diff --git a/bastion/main.tf b/bastion/main.tf index d5fe9a68..6cd53ac6 100644 --- a/bastion/main.tf +++ b/bastion/main.tf @@ -51,7 +51,7 @@ variable "environment" { } module "ami" { - source = "github.com/terraform-community-modules/tf_aws_ubuntu_ami/ebs" + source = "git::https://github.com/terraform-community-modules/tf_aws_ubuntu_ami.git//ebs?ref=e6614d7ce66a9a59db1787c8f695d70034b865db" region = "${var.region}" distribution = "trusty" instance_type = "${var.instance_type}" diff --git a/defaults/main.tf b/defaults/main.tf index bd0d6892..70a0a7e1 100644 --- a/defaults/main.tf +++ b/defaults/main.tf @@ -27,7 +27,7 @@ variable "default_ecs_ami" { us-east-1 = "ami-5f3ff932" us-west-1 = "ami-31c08551" us-west-2 = "ami-f3985d93" - eu-west-1 = "ami-ab4bd5d8" + eu-west-1 = "ami-063f1a60" eu-central-1 = "ami-6c58b103" ap-northeast-1 = "ami-a69d68c7" ap-northeast-2 = "ami-7b2de615" diff --git a/packer/base/packer.yml b/packer/base/packer.yml index 0b2b78a4..f0fde64a 100644 --- a/packer/base/packer.yml +++ b/packer/base/packer.yml @@ -1,7 +1,7 @@ --- # https://www.packer.io/docs/builders/amazon-ebs.html ami: - source_ami: ami-fa82739a + source_ami: ami-d8f4deab instance_type: c4.2xlarge ssh_username: ubuntu ssh_timeout: 10m diff --git a/packer/ecs/packer.yml b/packer/ecs/packer.yml index 846c0897..fcc5d7ae 100644 --- a/packer/ecs/packer.yml +++ b/packer/ecs/packer.yml @@ -3,3 +3,4 @@ base: base scripts: - ecs.sh + - dynatrace-staging.sh diff --git a/packer/ecs/root/etc/systemd/system/ecs-agent.service b/packer/ecs/root/etc/systemd/system/ecs-agent.service index 135da611..9ec14044 100644 --- a/packer/ecs/root/etc/systemd/system/ecs-agent.service +++ b/packer/ecs/root/etc/systemd/system/ecs-agent.service 
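Review bot: In packer/ecs/packer.yml, adding `- dynatrace-staging.sh` to the shared `scripts` list installs the staging tenant's OneAgent in every image built from this template, while the dynatrace-production.sh added by the same commit is not referenced by any visible hunk. If production instances are built from this template as well, they would presumably report to the staging tenant. Consider choosing the script from a build variable, or at least add a comment such as `# staging tenant only; production images must use dynatrace-production.sh` above the entry so the choice is explicit.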
@@ -14,7 +14,7 @@ ExecStartPre=/bin/mkdir -p /var/lib/ecs/data
 ExecStartPre=/bin/mkdir -p /var/log/ecs
 ExecStartPre=-/usr/bin/docker kill ecs-agent
 ExecStartPre=-/usr/bin/docker rm ecs-agent
-ExecStartPre=-/usr/bin/docker pull amazon/amazon-ecs-agent:v1.9.0
+ExecStartPre=-/usr/bin/docker pull amazon/amazon-ecs-agent:v1.13.1
 ExecStart=/usr/bin/docker run \
 --name=ecs-agent \
 --restart=on-failure:10 \
@@ -26,7 +26,7 @@ ExecStart=/usr/bin/docker run \
 --publish=127.0.0.1:51678:51678 \
 --env-file=/etc/ecs/ecs.config \
 --env=ECS_CLUSTER=${SERVER_GROUP} \
- amazon/amazon-ecs-agent:v1.9.0
+ amazon/amazon-ecs-agent:v1.13.1
 ExecStop=-/usr/bin/docker stop ecs-agent
 
 [Install]
diff --git a/packer/ecs/scripts/dynatrace-production.sh b/packer/ecs/scripts/dynatrace-production.sh
new file mode 100644
index 00000000..8bdfb85e
--- /dev/null
+++ b/packer/ecs/scripts/dynatrace-production.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+openssl version
+
+# Use this command on the target host:
+wget -O Dynatrace-OneAgent-Linux-1.117.255.sh \
+ https://hek37999.live.dynatrace.com/installer/oneagent/unix/latest/QSSP55KtStY9rzBN
+
+# Verify signature:
+wget https://ca.dynatrace.com/dt-root.cert.pem
+( echo 'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="--SIGNED-INSTALLER"\n\n----SIGNED-INSTALLER' ; cat Dynatrace-OneAgent-Linux-1.117.255.sh ) | openssl cms -verify -CAfile dt-root.cert.pem > /dev/null
+
+# And run the installer with root rights:
+/bin/sh Dynatrace-OneAgent-Linux-1.117.255.sh APP_LOG_CONTENT_ACCESS=1
diff --git a/packer/ecs/scripts/dynatrace-staging.sh b/packer/ecs/scripts/dynatrace-staging.sh
new file mode 100644
index 00000000..64843d53
--- /dev/null
+++ b/packer/ecs/scripts/dynatrace-staging.sh
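Review bot: In dynatrace-production.sh the `wget -O` URL embeds what looks like a tenant installer token as its last path segment, which puts a credential in version control; dynatrace-staging.sh has the same line. Take tenant and token from the build environment, e.g. `"https://${DT_TENANT}.live.dynatrace.com/installer/oneagent/unix/latest/${DT_TOKEN}"` (variable names are placeholders), and rotate the values that were committed. The verify step downloads `dt-root.cert.pem` during the same build, so the trust anchor is only as trustworthy as that fetch; committing the certificate next to the script, or checking it against a pinned digest, would make `openssl cms -verify` an independent check. bash's builtin `echo` does not expand `\n` by default, so the MIME preamble is likely passed with literal backslashes, and `printf` would produce the intended blank lines. The output file name says 1.117.255 while the URL requests `latest`, so a comment stating that the installer version is not pinned would help the next reader.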
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+openssl version
+
+# Use this command on the target host:
+wget -O Dynatrace-OneAgent-Linux-1.117.255.sh \
+ https://sff67693.live.dynatrace.com/installer/oneagent/unix/latest/z6ieyk1fQSf2HzeN
+
+# Verify signature:
+wget https://ca.dynatrace.com/dt-root.cert.pem
+( echo 'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="--SIGNED-INSTALLER"\n\n----SIGNED-INSTALLER' ; cat Dynatrace-OneAgent-Linux-1.117.255.sh ) | openssl cms -verify -CAfile dt-root.cert.pem > /dev/null
+
+# And run the installer with root rights:
+/bin/sh Dynatrace-OneAgent-Linux-1.117.255.sh APP_LOG_CONTENT_ACCESS=1
diff --git a/security-groups/main.tf b/security-groups/main.tf
index a3b6a7eb..9bee46b8 100644
--- a/security-groups/main.tf
+++ b/security-groups/main.tf
@@ -50,7 +50,7 @@ resource "aws_security_group" "internal_elb" {
 resource "aws_security_group" "external_elb" {
 name = "${format("%s-%s-external-elb", var.name, var.environment)}"
 vpc_id = "${var.vpc_id}"
- description = "Allows external ELB traffic"
+ description = "Allows internal ELB traffic"
 
 ingress {
 from_port = 80
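Review bot: In security-groups/main.tf the new description "Allows internal ELB traffic" sits on the `external_elb` resource, whose name is still formatted as `%s-%s-external-elb`, so the group's label now contradicts its purpose. Anyone auditing security groups by description would likely misclassify an internet-facing group as internal. Unless the group really is being repurposed, keep `description = "Allows external ELB traffic"`. Terraform also treats a security group's description as immutable, so this edit will plan a destroy-and-recreate of the group. The resource body continues past the end of the hunk, so the ingress rules themselves are not visible here.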