diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7c1cae9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,38 @@
+# Local .terraform directories
+**/.terraform/*
+
+# terraform lock file.
+**/.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data,
+# such as password, private keys, and other secrets. These should not be
+# part of version control as they are data points which are potentially
+# sensitive and subject to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources
+# locally and so are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e861a44
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# tfmod-istio
diff --git a/copy_images.tf b/copy_images.tf
new file mode 100644
index 0000000..d743799
--- /dev/null
+++ b/copy_images.tf
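Review bot: Ignoring `**/.terraform.lock.hcl` throws away the only provider checksum pin this repository has, so every `terraform init` re-resolves providers against the `>=` lower bounds declared in requirements.tf and verifies no recorded hashes. HashiCorp's guidance is to commit the lock file for any configuration that is applied directly; since this module declares an AWS `profile` input and looks like it is applied as a root, I would drop the two lines `# terraform lock file.` and `**/.terraform.lock.hcl` so the lock file is tracked. If this is strictly a child module consumed elsewhere the lock file matters less, but that should then be stated in a comment rather than left to the reader.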
@@ -0,0 +1,45 @@
+locals {
+ pilot_key = format("%v#%v", "istio/pilot", var.istio_version)
+ proxy_key = format("%v#%v", "istio/proxyv2", var.istio_version)
+
+ image_config = [
+ {
+ enabled = true
+ dest_path = null
+ name = "istio/pilot"
+ source_image = "istio/pilot"
+ source_registry = "docker.io"
+ source_tag = var.istio_version
+ tag = var.istio_version
+ },
+ {
+ enabled = true
+ dest_path = null
+ name = "istio/proxyv2"
+ source_image = "istio/proxyv2"
+ source_registry = "docker.io"
+ source_tag = var.istio_version
+ tag = var.istio_version
+ },
+ ]
+}
+
+module "images" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git"
+
+ profile = var.profile
+ application_name = var.cluster_name
+ image_config = local.image_config
+ tags = {}
+
+ ### optional
+ ## account_alias = ""
+ ## account_id = ""
+ ## destination_password = ""
+ ## destination_username = ""
+ ## override_prefixes = {}
+ ## region = ""
+ ## source_password = ""
+ ## source_username = ""
+}
+
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..253a6a4
--- /dev/null
+++ b/main.tf
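Review bot: The `module "images"` source is a bare git SSH URL with no `?ref=`, so each `terraform init` checks out whatever the default branch of `aws-ecr-copy-images` currently points to, and a change pushed to that repository silently changes what gets copied into ECR here; pin it, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=<tag-or-commit>"`. The same applies to the images themselves: both entries in `image_config` select `docker.io` content purely by the mutable tag `var.istio_version`, so a retagged upstream image is copied without any digest check; if the copy module accepts a digest or the `source_tag` field tolerates a `@sha256:` form, use that, otherwise record in a comment that the copy is tag-only. The commented `source_password`/`destination_password` inputs also suggest credentials are expected as plain module arguments; a short comment pointing operators at a secrets source rather than `.tfvars` would be worth adding here.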
@@ -0,0 +1,96 @@
+resource "kubernetes_namespace" "ns" {
+ metadata {
+ name = var.namespace
+ }
+}
+
+data "kubernetes_service" "apiserver" {
+ metadata {
+ name = "kubernetes"
+ }
+}
+
+resource "helm_release" "base" {
+ chart = "base"
+ name = "istio-base"
+ namespace = kubernetes_namespace.ns.metadata[0].name
+ version = var.istio_version
+ repository = "https://istio-release.storage.googleapis.com/charts"
+}
+
+resource "helm_release" "istiod" {
+ depends_on = [helm_release.base]
+
+ chart = "istiod"
+ name = "istiod"
+ namespace = kubernetes_namespace.ns.metadata[0].name
+ version = var.istio_version
+ repository = "https://istio-release.storage.googleapis.com/charts"
+
+ set {
+ name = "pilot.image"
+ value = module.images.images[local.pilot_key].dest_full_path
+ }
+ set {
+ name = "global.hub"
+ value = module.images.images[local.pilot_key].registry
+ }
+ set {
+ name = "global.proxy.image"
+ value = module.images.images[local.pilot_key].repository
+ }
+ set {
+ name = "global.proxy_init.image"
+ value = module.images.images[local.pilot_key].repository
+ }
+
+ set {
+ name = "telemetry.enabled"
+ value = var.enable_telemetry
+ }
+ set {
+ name = "meshConfig.enableTracing"
+ value = "true"
+ }
+ set {
+ name = "meshConfig.accessLogFile"
+ value = "/dev/stdout"
+ }
+ set {
+ name = "globalproxy.excludeIPRanges"
+ value = "${data.kubernetes_service.apiserver.spec[0].cluster_ip}/32"
+ }
+}
+
+resource "helm_release" "ingress" {
+ depends_on = [helm_release.istiod]
+
+ chart = "gateway"
+ name = "istio-ingressgateway"
+ namespace = kubernetes_namespace.ns.metadata[0].name
+ version = var.istio_version
+ repository = "https://istio-release.storage.googleapis.com/charts"
+
+ set {
+ name = "service.annotations.service\\.beta\\.kubernetes\\.io/aws-load-balancer-type"
+ value = "nlb"
+ }
+}
+
+resource "helm_release" "egress" {
+ depends_on = [helm_release.istiod]
+
+ count = var.enable_egress_gateway ? 1 : 0
+
+ chart = "gateway"
+ name = "istio-egressgateway"
+ namespace = kubernetes_namespace.ns.metadata[0].name
+ version = var.istio_version
+ repository = "https://istio-release.storage.googleapis.com/charts"
+
+ set {
+ name = "service.type"
+ value = "ClusterIP"
+ }
+}
+
diff --git a/requirements.tf b/requirements.tf
new file mode 100644
index 0000000..32e5c6f
--- /dev/null
+++ b/requirements.tf
@@ -0,0 +1,22 @@
+terraform {
+ required_version = ">= 0.13"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.14.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.11.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.23.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.2.1"
+ }
+ }
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..7826151
--- /dev/null
+++ b/variables.tf
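Review bot: In `helm_release.istiod` the `global.proxy.image` and `global.proxy_init.image` values are both taken from `module.images.images[local.pilot_key].repository`, while `local.proxy_key` (declared in copy_images.tf for `istio/proxyv2`) is never referenced, so the sidecar and init containers appear to be pointed at the pilot repository rather than the proxyv2 copy; both lines should read `value = module.images.images[local.proxy_key].repository`. The last `set` block names the value `globalproxy.excludeIPRanges`, which is not an Istio value — the chart key is `global.proxy.excludeIPRanges` — so the intended bypass of sidecar capture for the apiserver ClusterIP is silently a no-op and should be `name = "global.proxy.excludeIPRanges"`. Separately, every chart uses `version = var.istio_version` although variables.tf declares a dedicated `istio_chart_version`; one of the two should be dropped or the chart releases should use the chart variable so the app and chart versions can diverge as the variable comments describe. The ingress NLB annotation sets only the load-balancer type, which on AWS defaults to an internet-facing scheme, so a comment or an explicit scheme annotation would make the exposure deliberate.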
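Review bot: Every provider in `required_providers` is constrained only by a `>=` lower bound (`aws >= 5.14.0`, `helm >= 2.11.0`, `kubernetes >= 2.23.0`, `null >= 3.2.1`), and the .gitignore in this same change excludes `.terraform.lock.hcl`, so provider versions and their checksums float on every init with nothing to verify against. Use pessimistic constraints such as `version = "~> 5.14"` for each provider (or pin exact versions) and commit the lock file. Nothing in the files of this diff references the `null` provider; if it is only needed by the copied `aws-ecr-copy-images` module it is better declared there, so I would drop it here or add a comment saying why it is required.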
@@ -0,0 +1,48 @@
+variable "profile" {
+ description = "AWS_PROFILE to use to apply the terraform script."
+ default = ""
+}
+
+variable "cluster_name" {
+ description = "The name of the cluster into which istio will be installed."
+ type = string
+}
+
+variable "region" {
+ description = "The region in which the cluster is running."
+ type = string
+}
+
+variable "namespace" {
+ description = "The namespace to install the istio components. Defaults to 'istio-system'"
+ type = string
+ default = "istio-system"
+}
+
+# helm repo add istio https://istio-release.storage.googleapis.com/charts
+# helm search repo istio/istiod
+variable "istio_chart_version" {
+ description = "The version of istio to install into the cluster."
+ type = string
+ default = "1.18.2"
+}
+
+# The `APP VERSION` of the output found while determining the chart version
+variable "istio_version" {
+ description = "The version of istio to install into the cluster."
+ type = string
+ default = "1.18.2"
+}
+
+variable "enable_telemetry" {
+ description = "Enable Istio's stracing, monitoring, and logging features."
+ type = string
+ default = "true"
+}
+
+variable "enable_egress_gateway" {
+ description = "Enable Istio to control outbound traffic from the cluster."
+ type = bool
+ default = true
+}
+
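Review bot: `enable_telemetry` is declared as `type = string` with `default = "true"` while its sibling `enable_egress_gateway` is a proper `bool`, so a caller can pass any string (e.g. `"yes"`) and it will be handed straight to the `telemetry.enabled` chart value; make it `type = bool` and `default = true`, which the helm provider's `set` block will still render as `"true"`. The description also has a typo and should read `"Enable Istio's tracing, monitoring, and logging features."`. `profile` has no `type`, and `region` and `istio_chart_version` are declared but not referenced by any file in this diff (main.tf uses `var.istio_version` for the chart version), so either wire them in or remove them to avoid misleading callers; `istio_version` and `istio_chart_version` also share an identical description that should distinguish app version from chart version.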