diff --git a/.gitignore b/.gitignore
index 9e45c4f9..4e9a26b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,10 +5,6 @@
 *.tfstate
 *.tfstate.*
-# Exclude all .tfvars files, which are likely to contain sensitive data
-*.tfvars
-*.tfvars.json
-
 # Crash log files
 crash.log
 crash.*.log
diff --git a/tf/environments/production/main.tf b/tf/environments/production/main.tf
index 80067beb..0fc073ea 100644
--- a/tf/environments/production/main.tf
+++ b/tf/environments/production/main.tf
@@ -83,8 +83,6 @@ provider "aws" {
 data "aws_availability_zones" "available" {}
-
-
 resource "aws_vpc" "main" {
 cidr_block = "10.0.0.0/16"
 }
@@ -372,17 +370,15 @@ resource "aws_ecs_cluster" "main" {
 locals {
- container_image = "ooni/dataapi:latest"
- container_name = "ooni_dataapi"
- container_port = 80
+ container_name = "ooni_dataapi"
 }
 resource "aws_ecs_task_definition" "dataapi" {
 family = "ooni-dataapi-production-td"
 container_definitions = templatefile("${path.module}/templates/task_definition.json", {
- image_url = local.container_image,
+ image_url = "ooni/dataapi:${var.ooni_service_config.dataapi_version}",
 container_name = local.container_name,
- container_port = local.container_port,
+ container_port = 80,
 log_group_region = var.aws_region,
 log_group_name = aws_cloudwatch_log_group.app.name
 })
diff --git a/tf/environments/production/templates/task_definition.json b/tf/environments/production/templates/task_definition.json
index ecd17bea..d5070e1e 100644
--- a/tf/environments/production/templates/task_definition.json
+++ b/tf/environments/production/templates/task_definition.json
@@ -19,4 +19,4 @@
 }
 }
 }
-]
+]
\ No newline at end of file
diff --git a/tf/environments/production/terraform.tfvars.json b/tf/environments/production/terraform.tfvars.json
new file mode 100644
index 00000000..e0e82c8c
--- /dev/null
+++ b/tf/environments/production/terraform.tfvars.json
@@ -0,0 +1,5 @@
+{
+ "ooni_service_config": {
+ "dataapi_version": "latest"
+ }
+}
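Review bot: Dropping both `*.tfvars` patterns in the `.gitignore` hunk removes the only guard against committing a variables file that carries values for `datadog_api_key`, `aws_access_key_id` or `aws_secret_access_key`, which `variables.tf` declares without defaults. Only `tf/environments/production/terraform.tfvars.json` needs to be tracked, so the ignore rules can stay with one exception after them: `*.tfvars`, `*.tfvars.json`, `!tf/environments/production/terraform.tfvars.json`. If another environment later needs a committed variables file, add one negation per file rather than un-ignoring the whole pattern.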
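Review bot: The image reference built in the `aws_ecs_task_definition.dataapi` hunk of `main.tf` still resolves to a mutable tag, because `dataapi_version` is `"latest"` both in the new `terraform.tfvars.json` and in the variable's default in `variables.tf`. With `latest`, the image a production task pulls is whatever the registry serves at pull time, and a change in what is deployed shows up neither in the Terraform plan nor in this repository. Now that the version is a variable, set it to a specific release tag in `terraform.tfvars.json` and drop the `latest` default, or add a `validation` block that rejects it, so that each rollout is a reviewed change. The resource block continues past the end of the hunk.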
diff --git a/tf/environments/production/variables.tf b/tf/environments/production/variables.tf
index c42205f0..98813410 100644
--- a/tf/environments/production/variables.tf
+++ b/tf/environments/production/variables.tf
@@ -1,6 +1,12 @@
-variable "datadog_api_key" {}
-variable "aws_access_key_id" {}
-variable "aws_secret_access_key" {}
+variable "datadog_api_key" {
+ sensitive = true
+}
+variable "aws_access_key_id" {
+ sensitive = true
+}
+variable "aws_secret_access_key" {
+ sensitive = true
+}
 variable "aws_region" {
 description = "The AWS region to create things in."
@@ -18,7 +24,15 @@ variable "key_name" {
 default = "ooni-devops-prod"
 }
-
+variable "ooni_service_config" {
+ type = object({
+ dataapi_version = string
+ })
+ default = {
+ dataapi_version = "latest"
+ }
+ description = "configuration for ooni services"
+}
 variable "instance_type" {
 default = "t2.micro"
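Review bot: `sensitive = true` on the three credential variables in the first `variables.tf` hunk only redacts the values in plan and apply output; Terraform still writes them in plaintext to the state file, so the state backend needs its own access control and encryption. The blocks also have no type or description. Adding `type = string` and a `description` that says where the value is expected to come from (for example the `TF_VAR_datadog_api_key` environment variable) would make it clear that these values are not meant to go into the committed `terraform.tfvars.json`.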