diff --git a/docker-demo-3/cloudinit.tf b/docker-demo-3/cloudinit.tf
new file mode 100644
index 0000000..2de0ab7
--- /dev/null
+++ b/docker-demo-3/cloudinit.tf
@@ -0,0 +1,20 @@
+provider "cloudinit" {}
+
+data "template_file" "jenkins-init" {
+ template = "${file("scripts/jenkins-init.sh")}"
+ vars {
+ DEVICE = "${var.INSTANCE_DEVICE_NAME}"
+ JENKINS_VERSION = "${var.JENKINS_VERSION}"
+ }
+}
+data "template_cloudinit_config" "cloudinit-jenkins" {
+
+ gzip = false
+ base64_encode = false
+
+ part {
+ content_type = "text/x-shellscript"
+ content = "${data.template_file.jenkins-init.rendered}"
+ }
+
+}
diff --git a/docker-demo-3/ecr.tf b/docker-demo-3/ecr.tf
new file mode 100644
index 0000000..c136228
--- /dev/null
+++ b/docker-demo-3/ecr.tf
@@ -0,0 +1,3 @@
+resource "aws_ecr_repository" "myapp" {
+ name = "myapp"
+}
diff --git a/docker-demo-3/ecs.tf b/docker-demo-3/ecs.tf
new file mode 100644
index 0000000..4dc7f7e
--- /dev/null
+++ b/docker-demo-3/ecs.tf
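Review bot: `provider "cloudinit" {}` on the first line of cloudinit.tf is not used by anything in this hunk: both `template_file` and `template_cloudinit_config` are data sources of the template provider, so the block looks like a leftover that only adds a provider dependency; drop it unless a `cloudinit_*` data source elsewhere needs it — confirm against the provider versions in use. The rendered script is passed through as plain user data (`gzip = false`, `base64_encode = false`), which is fine for a short shell script, but user data is readable from the instance metadata service and via the EC2 API, so `vars` should stay limited to non-sensitive values like the two it carries now (`DEVICE`, `JENKINS_VERSION`). A one-line comment above the `data "template_file"` block stating that would make the constraint explicit for the next person who adds a variable.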
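Review bot: `aws_ecr_repository.myapp` is created with defaults, so image tags are mutable and the `${REPOSITORY_URL}:${APP_VERSION}` reference in templates/app.json.tpl can resolve to a different image than the one that was reviewed if the same tag is pushed again. If the AWS provider version in use supports it, set `image_tag_mutability = "IMMUTABLE"` on the resource (and `image_scanning_configuration { scan_on_push = true }` where available); otherwise pin the task definition to the image digest rather than the tag. Nothing here bounds repository growth either, so an `aws_ecr_lifecycle_policy` expiring untagged images is worth adding alongside.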
@@ -0,0 +1,28 @@
+# cluster
+resource "aws_ecs_cluster" "example-cluster" {
+ name = "example-cluster"
+}
+resource "aws_launch_configuration" "ecs-example-launchconfig" {
+ name_prefix = "ecs-launchconfig"
+ image_id = "${lookup(var.ECS_AMIS, var.AWS_REGION)}"
+ instance_type = "${var.ECS_INSTANCE_TYPE}"
+ key_name = "${aws_key_pair.mykeypair.key_name}"
+ iam_instance_profile = "${aws_iam_instance_profile.ecs-ec2-role.id}"
+ security_groups = ["${aws_security_group.ecs-securitygroup.id}"]
+ user_data = "#!/bin/bash\necho 'ECS_CLUSTER=example-cluster' > /etc/ecs/ecs.config\nstart ecs"
+ lifecycle { create_before_destroy = true }
+}
+resource "aws_autoscaling_group" "ecs-example-autoscaling" {
+ name = "ecs-example-autoscaling"
+ vpc_zone_identifier = ["${aws_subnet.main-public-1.id}", "${aws_subnet.main-public-2.id}"]
+ launch_configuration = "${aws_launch_configuration.ecs-example-launchconfig.name}"
+ min_size = 1
+ max_size = 1
+ tag {
+ key = "Name"
+ value = "ecs-ec2-container"
+ propagate_at_launch = true
+ }
+}
+
+
diff --git a/docker-demo-3/iam.tf b/docker-demo-3/iam.tf
new file mode 100644
index 0000000..ca5616f
--- /dev/null
+++ b/docker-demo-3/iam.tf
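Review bot: The cluster name is hard-coded a second time inside `user_data` (`ECS_CLUSTER=example-cluster`), so renaming `aws_ecs_cluster.example-cluster` would leave new instances registering into a cluster that no longer exists; interpolate it instead: `user_data = "#!/bin/bash\necho 'ECS_CLUSTER=${aws_ecs_cluster.example-cluster.name}' > /etc/ecs/ecs.config\nstart ecs"`. The instance profile is passed as `.id`, which works because the profile's id is its name, but `.name` states the intent and reads the same as `key_name` above it. The ASG is pinned to `min_size = 1` / `max_size = 1` with no health-check settings, so a single unhealthy host stalls the cluster — a short comment on the `aws_autoscaling_group` block saying this is a demo-sized group would stop it being copied as-is.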
@@ -0,0 +1,113 @@ +# ecs ec2 role +resource "aws_iam_role" "ecs-ec2-role" { + name = "ecs-ec2-role" + assume_role_policy = <> /etc/fstab +mount /var/lib/jenkins + +# install jenkins and docker +wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo apt-key add - +echo "deb http://pkg.jenkins.io/debian-stable binary/" >> /etc/apt/sources.list +apt-get update +apt-get install -y jenkins=${JENKINS_VERSION} unzip docker.io + +# enable docker and add perms +usermod -G docker jenkins +systemctl enable docker +service docker start +service jenkins restart + +# install pip +wget -q https://bootstrap.pypa.io/get-pip.py +python get-pip.py +python3 get-pip.py +rm -f get-pip.py +# install awscli +pip install awscli + +# install terraform +cd /usr/local/bin +wget -q https://releases.hashicorp.com/terraform/0.7.7/terraform_0.7.7_linux_amd64.zip +unzip terraform_0.7.7_linux_amd64.zip +# clean up +apt-get clean +rm terraform_0.7.7_linux_amd64.zip diff --git a/docker-demo-3/securitygroup.tf b/docker-demo-3/securitygroup.tf new file mode 100644 index 0000000..60f749b --- /dev/null +++ b/docker-demo-3/securitygroup.tf 
@@ -0,0 +1,76 @@
+resource "aws_security_group" "ecs-securitygroup" {
+ vpc_id = "${aws_vpc.main.id}"
+ name = "ecs"
+ description = "security group for ecs"
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 3000
+ to_port = 3000
+ protocol = "tcp"
+ security_groups = ["${aws_security_group.myapp-elb-securitygroup.id}"]
+ }
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ tags {
+ Name = "ecs"
+ }
+}
+resource "aws_security_group" "myapp-elb-securitygroup" {
+ vpc_id = "${aws_vpc.main.id}"
+ name = "myapp-elb"
+ description = "security group for ecs"
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ tags {
+ Name = "myapp-elb"
+ }
+}
+# jenkins
+resource "aws_security_group" "jenkins-securitygroup" {
+ vpc_id = "${aws_vpc.main.id}"
+ name = "jenkins-securitygroup"
+ description = "security group that allows ssh and all egress traffic"
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ingress {
+ from_port = 8080
+ to_port = 8080
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+tags {
+ Name = "jenkins-securitygroup"
+ }
+}
diff --git a/docker-demo-3/templates/app.json.tpl b/docker-demo-3/templates/app.json.tpl
new file mode 100644
index 0000000..59afc10
--- /dev/null
+++ b/docker-demo-3/templates/app.json.tpl
@@ -0,0 +1,18 @@
+[
+ {
+ "essential": true,
+ "memory": 256,
+ "name": "myapp",
+ "cpu": 256,
+ "image": "${REPOSITORY_URL}:${APP_VERSION}",
+ "workingDirectory": "/app",
+ "command": ["npm", "start"],
+ "portMappings": [
+ {
+ "containerPort": 3000,
+ "hostPort": 3000
+ }
+ ]
+ }
+]
+
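Review bot: Port 22 is open to `0.0.0.0/0` on both `ecs-securitygroup` and `jenkins-securitygroup`, and the Jenkins UI on 8080 is world-reachable as well, so the CI host that carries Docker, awscli and Terraform (per scripts/jenkins-init.sh) is exposed to the entire internet. Replace those `cidr_blocks` with an operator range supplied as a variable with no default, e.g. `cidr_blocks = ["${var.ADMIN_CIDR}"]`, or reach Jenkins only through a bastion/ELB and allow 8080 from that security group the same way 3000 is allowed only from `myapp-elb-securitygroup`. Minor: `myapp-elb-securitygroup` copies the description `"security group for ecs"` from the ECS group, and the `tags {` block of the Jenkins group is not indented like the rest of the file.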
diff --git a/docker-demo-3/vars.tf b/docker-demo-3/vars.tf
new file mode 100644
index 0000000..466daba
--- /dev/null
+++ b/docker-demo-3/vars.tf
@@ -0,0 +1,37 @@
+variable "AWS_REGION" {
+ default = "eu-west-1"
+}
+variable "PATH_TO_PRIVATE_KEY" {
+ default = "mykey"
+}
+variable "PATH_TO_PUBLIC_KEY" {
+ default = "mykey.pub"
+}
+variable "ECS_INSTANCE_TYPE" {
+ default = "t2.micro"
+}
+variable "ECS_AMIS" {
+ type = "map"
+ default = {
+ us-east-1 = "ami-1924770e"
+ us-west-2 = "ami-56ed4936"
+ eu-west-1 = "ami-c8337dbb"
+ }
+}
+# Full List: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html
+
+variable "AMIS" {
+ type = "map"
+ default = {
+ us-east-1 = "ami-13be557e"
+ us-west-2 = "ami-06b94666"
+ eu-west-1 = "ami-844e0bf7"
+ }
+}
+variable "INSTANCE_DEVICE_NAME" {
+ default = "/dev/xvdh"
+}
+variable "JENKINS_VERSION" {
+ default = "2.19.1"
+}
+
diff --git a/docker-demo-3/vpc.tf b/docker-demo-3/vpc.tf
new file mode 100644
index 0000000..1325feb
--- /dev/null
+++ b/docker-demo-3/vpc.tf
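Review bot: `AWS_REGION` defaults to `eu-west-1` and both AMI maps are keyed by region, but vpc.tf hard-codes `availability_zone = "eu-west-1a"` through `"eu-west-1c"` on every subnet, so overriding the variable to `us-east-1` or `us-west-2` picks a valid AMI and then fails at the subnets; derive the zones from the region (`availability_zone = "${var.AWS_REGION}a"`) or state in a comment above `AWS_REGION` that only eu-west-1 is supported. `PATH_TO_PRIVATE_KEY` defaults to `mykey`, a path inside the working tree, so the private half of the key pair sits next to the Terraform files; this commit should either ship a `.gitignore` entry for `mykey` or drop the default so the path has to be supplied. `JENKINS_VERSION = "2.19.1"` is pinned, which is good for reproducibility, but `apt-get install jenkins=${JENKINS_VERSION}` in scripts/jenkins-init.sh will fail outright once the Jenkins repository no longer carries that version — a comment on the variable saying it must track the repository is worth adding.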
@@ -0,0 +1,110 @@
+# Internet VPC
+resource "aws_vpc" "main" {
+ cidr_block = "10.0.0.0/16"
+ instance_tenancy = "default"
+ enable_dns_support = "true"
+ enable_dns_hostnames = "true"
+ enable_classiclink = "false"
+ tags {
+ Name = "main"
+ }
+}
+
+
+# Subnets
+resource "aws_subnet" "main-public-1" {
+ vpc_id = "${aws_vpc.main.id}"
+ cidr_block = "10.0.1.0/24"
+ map_public_ip_on_launch = "true"
+ availability_zone = "eu-west-1a"
+
+ tags {
+ Name = "main-public-1"
+ }
+}
+resource "aws_subnet" "main-public-2" {
+ vpc_id = "${aws_vpc.main.id}"
+ cidr_block = "10.0.2.0/24"
+ map_public_ip_on_launch = "true"
+ availability_zone = "eu-west-1b"
+
+ tags {
+ Name = "main-public-2"
+ }
+}
+resource "aws_subnet" "main-public-3" {
+ vpc_id = "${aws_vpc.main.id}"
+ cidr_block = "10.0.3.0/24"
+ map_public_ip_on_launch = "true"
+ availability_zone = "eu-west-1c"
+
+ tags {
+ Name = "main-public-3"
+ }
+}
+resource "aws_subnet" "main-private-1" {
+ vpc_id = "${aws_vpc.main.id}"
+ cidr_block = "10.0.4.0/24"
+ map_public_ip_on_launch = "false"
+ availability_zone = "eu-west-1a"
+
+ tags {
+ Name = "main-private-1"
+ }
+}
+resource "aws_subnet" "main-private-2" {
+ vpc_id = "${aws_vpc.main.id}"
+ cidr_block = "10.0.5.0/24"
+ map_public_ip_on_launch = "false"
+ availability_zone = "eu-west-1b"
+
+ tags {
+ Name = "main-private-2"
+ }
+}
+resource "aws_subnet" "main-private-3" {
+ vpc_id = "${aws_vpc.main.id}"
+ cidr_block = "10.0.6.0/24"
+ map_public_ip_on_launch = "false"
+ availability_zone = "eu-west-1c"
+
+ tags {
+ Name = "main-private-3"
+ }
+}
+
+# Internet GW
+resource "aws_internet_gateway" "main-gw" {
+ vpc_id = "${aws_vpc.main.id}"
+
+ tags {
+ Name = "main"
+ }
+}
+
+# route tables
+resource "aws_route_table" "main-public" {
+ vpc_id = "${aws_vpc.main.id}"
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = "${aws_internet_gateway.main-gw.id}"
+ }
+
+ tags {
+ Name = "main-public-1"
+ }
+}
+
+# route associations public
+resource "aws_route_table_association" "main-public-1-a" {
+ subnet_id = "${aws_subnet.main-public-1.id}"
+ route_table_id = "${aws_route_table.main-public.id}"
+}
+resource "aws_route_table_association" "main-public-2-a" {
+ subnet_id = "${aws_subnet.main-public-2.id}"
+ route_table_id = "${aws_route_table.main-public.id}"
+}
+resource "aws_route_table_association" "main-public-3-a" {
+ subnet_id = "${aws_subnet.main-public-3.id}"
+ route_table_id = "${aws_route_table.main-public.id}"
+}