diff --git a/README.md b/README.md
index c8cf80e..13267bd 100644
--- a/README.md
+++ b/README.md
@@ -7,29 +7,34 @@ This terraform module can create a cross zone vpc.
 ###### Result
 
 This will create a vpc across multiple zone with a couple of subnet, routing 
-table, bastion instance, elb ans Managed NAT
+table, bastion instance, elb and Managed NAT
 
 ### Subnet
 
-There will be two level of subnet the front and the back and there will be 
-a subnet per type per zone
+There will be two level of subnet the public and the private and there will be 
+a subnet per level per zone
 
 ### route table
 
-two routing table are create one public and one private the public is linked to 
-the front subnets and the Gateway
-the private to the back subnets and the Managed NAT
+one routing table are create one public and one for each subnet in private 
+subnets.
+the public is linked to the public's subnets and the Internet Gateway, the 
+private to the private's subnets and the Managed NAT
 
 ### bastion instance and routing
 
-all bastion instance will be launched in an auto scaling group in the from subnets
-When a new Bastion instance is spawned a command to change the EIP association
-is run to make sure we always have the same IP
+A bastion is launched through an auto scaling group in all public's subnets.
+In each subnet an ENI and EIP is created.
+When a new Bastion instance is booted a command to change the ENI association
+is run to make sure he always have associated with one ENI/EIP.
+Some DNS record and healh-check will route to bastion no matter with ENI is 
+using.
 
 ### NAT
 
-All front subnet have one Managed NAT gateway and a routing table is create for
- each back subnet with a route from the subnet to the (AZ) corresponding NAT gateway
+All public's subnet have one Managed NAT gateway and a routing table is create 
+for each private's subnet with a route from the subnet to the (AZ) 
+corresponding NAT gateway
 
 ## Schema for 3 zone
 
@@ -48,7 +53,7 @@ All front subnet have one Managed NAT gateway and a routing table is create for
 |  .---------.   .---------.   .---------.  |
 |  |         |   |         |   |         |  |
 |  | subnet  |   | subnet  |   | subnet  |  |
-|  | front a |   | front b |   | front c |  |
+|  | pub   a |   | pub   b |   | pub   c |  |
 |  |         |   |         |   |         |  |
 |  |  .---.  |   |  .---.  |   |  .---.  |  |
 |  |  |NAT|  |   |  |NAT|  |   |  |NAT|  |  |
@@ -64,7 +69,7 @@ All front subnet have one Managed NAT gateway and a routing table is create for
 |  .---------.   .---------.   .---------.  |
 |  |         |   |         |   |         |  |
 |  | subnet  |   | subnet  |   | subnet  |  |
-|  | back  a |   | back  b |   | back  c |  |
+|  | priv  a |   | priv  b |   | priv  c |  |
 |  |         |   |         |   |         |  |
 |  |         |   |         |   |         |  |
 |  |         |   |         |   |         |  |
@@ -82,8 +87,10 @@ All front subnet have one Managed NAT gateway and a routing table is create for
 As input you need to specified the following variable:
 
 
-region: the region you want you vpc on
-azs_name: the zone you want your vps on
+region: the region you want your vpc on
+azs_name: the zone you want your vpc on
+azs_count: number of zone you want your vpc on, must be not be superior of the 
+number of zone available on the region
 
 network_network: a number to determine the network prefix 
 (10,<network_number>.0.0/24)
@@ -105,7 +112,7 @@ tags: all tag who should be on every resources
 
 vpc_id: id of the vpc newly created
 
-subnets: all subnet id from the private area value
+subnets: all subnet id from the private
 
 default_sg:  the default SecurityGroup for the vpc
 
diff --git a/bastion.tf b/bastion.tf
new file mode 100644
index 0000000..cb8db1d
--- /dev/null
+++ b/bastion.tf
@@ -0,0 +1,127 @@
+# bastion configuration
+
+resource "aws_eip" "bastion" {
+  count = "${var.azs_count}"
+
+  # count = "${length(aws_network_interface.bastion.*.id)}"
+  network_interface = "${element(aws_network_interface.bastion.*.id,count.index)}"
+  vpc               = true
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_network_interface" "bastion" {
+  count = "${var.azs_count}"
+
+  # count          = "${length(aws_subnet.public.*.id)}"
+  subnet_id       = "${element(aws_subnet.public.*.id,count.index)}"
+  description     = "${var.cluster_name}_bastion endpoint for ${element(aws_subnet.public.*.availability_zone,count.index)}"
+  security_groups = ["${aws_security_group.allow_bastion_ingress.id}"]
+
+  tags {
+    Name    = "${var.cluster_name}_eni-bastion-${element(aws_subnet.public.*.id,count.index)}"
+    cluster = "${var.cluster_name}"
+    product = "${var.tag_product}"
+    purpose = "${var.tag_purpose}"
+    builder = "terraform"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_autoscaling_group" "bastion" {
+  name             = "${var.cluster_name}_bastion"
+  max_size         = 1
+  min_size         = 1
+  desired_capacity = 1
+
+  health_check_grace_period = 120
+  health_check_type         = "EC2"
+  force_delete              = true
+  launch_configuration      = "${aws_launch_configuration.bastion.name}"
+  vpc_zone_identifier       = ["${aws_subnet.public.*.id}"]
+
+  tag {
+    key                 = "Name"
+    value               = "${var.cluster_name}_bastion"
+    propagate_at_launch = true
+  }
+
+  tag {
+    key                 = "builder"
+    value               = "terraform"
+    propagate_at_launch = true
+  }
+
+  tag {
+    key                 = "cluster"
+    value               = "${var.cluster_name}"
+    propagate_at_launch = true
+  }
+
+  tag {
+    key                 = "product"
+    value               = "${var.tag_product}"
+    propagate_at_launch = true
+  }
+
+  tag {
+    key                 = "purpose"
+    value               = "${var.tag_purpose}"
+    propagate_at_launch = true
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_launch_configuration" "bastion" {
+  name_prefix                 = "${var.cluster_name}_bastion-"
+  image_id                    = "${lookup(var.ami_bastion, var.region)}"
+  instance_type               = "${var.instance_type_bastion}"
+  key_name                    = "${var.aws_key_name}"
+  associate_public_ip_address = true
+  iam_instance_profile        = "${aws_iam_instance_profile.bastion_profile.name}"
+  security_groups             = ["${aws_security_group.allow_bastion_ingress.id}", "${aws_security_group.bastion.id}"]
+
+  user_data = "${template_file.launch_bastion.rendered}\n${var.user_data}"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "template_file" "launch_bastion" {
+  vars {
+    region   = "${var.region}"
+    enis_map = "${join(" ",template_file.enis_map.*.rendered)}"
+  }
+
+  template = "${file("${path.module}/bastion_user_data.tpl")}"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "template_file" "enis_map" {
+  # count = "${length(aws_network_interface.bastion.*.id)}"
+
+  count = "${var.azs_count}"
+
+  vars {
+    zone = "${replace(element(split(" ", element(aws_network_interface.bastion.*.description,count.index)),3),"${var.region}","")}"
+    eni  = "${element(aws_network_interface.bastion.*.id,count.index)}"
+  }
+
+  template = "[\"${zone}\"]=\"${eni}\""
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/bastion_user_data.tpl b/bastion_user_data.tpl
index 294cc15..a380da6 100644
--- a/bastion_user_data.tpl
+++ b/bastion_user_data.tpl
@@ -1,32 +1,11 @@
 #!/bin/bash -v
+ZONE=$(wget -qO - http://169.254.169.254/latest/meta-data/placement/availability-zone)
+INSTANCE_ID=$$(wget http://169.254.169.254/latest/meta-data/instance-id -O - -q)
 
-EC2_URL=https://ec2.${region}.amazonaws.com
+declare -A enis_map
+enis_map=(${enis_map})
+eni=$${enis_map[$${ZONE: -1}]}
+/usr/bin/aws ec2 attach-network-interface --network-interface-id $${eni} --instance-id $${INSTANCE_ID} --device-index 1 --region '${region}'
+/bin/sleep 60
 
-# set fqdn pointing to instance ip
-if [[ -n "${route53_zone_id}" && -n "${fqdn}" ]]; then
-	MYMAC=$(wget http://169.254.169.254/latest/meta-data/network/interfaces/macs/ -O - -q)
-	MYIP=$(wget http://169.254.169.254/latest/meta-data/network/interfaces/macs/$MYMAC/ipv4-associations -O - -q)
-
-	cat << EOF > /tmp/route53-change.json
-{
-	"Comment": "Updating Bastion Host Record",
-	"Changes": [
-		{
-			"Action": "UPSERT",
-			"ResourceRecordSet": {
-				"Name": "bastion-${fqdn}",
-				"Type": "A",
-				"TTL": 60,
-				"ResourceRecords": [
-					{
-						"Value": "$MYIP"
-					}
-				]
-			}
-		}
-	]
-}
-EOF
-	aws route53 change-resource-record-sets --hosted-zone-id "${route53_zone_id}" --change-batch file:///tmp/route53-change.json
-	rm -rf /tmp/route53-change.json
-fi
+ec2ifscan
diff --git a/dns.tf b/dns.tf
new file mode 100644
index 0000000..3bde97d
--- /dev/null
+++ b/dns.tf
@@ -0,0 +1,36 @@
+resource "aws_route53_record" "bastion" {
+  #count = "${length(aws_network_interface.bastion.*.private_ips)}"
+  count = "${var.azs_count}"
+
+  name            = "bastion-${var.cluster_name}"
+  zone_id         = "${var.route_zone_id}"
+  type            = "A"
+  set_identifier  = "${count.index}"
+  weight          = "${count.index}"
+  records         = ["${element(aws_eip.bastion.*.public_ip,count.index)}"]
+  ttl             = 60
+  health_check_id = "${element(aws_route53_health_check.bastion_check.*.id,count.index)}"
+}
+
+resource "aws_route53_health_check" "bastion_check" {
+  count = "${var.azs_count}"
+
+  #count = "${length(aws_route53_record.bastion.*.)}"
+  ip_address        = "${element(aws_eip.bastion.*.public_ip,count.index)}"
+  port              = 22
+  type              = "TCP"
+  failure_threshold = "2"
+  request_interval  = "10"
+
+  tags {
+    Name    = "${var.cluster_name}_bastion-check"
+    cluster = "${var.cluster_name}"
+    product = "${var.tag_product}"
+    purpose = "${var.tag_purpose}"
+    builder = "terraform"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/iam.tf b/iam.tf
new file mode 100644
index 0000000..fe18f04
--- /dev/null
+++ b/iam.tf
@@ -0,0 +1,58 @@
+resource "aws_iam_role" "bastion_role" {
+  name = "${var.cluster_name}_bastion_role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+	{
+	  "Action": "sts:AssumeRole",
+	  "Principal": {
+		"Service": "ec2.amazonaws.com"
+	  },
+	  "Effect": "Allow",
+	  "Sid": ""
+	}
+  ]
+}
+EOF
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_iam_instance_profile" "bastion_profile" {
+  name  = "${var.cluster_name}_bastion_profile"
+  roles = ["${aws_iam_role.bastion_role.name}"]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_iam_role_policy" "bastion_policy" {
+  name = "${var.cluster_name}_bastion_policy"
+  role = "${aws_iam_role.bastion_role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": {
+	"Effect": "Allow",
+	"Action": [
+	  "ec2:AttachNetworkInterface",
+	  "ec2:DescribeNetworkInterfaces",
+	  "ec2:DetachNetworkInterface"
+	],
+	"Resource": [
+	  "*"
+	]
+  }
+}
+EOF
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/nat.tf b/nat.tf
new file mode 100644
index 0000000..9261128
--- /dev/null
+++ b/nat.tf
@@ -0,0 +1,23 @@
+# NAT
+resource "aws_eip" "gw_ip" {
+  count = "${var.azs_count}"
+
+  # count = "${length(aws_subnet.public.*.id)}"
+  vpc = true
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_nat_gateway" "gw" {
+  count = "${var.azs_count}"
+
+  # count = "${length(aws_eip.gw_ip.*.id)}"
+
+  allocation_id = "${element(aws_eip.gw_ip.*.id, count.index)}"
+  subnet_id     = "${element(aws_subnet.public.*.id, count.index)}"
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/output.tf b/output.tf
index 48dc00e..8a80ddc 100644
--- a/output.tf
+++ b/output.tf
@@ -1,11 +1,31 @@
-output "vpc_id" {
+output "id" {
   value = "${aws_vpc.main.id}"
 }
 
-output "subnets" {
-  value = "${join(",",aws_subnet.back.*.id)}"
+output "subnets_private" {
+  value = "${join(",",aws_subnet.private.*.id)}"
 }
 
-output "default_sg" {
+output "subnets_public" {
+  value = "${join(",",aws_subnet.public.*.id)}"
+}
+
+output "azs" {
+  value = "${var.region}${replace(lookup(var.azs_name, var.region),",",",${var.region}")}"
+}
+
+output "nat_ip" {
+  value = "${join(",",aws_nat_gateway.gw.*.public_ip)}"
+}
+
+output "sg_bastion" {
+  value = "${aws_security_group.bastion.id}"
+}
+
+output "sg_default" {
   value = "${aws_vpc.main.default_security_group_id}"
 }
+
+output "cidr_block" {
+  value = "${aws_vpc.main.cidr_block}"
+}
diff --git a/private.tf b/private.tf
new file mode 100644
index 0000000..940d0a1
--- /dev/null
+++ b/private.tf
@@ -0,0 +1,59 @@
+# private network
+
+resource "aws_subnet" "private" {
+  count = "${var.azs_count}"
+
+  #count = "${length(compact(split(",",lookup(var.azs_name, var.region))))}"
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "10.${var.network_number}.1${count.index}.0/24"
+  availability_zone = "${var.region}${element(split(",",lookup(var.azs_name, var.region)), count.index)}"
+
+  tags {
+    Name    = "${var.cluster_name}_private-${element(split(",",lookup(var.azs_name, var.region)), count.index)}"
+    cluster = "${var.cluster_name}"
+    product = "${var.tag_product}"
+    purpose = "${var.tag_purpose}"
+    builder = "terraform"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route_table" "private" {
+  count = "${var.azs_count}"
+
+  # count  = "${length(aws_subnet.private.*.id)}"
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = "${element(aws_nat_gateway.gw.*.id, count.index)}"
+  }
+
+  tags {
+    Name    = "${var.cluster_name}_private-${count.index}"
+    cluster = "${var.cluster_name}"
+    product = "${var.tag_product}"
+    purpose = "${var.tag_purpose}"
+    builder = "terraform"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+    ignore_changes        = ["route"]
+  }
+}
+
+resource "aws_route_table_association" "private" {
+  count = "${var.azs_count}"
+
+  # count          = "${length(aws_subnet.private.*.id)}"
+  subnet_id      = "${element(aws_subnet.private.*.id,count.index)}"
+  route_table_id = "${element(aws_route_table.private.*.id,count.index)}"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/public.tf b/public.tf
new file mode 100644
index 0000000..c0b0ab5
--- /dev/null
+++ b/public.tf
@@ -0,0 +1,55 @@
+# public network
+
+resource "aws_subnet" "public" {
+  count = "${var.azs_count}"
+
+  #count = "${length(split(",", lookup(var.azs_name, var.region)))}"
+
+  vpc_id            = "${aws_vpc.main.id}"
+  cidr_block        = "10.${var.network_number}.${count.index}.0/24"
+  availability_zone = "${var.region}${element(split(",", lookup(var.azs_name, var.region)), count.index)}"
+  tags {
+    Name    = "${var.cluster_name}_public-${element(split(",", lookup(var.azs_name, var.region)), count.index)}"
+    cluster = "${var.cluster_name}"
+    product = "${var.tag_product}"
+    purpose = "${var.tag_purpose}"
+    builder = "terraform"
+  }
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = "${aws_vpc.main.id}"
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = "${aws_internet_gateway.default.id}"
+  }
+
+  tags {
+    Name    = "${var.cluster_name}_public"
+    cluster = "${var.cluster_name}"
+    product = "${var.tag_product}"
+    purpose = "${var.tag_purpose}"
+    builder = "terraform"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+    ignore_changes        = ["route"]
+  }
+}
+
+resource "aws_route_table_association" "public" {
+  count = "${var.azs_count}"
+
+  # count          = "${length(aws_subnet.public.*.id)}"
+  subnet_id      = "${element(aws_subnet.public.*.id,count.index)}"
+  route_table_id = "${aws_route_table.public.id}"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/security.tf b/security.tf
new file mode 100644
index 0000000..7843dc8
--- /dev/null
+++ b/security.tf
@@ -0,0 +1,59 @@
+resource "aws_security_group" "allow_bastion_ingress" {
+  name        = "${var.cluster_name}_allow-bastion-ingress"
+  description = "Allow all inbound traffic"
+  vpc_id      = "${aws_vpc.main.id}"
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "TCP"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags {
+    Name    = "${var.cluster_name}_allow-bastion-ingress"
+    cluster = "${var.cluster_name}"
+    product = "${var.tag_product}"
+    purpose = "${var.tag_purpose}"
+    builder = "terraform"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_security_group" "bastion" {
+  name        = "${var.cluster_name}_bastion"
+  description = "Allow all inbound traffic"
+  vpc_id      = "${aws_vpc.main.id}"
+
+  tags {
+    Name    = "${var.cluster_name}_bastion"
+    cluster = "${var.cluster_name}"
+    product = "${var.tag_product}"
+    purpose = "${var.tag_purpose}"
+    builder = "terraform"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_security_group_rule" "bastion" {
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  source_security_group_id = "${aws_security_group.bastion.id}"
+
+  security_group_id = "${aws_security_group.bastion.id}"
+}
diff --git a/variables.tf b/variables.tf
index fd09ec8..eed45f3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,4 +1,7 @@
-variable "region" {
+variable "region" {}
+
+variable "azs_count" {
+  default = 3
 }
 
 variable "azs_name" {
@@ -46,7 +49,7 @@ variable "cluster_name" {
   default = "vpc-test"
 }
 
-variable "zone_id" {
+variable "route_zone_id" {
   default     = ""
   description = "dn zone where you want the dn record in, AWS ID of the FLD"
 }
@@ -56,6 +59,11 @@ variable "fqdn" {
   description = "domain name that you want the bastion on, should use a subdomain, result bastion-<cluster_name>.<fqdn>"
 }
 
+variable "user_data" {
+  default     = ""
+  description = "extra user data added to the bastion, must be shell"
+}
+
 variable "tag_product" {
   default = "devops"
 }
diff --git a/vpc.tf b/vpc.tf
index ba8ee88..2fd920f 100644
--- a/vpc.tf
+++ b/vpc.tf
@@ -1,3 +1,7 @@
+provider "aws" {
+  region = "${var.region}"
+}
+
 resource "aws_vpc" "main" {
   cidr_block           = "10.${var.network_number}.0.0/16"
   enable_dns_support   = true
@@ -10,127 +14,43 @@ resource "aws_vpc" "main" {
     purpose = "${var.tag_purpose}"
     builder = "terraform"
   }
-}
-
-resource "aws_internet_gateway" "default" {
-  vpc_id = "${aws_vpc.main.id}"
-
-  tags {
-    Name    = "${var.cluster_name}"
-    cluster = "${var.cluster_name}"
-    product = "${var.tag_product}"
-    purpose = "${var.tag_purpose}"
-    builder = "terraform"
-  }
-}
 
-# public (front) network 
-
-resource "aws_subnet" "front" {
-  count = 3
-
-  #count = "${length(split(",", lookup(var.azs_name, var.region)))}"
-
-  vpc_id                  = "${aws_vpc.main.id}"
-  cidr_block              = "10.${var.network_number}.${count.index}.0/24"
-  availability_zone       = "${var.region}${element(split(",", lookup(var.azs_name, var.region)), count.index)}"
-  map_public_ip_on_launch = true
-  tags {
-    Name    = "front-${var.cluster_name}-${var.region}${element(split(",", lookup(var.azs_name, var.region)), count.index)}"
-    cluster = "${var.cluster_name}"
-    product = "${var.tag_product}"
-    purpose = "${var.tag_purpose}"
-    builder = "terraform"
-  }
-}
-
-resource "aws_route_table" "public" {
-  vpc_id = "${aws_vpc.main.id}"
-
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = "${aws_internet_gateway.default.id}"
-  }
-
-  tags {
-    Name    = "public-${var.cluster_name}"
-    cluster = "${var.cluster_name}"
-    product = "${var.tag_product}"
-    purpose = "${var.tag_purpose}"
-    builder = "terraform"
+  lifecycle {
+    create_before_destroy = true
   }
 }
 
-resource "aws_route_table_association" "front" {
-  count = 3
-   
-  # count          = "${length(aws_subnet.front.*.id)}"
-  subnet_id      = "${element(aws_subnet.front.*.id,count.index)}"
-  route_table_id = "${aws_route_table.public.id}"
-}
-
-# NAT
-resource "aws_eip" "gw_ip" {
-  count = 3
-   
-  # count = "${length(aws_subnet.front.*.id)}"
-  vpc   = true
-}
-
-resource "aws_nat_gateway" "gw" {
-  count = 3
-   
-  # count = "${length(aws_eip.gw_ip.*.id)}"
-
-  allocation_id = "${element(aws_eip.gw_ip.*.id, count.index)}"
-  subnet_id     = "${element(aws_subnet.front.*.id, count.index)}"
+resource "aws_vpc_dhcp_options_association" "dns_resolver" {
+  vpc_id          = "${aws_vpc.main.id}"
+  dhcp_options_id = "${aws_vpc_dhcp_options.search.id}"
 }
 
-# private (back) network 
-
-resource "aws_subnet" "back" {
-  count = 3
-
-  #count = "${length(compact(split(",",lookup(var.azs_name, var.region))))}"
-  vpc_id            = "${aws_vpc.main.id}"
-  cidr_block        = "10.${var.network_number}.1${count.index}.0/24"
-  availability_zone = "${var.region}${element(split(",",lookup(var.azs_name, var.region)), count.index)}"
+resource "aws_vpc_dhcp_options" "search" {
+  domain_name         = "${var.fqdn} ${var.region}.compute.internal"
+  domain_name_servers = ["AmazonProvidedDNS"]
 
   tags {
-    Name    = "back-${var.cluster_name}-${var.region}${element(split(",",lookup(var.azs_name, var.region)), count.index)}"
+    Name    = "${var.cluster_name}_default_search"
     cluster = "${var.cluster_name}"
     product = "${var.tag_product}"
     purpose = "${var.tag_purpose}"
-    builder = "terraform"
   }
 }
 
-resource "aws_route_table" "private" {
-  count = 3
-   
-  # count  = "${length(aws_subnet.back.*.id)}"
+resource "aws_internet_gateway" "default" {
   vpc_id = "${aws_vpc.main.id}"
 
-  route {
-    cidr_block     = "0.0.0.0/0"
-    nat_gateway_id = "${element(aws_nat_gateway.gw.*.id, count.index)}"
-  }
-
   tags {
-    Name    = "private-${count.index}-${var.cluster_name}"
+    Name    = "${var.cluster_name}_ig"
     cluster = "${var.cluster_name}"
     product = "${var.tag_product}"
     purpose = "${var.tag_purpose}"
     builder = "terraform"
   }
-}
 
-resource "aws_route_table_association" "back" {
-  count = 3
-   
-  # count          = "${length(aws_subnet.back.*.id)}"
-  subnet_id      = "${element(aws_subnet.back.*.id,count.index)}"
-  route_table_id = "${element(aws_route_table.private.*.id,count.index)}"
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 # s3 endpoint
@@ -138,171 +58,6 @@ resource "aws_vpc_endpoint" "private-s3" {
   vpc_id          = "${aws_vpc.main.id}"
   service_name    = "com.amazonaws.${var.region}.s3"
   route_table_ids = ["${aws_route_table.private.*.id}", "${aws_route_table.public.id}"]
-}
-
-# bastion configuration
-
-resource "aws_security_group" "allow_bastion" {
-  description = "Allow all inbound traffic"
-  vpc_id      = "${aws_vpc.main.id}"
-
-  ingress {
-    from_port   = 22
-    to_port     = 22
-    protocol    = "TCP"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags {
-    Name    = "allow-bastion"
-    cluster = "${var.cluster_name}"
-    product = "${var.tag_product}"
-    purpose = "${var.tag_purpose}"
-    builder = "terraform"
-  }
-}
-
-resource "aws_autoscaling_group" "bastion" {
-  name             = "bastion-${var.cluster_name}"
-  max_size         = 1
-  min_size         = 1
-  desired_capacity = 1
-
-  health_check_grace_period = 10
-  health_check_type         = "EC2"
-  force_delete              = true
-  launch_configuration      = "${aws_launch_configuration.bastion.name}"
-  vpc_zone_identifier       = ["${aws_subnet.front.*.id}"]
-
-  lifecycle {
-    create_before_destroy = true
-  }
-
-  tag {
-    key                 = "Name"
-    value               = "bastion-${var.cluster_name}"
-    propagate_at_launch = true
-  }
-
-  tag {
-    key                 = "builder"
-    value               = "terraform"
-    propagate_at_launch = true
-  }
-
-  tag {
-    key                 = "cluster"
-    value               = "${var.cluster_name}"
-    propagate_at_launch = true
-  }
-
-  tag {
-    key                 = "product"
-    value               = "${var.tag_product}"
-    propagate_at_launch = true
-  }
-
-  tag {
-    key                 = "purpose"
-    value               = "${var.tag_purpose}"
-    propagate_at_launch = true
-  }
-}
-
-resource "aws_iam_role" "bastion_role" {
-  name = "bastion_role_${var.cluster_name}"
-
-  assume_role_policy = <<EOF
-{
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Action": "sts:AssumeRole",
-			"Principal": {
-				"Service": "ec2.amazonaws.com"
-			},
-			"Effect": "Allow",
-			"Sid": ""
-		}
-	]
-}
-EOF
-}
-
-resource "aws_iam_instance_profile" "bastion_profile" {
-  name  = "bastion_profile_${var.cluster_name}"
-  roles = ["${aws_iam_role.bastion_role.name}"]
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_iam_role_policy" "bastion_policy" {
-  name = "bastion_policy_${var.cluster_name}"
-  role = "${aws_iam_role.bastion_role.id}"
-
-  policy = <<EOF
-{
-	"Version": "2012-10-17",
-	"Statement": [
-		{
-			"Effect": "Allow",
-			"Action": [
-				"route53:ChangeResourceRecordSets"
-			],
-			"Resource": "*"
-		}
-	]
-}
-EOF
-}
-
-resource "aws_route53_record" "bastion" {
-  name    = "bastion-${var.cluster_name}"
-  zone_id = "${var.zone_id}"
-  type    = "A"
-  records = ["10.0.0.0"]
-  ttl     = 60
-
-  lifecycle {
-    # this will be updated with the user_data of the launch configuration
-    # https://github.com/hashicorp/terraform/issues/5627
-    ignore_changes = ["records"]
-  }
-}
-
-resource "aws_launch_configuration" "bastion" {
-  name_prefix                 = "bastion-${var.cluster_name}-"
-  image_id                    = "${lookup(var.ami_bastion, var.region)}"
-  instance_type               = "${var.instance_type_bastion}"
-  key_name                    = "${var.aws_key_name}"
-  associate_public_ip_address = true
-  iam_instance_profile        = "${aws_iam_instance_profile.bastion_profile.name}"
-  security_groups             = ["${aws_security_group.allow_bastion.id}", "${aws_vpc.main.default_security_group_id}"]
-
-  user_data = "${template_file.launch_bastion.rendered}"
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "template_file" "launch_bastion" {
-  vars {
-    region          = "${var.region}"
-    route53_zone_id = "${var.zone_id}"
-    fqdn            = "${var.fqdn}"
-  }
-
-  template = "${file("${path.module}/bastion_user_data.tpl")}"
 
   lifecycle {
     create_before_destroy = true