diff --git a/docker-registry-production-1/Makefile b/docker-registry-production-1/Makefile
new file mode 100644
index 00000000..9552b6f6
--- /dev/null
+++ b/docker-registry-production-1/Makefile
@@ -0,0 +1,36 @@
+ENV_SHORT := production
+INFRA := docker-registry
+VAULT_SOURCE_PATH := docker-registry
+VAULT_SECRET_KEY := docker-registry
+VAULT_GCP_SECRET_KEY := docker-gcp-registry-prod-1
+TOP := $(shell git rev-parse --show-toplevel)
+
+ifeq ($(VAULT_ADDR),)
+ $(error VAULT_ADDR is not set)
+endif
+
+ifeq ($(VAULT_TOKEN),)
+ $(error VAULT_TOKEN is not set)
+endif
+
+include $(TOP)/terraform-common.mk
+include $(TOP)/trvs.mk
+
+# Use terraform v0.12.29
+PROD_TF_VERSION := v0.12.29
+TERRAFORM := $(TF_INSTALLATION_PREFIX)/terraform-$(PROD_TF_VERSION)
+
+export PROD_TF_VERSION
+export TERRAFORM
+
+.config: $(ENV_NAME).auto.tfvars $(TRVS_INFRA_ENV_TFVARS)
+
+$(ENV_NAME).auto.tfvars:
+ @echo "" >$@
+
+$(TRVS_INFRA_ENV_TFVARS):
+ vault kv get -format=json -field=data ${VAULT_SOURCE_PATH}/${VAULT_SECRET_KEY} > ${VAULT_SECRET_KEY}.auto.tfvars.json
+ vault kv get -format=json -field=data ${VAULT_SOURCE_PATH}/${VAULT_GCP_SECRET_KEY} > ${VAULT_GCP_SECRET_KEY}.auto.tfvars.json
+
+$(TRVS_ENV_NAME_TFVARS):
+ @echo "" >$@
diff --git a/docker-registry-production-1/main.tf b/docker-registry-production-1/main.tf
new file mode 100644
index 00000000..54f5cebf
--- /dev/null
+++ b/docker-registry-production-1/main.tf
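Review bot: The two `vault kv get` redirections in the `$(TRVS_INFRA_ENV_TFVARS)` recipe write a TLS private key and a GCP service-account JSON into the working tree under the caller's default umask, so the files are typically created 0644 and readable by every local user. Prefix each command with `umask 077 && ` so both `.auto.tfvars.json` files are owner-only from the moment they exist. The recipe also never writes `$@`: unless trvs.mk defines `TRVS_INFRA_ENV_TFVARS` as one of those two paths, make cannot see the secrets are already present and re-fetches them on every run, which also means a failed second fetch leaves the first file behind with nothing to clean it up.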
@@ -0,0 +1,83 @@
+variable "env" {
+ default = "production"
+}
+
+variable "index" {
+ default = 1
+}
+
+variable "project" {
+ default = "eco-emissary-99515"
+}
+
+variable "region" {
+ default = "us-central1"
+}
+
+variable "machine_type" {
+ default = "n1-standard-4"
+}
+
+variable "target_size" {
+ default = 2
+}
+
+variable "REGISTRY_HTTP_TLS_CERTIFICATE" {}
+variable "REGISTRY_HTTP_TLS_KEY" {}
+
+variable "APPLICATION_DEFAULT_CREDENTIALS" {}
+
+terraform {
+ backend "s3" {
+ bucket = "travis-terraform-state"
+ key = "terraform-config/docker-registry-production-1.tfstate"
+ region = "us-east-1"
+ encrypt = "true"
+ dynamodb_table = "travis-terraform-state"
+ }
+}
+
+provider "google" {
+ project = var.project
+ region = var.region
+}
+
+provider "google-beta" {
+ project = var.project
+ region = var.region
+}
+
+module "docker_registry" {
+ source = "../modules/docker_registry"
+
+ cache_size_mb = 3000
+ env = var.env
+ index = var.index
+ machine_type = var.machine_type
+ target_size = var.target_size
+
+ REGISTRY_HTTP_TLS_CERTIFICATE = var.REGISTRY_HTTP_TLS_CERTIFICATE
+ REGISTRY_HTTP_TLS_KEY = var.REGISTRY_HTTP_TLS_KEY
+
+ APPLICATION_DEFAULT_CREDENTIALS = var.APPLICATION_DEFAULT_CREDENTIALS
+}
+
+module "docker_registry_east" {
+ source = "../modules/docker_registry"
+
+ cache_size_mb = 3000
+ env = var.env
+ index = var.index
+ machine_type = var.machine_type
+ target_size = var.target_size
+ network = "main-us-east1"
+
+ REGISTRY_HTTP_TLS_CERTIFICATE = var.REGISTRY_HTTP_TLS_CERTIFICATE
+ REGISTRY_HTTP_TLS_KEY = var.REGISTRY_HTTP_TLS_KEY
+
+ APPLICATION_DEFAULT_CREDENTIALS = var.APPLICATION_DEFAULT_CREDENTIALS
+
+ prefix = "-east"
+ region = "us-east1"
+ zones = ["b", "c", "d"]
+}
diff --git a/docker-registry-production-2/Makefile b/docker-registry-production-2/Makefile
new file mode 100644
index 00000000..69500420
--- /dev/null
+++ b/docker-registry-production-2/Makefile
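Review bot: The `terraform {}` block pins the S3 backend but not the Terraform release, while the Makefile beside it hard-codes v0.12.29; anyone who runs `terraform apply` without make, or with a newer binary first on PATH, will silently rewrite the shared `docker-registry-production-1.tfstate` in a newer state format that the pinned binary can no longer read. Add `required_version = "~> 0.12.29"` inside the `terraform {}` block so the mismatch fails at `init` instead of after the state has been touched. The same omission is present in the other four root modules in this change.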
@@ -0,0 +1,36 @@
+ENV_SHORT := production
+INFRA := docker-registry
+VAULT_SOURCE_PATH := docker-registry
+VAULT_SECRET_KEY := docker-registry
+VAULT_GCP_SECRET_KEY := docker-gcp-registry-prod-2
+TOP := $(shell git rev-parse --show-toplevel)
+
+ifeq ($(VAULT_ADDR),)
+ $(error VAULT_ADDR is not set)
+endif
+
+ifeq ($(VAULT_TOKEN),)
+ $(error VAULT_TOKEN is not set)
+endif
+
+include $(TOP)/terraform-common.mk
+include $(TOP)/trvs.mk
+
+# Use terraform v0.12.29
+PROD_TF_VERSION := v0.12.29
+TERRAFORM := $(TF_INSTALLATION_PREFIX)/terraform-$(PROD_TF_VERSION)
+
+export PROD_TF_VERSION
+export TERRAFORM
+
+.config: $(ENV_NAME).auto.tfvars $(TRVS_INFRA_ENV_TFVARS)
+
+$(ENV_NAME).auto.tfvars:
+ @echo "" >$@
+
+$(TRVS_INFRA_ENV_TFVARS):
+ vault kv get -format=json -field=data ${VAULT_SOURCE_PATH}/${VAULT_SECRET_KEY} > ${VAULT_SECRET_KEY}.auto.tfvars.json
+ vault kv get -format=json -field=data ${VAULT_SOURCE_PATH}/${VAULT_GCP_SECRET_KEY} > ${VAULT_GCP_SECRET_KEY}.auto.tfvars.json
+
+$(TRVS_ENV_NAME_TFVARS):
+ @echo "" >$@
diff --git a/docker-registry-production-2/main.tf b/docker-registry-production-2/main.tf
new file mode 100644
index 00000000..5d459cd9
--- /dev/null
+++ b/docker-registry-production-2/main.tf
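Review bot: This Makefile differs from docker-registry-production-1/Makefile only in `VAULT_GCP_SECRET_KEY`, and the remaining thirty-odd lines are repeated again in the production-3, production-4 and staging-1 directories, so any fix to the vault recipe or to the version pin now has to be made five times and will drift. Keep only the per-environment assignments in each directory and move the `VAULT_ADDR`/`VAULT_TOKEN` guards, the includes, the `PROD_TF_VERSION` pin and the three rules into one shared file, so this Makefile reduces to `VAULT_GCP_SECRET_KEY := docker-gcp-registry-prod-2` plus `include $(TOP)/docker-registry.mk`. `TOP` must be assigned before that include, as it already is here.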
@@ -0,0 +1,83 @@
+variable "env" {
+ default = "production"
+}
+
+variable "index" {
+ default = 1
+}
+
+variable "project" {
+ default = "travis-ci-prod-2"
+}
+
+variable "region" {
+ default = "us-central1"
+}
+
+variable "machine_type" {
+ default = "n1-standard-4"
+}
+
+variable "target_size" {
+ default = 2
+}
+
+variable "REGISTRY_HTTP_TLS_CERTIFICATE" {}
+variable "REGISTRY_HTTP_TLS_KEY" {}
+
+variable "APPLICATION_DEFAULT_CREDENTIALS" {}
+
+terraform {
+ backend "s3" {
+ bucket = "travis-terraform-state"
+ key = "terraform-config/docker-registry-production-2.tfstate"
+ region = "us-east-1"
+ encrypt = "true"
+ dynamodb_table = "travis-terraform-state"
+ }
+}
+
+provider "google" {
+ project = var.project
+ region = var.region
+}
+
+provider "google-beta" {
+ project = var.project
+ region = var.region
+}
+
+module "docker_registry" {
+ source = "../modules/docker_registry"
+
+ cache_size_mb = 3000
+ env = var.env
+ index = var.index
+ machine_type = var.machine_type
+ target_size = var.target_size
+
+ REGISTRY_HTTP_TLS_CERTIFICATE = var.REGISTRY_HTTP_TLS_CERTIFICATE
+ REGISTRY_HTTP_TLS_KEY = var.REGISTRY_HTTP_TLS_KEY
+
+ APPLICATION_DEFAULT_CREDENTIALS = var.APPLICATION_DEFAULT_CREDENTIALS
+}
+
+module "docker_registry_east" {
+ source = "../modules/docker_registry"
+
+ cache_size_mb = 3000
+ env = var.env
+ index = var.index
+ machine_type = var.machine_type
+ target_size = var.target_size
+ network = "main-us-east1"
+
+ REGISTRY_HTTP_TLS_CERTIFICATE = var.REGISTRY_HTTP_TLS_CERTIFICATE
+ REGISTRY_HTTP_TLS_KEY = var.REGISTRY_HTTP_TLS_KEY
+
+APPLICATION_DEFAULT_CREDENTIALS = var.APPLICATION_DEFAULT_CREDENTIALS
+
+ prefix = "-east"
+ region = "us-east1"
+ zones = ["b", "c", "d"]
+}
diff --git a/docker-registry-production-3/Makefile b/docker-registry-production-3/Makefile
new file mode 100644
index 00000000..c5a88dae
--- /dev/null
+++ b/docker-registry-production-3/Makefile
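Review bot: In `module "docker_registry_east"` the line `APPLICATION_DEFAULT_CREDENTIALS = var.APPLICATION_DEFAULT_CREDENTIALS` sits at column 0 while every sibling argument is indented, so this file was evidently not run through `terraform fmt` before commit, unlike the production-1 root it was copied from. Run `terraform fmt` on the directory and, since `encrypt` is a boolean backend setting, write it as `encrypt = true` rather than the string `"true"` so the five roots stay uniform. If terraform-common.mk does not already carry a `fmt -check` step, adding one would keep these copies from diverging further.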
@@ -0,0 +1,36 @@
+ENV_SHORT := production
+INFRA := docker-registry
+VAULT_SOURCE_PATH := docker-registry
+VAULT_SECRET_KEY := docker-registry
+VAULT_GCP_SECRET_KEY := docker-gcp-registry-prod-3
+TOP := $(shell git rev-parse --show-toplevel)
+
+ifeq ($(VAULT_ADDR),)
+ $(error VAULT_ADDR is not set)
+endif
+
+ifeq ($(VAULT_TOKEN),)
+ $(error VAULT_TOKEN is not set)
+endif
+
+include $(TOP)/terraform-common.mk
+include $(TOP)/trvs.mk
+
+# Use terraform v0.12.29
+PROD_TF_VERSION := v0.12.29
+TERRAFORM := $(TF_INSTALLATION_PREFIX)/terraform-$(PROD_TF_VERSION)
+
+export PROD_TF_VERSION
+export TERRAFORM
+
+.config: $(ENV_NAME).auto.tfvars $(TRVS_INFRA_ENV_TFVARS)
+
+$(ENV_NAME).auto.tfvars:
+ @echo "" >$@
+
+$(TRVS_INFRA_ENV_TFVARS):
+ vault kv get -format=json -field=data ${VAULT_SOURCE_PATH}/${VAULT_SECRET_KEY} > ${VAULT_SECRET_KEY}.auto.tfvars.json
+ vault kv get -format=json -field=data ${VAULT_SOURCE_PATH}/${VAULT_GCP_SECRET_KEY} > ${VAULT_GCP_SECRET_KEY}.auto.tfvars.json
+
+$(TRVS_ENV_NAME_TFVARS):
+ @echo "" >$@
diff --git a/docker-registry-production-3/main.tf b/docker-registry-production-3/main.tf
new file mode 100644
index 00000000..abcde55c
--- /dev/null
+++ b/docker-registry-production-3/main.tf
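Review bot: Nothing in this Makefile removes `docker-registry.auto.tfvars.json` and `docker-gcp-registry-prod-3.auto.tfvars.json` once the apply is done, so a TLS private key and a GCP service-account key stay on the operator's disk, and in any backup or shared checkout of it, until someone deletes them by hand; whether a `clean` target in terraform-common.mk covers these names is not visible here. Add a phony `clean-secrets:` target with the recipe `$(RM) $(VAULT_SECRET_KEY).auto.tfvars.json $(VAULT_GCP_SECRET_KEY).auto.tfvars.json`, run it after apply, and make sure both paths are matched by the repository's `.gitignore` so they can never be committed.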
@@ -0,0 +1,83 @@
+variable "env" {
+ default = "production"
+}
+
+variable "index" {
+ default = 1
+}
+
+variable "project" {
+ default = "travis-ci-prod-3"
+}
+
+variable "region" {
+ default = "us-central1"
+}
+
+variable "machine_type" {
+ default = "n1-standard-4"
+}
+
+variable "target_size" {
+ default = 2
+}
+
+variable "REGISTRY_HTTP_TLS_CERTIFICATE" {}
+variable "REGISTRY_HTTP_TLS_KEY" {}
+
+variable "APPLICATION_DEFAULT_CREDENTIALS" {}
+
+terraform {
+ backend "s3" {
+ bucket = "travis-terraform-state"
+ key = "terraform-config/docker-registry-production-3.tfstate"
+ region = "us-east-1"
+ encrypt = "true"
+ dynamodb_table = "travis-terraform-state"
+ }
+}
+
+provider "google" {
+ project = var.project
+ region = var.region
+}
+
+provider "google-beta" {
+ project = var.project
+ region = var.region
+}
+
+module "docker_registry" {
+ source = "../modules/docker_registry"
+
+ cache_size_mb = 3000
+ env = var.env
+ index = var.index
+ machine_type = var.machine_type
+ target_size = var.target_size
+
+ REGISTRY_HTTP_TLS_CERTIFICATE = "${var.REGISTRY_HTTP_TLS_CERTIFICATE}"
+ REGISTRY_HTTP_TLS_KEY = "${var.REGISTRY_HTTP_TLS_KEY}"
+
+ APPLICATION_DEFAULT_CREDENTIALS = var.APPLICATION_DEFAULT_CREDENTIALS
+}
+
+module "docker_registry_east" {
+ source = "../modules/docker_registry"
+
+ cache_size_mb = 3000
+ env = var.env
+ index = var.index
+ machine_type = var.machine_type
+ target_size = var.target_size
+ network = "main-us-east1"
+
+ REGISTRY_HTTP_TLS_CERTIFICATE = "${var.REGISTRY_HTTP_TLS_CERTIFICATE}"
+ REGISTRY_HTTP_TLS_KEY = "${var.REGISTRY_HTTP_TLS_KEY}"
+
+ APPLICATION_DEFAULT_CREDENTIALS = var.APPLICATION_DEFAULT_CREDENTIALS
+
+ prefix = "-east"
+ region = "us-east1"
+ zones = ["b", "c", "d"]
+}
diff --git a/docker-registry-production-4/Makefile b/docker-registry-production-4/Makefile
new file mode 100644
index 00000000..4dee1ac3
--- /dev/null
+++ b/docker-registry-production-4/Makefile
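Review bot: The four TLS arguments in both module blocks use the 0.11-style `"${var.REGISTRY_HTTP_TLS_CERTIFICATE}"` wrapping while the rest of this file, and the production-1 and production-2 roots in the same change, pass `var.REGISTRY_HTTP_TLS_CERTIFICATE` directly; Terraform 0.12 accepts the old form but emits an interpolation-only warning on every plan, which trains people to ignore plan output. Change the four lines to the bare form, e.g. `REGISTRY_HTTP_TLS_KEY = var.REGISTRY_HTTP_TLS_KEY`, so the roots are uniform and the plan stays warning-free.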
@@ -0,0 +1,36 @@
+ENV_SHORT := production
+INFRA := docker-registry
+VAULT_SOURCE_PATH := docker-registry
+VAULT_SECRET_KEY := docker-registry
+VAULT_GCP_SECRET_KEY := docker-gcp-registry-prod-4
+TOP := $(shell git rev-parse --show-toplevel)
+
+ifeq ($(VAULT_ADDR),)
+ $(error VAULT_ADDR is not set)
+endif
+
+ifeq ($(VAULT_TOKEN),)
+ $(error VAULT_TOKEN is not set)
+endif
+
+include $(TOP)/terraform-common.mk
+include $(TOP)/trvs.mk
+
+# Use terraform v0.12.29
+PROD_TF_VERSION := v0.12.29
+TERRAFORM := $(TF_INSTALLATION_PREFIX)/terraform-$(PROD_TF_VERSION)
+
+export PROD_TF_VERSION
+export TERRAFORM
+
+.config: $(ENV_NAME).auto.tfvars $(TRVS_INFRA_ENV_TFVARS)
+
+$(ENV_NAME).auto.tfvars:
+ @echo "" >$@
+
+$(TRVS_INFRA_ENV_TFVARS):
+ vault kv get -format=json -field=data ${VAULT_SOURCE_PATH}/${VAULT_SECRET_KEY} > ${VAULT_SECRET_KEY}.auto.tfvars.json
+ vault kv get -format=json -field=data ${VAULT_SOURCE_PATH}/${VAULT_GCP_SECRET_KEY} > ${VAULT_GCP_SECRET_KEY}.auto.tfvars.json
+
+$(TRVS_ENV_NAME_TFVARS):
+ @echo "" >$@
diff --git a/docker-registry-production-4/main.tf b/docker-registry-production-4/main.tf
new file mode 100644
index 00000000..58d768f2
--- /dev/null
+++ b/docker-registry-production-4/main.tf
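Review bot: The `ifeq ($(VAULT_TOKEN),)` guard forces the Vault token into the process environment, where it is inherited by `vault`, by `terraform` and every provider plugin it spawns, and by any `$(shell …)` in the included makefiles; the vault CLI also accepts the token from its token helper (`~/.vault-token` by default), which keeps it out of the environment and out of `ps`. Consider accepting either source, e.g. `ifeq ($(VAULT_TOKEN)$(wildcard $(HOME)/.vault-token),)`, and if the variable is kept, document that it must be exported rather than passed as `make VAULT_TOKEN=…`, where it lands in shell history.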
@@ -0,0 +1,63 @@
+variable "env" {
+ default = "production"
+}
+
+variable "index" {
+ default = 1
+}
+
+variable "project" {
+ default = "travis-ci-prod-oss-4"
+}
+
+variable "region" {
+ default = "us-central1"
+}
+
+variable "machine_type" {
+ default = "n1-standard-4"
+}
+
+variable "target_size" {
+ default = 2
+}
+
+variable "REGISTRY_HTTP_TLS_CERTIFICATE" {}
+variable "REGISTRY_HTTP_TLS_KEY" {}
+
+variable "APPLICATION_DEFAULT_CREDENTIALS" {}
+
+terraform {
+ backend "s3" {
+ bucket = "travis-terraform-state"
+ key = "terraform-config/docker-registry-production-4-oss.tfstate"
+ region = "us-east-1"
+ encrypt = "true"
+ dynamodb_table = "travis-terraform-state"
+ }
+}
+
+provider "google" {
+ project = var.project
+ region = var.region
+}
+
+provider "google-beta" {
+ project = var.project
+ region = var.region
+}
+
+module "docker_registry" {
+ source = "../modules/docker_registry"
+
+ cache_size_mb = 3000
+ env = var.env
+ index = var.index
+ machine_type = var.machine_type
+ target_size = var.target_size
+
+ REGISTRY_HTTP_TLS_CERTIFICATE = var.REGISTRY_HTTP_TLS_CERTIFICATE
+ REGISTRY_HTTP_TLS_KEY = var.REGISTRY_HTTP_TLS_KEY
+
+ APPLICATION_DEFAULT_CREDENTIALS = var.APPLICATION_DEFAULT_CREDENTIALS
+}
diff --git a/docker-registry-staging-1/Makefile b/docker-registry-staging-1/Makefile
new file mode 100644
index 00000000..0f79d00c
--- /dev/null
+++ b/docker-registry-staging-1/Makefile
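Review bot: Neither `provider "google"` nor `provider "google-beta"` carries a `version` constraint, so `terraform init` fetches whatever release is newest on the day it runs, and an unreviewed provider upgrade can change how the module's instance template and firewall rules are rendered on any later apply. Pin both to the major version currently in use, e.g. `version = "~> 3.0"` inside each `provider` block (the 0.12 syntax, since there is no `required_providers` lock file at this release), and bump it deliberately. This root also omits the east-coast module the other production roots declare; if that is intentional a one-line comment saying so would save the next reader a diff.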
@@ -0,0 +1,36 @@
+ENV_SHORT := staging
+INFRA := docker-registry
+VAULT_SOURCE_PATH := docker-registry
+VAULT_SECRET_KEY := docker-registry
+VAULT_GCP_SECRET_KEY := docker-gcp-registry
+TOP := $(shell git rev-parse --show-toplevel)
+
+ifeq ($(VAULT_ADDR),)
+ $(error VAULT_ADDR is not set)
+endif
+
+ifeq ($(VAULT_TOKEN),)
+ $(error VAULT_TOKEN is not set)
+endif
+
+include $(TOP)/terraform-common.mk
+include $(TOP)/trvs.mk
+
+# Use terraform v0.12.29
+PROD_TF_VERSION := v0.12.29
+TERRAFORM := $(TF_INSTALLATION_PREFIX)/terraform-$(PROD_TF_VERSION)
+
+export PROD_TF_VERSION
+export TERRAFORM
+
+.config: $(ENV_NAME).auto.tfvars $(TRVS_INFRA_ENV_TFVARS)
+
+$(ENV_NAME).auto.tfvars:
+ @echo "" >$@
+
+$(TRVS_INFRA_ENV_TFVARS):
+ vault kv get -format=json -field=data ${VAULT_SOURCE_PATH}/${VAULT_SECRET_KEY} > ${VAULT_SECRET_KEY}.auto.tfvars.json
+ vault kv get -format=json -field=data ${VAULT_SOURCE_PATH}/${VAULT_GCP_SECRET_KEY} > ${VAULT_GCP_SECRET_KEY}.auto.tfvars.json
+
+$(TRVS_ENV_NAME_TFVARS):
+ @echo "" >$@
diff --git a/docker-registry-staging-1/main.tf b/docker-registry-staging-1/main.tf
new file mode 100644
index 00000000..f6a75e9f
--- /dev/null
+++ b/docker-registry-staging-1/main.tf
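Review bot: `VAULT_SOURCE_PATH`/`VAULT_SECRET_KEY` resolve to the same `docker-registry/docker-registry` secret that all four production Makefiles read, and only `VAULT_GCP_SECRET_KEY` is environment-specific; assuming that secret is what populates `REGISTRY_HTTP_TLS_CERTIFICATE`/`REGISTRY_HTTP_TLS_KEY` (the variable names suggest so), staging hosts are provisioned with the production TLS private key, and a compromised staging instance can impersonate the production registry. Give staging its own key material, e.g. `VAULT_SECRET_KEY := docker-registry-staging`, and if staging hosts have already been built from the shared path, rotate the production key after the split.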
@@ -0,0 +1,53 @@
+variable "env" {
+ default = "staging"
+}
+
+variable "index" {
+ default = 1
+}
+
+variable "project" {
+ default = "travis-staging-1"
+}
+
+variable "region" {
+ default = "us-central1"
+}
+
+variable "REGISTRY_HTTP_TLS_CERTIFICATE" {}
+variable "REGISTRY_HTTP_TLS_KEY" {}
+
+variable "APPLICATION_DEFAULT_CREDENTIALS" {}
+
+terraform {
+ backend "s3" {
+ bucket = "travis-terraform-state"
+ key = "terraform-config/docker-registry-staging-1.tfstate"
+ region = "us-east-1"
+ encrypt = "true"
+ dynamodb_table = "travis-terraform-state"
+ }
+}
+
+provider "google" {
+ project = var.project
+ region = var.region
+}
+
+provider "google-beta" {
+ project = var.project
+ region = var.region
+}
+
+module "docker_registry" {
+ source = "../modules/docker_registry"
+
+ cache_size_mb = 40
+ env = var.env
+ index = var.index
+
+ REGISTRY_HTTP_TLS_CERTIFICATE = "${var.REGISTRY_HTTP_TLS_CERTIFICATE}"
+ REGISTRY_HTTP_TLS_KEY = "${var.REGISTRY_HTTP_TLS_KEY}"
+
+ APPLICATION_DEFAULT_CREDENTIALS = var.APPLICATION_DEFAULT_CREDENTIALS
+}
diff --git a/modules/docker_registry/cloud-config.yml.tpl b/modules/docker_registry/cloud-config.yml.tpl
new file mode 100644
index 00000000..54a987cc
--- /dev/null
+++ b/modules/docker_registry/cloud-config.yml.tpl
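Review bot: `REGISTRY_HTTP_TLS_KEY` and `APPLICATION_DEFAULT_CREDENTIALS` are declared as bare string variables with no description, and Terraform 0.12.29 has no `sensitive` attribute, so their full values appear in `terraform plan` output whenever the module's rendered cloud-config changes and are stored verbatim in `docker-registry-staging-1.tfstate`; `encrypt = "true"` is S3 at-rest encryption only and does not restrict who can read the object. Add a description that says so, e.g. `description = "PEM private key for the registry TLS endpoint; secret, ends up in plan output and state"`, and the equivalent for the credentials JSON, so nobody pastes a plan into a ticket, and confirm the `travis-terraform-state` bucket and table are readable only by the deploy identity. `cache_size_mb = 40` against a module default of 102400 looks deliberate for staging but deserves a comment.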
@@ -0,0 +1,26 @@
+#cloud-config
+# vim:filetype=yaml
+
+write_files:
+- content: '${base64encode(APPLICATION_DEFAULT_CREDENTIALS)}'
+ encoding: b64
+ path: /etc/google/auth/application_default_credentials.json
+- content: '${base64encode(REGISTRY_HTTP_TLS_CERTIFICATE)}'
+ encoding: b64
+ path: /etc/ssl/docker/tls.crt
+- content: '${base64encode(REGISTRY_HTTP_TLS_KEY)}'
+ encoding: b64
+ path: /etc/ssl/docker/tls.key
+- content: '${base64encode(registry_env)}'
+ encoding: b64
+ path: /etc/docker/registry/env
+- content: '${base64encode(file("${here}/cloud-init.bash"))}'
+ encoding: b64
+ path: /var/lib/cloud/scripts/per-boot/99-cloud-init
+ permissions: '0750'
+- content: '${base64encode(docker_registry_config)}'
+ encoding: b64
+ path: /etc/docker/registry/config.yml
+- content: '${base64encode("___INSTANCE_NAME___\n")}'
+ encoding: b64
+ path: /var/tmp/travis-run.d/instance-hostname.tmpl
diff --git a/modules/docker_registry/cloud-init.bash b/modules/docker_registry/cloud-init.bash
new file mode 100644
index 00000000..d9beee96
--- /dev/null
+++ b/modules/docker_registry/cloud-init.bash
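Review bot: The `write_files` entries for `/etc/ssl/docker/tls.key`, `/etc/google/auth/application_default_credentials.json` and `/etc/docker/registry/env` set no `permissions`, so cloud-init creates them with its default mode of 0644 and the TLS private key and service-account credentials are readable by every process on the host; only the boot script gets an explicit `'0750'`. Add `permissions: '0600'` to each of those three entries, and for clarity `permissions: '0644'` to the certificate and `config.yml` entries so the intended modes are visible side by side. This hardens the on-disk copies only: the rendered cloud-config, secrets included, is presumably attached as instance metadata by the module's main.tf (cut off in this view) and is then readable by any local process via the metadata server, so the service account should be scoped to the registry bucket alone.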
@@ -0,0 +1,124 @@
+#!/usr/bin/env bash
+# vim:filetype=sh
+set -o errexit
+set -o pipefail
+
+main() {
+ [[ "${QUIET}" ]] || set -o xtrace
+
+ : "${DEV:=/dev}"
+ : "${ETCDIR:=/etc}"
+ : "${RUNDIR:=/var/tmp/travis-run.d}"
+ : "${VARLIBDIR:=/var/lib}"
+ : "${VARLOGDIR:=/var/log}"
+ : "${VARTMP:=/var/tmp}"
+
+ export DEBIAN_FRONTEND=noninteractive
+ chown nobody:nogroup "${VARTMP}"
+ chmod 0777 "${VARTMP}"
+
+ for substep in \
+ monitoring_agent \
+ restore_registry \
+ docker_registry \
+ registry_backup; do
+ logger running setup substep="${substep}"
+ "__setup_${substep}"
+ done
+}
+
+__wait_for_docker() {
+ local i=0
+
+ while ! docker version; do
+ if [[ $i -gt 600 ]]; then
+ exit 86
+ fi
+ systemctl start docker &>/dev/null || true
+ sleep 10
+ let i+=10
+ done
+}
+
+__setup_monitoring_agent() {
+
+ curl -sSO https://dl.google.com/cloudagents/add-monitoring-agent-repo.sh
+ bash add-monitoring-agent-repo.sh
+ apt update -yqq
+ apt install stackdriver-agent -y
+
+}
+
+__setup_restore_registry() {
+
+ gcloud auth activate-service-account --key-file=/etc/google/auth/application_default_credentials.json
+ PROJECT_ID=$(gcloud config get-value project)
+ BUCKET=${PROJECT_ID}-docker-registry
+ mkdir -p /var/lib/registry
+ touch /var/lib/registry/gsutil.lock
+ gsutil -m rsync -r gs://${BUCKET}/ /var/lib/registry/ >/dev/null 2>&1 && rm -f /var/lib/registry/gsutil.lock &
+
+}
+
+__setup_docker_registry() {
+
+ apt update -yqq
+ apt install docker.io -y
+ docker pull gcr.io/travis-ci-prod-oss-4/registry:v2.7.0-167-g551158e6
+ docker tag gcr.io/travis-ci-prod-oss-4/registry:v2.7.0-167-g551158e6 registry:2
+ docker run -d -p 443:443 --restart=always --name registry --env-file /etc/docker/registry/env -v /etc/docker/registry/config.yml:/etc/docker/registry/config.yml -v /etc/ssl/docker:/etc/ssl/docker -v /var/lib/registry:/var/lib/registry registry:2
+
+}
+
+__setup_registry_backup() {
+
+ tee /usr/local/bin/docker-registry-backup.sh <<-'EOF'
+#!/bin/bash
+
+set -o errtrace
+
+exec 1>/var/log/docker-registry-backup.log 2>&1
+
+. /etc/profile.d/apps-bin-path.sh
+
+if [[ -f /var/lib/registry/gsutil.lock ]]; then
+ echo "Lock file present"; exit 1;
+fi
+
+gcloud auth activate-service-account --key-file=/etc/google/auth/application_default_credentials.json
+INSTANCE_NAME=$(curl -s "http://metadata.google.internal/computeMetadata/v1/instance/name" -H "Metadata-Flavor: Google")
+PROJECT_ID=$(gcloud config get-value project)
+BUCKET=${PROJECT_ID}-docker-registry
+echo $INSTANCE_NAME > /var/lib/registry/INSTANCE_NAME
+
+gsutil cp gs://${BUCKET}/INSTANCE_NAME /tmp/ || true
+DOCKER_REGISTRY_INSTANCE_NAME=$(cat /tmp/INSTANCE_NAME)
+
+if [[ -z "$DOCKER_REGISTRY_INSTANCE_NAME" ]]; then
+ gsutil cp /var/lib/registry/INSTANCE_NAME gs://${BUCKET}/
+ DOCKER_REGISTRY_INSTANCE_NAME=${INSTANCE_NAME}
+fi
+
+INSTANCES=$(gcloud compute instances list) || { echo "Something went wrong"; exit 1; }
+echo ${INSTANCES} | grep -q ${DOCKER_REGISTRY_INSTANCE_NAME}
+status=$?
+
+if [[ $status -eq 1 ]]; then
+ gsutil cp /var/lib/registry/INSTANCE_NAME gs://${BUCKET}/
+ status=0
+ DOCKER_REGISTRY_INSTANCE_NAME=${INSTANCE_NAME}
+fi
+
+if [[ $DOCKER_REGISTRY_INSTANCE_NAME == $INSTANCE_NAME ]] && [[ $status -eq 0 ]]; then
+ gsutil mb gs://${BUCKET} || true
+ gsutil cp /var/lib/registry/INSTANCE_NAME gs://${BUCKET}/
+ gsutil -m rsync -r -d /var/lib/registry/ gs://${BUCKET}/
+fi
+EOF
+ chmod +x /usr/local/bin/docker-registry-backup.sh
+ rand=$(( RANDOM % 60 ))
+ ( crontab -l | echo "${rand} */4 * * * /usr/local/bin/docker-registry-backup.sh >/dev/null 2>&1" ) | crontab -
+
+}
+
+main "${@}"
diff --git a/modules/docker_registry/config.yml.tpl b/modules/docker_registry/config.yml.tpl
new file mode 100644
index 00000000..454e650f
--- /dev/null
+++ b/modules/docker_registry/config.yml.tpl
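Review bot: `__setup_docker_registry` pulls `gcr.io/travis-ci-prod-oss-4/registry:v2.7.0-167-g551158e6` by mutable tag and `__setup_monitoring_agent` executes `add-monitoring-agent-repo.sh` straight from a `curl` download with no integrity check, both as root on every boot, so anyone who can re-push that tag or alter the download decides what runs on every registry host. Pin the image by digest, `docker pull gcr.io/travis-ci-prod-oss-4/registry@sha256:<digest>`, and compare the agent script against a committed hash before `bash`-ing it. Separately, `__setup_restore_registry` removes `gsutil.lock` only when the backgrounded `gsutil rsync` succeeds, so a failed restore leaves the lock in place and every later cron run exits with `Lock file present`, with its output discarded by the `>/dev/null 2>&1` in the crontab line; and `crontab -l | echo …` drops any existing crontab because `echo` ignores stdin (`( crontab -l 2>/dev/null; echo "…" ) | crontab -` keeps it). The backup script also trusts `/tmp/INSTANCE_NAME`, a path any local user can pre-create.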
@@ -0,0 +1,32 @@
+version: 0.1
+log:
+ fields:
+ service: registry
+storage:
+ cache:
+ blobdescriptor: inmemory
+ filesystem:
+ rootdirectory: /var/lib/registry
+ delete:
+ enabled: true
+ maintenance:
+ uploadpurging:
+ enabled: true
+ age: 6h
+ interval: 1h
+ dryrun: false
+http:
+ addr: :443
+ headers:
+ X-Content-Type-Options: [nosniff]
+ #auth:
+ # htpasswd:
+ #realm: basic-realm
+ #path: /etc/registry
+health:
+ storagedriver:
+ enabled: true
+ interval: 10s
+ threshold: 3
+proxy:
+ remoteurl: https://registry-1.docker.io
diff --git a/modules/docker_registry/main.tf b/modules/docker_registry/main.tf
new file mode 100644
index 00000000..6341af98
--- /dev/null
+++ b/modules/docker_registry/main.tf
@@ -0,0 +1,228 @@
+variable "allowed_internal_ranges" {
+ default = ["10.0.0.0/8"]
+}
+
+variable "cache_size_mb" {
+ default = 102400
+}
+
+variable "env" {}
+
+variable "gce_health_check_source_ranges" {
+ default = [
+ "130.211.0.0/22",
+ "35.191.0.0/16",
+ ]
+}
+
+variable "index" {}
+
+variable "machine_type" {
+ default = "n1-standard-2"
+}
+
+variable "network" {
+ default = "main"
+}
+
+variable "region" {
+ default = "us-central1"
+}
+
+variable "prefix" {
+ default = ""
+}
+
+variable "target_size" {
+ default = 2
+}
+
+variable "zones" {
+ default = ["a", "b", "c", "f"]
+}
+
+variable "REGISTRY_HTTP_TLS_CERTIFICATE" {}
+variable "REGISTRY_HTTP_TLS_KEY" {}
+
+variable "APPLICATION_DEFAULT_CREDENTIALS" {}
+
+data "template_file" "docker_registry_config" {
+ template = "${file("${path.module}/config.yml.tpl")}"
+}
+
+data "template_file" "cloud_config" {
+ template = "${file("${path.module}/cloud-config.yml.tpl")}"
+
+ vars = {
+ assets = "${path.module}/../../../../assets"
+ here = "${path.module}"
+ docker_registry_config = "${data.template_file.docker_registry_config.rendered}"
+
+ registry_env = <
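Review bot: The `auth` section is commented out while `storage.delete.enabled` is `true`, so any client that can reach port 443 can not only pull through the proxy but, unless this registry build refuses external deletes in proxy mode, also issue `DELETE` requests against manifests and blobs under `/var/lib/registry`, and the next `gsutil rsync -d` backup would carry those deletions into the bucket; confirm the proxy-mode behaviour, and otherwise set `delete: enabled: false` or restore the `htpasswd` block. The commented-out block is also dead configuration with `#realm`/`#path` mis-indented to the `htpasswd` level; either enable it or remove it so the template shows only effective settings. If network exposure is meant to be bounded by `allowed_internal_ranges`, that firewall lives in the module's main.tf, whose hunk is cut off in this view.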