diff --git a/azure/terraform/gitlab.tf b/azure/terraform/gitlab.tf
new file mode 100644
--- /dev/null
+++ b/azure/terraform/gitlab.tf
@@ -0,0 +1,22 @@
+# create a kubernetes cluster for a given environment
+# and deploy a gitlab instance on it
+# The cluster is deployed in its own resource group
+# suffixed by the environment
+
+# module "gitlab-production" {
+#     source = "./modules/gitlab"
+#     name   = "euwest-gitlab-production"
+# }
+
+# output "gitlab-production_summary" {
+#   value = module.gitlab-production.summary
+# }
+
+module "gitlab-staging" {
+  source = "./modules/gitlab"
+  name   = "euwest-gitlab-staging"
+}
+
+output "gitlab-staging_summary" {
+  value = module.gitlab-staging.summary
+}
diff --git a/azure/terraform/modules/gitlab/main.tf b/azure/terraform/modules/gitlab/main.tf
new file mode 100644
--- /dev/null
+++ b/azure/terraform/modules/gitlab/main.tf
@@ -0,0 +1,22 @@
+resource "azurerm_resource_group" "gitlab_rg" {
+  name     = var.name
+  location = var.location
+
+  tags = {
+    environment = "gitlab"
+  }
+}
+
+module "gitlab_aks_cluster" {
+  source         = "../kubernetes"
+  cluster_name   = var.name
+  resource_group = var.name
+
+  minimal_pool_count = 1
+  maximal_pool_count = 5
+  node_type          = "Standard_B2ms"
+
+  depends_on = [
+    azurerm_resource_group.gitlab_rg
+  ]
+}
diff --git a/azure/terraform/modules/gitlab/outputs.tf b/azure/terraform/modules/gitlab/outputs.tf
new file mode 100644
--- /dev/null
+++ b/azure/terraform/modules/gitlab/outputs.tf
@@ -0,0 +1,3 @@
+output "summary" {
+  value = module.gitlab_aks_cluster.summary
+}
diff --git a/azure/terraform/modules/gitlab/variables.tf b/azure/terraform/modules/gitlab/variables.tf
new file mode 100644
--- /dev/null
+++ b/azure/terraform/modules/gitlab/variables.tf
@@ -0,0 +1,10 @@
+variable "name" {
+  description = "Name of the gitlab environment"
+  type        = string
+}
+
+variable "location" {
+  description = "Name of the gitlab environment"
+  type        = string
+  default     = "westeurope"
+}
diff --git a/azure/terraform/modules/kubernetes/data.tf b/azure/terraform/modules/kubernetes/data.tf
new file mode 100644
--- /dev/null
+++ b/azure/terraform/modules/kubernetes/data.tf
@@ -0,0 +1,9 @@
+data "azurerm_resource_group" "aks_rg" {
+  name                 = var.resource_group
+}
+
+data "azurerm_subnet" "internal_subnet" {
+  name                 = "default"
+  virtual_network_name = var.internal_vnet
+  resource_group_name  = var.internal_vnet_rg
+}
diff --git a/azure/terraform/modules/kubernetes/main.tf b/azure/terraform/modules/kubernetes/main.tf
new file mode 100644
--- /dev/null
+++ b/azure/terraform/modules/kubernetes/main.tf
@@ -0,0 +1,50 @@
+
+resource "azurerm_kubernetes_cluster" "aks_cluster" {
+  name                = var.cluster_name
+  resource_group_name = data.azurerm_resource_group.aks_rg.name
+  location            = data.azurerm_resource_group.aks_rg.location
+  dns_prefix          = var.cluster_name
+
+  default_node_pool {
+    name                = "default"
+    node_count          = 1
+    vm_size             = var.node_type
+    enable_auto_scaling = true
+    max_count           = var.maximal_pool_count
+    min_count           = var.minimal_pool_count
+
+    # not supported for all vm types
+    # os_disk_type        = "Ephemeral"
+
+    # experimental feature, not activable as we don't
+    # have a subscription
+    # kubelet_config {
+    #   container_log_max_size_mb = "1024"
+    # }
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  private_cluster_enabled = true
+
+  network_profile {
+    network_plugin = "kubenet"
+    network_policy = "calico"
+  }
+}
+
+resource "azurerm_private_endpoint" "aks_cluster_endpoint" {
+  name                = "${var.cluster_name}-endpoint"
+  resource_group_name = data.azurerm_resource_group.aks_rg.name
+  location            = data.azurerm_resource_group.aks_rg.location
+  subnet_id           = data.azurerm_subnet.internal_subnet.id
+
+  private_service_connection {
+    name                           = "${var.cluster_name}-psc"
+    is_manual_connection           = false
+    private_connection_resource_id = azurerm_kubernetes_cluster.aks_cluster.id
+    subresource_names              = ["management"]
+  }
+}
diff --git a/azure/terraform/modules/kubernetes/outputs.tf b/azure/terraform/modules/kubernetes/outputs.tf
new file mode 100644
--- /dev/null
+++ b/azure/terraform/modules/kubernetes/outputs.tf
@@ -0,0 +1,15 @@
+output "summary" {
+  value = <<EOF
+
+name: ${azurerm_kubernetes_cluster.aks_cluster.name}
+internal_ip: ${azurerm_private_endpoint.aks_cluster_endpoint.private_service_connection.0.private_ip_address}
+
+Execute the following command to add the credentials in your .kube/config:
+az aks get-credentials --resource-group ${data.azurerm_resource_group.aks_rg.name} --name ${azurerm_kubernetes_cluster.aks_cluster.name} 
+
+and add this line in your /etc/hosts file:
+${azurerm_private_endpoint.aks_cluster_endpoint.private_service_connection.0.private_ip_address} ${azurerm_kubernetes_cluster.aks_cluster.private_fqdn}
+
+EOF
+
+}
diff --git a/azure/terraform/modules/kubernetes/variables.tf b/azure/terraform/modules/kubernetes/variables.tf
new file mode 100644
--- /dev/null
+++ b/azure/terraform/modules/kubernetes/variables.tf
@@ -0,0 +1,40 @@
+variable "resource_group" {
+  description = "Resource group name of the kubernetes cluster. Must already exist"
+  type        = string
+}
+
+variable "cluster_name" {
+  description = "Name of the cluster, for example: euwest-gitlab-staging"
+  type        = string
+}
+
+variable "node_type" {
+  description = "Type of vms in the default node pool"
+  default     = "Standard_B2ms"
+  type        = string
+}
+
+variable "minimal_pool_count" {
+  description = "Minimal number of node in the default pool"
+  type        = number
+  default     = 1
+}
+
+variable "maximal_pool_count" {
+  description = "Minimal number of node in the default pool"
+  type        = number
+  default     = 5
+}
+
+variable "internal_vnet" {
+  description = "A vnet accessible from the VPN"
+  type        = string
+  default     = "swh-vnet"
+}
+
+variable "internal_vnet_rg" {
+  description = "The resource group of the vnet accessible from the VPN"
+  type        = string
+  default     = "swh-resource"
+}
+