diff --git a/modules/cloud-config-container/nginx-tls/README.md b/modules/cloud-config-container/nginx-tls/README.md
new file mode 100644
index 0000000000..bf31d66611
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/README.md
@@ -0,0 +1,61 @@
+# Containerized Nginx with self-signed TLS on Container Optimized OS
+
+This module manages a `cloud-config` configuration that starts a containerized Nginx with a self-signed TLS cert on Container Optimized OS.
+This can be useful if you need quickly a VM or instance group answering HTTPS for prototyping.
+
+The generated cloud config is rendered in the `cloud_config` output, and is meant to be used in instances or instance templates via the `user-data` metadata.
+
+This module depends on the [`cos-generic-metadata` module](../cos-generic-metadata) being in the parent folder. If you change its location be sure to adjust the `source` attribute in `main.tf`.
+
+## Examples
+
+### Default configuration
+
+```hcl
+# Nginx with self-signed TLS config
+module "cos-nginx-tls" {
+ source = "./modules/cloud-config-container/nginx-tls"
+}
+
+# COS VM
+module "vm-nginx-tls" {
+ source = "./modules/compute-vm"
+ project_id = local.project_id
+ zone = local.zone
+ name = "cos-nginx-tls"
+ network_interfaces = [{
+ network = local.vpc.self_link,
+ subnetwork = local.vpc.subnet_self_link,
+ nat = false,
+ addresses = null
+ }]
+
+ metadata = {
+ user-data = module.cos-nginx-tls.cloud_config
+ }
+
+ boot_disk = {
+ image = "projects/cos-cloud/global/images/family/cos-stable"
+ type = "pd-ssd"
+ size = 10
+ }
+
+ service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+}
+```
+
+
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [docker_logging](variables.tf#L23) | Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead. | bool | | true |
+| [nginx_image](variables.tf#L17) | Nginx container image to use. | string | | "nginx:1.23.1" |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [cloud_config](outputs.tf#L17) | Rendered cloud-config file to be passed as user-data instance metadata. | |
+
+
diff --git a/modules/cloud-config-container/nginx-tls/files/customize.sh b/modules/cloud-config-container/nginx-tls/files/customize.sh
new file mode 100644
index 0000000000..297203454f
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/files/customize.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+HOSTNAME=$(curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/hostname)
+openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj /CN=$HOSTNAME/ -keyout /etc/ssl/self-signed.key -out /etc/ssl/self-signed.crt
+sed -i "s/HOSTNAME/${HOSTNAME}/" /etc/nginx/conf.d/default.conf
\ No newline at end of file
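Review bot: The script has no failure handling, so if the metadata request on the `HOSTNAME=` line fails or returns an error body, that value still flows into the certificate subject and the `sed` substitution. I would add `set -euo pipefail` after the licence header, use `curl -sf` so an HTTP error gives a non-zero exit, and quote the subject as `-subj "/CN=${HOSTNAME}/"`. Assigning to `HOSTNAME` also overwrites the variable bash sets itself, so a distinct name would be cleaner. The private key lands under `/etc/ssl`, which main.tf bind-mounts into the container, so it is worth setting its mode to 0600 explicitly rather than relying on the openssl default.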
diff --git a/modules/cloud-config-container/nginx-tls/files/default.conf b/modules/cloud-config-container/nginx-tls/files/default.conf
new file mode 100644
index 0000000000..b928902a06
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/files/default.conf
@@ -0,0 +1,20 @@
+server {
+ listen 80;
+ listen 443 ssl;
+ server_name HOSTNAME;
+ ssl_certificate /etc/ssl/self-signed.crt;
+ ssl_certificate_key /etc/ssl/self-signed.key;
+
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+}
\ No newline at end of file
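Review bot: The server block sets no `ssl_protocols`, so the accepted protocol versions are whatever the image defaults to. With the `nginx:1.23.1` default from variables.tf that likely includes TLS 1.0 and 1.1 and omits TLS 1.3, which is worth confirming against the nginx documentation for that release. Adding `ssl_protocols TLSv1.2 TLSv1.3;` next to the `ssl_certificate` lines makes the choice explicit. The same block also serves the content over plain HTTP on port 80; if that is intentional for prototyping a comment saying so would help, otherwise a separate port-80 server with `return 301 https://$host$request_uri;` keeps traffic on TLS.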
diff --git a/modules/cloud-config-container/nginx-tls/main.tf b/modules/cloud-config-container/nginx-tls/main.tf
new file mode 100644
index 0000000000..ae668cc758
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/main.tf
@@ -0,0 +1,58 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "cos-envoy-td" {
+ source = "../cos-generic-metadata"
+
+ boot_commands = [
+ "systemctl start node-problem-detector",
+ ]
+
+ container_image = var.nginx_image
+ container_name = "nginx"
+ container_args = ""
+
+ container_volumes = [
+ { host = "/etc/nginx/conf.d", container = "/etc/nginx/conf.d" },
+ { host = "/etc/ssl", container = "/etc/ssl" },
+ ]
+
+ docker_args = "--network host --pid host"
+
+ files = {
+ "/var/run/nginx/customize.sh" = {
+ content = file("${path.module}/files/customize.sh")
+ owner = "root"
+ permissions = "0744"
+ }
+ "/etc/nginx/conf.d/default.conf" = {
+ content = file("${path.module}/files/default.conf")
+ owner = "root"
+ permissions = "0644"
+ }
+ }
+
+ gcp_logging = var.docker_logging
+
+ run_commands = [
+ "iptables -I INPUT 1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT",
+ "iptables -I INPUT 1 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT",
+ "/var/run/nginx/customize.sh",
+ "systemctl daemon-reload",
+ "systemctl start nginx",
+ ]
+
+}
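Review bot: `docker_args = "--network host --pid host"` puts the container in the host PID namespace, which nothing visible in this module needs for serving static pages; `docker_args = "--network host"` keeps the port binding while reducing what a compromised nginx process can see. The second `container_volumes` entry maps the host's whole `/etc/ssl` into the container, including the generated private key and the host trust store. A dedicated directory (for example `/etc/ssl/nginx`, with the paths in customize.sh and default.conf adjusted to match) would narrow that; whether the mount is read-only is decided in cos-generic-metadata, which is not shown here. The module label `cos-envoy-td` also looks carried over from another module and could be renamed together with its reference in outputs.tf.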
diff --git a/modules/cloud-config-container/nginx-tls/outputs.tf b/modules/cloud-config-container/nginx-tls/outputs.tf
new file mode 100644
index 0000000000..4ce8d2473a
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/outputs.tf
@@ -0,0 +1,20 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cloud_config" {
+ description = "Rendered cloud-config file to be passed as user-data instance metadata."
+ value = module.cos-envoy-td.cloud_config
+}
diff --git a/modules/cloud-config-container/nginx-tls/variables.tf b/modules/cloud-config-container/nginx-tls/variables.tf
new file mode 100644
index 0000000000..246e6d077b
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/variables.tf
@@ -0,0 +1,27 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "nginx_image" {
+ description = "Nginx container image to use."
+ type = string
+ default = "nginx:1.23.1"
+}
+
+variable "docker_logging" {
+ description = "Log via the Docker gcplogs driver. Disable if you use the legacy Logging Agent instead."
+ type = bool
+ default = true
+}
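Review bot: The `nginx_image` default `"nginx:1.23.1"` is a mutable tag, so the same Terraform configuration can start different image contents over time, and the description gives no hint that a digest can be used instead. I would extend the description to something like `"Nginx container image to use. Prefer a digest reference (nginx@sha256:<digest>) for reproducible deployments."`. How the value reaches the container runtime is decided in cos-generic-metadata, outside this diff, so confirm that digest references pass through unchanged.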
diff --git a/modules/cloud-config-container/nginx-tls/versions.tf b/modules/cloud-config-container/nginx-tls/versions.tf
new file mode 100644
index 0000000000..4278054b12
--- /dev/null
+++ b/modules/cloud-config-container/nginx-tls/versions.tf
@@ -0,0 +1,29 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+ required_version = ">= 1.1.0"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 4.32.0" # tftest
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">= 4.32.0" # tftest
+ }
+ }
+}
+
+