diff --git a/terraform-k8s-infrastructure/main.tf b/terraform-k8s-infrastructure/main.tf
index 1a624494..0020c3e3 100644
--- a/terraform-k8s-infrastructure/main.tf
+++ b/terraform-k8s-infrastructure/main.tf
@@ -1,4 +1,3 @@
-# Require TF version to be same as or greater than 0.12.13
 terraform {
   backend "s3" {
     region         = "us-east-1"
@@ -8,6 +7,16 @@ terraform {
   }
 }
 
+# import core state
+data "terraform_remote_state" "core" {
+  backend = "s3"
+  config = {
+    bucket = local.tf_state_bucket
+    region = "us-east-1"
+    key    = "core.tfstate"
+  }
+}
+
 data "aws_eks_cluster" "rw_api" {
   name = "${replace(local.project, " ", "-")}-k8s-cluster-${var.environment}"
 }
@@ -37,6 +46,80 @@ module "k8s_data_layer" {
   backups_bucket             = var.backups_bucket
 }
 
-module "k8s_namespaces" {
-  source = "./modules/k8s_namespaces"
-}
\ No newline at end of file
+module "postgresql" {
+  source               = "./modules/postgresql"
+  postgresql_databases = ["resource-watch-manager"]
+  project              = local.project
+  tags                 = local.tags
+  rds_dbname           = data.terraform_remote_state.core.outputs.aurora_dbname
+  rds_host             = data.terraform_remote_state.core.outputs.aurora_host
+  rds_port             = data.terraform_remote_state.core.outputs.aurora_port
+  rds_username         = data.terraform_remote_state.core.outputs.aurora_user_name
+  rds_password         = var.rds_password
+}
+
+module "resource_watch" {
+  source    = "./modules/k8s_namespaces"
+  namespace = "rw"
+  app_secrets = {
+    RW_GOGGLE_API_TOKEN_SHORTENER = ""
+    RW_MAPBOX_API_TOKEN           = ""
+    RW_SECRET                     = ""
+    RW_SENDGRID_API_KEY           = ""
+    RW_SENDGRID_PASSWORD          = ""
+    RW_SENDGRID_USERNAME          = ""
+    RW_PREPROD_AUTH_USER          = ""
+    RW_PREPROD_AUTH_PASSWORD      = ""
+    RW_STAGING_AUTH_USER          = ""
+    RW_STAGING_AUTH_PASSWORD      = ""
+  }
+  db_secrets = {
+    REDIS_URI                         = ""
+    RESOURCE_WATCH_MANAGER_POSTGRESDB = module.postgresql.passwords["resource-watch-manager"]
+
+  }
+  ms_secrets = {
+    CT_TOKEN             = ""
+    CT_URL               = ""
+    S3_ACCESS_KEY_ID     = ""
+    S3_SECRET_ACCESS_KEY = ""
+  }
+  container_registry_server   = ""
+  container_registry_username = ""
+  container_registry_password = ""
+}
+
+module "gateway" {
+  source    = "./modules/k8s_namespaces"
+  namespace = "gateway"
+}
+
+module "core" {
+  source    = "./modules/k8s_namespaces"
+  namespace = "core"
+}
+
+module "aqueduct" {
+  source    = "./modules/k8s_namespaces"
+  namespace = "aqueduct"
+}
+
+module "gfw" {
+  source    = "./modules/k8s_namespaces"
+  namespace = "gfw"
+}
+
+module "fw" {
+  source    = "./modules/k8s_namespaces"
+  namespace = "fw"
+}
+
+module "prep" {
+  source    = "./modules/k8s_namespaces"
+  namespace = "fw"
+}
+
+module "climate-watch" {
+  source    = "./modules/k8s_namespaces"
+  namespace = "fw"
+}
diff --git a/terraform-k8s-infrastructure/modules/k8s_namespaces/main.tf b/terraform-k8s-infrastructure/modules/k8s_namespaces/main.tf
index 17cb2329..ac337206 100644
--- a/terraform-k8s-infrastructure/modules/k8s_namespaces/main.tf
+++ b/terraform-k8s-infrastructure/modules/k8s_namespaces/main.tf
@@ -1,7 +1,90 @@
-resource "kubernetes_namespace" "namespaces" {
-  count = length(var.namespaces)
+resource "kubernetes_namespace" "namespace" {
 
   metadata {
-    name = var.namespaces[count.index]
+    name = var.namespace
+  }
+}
+
+resource "kubernetes_secret" "ct_secrets" {
+  # only  create secrets  if db_secrets set
+  count = length(var.ct_secrets) > 0 ? 1 : 0
+  metadata {
+    annotations = {
+      name      = "ctsecrets"
+      namespace = var.namespace
+    }
+  }
+
+  type = "Opaque"
+  data = var.db_secrets
+}
+
+resource "kubernetes_secret" "db_secrets" {
+  # only  create secrets  if db_secrets set
+  count = length(var.db_secrets) > 0 ? 1 : 0
+  metadata {
+    annotations = {
+      name      = "dbsecrets"
+      namespace = var.namespace
+    }
+  }
+
+  type = "Opaque"
+  data = var.db_secrets
+}
+
+resource "kubernetes_secret" "app_secrets" {
+  # only  create secrets  if dbsecrets set
+  count = length(var.app_secrets) > 0 ? 1 : 0
+  metadata {
+    annotations = {
+      name      = "appsecrets"
+      namespace = var.namespace
+    }
+  }
+
+  type = "Opaque"
+  data = var.app_secrets
+}
+
+resource "kubernetes_secret" "ms_secrets" {
+  # only  create secrets  if ms_secrets set
+  count = length(var.ms_secrets) > 0 ? 1 : 0
+  metadata {
+    annotations = {
+      name      = "mssecrets"
+      namespace = var.namespace
+    }
+  }
+
+  type = "Opaque"
+  data = var.ms_secrets
+}
+
+
+resource "kubernetes_secret" "container_registry" {
+  # only  create secrets  if container_registry_server set
+  count = length(var.container_registry_server) > 0 ? 1 : 0
+  metadata {
+    annotations = {
+      name      = "regcred"
+      namespace = var.namespace
+    }
+  }
+
+  type = "kubernetes.io/dockerconfigjson"
+  data = {
+    ".dockerconfigjson" = <<DOCKER
+      {
+        "auths": {
+          "${var.container_registry_server}": {
+            "auth": "${base64encode("${var.container_registry_username}:${var.container_registry_password}")}"
+          }
+        },
+        "HttpHeaders": {
+          "User-Agent": "Docker-Client/19.03.2-ce (linux)"
+          }
+      }
+      DOCKER
   }
 }
\ No newline at end of file
diff --git a/terraform-k8s-infrastructure/modules/k8s_namespaces/variables.tf b/terraform-k8s-infrastructure/modules/k8s_namespaces/variables.tf
index f5a0dd41..e6f1d4cb 100644
--- a/terraform-k8s-infrastructure/modules/k8s_namespaces/variables.tf
+++ b/terraform-k8s-infrastructure/modules/k8s_namespaces/variables.tf
@@ -2,4 +2,47 @@ variable "namespaces" {
   description = "Namespace list"
   type        = list(string)
   default     = ["gateway", "core", "aqueduct", "rw", "gfw", "fw", "prep", "climate-watch"]
+}
+
+variable "namespace" {
+  type = string
+}
+
+variable "ct_secrets" {
+  type    = map(string)
+  default = {}
+}
+
+variable "db_secrets" {
+  type    = map(string)
+  default = {}
+}
+
+variable "app_secrets" {
+  type    = map(string)
+  default = {}
+}
+
+
+variable "ms_secrets" {
+  type    = map(string)
+  default = {}
+}
+
+variable "container_registry_server" {
+  type    = string
+  default = ""
+
+}
+
+variable "container_registry_username" {
+  type    = string
+  default = ""
+
+}
+
+variable "container_registry_password" {
+  type    = string
+  default = ""
+
 }
\ No newline at end of file
diff --git a/terraform-k8s-infrastructure/modules/postgresql/main.tf b/terraform-k8s-infrastructure/modules/postgresql/main.tf
new file mode 100644
index 00000000..f6eee7bc
--- /dev/null
+++ b/terraform-k8s-infrastructure/modules/postgresql/main.tf
@@ -0,0 +1,75 @@
+#################
+# Provider using Aurora cluster created in core terraform module
+#################
+
+provider "postgresql" {
+  host     = var.rds_host
+  port     = var.rds_port
+  database = var.rds_dbname
+  username = var.rds_username
+  password = var.rds_password
+
+}
+
+#################
+# Project databases, roles and passwords
+#################
+
+resource "postgresql_database" "default" {
+  count    = length(var.postgresql_databases)
+  name     = element(var.postgresql_databases, count.index)
+  owner    = var.rds_username
+  template = var.rds_dbname
+}
+
+resource "postgresql_role" "default" {
+  count    = length(var.postgresql_databases)
+  name     = element(var.postgresql_databases, count.index)
+  login    = true
+  password = random_password.default[count.index].result
+}
+
+resource "random_password" "default" {
+  count            = length(var.postgresql_databases)
+  length           = 16
+  special          = true
+  override_special = "_%@"
+}
+
+###################
+# AWS Secret Manager
+###################
+
+resource "aws_secretsmanager_secret" "postgresql" {
+  count       = length(var.postgresql_databases)
+  description = "Connection string for PostgreSQL database ${element(var.postgresql_databases, count.index)}"
+  name        = "${var.project}-postgresql-${element(var.postgresql_databases, count.index)}-secret"
+  tags        = var.tags
+}
+
+resource "aws_secretsmanager_secret_version" "postgresql" {
+  count     = length(var.postgresql_databases)
+  secret_id = aws_secretsmanager_secret.postgresql[count.index].id
+  secret_string = jsonencode({
+    "username"             = postgresql_role.default[count.index].name,
+    "engine"               = "postgresql",
+    "dbname"               = postgresql_database.default[count.index].name,
+    "host"                 = var.rds_host,
+    "password"             = random_password.default[count.index].result,
+    "port"                 = var.rds_port
+  })
+}
+
+data "template_file" "secrets_postgresql" {
+  count    = length(var.postgresql_databases)
+  template = file("${path.root}/../terraform/policies/iam_policy_secrets_read.json.tpl")
+  vars = {
+    secret_arn = aws_secretsmanager_secret.postgresql[count.index].arn
+  }
+}
+
+resource "aws_iam_policy" "secrets_postgresql" {
+  count  = length(var.postgresql_databases)
+  name   = "${var.project}-secrets_postgresql-${element(var.postgresql_databases, count.index)}"
+  policy = data.template_file.secrets_postgresql[count.index].rendered
+}
\ No newline at end of file
diff --git a/terraform-k8s-infrastructure/modules/postgresql/outputs.tf b/terraform-k8s-infrastructure/modules/postgresql/outputs.tf
new file mode 100644
index 00000000..e6fe7edd
--- /dev/null
+++ b/terraform-k8s-infrastructure/modules/postgresql/outputs.tf
@@ -0,0 +1,3 @@
+output "passwords" {
+  value = "${zipmap(postgresql_database.default.*.name, random_password.default.*.result)}"
+}
\ No newline at end of file
diff --git a/terraform-k8s-infrastructure/modules/postgresql/variables.tf b/terraform-k8s-infrastructure/modules/postgresql/variables.tf
new file mode 100644
index 00000000..65f80c8d
--- /dev/null
+++ b/terraform-k8s-infrastructure/modules/postgresql/variables.tf
@@ -0,0 +1,33 @@
+variable "project" {
+  type = string
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Tags to add to resources"
+}
+
+variable "rds_host" {
+  type = string
+}
+
+variable "rds_port" {
+  type = number
+}
+variable "rds_dbname" {
+  type = string
+}
+
+variable "rds_username" {
+  type = string
+}
+
+variable "rds_password" {
+  type        = string
+  description = "Superuser Password for Aurora Database"
+}
+
+variable "postgresql_databases" {
+  type        = list(string)
+  description = "List of PG databases to create."
+}
\ No newline at end of file
diff --git a/terraform-k8s-infrastructure/versions.tf b/terraform-k8s-infrastructure/versions.tf
index 23c049a7..eefab420 100644
--- a/terraform-k8s-infrastructure/versions.tf
+++ b/terraform-k8s-infrastructure/versions.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
       version = "~> 3.0"
     }
   }
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index 494e2cc2..74a61b63 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -113,4 +113,4 @@ output "aurora_port" {
 }
 output "aurora_dbname" {
   value = module.postgresql.dbname
-}
\ No newline at end of file
+}