diff --git a/modules/aws/bootstrap/README.md b/modules/aws/bootstrap/README.md
new file mode 100644
index 00000000000..01a9478254a
--- /dev/null
+++ b/modules/aws/bootstrap/README.md
@@ -0,0 +1,51 @@
+# Bootstrap Module
+
+This [Terraform][] [module][] manages [AWS][] resources only needed during cluster bootstrapping.
+It uses [implicit provider inheritance][implicit-provider-inheritance] to access the [AWS provider][AWS-provider].
+
+## Example
+
+Set up a `main.tf` with:
+
+```hcl
+provider "aws" {
+  region = "us-east-1"
+}
+
+resource "aws_s3_bucket" "example" {
+}
+
+resource "aws_vpc" "example" {
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+}
+
+resource "aws_subnet" "example" {
+  vpc_id     = "${aws_vpc.example.id}"
+  cidr_block = "${aws_vpc.example.cidr_block}"
+}
+
+module "bootstrap" {
+  source = "github.com/openshift/installer//modules/aws/bootstrap"
+
+  ami            = "ami-07307c397daf4d02e"
+  bucket         = "${aws_s3_bucket.example.id}"
+  cluster_name   = "my-cluster"
+  ignition       = "{\"ignition\": {\"version\": \"2.2.0\"}}",
+  subnet_id      = "${aws_subnet.example.id}"
+}
+```
+
+Then run:
+
+```console
+$ terraform init
+$ terraform plan
+```
+
+[AWS]: https://aws.amazon.com/
+[AWS-provider]: https://www.terraform.io/docs/providers/aws/
+[implicit-provider-inheritance]: https://www.terraform.io/docs/modules/usage.html#implicit-provider-inheritance
+[module]: https://www.terraform.io/docs/modules/
+[Terraform]: https://www.terraform.io/
diff --git a/modules/aws/bootstrap/main.tf b/modules/aws/bootstrap/main.tf
new file mode 100644
index 00000000000..c83b0cefecd
--- /dev/null
+++ b/modules/aws/bootstrap/main.tf
@@ -0,0 +1,127 @@
+resource "aws_s3_bucket_object" "ignition" {
+  bucket  = "${var.bucket}"
+  key     = "bootstrap.ign"
+  content = "${var.ignition}"
+  acl     = "private"
+
+  server_side_encryption = "AES256"
+
+  tags = "${var.tags}"
+
+  lifecycle {
+    ignore_changes = ["*"]
+  }
+}
+
+data "ignition_config" "redirect" {
+  replace {
+    source = "s3://${var.bucket}/bootstrap.ign"
+  }
+}
+
+resource "aws_iam_instance_profile" "bootstrap" {
+  name = "${var.cluster_name}-bootstrap-profile"
+
+  role = "${var.iam_role == "" ?
+    join("|", aws_iam_role.bootstrap.*.name) :
+    join("|", data.aws_iam_role.bootstrap.*.name)
+  }"
+}
+
+data "aws_iam_role" "bootstrap" {
+  count = "${var.iam_role == "" ? 0 : 1}"
+  name  = "${var.iam_role}"
+}
+
+resource "aws_iam_role" "bootstrap" {
+  count = "${var.iam_role == "" ? 1 : 0}"
+  name  = "${var.cluster_name}-bootstrap-role"
+  path  = "/"
+
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+                "Service": "ec2.amazonaws.com"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "bootstrap" {
+  count = "${var.iam_role == "" ? 1 : 0}"
+  name  = "${var.cluster_name}-bootstrap-policy"
+  role  = "${aws_iam_role.bootstrap.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "ec2:Describe*",
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "ec2:AttachVolume",
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "ec2:DetachVolume",
+      "Resource": "*"
+    },
+    {
+      "Action" : [
+        "s3:GetObject"
+      ],
+      "Resource": "arn:aws:s3:::*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_instance" "bootstrap" {
+  ami = "${var.ami}"
+
+  iam_instance_profile        = "${aws_iam_instance_profile.bootstrap.name}"
+  instance_type               = "${var.instance_type}"
+  subnet_id                   = "${var.subnet_id}"
+  user_data                   = "${data.ignition_config.redirect.rendered}"
+  vpc_security_group_ids      = ["${var.vpc_security_group_ids}"]
+  associate_public_ip_address = "${var.associate_public_ip_address}"
+
+  lifecycle {
+    # Ignore changes in the AMI which force recreation of the resource. This
+    # avoids accidental deletion of nodes whenever a new OS release comes out.
+    ignore_changes = ["ami"]
+  }
+
+  tags = "${merge(map(
+    "kubernetes.io/cluster/${var.cluster_name}", "owned",
+  ), var.tags)}"
+
+  root_block_device {
+    volume_type = "${var.volume_type}"
+    volume_size = "${var.volume_size}"
+    iops        = "${var.volume_type == "io1" ? var.volume_iops : 0}"
+  }
+
+  volume_tags = "${var.tags}"
+}
+
+resource "aws_elb_attachment" "bootstrap" {
+  count    = "${length(var.elbs)}"
+  elb      = "${var.elbs[count.index]}"
+  instance = "${aws_instance.bootstrap.id}"
+}
diff --git a/modules/aws/bootstrap/variables.tf b/modules/aws/bootstrap/variables.tf
new file mode 100644
index 00000000000..f67481c01fc
--- /dev/null
+++ b/modules/aws/bootstrap/variables.tf
@@ -0,0 +1,77 @@
+variable "ami" {
+  type        = "string"
+  description = "The AMI ID for the bootstrap node."
+}
+
+variable "associate_public_ip_address" {
+  default     = false
+  description = "If set to true, public-facing ingress resources are created."
+}
+
+variable "bucket" {
+  type        = "string"
+  description = "The S3 bucket name for bootstrap ignition file."
+}
+
+variable "cluster_name" {
+  type        = "string"
+  description = "The name of the cluster."
+}
+
+variable "elbs" {
+  type        = "list"
+  default     = []
+  description = "Elastic load balancer IDs to attach to the bootstrap node."
+}
+
+variable "iam_role" {
+  type        = "string"
+  default     = ""
+  description = "The name of the IAM role to assign to the bootstrap node."
+}
+
+variable "ignition" {
+  type        = "string"
+  description = "The content of the bootstrap ignition file."
+}
+
+variable "instance_type" {
+  type        = "string"
+  default     = "t2.medium"
+  description = "The EC2 instance type for the bootstrap node."
+}
+
+variable "subnet_id" {
+  type        = "string"
+  description = "The subnet ID for the bootstrap node."
+}
+
+variable "tags" {
+  type        = "map"
+  default     = {}
+  description = "AWS tags to be applied to created resources."
+}
+
+variable "volume_iops" {
+  type        = "string"
+  default     = "100"
+  description = "The amount of IOPS to provision for the disk."
+}
+
+variable "volume_size" {
+  type        = "string"
+  default     = "30"
+  description = "The volume size (in gibibytes) for the bootstrap node's root volume."
+}
+
+variable "volume_type" {
+  type        = "string"
+  default     = "gp2"
+  description = "The volume type for the bootstrap node's root volume."
+}
+
+variable "vpc_security_group_ids" {
+  type        = "list"
+  default     = []
+  description = "VPC security group IDs for the bootstrap node."
+}
diff --git a/steps/bootstrap/aws/main.tf b/steps/bootstrap/aws/main.tf
index 33d1fb67a23..ae890e398eb 100644
--- a/steps/bootstrap/aws/main.tf
+++ b/steps/bootstrap/aws/main.tf
@@ -1,8 +1,3 @@
-locals {
-  private_endpoints = "${var.tectonic_aws_endpoints != "public"}"
-  public_endpoints  = "${var.tectonic_aws_endpoints != "private"}"
-}
-
 provider "aws" {
   region  = "${var.tectonic_aws_region}"
   profile = "${var.tectonic_aws_profile}"
@@ -14,137 +9,21 @@ provider "aws" {
   }
 }
 
-resource "aws_s3_bucket_object" "ignition_bootstrap" {
-  bucket  = "${local.s3_bucket}"
-  key     = "bootstrap.ign"
-  content = "${local.ignition_bootstrap}"
-  acl     = "private"
-
-  server_side_encryption = "AES256"
-
-  tags = "${merge(map(
-      "Name", "${var.tectonic_cluster_name}-ignition-bootstrap",
-      "KubernetesCluster", "${var.tectonic_cluster_name}",
-      "tectonicClusterID", "${var.tectonic_cluster_id}"
-    ), var.tectonic_aws_extra_tags)}"
-
-  lifecycle {
-    ignore_changes = ["*"]
-  }
-}
-
-data "ignition_config" "bootstrap_redirect" {
-  replace {
-    source = "s3://${local.s3_bucket}/bootstrap.ign"
-  }
-}
-
-resource "aws_iam_instance_profile" "bootstrap" {
-  name = "${var.tectonic_cluster_name}-bootstrap-profile"
-
-  role = "${var.tectonic_aws_master_iam_role_name == "" ? join("|", aws_iam_role.bootstrap_role.*.name) : join("|", data.aws_iam_role.bootstrap_role.*.name)}"
-}
-
-data "aws_iam_role" "bootstrap_role" {
-  count = "${var.tectonic_aws_master_iam_role_name == "" ? 0 : 1}"
-  name  = "${var.tectonic_aws_master_iam_role_name}"
-}
-
-resource "aws_iam_role" "bootstrap_role" {
-  count = "${var.tectonic_aws_master_iam_role_name == "" ? 1 : 0}"
-  name  = "${var.tectonic_cluster_name}-bootstrap-role"
-  path  = "/"
-
-  assume_role_policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Action": "sts:AssumeRole",
-            "Principal": {
-                "Service": "ec2.amazonaws.com"
-            },
-            "Effect": "Allow",
-            "Sid": ""
-        }
-    ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy" "bootstrap_policy" {
-  count = "${var.tectonic_aws_master_iam_role_name == "" ? 1 : 0}"
-  name  = "${var.tectonic_cluster_name}-bootstrap-policy"
-  role  = "${aws_iam_role.bootstrap_role.id}"
-
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": "ec2:Describe*",
-      "Resource": "*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": "ec2:AttachVolume",
-      "Resource": "*"
-    },
-    {
-      "Effect": "Allow",
-      "Action": "ec2:DetachVolume",
-      "Resource": "*"
-    },
-    {
-      "Action" : [
-        "s3:GetObject"
-      ],
-      "Resource": "arn:aws:s3:::*",
-      "Effect": "Allow"
-    }
-  ]
-}
-EOF
-}
+module "bootstrap" {
+  source = "../../../modules/aws/bootstrap"
 
-resource "aws_instance" "bootstrap" {
-  ami = "${var.tectonic_aws_ec2_ami_override}"
-
-  iam_instance_profile        = "${aws_iam_instance_profile.bootstrap.name}"
-  instance_type               = "${var.tectonic_aws_master_ec2_type}"
+  ami                         = "${var.tectonic_aws_ec2_ami_override}"
+  associate_public_ip_address = "${var.tectonic_aws_endpoints != "private"}"
+  bucket                      = "${local.s3_bucket}"
+  cluster_name                = "${var.tectonic_cluster_name}"
+  elbs                        = "${local.aws_lbs}"
+  iam_role                    = "${var.tectonic_aws_master_iam_role_name}"
+  ignition                    = "${local.ignition_bootstrap}"
   subnet_id                   = "${local.subnet_ids[0]}"
-  user_data                   = "${data.ignition_config.bootstrap_redirect.rendered}"
   vpc_security_group_ids      = ["${concat(var.tectonic_aws_master_extra_sg_ids, list(local.sg_id))}"]
-  associate_public_ip_address = "${local.public_endpoints}"
-
-  lifecycle {
-    # Ignore changes in the AMI which force recreation of the resource. This
-    # avoids accidental deletion of nodes whenever a new OS release comes out.
-    ignore_changes = ["ami"]
-  }
 
   tags = "${merge(map(
       "Name", "${var.tectonic_cluster_name}-bootstrap",
-      "kubernetes.io/cluster/${var.tectonic_cluster_name}", "owned",
       "tectonicClusterID", "${var.tectonic_cluster_id}"
     ), var.tectonic_aws_extra_tags)}"
-
-  root_block_device {
-    volume_type = "${var.tectonic_aws_master_root_volume_type}"
-    volume_size = "${var.tectonic_aws_master_root_volume_size}"
-    iops        = "${var.tectonic_aws_master_root_volume_type == "io1" ? var.tectonic_aws_master_root_volume_iops : 0}"
-  }
-
-  volume_tags = "${merge(map(
-    "Name", "${var.tectonic_cluster_name}-bootstrap",
-    "kubernetes.io/cluster/${var.tectonic_cluster_name}", "owned",
-    "tectonicClusterID", "${var.tectonic_cluster_id}"
-  ), var.tectonic_aws_extra_tags)}"
-}
-
-resource "aws_elb_attachment" "bootstrap" {
-  count    = "${length(local.aws_lbs)}"
-  elb      = "${local.aws_lbs[count.index]}"
-  instance = "${aws_instance.bootstrap.0.id}"
 }