diff --git a/terraform/inputs.tf b/terraform/inputs.tf
index 20146b0..72f1862 100644
--- a/terraform/inputs.tf
+++ b/terraform/inputs.tf
@@ -1,34 +1,17 @@
 locals {
- region = "us-east-1"
- availability_zone = "us-east-1a"
- secondary_availability_zone = "us-east-1b"
+ upstream_server_count = 3
+ upstream_agent_count = 0
+ upstream_distro_version = "v1.24.10+k3s1"
+ upstream_san = "upstream.local.gd"
+ upstream_kubernetes_api_port = 6445
- bastion_ami = "ami-0abac89b48b8cc3bb" // amazon/suse-sles-15-sp4-byos-v20220621-hvm-ssd-arm64
+ rancher_chart = "https://releases.rancher.com/server-charts/latest/rancher-2.7.1.tgz"
- upstream_instance_type = "t3a.xlarge"
- upstream_ami = "ami-0096528c9fcc1a6a9" // Ubuntu: us-east-1 jammy 22.04 LTS amd64 hvm:ebs-ssd 20221118
- upstream_server_count = 3
- upstream_agent_count = 0
- upstream_distro_version = "v1.4.3/rke_darwin-amd64 v1.24.10-rancher4-1"
- # alternatives:
- # upstream_distro_version = "v1.24.6+k3s1"
- # upstream_distro_version = "v1.24.8+rke2r1"
- rancher_chart = "https://releases.rancher.com/server-charts/latest/rancher-2.7.0.tgz"
- upstream_san = "upstream.local.gd"
- upstream_kubernetes_api_port = 6443
-
- downstream_instance_type = "t3a.xlarge"
- downstream_ami = "ami-0096528c9fcc1a6a9" // Ubuntu: us-east-1 jammy 22.04 LTS amd64 hvm:ebs-ssd 20221118
- downstream_server_count = 1
- downstream_agent_count = 1
- downstream_distro_version = "v1.24.6+k3s1"
- # alternatives:
- # downstream_distro_version = "v1.24.8+rke2r1"
- # downstream_distro_version = "v1.4.3/rke_darwin-amd64 v1.24.10-rancher4-1"
- downstream_san = "downstream.local.gd"
- downstream_kubernetes_api_port = 6444
+ downstream_server_count = 3
+ downstream_agent_count = 0
+ downstream_distro_version = "v1.24.10+k3s1"
+ downstream_san = "downstream.local.gd"
+ downstream_kubernetes_api_port = 6446
 project_name = "moio"
- ssh_private_key_path = "~/.ssh/id_ed25519"
- ssh_public_key_path = "~/.ssh/id_ed25519.pub"
 }
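Review bot: `rancher_chart` is still a bare HTTPS URL with no digest recorded beside it, so TLS to releases.rancher.com is the only integrity check on the chart that presumably gets installed into the upstream cluster. Since this hunk already touches the line for the 2.7.1 bump, consider a sibling local such as `rancher_chart_sha256 = "<sha256 of rancher-2.7.1.tgz>"` (placeholder value) and a check against it where the chart is fetched. How the `rancher` module consumes the URL is not visible in this diff, so the place for that check has to be confirmed there.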
diff --git a/terraform/main.tf b/terraform/main.tf
index 3e8acc3..6acdb69 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -1,21 +1,13 @@
 terraform {
 required_version = "1.3.7"
 required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "4.31.0"
- }
- tls = {
- source = "hashicorp/tls"
- version = "4.0.3"
- }
 helm = {
 source = "hashicorp/helm"
 version = "2.7.1"
 }
- ssh = {
- source = "loafoe/ssh"
- version = "2.2.1"
+ docker = {
+ source = "kreuzwerker/docker"
+ version = "2.23.1"
 }
 k3d = {
 source = "pvotal-tech/k3d"
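Review bot: The new `docker` entry pins `kreuzwerker/docker` by version only, and no `.terraform.lock.hcl` change is visible in this diff, so it is unclear whether the checksums for this and the other third-party provider (`pvotal-tech/k3d`) are tracked. An exact `version = "2.23.1"` selects a release but does not fix the hash of the binary that `terraform init` downloads; the committed lock file is what makes a changed provider build fail verification. If the lock file is tracked, a comment such as `# provider hashes are pinned in the committed .terraform.lock.hcl` would record that; if it is ignored on purpose, the block should say why. The `required_providers` block continues past the end of this hunk.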
@@ -24,65 +16,32 @@ terraform {
 }
 }
-provider "aws" {
- region = local.region
+provider "docker" {
+ host = "unix:///var/run/docker.sock"
 }
-module "aws_shared" {
- source = "./aws_shared"
- project_name = local.project_name
- ssh_public_key_path = local.ssh_public_key_path
-}
-
-module "aws_network" {
- source = "./aws_network"
- region = local.region
- availability_zone = local.availability_zone
- secondary_availability_zone = local.secondary_availability_zone
- project_name = local.project_name
-}
-
-module "bastion" {
- depends_on = [module.aws_network]
- source = "./aws_host"
- ami = local.bastion_ami
- availability_zone = local.availability_zone
- project_name = local.project_name
- name = "bastion"
- ssh_key_name = module.aws_shared.key_name
- ssh_private_key_path = local.ssh_private_key_path
- subnet_id = module.aws_network.public_subnet_id
- vpc_security_group_id = module.aws_network.public_security_group_id
+module "network" {
+ source = "./k3d_network"
+ project_name = local.project_name
 }
 module "upstream_cluster" {
- source = "./aws_rke"
- # alternatives:
- # source = "./aws_k3s"
- # source = "./aws_rke2"
- ami = local.upstream_ami
- instance_type = local.upstream_instance_type
- availability_zone = local.availability_zone
- project_name = local.project_name
- name = "upstream"
- server_count = local.upstream_server_count
- agent_count = local.upstream_agent_count
- ssh_key_name = module.aws_shared.key_name
- ssh_private_key_path = local.ssh_private_key_path
- ssh_bastion_host = module.bastion.public_name
- subnet_id = module.aws_network.private_subnet_id
- vpc_security_group_id = module.aws_network.private_security_group_id
- kubernetes_api_port = local.upstream_kubernetes_api_port
- additional_ssh_tunnels = [[3000, 443]]
- distro_version = local.upstream_distro_version
- sans = [local.upstream_san]
- # k3s only
- # secondary_subnet_id = module.aws_network.secondary_private_subnet_id
+ source = "./k3d_k3s"
+ project_name = local.project_name
+ name = "upstream"
+ network_name = module.network.name
+ server_count = local.upstream_server_count
+ agent_count = local.upstream_agent_count
+ distro_version = local.upstream_distro_version
+ sans = [local.upstream_san]
+ kubernetes_api_port = local.upstream_kubernetes_api_port
+ additional_port_mappings = [[8443, 443]]
 }
 provider "helm" {
 kubernetes {
- config_path = "../config/upstream.yaml"
+ config_path = "~/.kube/config"
+ config_context = "k3d-${local.project_name}-upstream"
 }
 }
@@ -96,24 +55,13 @@ module "rancher" {
 }
 module "downstream_cluster" {
- source = "./aws_k3s"
- # alternatives:
- # source = "./aws_rke"
- # source = "./aws_rke2"
- ami = local.downstream_ami
- instance_type = local.downstream_instance_type
- availability_zone = local.availability_zone
- project_name = local.project_name
- name = "downstream"
- server_count = local.downstream_server_count
- agent_count = local.downstream_agent_count
- ssh_key_name = module.aws_shared.key_name
- ssh_private_key_path = local.ssh_private_key_path
- ssh_bastion_host = module.bastion.public_name
- subnet_id = module.aws_network.private_subnet_id
- vpc_security_group_id = module.aws_network.private_security_group_id
- kubernetes_api_port = local.downstream_kubernetes_api_port
- distro_version = local.downstream_distro_version
- sans = [local.downstream_san]
- secondary_subnet_id = module.aws_network.secondary_private_subnet_id
+ source = "./k3d_k3s"
+ project_name = local.project_name
+ name = "downstream"
+ network_name = module.network.name
+ server_count = local.downstream_server_count
+ agent_count = local.downstream_agent_count
+ distro_version = local.downstream_distro_version
+ sans = [local.downstream_san]
+ kubernetes_api_port = local.downstream_kubernetes_api_port
 }
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index f5815ff..697bc53 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
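Review bot: The host ports published through `additional_port_mappings = [[8443, 443]]` and `kubernetes_api_port` in `module "upstream_cluster"` of terraform/main.tf have no visible bind address. The removed `additional_ssh_tunnels` and `ssh_bastion_host` arguments show that the old setup reached the cluster through SSH tunnels. If `./k3d_k3s` publishes these ports on all interfaces, the Rancher UI and the Kubernetes API of a freshly bootstrapped cluster become reachable from the local network, not only from the workstation. Confirm in the module that the mappings bind to loopback only, and record it next to the argument with a comment such as `# host 8443 -> ingress 443, published on 127.0.0.1 only`. The same applies to `kubernetes_api_port` in the `module "downstream_cluster"` hunk that follows.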
@@ -1,15 +1,14 @@
 output "rancher_help" {
 value = <<-EOT
- UPSTREAM CLUSTER ACCESS:
- export KUBECONFIG=../config/upstream.yaml
-
- CLUSTER API:
- https://localhost:6443
+ CLUSTER ACCESS: already added to default kubeconfig
 RANCHER UI:
- https://${local.upstream_san}:3000
+ https://upstream.local.gd:8443
- DOWNSTREAM CLUSTER ACCESS:
- export KUBECONFIG=../config/downstream.yaml
+ CLUSTER API (upstream):
+ https://upstream.local.gd:6445
+
+ CLUSTER API (downstream):
+ https://downstream.local.gd:6446
 EOT
 }
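Review bot: The help text now hard-codes `upstream.local.gd:8443`, `:6445` and `:6446`, where the removed line interpolated `${local.upstream_san}`, so the printed URLs will silently go stale the next time `inputs.tf` changes a SAN or an API port. Interpolate the locals instead: `https://${local.upstream_san}:${local.upstream_kubernetes_api_port}` and `https://${local.downstream_san}:${local.downstream_kubernetes_api_port}`. The 8443 UI port is a literal in `main.tf` (`additional_port_mappings = [[8443, 443]]`) and would need its own local before it can be referenced here. The CLUSTER ACCESS line could also name the context the helm provider uses, `k3d-${local.project_name}-upstream`, so users select it explicitly instead of running commands against whatever context is current in their default kubeconfig.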