diff --git a/.gitignore b/.gitignore
index cf7ed26e..5da147d2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,5 @@ env/
 poetry.lock
 .venv/
 srv/isc-agent/requirements.txt
+
+
diff --git a/README_Terraform.md b/README_Terraform.md
new file mode 100644
index 00000000..b0ed4a62
--- /dev/null
+++ b/README_Terraform.md
@@ -0,0 +1,60 @@
+### For instructions on how to install `terraform`, please consult the following: [HashiCorp Terraform Installation](https://learn.hashicorp.com/tutorials/terraform/install-cli)  
+
+### Install `git` if not part of the default OS packages:
+`sudo <OS package manager here> install git`  
+(_could be apt, yum, dpkg, etc._)
+
+### Clone this repository:
+`git clone https://github.com/DShield-ISC/dshield`
+
+### Change into the `cloud provider` automation directory of choice:
+- To deploy honeypots using AWS' infrastructure: 
+  - `cd dshield/terraform/aws/`
+
+- To deploy honeypots using Microsoft Azure's infrastructure: 
+  - `cd dshield/terraform/azure/`
+
+### Adjust the required and optional variables to reflect the environment:
+`<insert your editor of choice here> variables.tf `  
+(_no judgement if the editor isn't `vi`_)
+
+### Define the following **required** variables:
+- **dshield_email**
+- **dshield_apikey**
+- **dshield_userid**
+- **aws_ssh_key_pub**  _OR_ **azure_ssh_key_pub**  _depending on provider_
+- **aws_ssh_key_priv** _OR_ **azure_ssh_key_priv** _depending on provider_
+- **aws_credentials**       _if using **AWS**_
+- **azure_tenant_id**       _if using **Azure Service Principal**_
+- **azure_subscription_id** _if using **Azure Service Principal**_
+- **azure_client_id**       _if using **Azure Service Principal**_
+- **azure_client_secret**   _if using **Azure Service Principal**_
+
+### Optional variables:
+- **honeypot_nodes** (default: `1` *increase to scale horizontally*)
+- **aws_region** (default: `us-east-1`)            _if using **AWS**_
+- **aws_ec2_size** (default: `t2.micro`)           _if using **AWS**_
+- **azure_region** (default: `East US`)            _if using **Azure**_
+- **azure_image_size** (default: `Standard_B1ls`)  _if using **Azure**_
+- **honeypot_network** (default: `10.40.0.0/16` for VPC & `10.40.0.0/24` for SG)
+- **honeypot_ssh_port** (default: `12222`)
+- **dshield_ca_country** (default: `US`)
+- **dshield_ca_state** (default: `Florida`)
+- **dshield_ca_city** (default: `Jacksonville`)
+- **dshield_ca_company** (default: `DShield`)
+- **dshield_ca_depart** (default: `Decoy`)
+
+### General assumptions (**please update to reflect the appropriate locations as denoted above**):
+- AWS credentials are contained in the default location: 
+  - `~/.aws/credentials`
+
+- Azure credentials are successfully validated using `az login` prior to plan/apply
+
+- SSH credentials are contained in the default location: 
+  - `~/.ssh/id_rsa`
+  - `~/.ssh/id_rsa.pub`
+
+### After completing the above items, run the following commands to begin the installation:
+```terraform init; terraform plan -out=honeypot; terraform apply "honeypot"```  
+**OR**  
+```terraform init; terraform apply``` and type `yes` when prompted
diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf
new file mode 100644
index 00000000..c893684f
--- /dev/null
+++ b/terraform/aws/main.tf
@@ -0,0 +1,194 @@
+terraform {
+  required_providers {
+    aws = {
+      version = "~> 3.73.0"
+    }
+    http = {
+      version = ">= 2.1.0"
+    }
+    null = {
+      version = ">= 3.1.0"
+    }
+    local = {
+      version = ">= 2.1.0"
+    }
+    template = {
+      version = ">= 2.2.0"
+    }
+  }
+
+  required_version = "~> 1.1.4"
+}
+
+provider "aws" {
+  shared_credentials_file = var.aws_credentials
+  region                  = var.aws_region
+  # if using separate profiles, otherwise leave at "default" or comment out
+  profile                 = var.aws_profile
+}
+
+data "http" "local_ip" {
+  url = "https://ipv4.icanhazip.com"
+}
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+data "aws_ami" "ubuntu_ami" {
+  owners = [var.aws_ami_owner]
+  most_recent = true
+  filter {
+    name   = "name"
+    values = [ var.aws_ami_name ]
+  }
+}
+
+# switched from template_file to local_file due to: https://github.com/hashicorp/terraform/issues/24616
+resource "local_file" "enable_logging" {
+  content = templatefile("${path.module}/../templates/install_honeypot.tpl", {output_logging  = var.output_logging})
+  filename = "${path.module}/../scripts/install_honeypot.sh"
+}
+
+# upload ssh key to provision / configure ec2
+resource "aws_key_pair" "honeypot_key" {
+  key_name   = "dshield_honeypot"
+  public_key = file(var.aws_ssh_key_pub)
+}
+
+# Create a VPC to launch our instances into
+resource "aws_vpc" "honeypot_vpc" {
+  cidr_block = "${var.honeypot_network}/16"
+}
+
+# Create an internet gateway to give our subnet access to the outside world
+resource "aws_internet_gateway" "honeypot_gw" {
+  vpc_id     = aws_vpc.honeypot_vpc.id
+}
+
+# Grant the VPC internet access on its main route table
+resource "aws_route" "honeypot_internet" {
+  route_table_id         = aws_vpc.honeypot_vpc.main_route_table_id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = aws_internet_gateway.honeypot_gw.id
+}
+
+# Create a subnet to launch our instances into
+resource "aws_subnet" "honeypot_subnet" {
+  vpc_id                  = aws_vpc.honeypot_vpc.id
+  cidr_block              = "${var.honeypot_network}/24"
+  availability_zone       = data.aws_availability_zones.available.names[0]
+  map_public_ip_on_launch = true 
+}
+
+resource "aws_security_group" "honeypot_security_group" {
+  name   = "honeypot_security_group"
+  vpc_id = aws_vpc.honeypot_vpc.id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_instance" "honeypot" {
+  ami                    = data.aws_ami.ubuntu_ami.id
+  instance_type          = var.aws_ec2_size
+  key_name               = aws_key_pair.honeypot_key.id
+  vpc_security_group_ids = [ aws_security_group.honeypot_security_group.id ]
+  subnet_id              = aws_subnet.honeypot_subnet.id
+  count                  = var.honeypot_nodes
+
+  tags = {
+    Name = var.aws_tag
+  }
+}
+
+resource "null_resource" "upload" {
+  count    = var.honeypot_nodes
+  triggers = {
+    ec2_public_ip = element(aws_instance.honeypot.*.public_ip, count.index) 
+  }
+
+  connection {
+    type        = "ssh"
+    user        = var.aws_ami_user
+    host        = element(aws_instance.honeypot.*.public_ip, count.index)
+    private_key = file(var.aws_ssh_key_priv)
+  }
+
+  provisioner "file" {
+    destination = "/tmp/dshield.ini"
+    content     = templatefile("${path.module}/../templates/dshield_ini.tpl", {
+     dshield_email  = var.dshield_email
+     dshield_userid = var.dshield_userid
+     dshield_apikey = var.dshield_apikey
+     public_ip      = element(aws_instance.honeypot.*.public_ip, count.index)
+     public_ssh     = var.honeypot_ssh_port
+     private_ip     = join("/", [var.honeypot_network, "24"])
+     deploy_ip      = chomp(data.http.local_ip.body)
+    })
+  }
+  
+  provisioner "file" {
+    destination = "/tmp/dshield.sslca"
+    content     = templatefile("${path.module}/../templates/dshield_sslca.tpl", {
+     dshield_ca_country  = var.dshield_ca_country
+     dshield_ca_state    = var.dshield_ca_state
+     dshield_ca_city     = var.dshield_ca_city
+     dshield_ca_company  = var.dshield_ca_company
+     dshield_ca_depart   = var.dshield_ca_depart
+    })
+  }
+
+  # upload our provisioning scripts
+  provisioner "file" {
+    source      = "${path.module}/../scripts/"
+    destination = "/tmp/"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "sudo sed -i.bak 's/^[#\\s]*Port 22\\s*$/Port ${var.honeypot_ssh_port}/' /etc/ssh/sshd_config",
+      "sudo mv /tmp/dshield.ini /etc/",
+      "sudo mv /tmp/dshield.sslca /etc/"
+    ]
+  }
+
+  # install required packages
+  provisioner "remote-exec" {
+    script = "${path.module}/../scripts/install_reqs.sh"
+  }
+
+  depends_on = [ aws_instance.honeypot ]
+}
+
+resource "null_resource" "install" {
+  count    = var.honeypot_nodes
+  triggers = {
+    ec2_public_ip = element(aws_instance.honeypot.*.public_ip, count.index) 
+  }
+
+  connection {
+    type        = "ssh"
+    user        = var.aws_ami_user
+    host        = element(aws_instance.honeypot.*.public_ip, count.index)
+    port        = var.honeypot_ssh_port
+    private_key = file(var.aws_ssh_key_priv)
+  }
+
+  # install dshield honeypot
+  provisioner "remote-exec" {
+    script = "${path.module}/../scripts/install_honeypot.sh"
+  }
+
+  depends_on = [null_resource.upload]
+}
diff --git a/terraform/aws/output.tf b/terraform/aws/output.tf
new file mode 100644
index 00000000..12d67df4
--- /dev/null
+++ b/terraform/aws/output.tf
@@ -0,0 +1,16 @@
+output "begin" {
+  value = <<EOF
+
+Your DShield honeypots have been configured and should be sending logs for further investigation!!
+
+Run the following SSH command if it's necessary to manage any honeypot:
+
+ssh -tt -o StrictHostKeyChecking=no ${var.aws_ami_user}@HONEYPOT_IP -p ${var.honeypot_ssh_port}
+
+EOF
+}
+
+output "honeypots" {
+  value = [ for honeypot in aws_instance.honeypot : honeypot.public_ip ]
+  description = "DShield Honeypot IPs"
+}
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
new file mode 100644
index 00000000..ac998c06
--- /dev/null
+++ b/terraform/aws/variables.tf
@@ -0,0 +1,100 @@
+# number of honeypot instances to deploy
+variable "honeypot_nodes" {
+  default = 1
+}
+
+variable "dshield_email" {
+}
+
+variable "dshield_userid" {
+}
+
+variable "dshield_apikey" {
+}
+
+# location of YOUR ssh PUBLIC key to be uploaded to AWS
+# complimentary key pair to PRIVATE key below
+variable "aws_ssh_key_pub" {
+  default = "~/.ssh/id_rsa.pub"
+}
+
+# location of YOUR ssh PRIVATE key to run remote-exec provisioners
+# complimentary key pair to PUBLIC key above
+variable "aws_ssh_key_priv" {
+  default = "~/.ssh/id_rsa"
+}
+
+# location of AWS credentials on local machine
+variable "aws_credentials" {
+  default = "~/.aws/credentials"
+}
+
+# AWS region in which ec2 instances should be deployed
+variable "aws_region" {
+  default = "us-east-1"
+}
+
+# AWS profile (if using multiple) 
+variable "aws_profile" {
+  default = "default"
+}
+
+# Canonical AWS OwnerId
+variable "aws_ami_owner" {
+  default = "099720109477"   
+}
+
+variable "aws_ami_name" {
+  description = "Ubuntu 20.04 LTS"
+  type        = string
+  default     = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"
+}
+
+variable "aws_ami_user" {
+  description = "Ubuntu AMI default user"
+  type        = string
+  default     = "ubuntu"
+}
+
+variable "aws_ec2_size" {
+  default = "t2.micro"
+}
+
+variable "aws_tag" {
+  default = "dshield_honeypot"
+}
+
+# CIDR is declared in aws_vpc & aws_subnet code blocks in main.tf
+variable "honeypot_network" {
+  default = "10.40.0.0"
+}
+
+variable "honeypot_ssh_port" {
+  default = "12222"
+}
+
+variable "dshield_ca_country" {
+  default = "US"
+}
+
+variable "dshield_ca_state" {
+  default = "Florida"
+}
+
+variable "dshield_ca_city" {
+  default = "Jacksonville"
+}
+
+variable "dshield_ca_company" {
+  default = "DShield"
+}
+
+variable "dshield_ca_depart" {
+  default = "Decoy"
+}
+
+# true or false whether cowrie should output json
+# also appends logrotate policy in /etc/logrotate.d/dshield
+variable "output_logging" {
+  default = true
+}
diff --git a/terraform/azure/main.tf b/terraform/azure/main.tf
new file mode 100644
index 00000000..1cb76658
--- /dev/null
+++ b/terraform/azure/main.tf
@@ -0,0 +1,221 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "= 2.91.0"
+    }
+    http = {
+      version = ">= 2.1.0"
+    }
+    null = {
+      version = ">= 3.1.0"
+    }
+    local = {
+      version = ">= 2.1.0"
+    }
+    template = {
+      version = ">= 2.2.0"
+    }
+  }
+
+  required_version = "~> 1.1.4"
+}
+
+provider "azurerm" {
+  features {}
+
+  # uncomment the lines below and
+  # following this link https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret
+  # for Service Principal authentication
+  #subscription_id = var.azure_subscription_id
+  #client_id       = var.azure_client_id
+  #client_secret   = var.azure_client_secret
+  #tenant_id       = var.azure_tenant_id
+}
+
+data "http" "local_ip" {
+  url = "https://ipv4.icanhazip.com"
+}
+
+resource "azurerm_resource_group" "honeypot" {
+  name     = "honeypot-resource-group"
+  location =  var.azure_region
+}
+
+resource "azurerm_network_security_group" "honeypot" {
+  name                = "honeypot-security-group"
+  location            = azurerm_resource_group.honeypot.location
+  resource_group_name = azurerm_resource_group.honeypot.name
+
+  security_rule {
+    name                       = "allow_all"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "*"
+    source_port_range          = "*"
+    destination_port_range     = "*"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+
+  tags = {
+    environment = var.azure_tag
+  }
+}
+
+resource "azurerm_virtual_network" "honeypot" {
+  name                = "honeypot-network"
+  resource_group_name = azurerm_resource_group.honeypot.name
+  location            = azurerm_resource_group.honeypot.location
+  address_space       = ["${var.honeypot_network}/16"]
+}
+
+resource "azurerm_subnet" "honeypot" {
+  name                 = "honeypot-subnet"
+  resource_group_name  = azurerm_resource_group.honeypot.name
+  virtual_network_name = azurerm_virtual_network.honeypot.name
+  address_prefixes     = ["${var.honeypot_network}/24"]
+}
+
+resource "azurerm_public_ip" "honeypot" {
+  name                = "honeypot-public-ip-${count.index}"
+  location            = azurerm_resource_group.honeypot.location
+  resource_group_name = azurerm_resource_group.honeypot.name
+  allocation_method   = "Dynamic"
+  count               = var.honeypot_nodes
+}
+
+resource "azurerm_network_interface" "honeypot" {
+  name                = "honeypot-nic-${count.index}"
+  location            = azurerm_resource_group.honeypot.location
+  resource_group_name = azurerm_resource_group.honeypot.name
+  count               = var.honeypot_nodes
+
+  ip_configuration {
+    name                          = "internal"
+    subnet_id                     = azurerm_subnet.honeypot.id
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = element(azurerm_public_ip.honeypot.*.id, count.index)
+  }
+  
+  tags = {
+    environment = var.azure_tag
+  }
+}
+
+resource "azurerm_network_interface_security_group_association" "honeypot" {
+  network_interface_id      = element(azurerm_network_interface.honeypot.*.id, count.index)
+  network_security_group_id = azurerm_network_security_group.honeypot.id
+  count                     = var.honeypot_nodes
+}
+
+resource "azurerm_linux_virtual_machine" "honeypot" {
+  name                  = "ubuntu-linux-vm-${count.index}"
+  location              = azurerm_resource_group.honeypot.location
+  resource_group_name   = azurerm_resource_group.honeypot.name
+  network_interface_ids = [element(azurerm_network_interface.honeypot.*.id, count.index)]
+  size                  = var.azure_image_size
+  count                 = var.honeypot_nodes
+  source_image_reference {
+    publisher = var.azure_image_owner
+    offer     = var.azure_image_offer
+    sku       = var.azure_image_sku
+    version   = "latest"
+  }
+  admin_username        = var.azure_image_user
+  admin_ssh_key {
+    username   = var.azure_image_user
+    public_key = file("${var.azure_ssh_key_pub}")
+  }  
+  os_disk {
+    name                 = "ubuntu-linux-vm-osdisk-${count.index}"
+    caching              = "ReadWrite"
+    storage_account_type = var.azure_hdd_size
+  }
+  tags = {
+    environment = var.azure_tag
+  }
+}
+
+resource "null_resource" "upload" {
+  count    = var.honeypot_nodes
+  triggers = {
+    azure_public_ip = element(azurerm_public_ip.honeypot.*.ip_address, count.index) 
+  }
+
+  connection {
+    type        = "ssh"
+    user        = var.azure_image_user
+    host        = element(azurerm_public_ip.honeypot.*.ip_address, count.index)
+    private_key = file(var.azure_ssh_key_priv)
+  }
+
+  provisioner "file" {
+    destination = "/tmp/dshield.ini"
+    content     = templatefile("${path.module}/../templates/dshield_ini.tpl", {
+     dshield_email  = var.dshield_email
+     dshield_userid = var.dshield_userid
+     dshield_apikey = var.dshield_apikey
+     public_ip      = element(azurerm_public_ip.honeypot.*.ip_address, count.index)
+     public_ssh     = var.honeypot_ssh_port
+     private_ip     = join("/", [var.honeypot_network, "24"])
+     deploy_ip      = chomp(data.http.local_ip.body)
+    })
+  }
+  
+  provisioner "file" {
+    destination = "/tmp/dshield.sslca"
+    content     = templatefile("${path.module}/../templates/dshield_sslca.tpl", {
+     dshield_ca_country  = var.dshield_ca_country
+     dshield_ca_state    = var.dshield_ca_state
+     dshield_ca_city     = var.dshield_ca_city
+     dshield_ca_company  = var.dshield_ca_company
+     dshield_ca_depart   = var.dshield_ca_depart
+    })
+  }
+
+  # upload our provisioning scripts
+  provisioner "file" {
+    source      = "${path.module}/../scripts/"
+    destination = "/tmp/"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "sudo sed -i.bak 's/^[#\\s]*Port 22\\s*$/Port ${var.honeypot_ssh_port}/' /etc/ssh/sshd_config",
+      "sudo mv /tmp/dshield.ini /etc/",
+      "sudo mv /tmp/dshield.sslca /etc/"
+    ]
+  }
+
+  # install required packages
+  provisioner "remote-exec" {
+    script = "${path.module}/../scripts/install_reqs.sh"
+  }
+
+  # depends on at least one honeypot 
+  depends_on = [ azurerm_public_ip.honeypot[0] ]
+}
+
+resource "null_resource" "install" {
+  count    = var.honeypot_nodes
+  triggers = {
+    azure_public_ip = element(azurerm_public_ip.honeypot.*.ip_address, count.index) 
+  }
+
+  connection {
+    type        = "ssh"
+    user        = var.azure_image_user
+    host        = element(azurerm_public_ip.honeypot.*.ip_address, count.index)
+    port        = var.honeypot_ssh_port
+    private_key = file(var.azure_ssh_key_priv)
+  }
+
+  # install dshield honeypot
+  provisioner "remote-exec" {
+    script = "${path.module}/../scripts/install_honeypot.sh"
+  }
+
+  depends_on = [null_resource.upload]
+}
diff --git a/terraform/azure/variables.tf b/terraform/azure/variables.tf
new file mode 100644
index 00000000..207b1429
--- /dev/null
+++ b/terraform/azure/variables.tf
@@ -0,0 +1,116 @@
+# number of honeypot instances to deploy
+variable "honeypot_nodes" {
+  default = 1
+}
+
+variable "dshield_email" {
+}
+
+variable "dshield_userid" {
+}
+
+variable "dshield_apikey" {
+}
+
+# location of YOUR ssh PUBLIC key to be uploaded to AZURE
+# complimentary key pair to PRIVATE key below
+variable "azure_ssh_key_pub" {
+  default = "~/.ssh/id_rsa.pub"
+}
+
+# location of YOUR ssh PRIVATE key to run remote-exec provisioners
+# complimentary key pair to PUBLIC key above
+variable "azure_ssh_key_priv" {
+  default = "~/.ssh/id_rsa"
+}
+
+# Azure tenant id (global UID) for M365 tenancy
+variable "azure_tenant_id" {
+}
+
+# Azure subscription id (global UID) for M365 subscription
+variable "azure_subscription_id" {
+}
+
+# if using Service Principal and not `az login`
+# Azure client id and client secret
+variable "azure_client_id" {
+}
+
+variable "azure_client_secret" {
+}
+
+# Azure region in which instances should be deployed
+variable "azure_region" {
+  default = "East US"
+}
+
+# Canonical Azure OwnerId
+variable "azure_image_owner" {
+  default = "Canonical"
+}
+
+variable "azure_image_offer" {
+  description = "Ubuntu Server"
+  type        = string
+  default     = "UbuntuServer"
+}
+
+variable "azure_image_sku" {
+  description = "18.04 LTS"
+  type        = string
+  default     = "18.04-LTS"
+}
+
+variable "azure_image_user" {
+  description = "Ubuntu default user"
+  type        = string
+  default     = "ubuntu"
+}
+
+variable "azure_image_size" {
+  default = "Standard_B1ls"
+}
+
+variable "azure_hdd_size" {
+  default = "Standard_LRS"
+}
+
+variable "azure_tag" {
+  default = "dshield_honeypot"
+}
+
+# CIDR is declared in azurerm_virtual_network & azurerm_subnet code blocks in main.tf
+variable "honeypot_network" {
+  default = "10.40.0.0"
+}
+
+variable "honeypot_ssh_port" {
+  default = "12222"
+}
+
+variable "dshield_ca_country" {
+  default = "US"
+}
+
+variable "dshield_ca_state" {
+  default = "Florida"
+}
+
+variable "dshield_ca_city" {
+  default = "Jacksonville"
+}
+
+variable "dshield_ca_company" {
+  default = "DShield"
+}
+
+variable "dshield_ca_depart" {
+  default = "Decoy"
+}
+
+# true or false whether cowrie should output json
+# also appends logrotate policy in /etc/logrotate.d/dshield
+variable "output_logging" {
+  default = true
+}
diff --git a/terraform/scripts/enable_logging.sh b/terraform/scripts/enable_logging.sh
new file mode 100644
index 00000000..de254ce1
--- /dev/null
+++ b/terraform/scripts/enable_logging.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+sudo tee -a /srv/cowrie/cowrie.cfg << EOF 
+
+[output_jsonlog]
+enabled = true
+logfile = \${honeypot:log_path}/cowrie.json
+epoch_timestamp = false
+EOF
+
+sudo tee -a /etc/logrotate.d/dshield << EOF
+
+/srv/cowrie/var/log/cowrie/cowrie.json
+{
+	rotate 4
+	daily
+	missingok
+	notifempty
+	compress
+	maxsize 100M
+}
+EOF
diff --git a/terraform/scripts/install_reqs.sh b/terraform/scripts/install_reqs.sh
new file mode 100644
index 00000000..22b381a7
--- /dev/null
+++ b/terraform/scripts/install_reqs.sh
@@ -0,0 +1,11 @@
+#! /bin/bash
+sudo tee /etc/apt/apt.conf.d/00-local << EOF 
+Dpkg::Options {
+   "--force-confdef";
+   "--force-confold";
+}
+EOF
+export DEBIAN_FRONTEND=noninteractive && \
+sudo -E apt update && \
+sudo -E apt full-upgrade -y && \
+sudo systemctl restart sshd
diff --git a/terraform/scripts/makecert2.sh b/terraform/scripts/makecert2.sh
new file mode 100644
index 00000000..ed5a1319
--- /dev/null
+++ b/terraform/scripts/makecert2.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+# this is simply a low budget, non-dialogue version of the original makecert.sh script
+f=$0
+f=`echo $f | sed 's/^\.//'`
+f=`pwd`$f
+d=`echo $f | sed -E 's/[^\/]+$//'`
+
+if [ -f /etc/dshield.sslca ] ; then
+    . /etc/dshield.sslca
+    country=$Country
+    state=$State
+    city=$City
+    company=$Company
+    department=$Depart
+else
+    country="US"
+    state="Florida"
+    city="Jacksonville"
+    company="DShield"
+    department="Decoy"
+fi
+hostname=`hostname`
+
+
+if [ ! -f $d/../etc/CA/keys/$hostname.key ]; then
+  openssl req -sha256 -new -newkey rsa:2048 -keyout $d/../etc/CA/keys/$hostname.key -out $d/../etc/CA/requests/$hostname.csr -nodes -subj "/C=$country/ST=$state/L=$city/O=$company/OU=$department/CN=$hostname"
+openssl req -in $d/../etc/CA/requests/$hostname.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64 > $d/../etc/CA/requests/$hostname.keypin
+fi
+
+if [ ! -f $d/../etc/CA/keys/$hostname-spare.key ]; then
+  openssl req -sha256 -new -newkey rsa:2048 -keyout $d/../etc/CA/keys/$hostname-spare.key -out $d/../etc/CA/requests/$hostname-spare.csr -nodes -subj "/C=$country/ST=$state/L=$city/O=$company/OU=$department/CN=$hostname"
+openssl req -in $d/../etc/CA/requests/$hostname-spare.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64 > $d/../etc/CA/requests/$hostname-spare.keypin
+fi
+
+if [ ! -f $d/../etc/CA/keys/dshieldca.key ] ; then
+    openssl genrsa -aes256 -out $d/../etc/CA/keys/dshieldca.key -passout pass:raspi 4096
+    openssl rsa -in $d/../etc/CA/keys/dshieldca.key -out $d/../etc/CA/keys/dshieldcanp.key -passin pass:raspi
+    mv $d/../etc/CA/keys/dshieldcanp.key $d/../etc/CA/keys/dshieldca.key
+fi
+if [ ! -f $d/../etc/CA/certs/dshieldca.crt ]; then
+    openssl req -new -x509 -days 3652 -key $d/../etc/CA/keys/dshieldca.key -out $d/../etc/CA/certs/dshieldca.crt -subj "/C=$country/ST=$state/L=$city/O=$company/OU=$department/CN=ROOT CA"
+fi
+
+# we will only sign the primary CSR, not the spare one for now.
+touch ../etc/CA/index.txt
+
+sed -r --in-place=.bak "s|^dir\s=.*$|dir = $cadir|" ../etc/openssl.cnf
+
+openssl ca -batch -config ../etc/openssl.cnf -policy signing_policy -extensions signing_req -out ../etc/CA/certs/$hostname.crt -infiles ../etc/CA/requests/$hostname.csr    
diff --git a/terraform/templates/dshield_ini.tpl b/terraform/templates/dshield_ini.tpl
new file mode 100644
index 00000000..511bc2d9
--- /dev/null
+++ b/terraform/templates/dshield_ini.tpl
@@ -0,0 +1,21 @@
+[DShield]
+interface=eth0
+version=93
+email=${dshield_email}
+userid=${dshield_userid}
+apikey=${dshield_apikey}
+piid=
+# the following lines will be used by a new feature of the submit code:
+# replace IP with other value and / or anonymize parts of the IP
+honeypotip=${public_ip}
+replacehoneypotip=
+anonymizeip=
+anonymizemask=
+fwlogfile=/var/log/dshield.log
+nofwlogging=${private_ip} ${deploy_ip}
+localips=${deploy_ip}
+adminports=${public_ssh}
+nohoneyips=${deploy_ip}
+nohoneyports='2222 2223 8000'
+manualupdates=0
+telnet=true
diff --git a/terraform/templates/dshield_sslca.tpl b/terraform/templates/dshield_sslca.tpl
new file mode 100644
index 00000000..9a8f4fac
--- /dev/null
+++ b/terraform/templates/dshield_sslca.tpl
@@ -0,0 +1,5 @@
+Country="${dshield_ca_country}"
+State="${dshield_ca_state}"
+City="${dshield_ca_city}"
+Company="${dshield_ca_company}"
+Depart="${dshield_ca_depart}"
diff --git a/terraform/templates/install_honeypot.tpl b/terraform/templates/install_honeypot.tpl
new file mode 100644
index 00000000..1c7338fc
--- /dev/null
+++ b/terraform/templates/install_honeypot.tpl
@@ -0,0 +1,14 @@
+#! /bin/bash
+cd ~/
+mkdir install
+cd install
+git clone https://github.com/DShield-ISC/dshield.git
+cd dshield/bin
+mv /tmp/makecert2.sh makecert.sh
+chmod +x makecert.sh
+sudo ./install.sh --upgrade
+if [ ${output_logging} = true ]; then
+  chmod +x /tmp/enable_logging.sh
+  sudo /tmp/enable_logging.sh
+fi
+sudo reboot