = "${aws_alb_target_group.frontend.id}"
+    container_name = "frontend"
+    container_port = "80"
+  }
+}
+
+// ------ task -------
+
+data "template_file" "frontend_task_definition" {
+  template = "${file("./webservers/frontend.json")}"
+  vars {
+    account_number = "${data.aws_caller_identity.current.account_id}"
+    region = "${data.aws_region.current.id}"
+    log_group_name = "${aws_cloudwatch_log_group.frontend.name}"
+  }
+}
+
+resource "aws_ecs_task_definition" "frontend" {
+  family = "micropost-frontend"
+  container_definitions = "${data.template_file.frontend_task_definition.rendered}"
+}
+
+resource "aws_cloudwatch_log_group" "frontend" {
+  name = "frontend"
+}
+
+// ------ application autoscaling -------
+
+resource "aws_appautoscaling_target" "frontend" {
+  service_namespace = "ecs"
+  scalable_dimension = "ecs:service:DesiredCount"
+  resource_id = "service/${aws_ecs_cluster.main.name}/${aws_ecs_service.frontend.name}"
+  role_arn = "${aws_iam_role.ecs_autoscale.arn}"
+  min_capacity = 1
+  max_capacity = 2
+}
+
+resource "aws_appautoscaling_policy" "frontend_scale_out" {
+  name = "frontend-ScaleOut-CPU-High"
+  resource_id = "${aws_appautoscaling_target.frontend.resource_id}"
+  adjustment_type = "ChangeInCapacity"
+  cooldown = 300
+  metric_aggregation_type = "Average"
+  step_adjustment {
+    metric_interval_lower_bound = 0
+    scaling_adjustment = 1
+  }
+  service_namespace = "ecs"
+  scalable_dimension = "ecs:service:DesiredCount"
+}
+
+resource "aws_cloudwatch_metric_alarm" "frontend_cpu_high" {
+  alarm_name = "frontend-CPU-Utilization-High"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods = "1"
+  metric_name = "CPUUtilization"
+  namespace = "AWS/ECS"
+  period = "120"
+  statistic = "Average"
+  threshold = "80"
+  dimensions {
+    ClusterName = "${aws_ecs_cluster.main.name}"
+    ServiceName = "${aws_ecs_service.frontend.name}"
+  }
+  alarm_actions = [
+    "${aws_appautoscaling_policy.frontend_scale_out.arn}"
+  ]
+}
+
+resource "aws_appautoscaling_policy" "frontend_scale_in" {
+  name = "frontend-ScaleIn-CPU-Low"
+  resource_id = "${aws_appautoscaling_target.frontend.resource_id}"
+  adjustment_type = "ChangeInCapacity"
+  cooldown = 300
+  metric_aggregation_type = "Average"
+  step_adjustment {
+    metric_interval_upper_bound = 0
+    scaling_adjustment = -1
+  }
+  service_namespace = "ecs"
+  scalable_dimension = "ecs:service:DesiredCount"
+}
+
+resource "aws_cloudwatch_metric_alarm" "frontend_cpu_low" {
+  alarm_name = "frontend-CPU-Utilization-Low"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods = "1"
+  metric_name = "CPUUtilization"
+  namespace = "AWS/ECS"
+  period = "60"
+  statistic = "Average"
+  threshold = "5"
+  dimensions {
+    ClusterName = "${aws_ecs_cluster.main.name}"
+    ServiceName = "${aws_ecs_service.frontend.name}"
+  }
+  alarm_actions = [
+    "${aws_appautoscaling_policy.frontend_scale_in.arn}"
+  ]
+}
diff --git a/webservers/host_instances.tf b/webservers/host_instances.tf
new file mode 100644
index 0000000..1dc43c8
--- /dev/null
+++ b/webservers/host_instances.tf
@@ -0,0 +1,146 @@
+data "aws_ami" "ecs" {
+  most_recent = true
+  owners = ["amazon"]
+  filter {
+    name = "name"
+    values = ["amzn-ami-*-amazon-ecs-optimized"]
+  }
+}
+
+data "template_file" "user_data" {
+  template = "${file("./webservers/user_data.sh")}"
+  vars {
+    cluster_name = "${aws_ecs_cluster.main.name}"
+    newrelic_license_key  = "${var.newrelic_license_key}"
+  }
+}
+
+resource "aws_launch_configuration" "web" {
+  name_prefix = "web-"
+  image_id = "${data.aws_ami.ecs.id}"
+  instance_type = "t2.micro"
+  security_groups = [
+    "${var.web_security_groups}"
+  ]
+  key_name = "${var.key_name}"
+  associate_public_ip_address = true
+  iam_instance_profile = "${aws_iam_instance_profile.web.id}"
+  user_data = "${data.template_file.user_data.rendered}"
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_autoscaling_group" "web" {
+  name = "web"
+  launch_configuration = "${aws_launch_configuration.web.id}"
+  max_size = 2
+  min_size = 1
+  health_check_type = "ELB"
+  force_delete = true
+  vpc_zone_identifier = [
+    "${var.web_subnets}"
+  ]
+}
+
+// ------ scale out -------
+
+resource "aws_autoscaling_policy" "web_scale_out" {
+  name = "web-Instance-ScaleOut-CPU-High"
+  scaling_adjustment = 1
+  adjustment_type = "ChangeInCapacity"
+  cooldown = 300
+  autoscaling_group_name = "${aws_autoscaling_group.web.name}"
+}
+
+resource "aws_cloudwatch_metric_alarm" "web_gte_threshold" {
+  alarm_name = "web-CPU-Utilization-High-80"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods = "1"
+  metric_name = "CPUUtilization"
+  namespace = "AWS/ECS"
+  period = "300"
+  statistic = "Average"
+  threshold = "80"
+  dimensions {
+    ClusterName = "${aws_ecs_cluster.main.name}"
+  }
+  alarm_actions = [
+    "${aws_autoscaling_policy.web_scale_out.arn}"
+  ]
+}
+
+// ------ scale in -------
+
+resource "aws_autoscaling_policy" "web_scale_in" {
+  name = "web-Instance-ScaleIn-CPU-Low"
+  scaling_adjustment = -1
+  adjustment_type = "ChangeInCapacity"
+  cooldown = 300
+  autoscaling_group_name = "${aws_autoscaling_group.web.name}"
+}
+
+resource "aws_cloudwatch_metric_alarm" "web_lt_threshold" {
+  alarm_name = "web-CPU-Utilization-Low-5"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods = "1"
+  metric_name = "CPUUtilization"
+  namespace = "AWS/ECS"
+  period = "60"
+  statistic = "Average"
+  threshold = "5"
+  dimensions {
+    ClusterName = "${aws_ecs_cluster.main.name}"
+  }
+  alarm_actions = [
+    "${aws_autoscaling_policy.web_scale_in.arn}"
+  ]
+}
+
+// ------ notification -------
+
+resource "aws_autoscaling_notification" "web" {
+  group_names = [
+    "${aws_autoscaling_group.web.name}",
+  ]
+  notifications  = [
+    "autoscaling:EC2_INSTANCE_LAUNCH",
+    "autoscaling:EC2_INSTANCE_TERMINATE",
+    "autoscaling:EC2_INSTANCE_LAUNCH_ERROR"
+  ]
+  topic_arn = "arn:aws:sns:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:web_autoscaled"
+}
+
+// ------ iam -------
+
+resource "aws_iam_instance_profile" "web" {
+  name = "web"
+  role = "${aws_iam_role.web.name}"
+
+}
+
+resource "aws_iam_role" "web" {
+  name = "web"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy_attachment" "ecs_host" {
+  name = "ecs-host"
+  roles = ["${aws_iam_role.web.name}"]
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
+}
+
diff --git a/webservers/outputs.tf b/webservers/outputs.tf
new file mode 100644
index 0000000..f524578
--- /dev/null
+++ b/webservers/outputs.tf
@@ -0,0 +1,3 @@
+output "dns_name" {
+  value = "${aws_alb.web.dns_name}"
+}
diff --git a/webservers/user_data.sh b/webservers/user_data.sh
new file mode 100644
index 0000000..d283e47
--- /dev/null
+++ b/webservers/user_data.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# Install New Relic
+rpm -Uvh https://yum.newrelic.com/pub/newrelic/el5/x86_64/newrelic-repo-5-3.noarch.rpm
+yum install -y newrelic-sysmond
+nrsysmond-config --set license_key=${newrelic_license_key}
+usermod -a -G docker newrelic
+/etc/init.d/newrelic-sysmond start
+
+# Register ecs cluster
+echo "ECS_CLUSTER=${cluster_name}" >> /etc/ecs/ecs.config
diff --git a/webservers/variables.tf b/webservers/variables.tf
new file mode 100644
index 0000000..6257660
--- /dev/null
+++ b/webservers/variables.tf
@@ -0,0 +1,47 @@
+variable "env" {
+  description = "Application environment like stg, prod eg..."
+}
+
+variable "dbserver_endpoint" {
+  description = "MySQL endpoint"
+}
+
+variable "newrelic_license_key" {
+  description = "New Relic licence key"
+}
+
+variable "key_name" {
+  description = "SSH key name for web servers"
+}
+
+variable "web_subnets" {
+  type = "list"
+  description = "Subnets for web servers"
+  default = []
+}
+
+variable "web_security_groups" {
+  type = "list"
+  description = "Security groups for web servers"
+  default = []
+}
+
+variable "alb_subnets" {
+  type = "list"
+  description = "Subnets for alb"
+  default = []
+}
+
+variable "alb_security_groups" {
+  type = "list"
+  description = "Security groups for alb"
+  default = []
+}
+
+variable "vpc_id" {
+  description = "vpc id for alb target group"
+}
+
+variable "log_bucket" {
+  description = "s3 bucket to save log"
+}