diff --git a/services/terraform/self-host/.gitignore b/services/terraform/self-host/.gitignore
--- a/services/terraform/self-host/.gitignore
+++ b/services/terraform/self-host/.gitignore
@@ -1,7 +1,3 @@
-# User-specific files
-.sops.yaml
-keyserver_secrets.json
-
 # Local .terraform directories
 **/.terraform/*
 
diff --git a/services/terraform/self-host/aws_db.tf b/services/terraform/self-host/aws_db.tf
--- a/services/terraform/self-host/aws_db.tf
+++ b/services/terraform/self-host/aws_db.tf
@@ -9,7 +9,7 @@
     from_port   = 3307
     to_port     = 3307
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = ["${var.allowed_ip}/32"]
   }
 
   # Outbound rules
@@ -34,8 +34,8 @@
   instance_class         = "db.m6g.large"
   db_subnet_group_name   = aws_db_subnet_group.public_db_subnet_group.name
   vpc_security_group_ids = [aws_security_group.keyserver_mariadb_security_group.id]
-  username               = local.secrets["mariaDB"]["username"]
-  password               = local.secrets["mariaDB"]["password"]
+  username               = var.mariadb_username
+  password               = var.mariadb_password
   parameter_group_name   = aws_db_parameter_group.mariadb_parameter_group.name
   storage_encrypted      = true
   publicly_accessible    = true
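Review bot: The master password assigned at `password = var.mariadb_password` is still written in plaintext to the Terraform state, because `sensitive = true` on the variable only redacts plan and apply output. With the SOPS-encrypted file removed in this commit, the value is also unencrypted in whatever tfvars file or environment supplies it, so the state backend needs encryption and restricted access. If the keyserver can read its credential from Secrets Manager, and the option is supported for this engine, `manage_master_user_password = true` on what appears to be the `aws_db_instance` would keep the password out of state. The instance also keeps `publicly_accessible = true`, so the security group rule is the only network control in front of it. The resource block starts and ends outside this hunk.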
diff --git a/services/terraform/self-host/aws_vpc.tf b/services/terraform/self-host/aws_vpc.tf
--- a/services/terraform/self-host/aws_vpc.tf
+++ b/services/terraform/self-host/aws_vpc.tf
@@ -6,17 +6,17 @@
 }
 
 # Public Subnets
-resource "aws_subnet" "public_a" {
+resource "aws_subnet" "public_1" {
   vpc_id                  = aws_vpc.default.id
   cidr_block              = "172.31.0.0/20"
-  availability_zone       = "us-east-2a"
+  availability_zone       = var.availability_zone_1
   map_public_ip_on_launch = true
 }
 
-resource "aws_subnet" "public_b" {
+resource "aws_subnet" "public_2" {
   vpc_id                  = aws_vpc.default.id
   cidr_block              = "172.31.16.0/20"
-  availability_zone       = "us-east-2b"
+  availability_zone       = var.availability_zone_2
   map_public_ip_on_launch = true
 }
 
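Review bot: Renaming `aws_subnet.public_a` and `public_b` to `public_1` and `public_2` changes the resource addresses, so on an existing deployment Terraform will plan to destroy and recreate both subnets unless the rename is recorded. A `moved` block per resource, with `from = aws_subnet.public_a` and `to = aws_subnet.public_1`, would keep existing state attached. The same applies to the two `aws_route_table_association` renames in the next hunk. Separately, nothing checks that `var.availability_zone_1` and `var.availability_zone_2` belong to `var.region`, so a mismatch would only surface as an AWS API error at apply time.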
@@ -30,25 +30,25 @@
   vpc_id = aws_vpc.default.id
 
   route {
-    cidr_block = "0.0.0.0/0"
+    cidr_block = "${var.allowed_ip}/32"
     gateway_id = aws_internet_gateway.default.id
   }
 }
 
-resource "aws_route_table_association" "public_a_igw_route_association" {
-  subnet_id      = aws_subnet.public_a.id
+resource "aws_route_table_association" "public_1_igw_route_association" {
+  subnet_id      = aws_subnet.public_1.id
   route_table_id = aws_route_table.public_igw_route_table.id
 }
 
-resource "aws_route_table_association" "public_b_igw_route_association" {
-  subnet_id      = aws_subnet.public_b.id
+resource "aws_route_table_association" "public_2_igw_route_association" {
+  subnet_id      = aws_subnet.public_2.id
   route_table_id = aws_route_table.public_igw_route_table.id
 }
 
 # DB Subnet Group
 resource "aws_db_subnet_group" "public_db_subnet_group" {
   name       = "public-db-subnet-group"
-  subnet_ids = [aws_subnet.public_a.id, aws_subnet.public_b.id]
+  subnet_ids = [aws_subnet.public_1.id, aws_subnet.public_2.id]
 
   tags = {
     Name = "DB subnet group associated with private vpc subnet"
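Review bot: The route `cidr_block = "${var.allowed_ip}/32"` narrows routing rather than access. A route table decides where outbound traffic is sent, so with only this /32 destination nothing in the two public subnets can reach any other internet address through the gateway. Inbound access is already limited by the security group rule in aws_db.tf, so if the aim is only to restrict who can connect, keeping `cidr_block = "0.0.0.0/0"` here avoids cutting egress for anything else placed in these subnets. If the narrow route is deliberate defence in depth, a comment such as `# Only the operator IP is routable; the DB needs no other egress` would make that clear. The `aws_route_table` block starts outside this hunk.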
diff --git a/services/terraform/self-host/main.tf b/services/terraform/self-host/main.tf
--- a/services/terraform/self-host/main.tf
+++ b/services/terraform/self-host/main.tf
@@ -1,15 +1,5 @@
-provider "sops" {}
-
-data "sops_file" "keyserver_secrets_json" {
-  source_file = "keyserver_secrets.json"
-}
-
-locals {
-  secrets = jsondecode(data.sops_file.keyserver_secrets_json.raw)
-}
-
 provider "aws" {
-  region = "us-east-2"
+  region = var.region
 
   default_tags {
     tags = {
diff --git a/services/terraform/self-host/providers.tf b/services/terraform/self-host/providers.tf
--- a/services/terraform/self-host/providers.tf
+++ b/services/terraform/self-host/providers.tf
@@ -4,10 +4,5 @@
       source  = "hashicorp/aws"
       version = "~> 5.7.0"
     }
-
-    sops = {
-      source  = "carlpett/sops"
-      version = "0.7.2"
-    }
   }
 }
diff --git a/services/terraform/self-host/terraform.tfvars.example b/services/terraform/self-host/terraform.tfvars.example
new file mode 100644
--- /dev/null
+++ b/services/terraform/self-host/terraform.tfvars.example
@@ -0,0 +1,6 @@
+mariadb_username    = "username"
+mariadb_password    = "password"
+region              = "us-west-1"
+availability_zone_1 = "us-west-1b"
+availability_zone_2 = "us-west-1c"
+allowed_ip          = "0.0.0.0"
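Review bot: The placeholder `allowed_ip = "0.0.0.0"` becomes `0.0.0.0/32` at both use sites, which effectively matches no real client, so an operator who copies the example unchanged gets an unreachable database instead of an obvious error. A documentation-range value such as `allowed_ip = "203.0.113.10"`, with a comment saying to replace it, would read as a placeholder. The real terraform.tfvars copied from this file will hold the MariaDB password in plaintext, and the .gitignore hunk in this commit shows no rule for it (the rest of that file is not visible). Confirm that `*.tfvars` is ignored, or add a comment here pointing to `TF_VAR_mariadb_password` as the alternative. The literal `"password"` should also be replaced with a value that cannot be applied by accident.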
diff --git a/services/terraform/self-host/variables.tf b/services/terraform/self-host/variables.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/self-host/variables.tf
@@ -0,0 +1,34 @@
+variable "mariadb_username" {
+  description = "MariaDB username"
+  type        = string
+  sensitive   = true
+}
+
+variable "mariadb_password" {
+  description = "MariaDB password"
+  type        = string
+  sensitive   = true
+}
+
+variable "region" {
+  description = "The AWS region to deploy your keyserver in"
+  type        = string
+  default     = "us-west-1"
+}
+
+variable "allowed_ip" {
+  description = "IP address"
+  type        = string
+}
+
+variable "availability_zone_1" {
+  description = "First availability zone for vpc subnet"
+  type        = string
+  default     = "us-west-1b"
+}
+
+variable "availability_zone_2" {
+  description = "Second availability zone for vpc subnet"
+  type        = string
+  default     = "us-west-1c"
+}
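Review bot: `variable "allowed_ip"` has no validation and only the description "IP address", yet it is interpolated as `"${var.allowed_ip}/32"` into the security group ingress in aws_db.tf and the route in aws_vpc.tf. A value that already carries a mask, an IPv6 address or a typo only fails at apply time, or produces a rule other than the one intended. I would add a validation block and a description stating that it takes a single IPv4 address without a mask, as sketched below. Note also that `sensitive = true` on the two MariaDB variables hides them from CLI output only; they are still stored in state.
```hcl
variable "allowed_ip" {
  description = "Single IPv4 address (no mask) allowed to reach the database; used as <ip>/32"
  type        = string

  validation {
    condition     = can(regex("^[0-9.]+$", var.allowed_ip)) && can(cidrhost("${var.allowed_ip}/32", 0))
    error_message = "allowed_ip must be a single IPv4 address without a mask."
  }
}
```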