diff --git a/modules/microsite-v2-with-existing-realm/main.tf b/modules/microsite-v2-with-existing-realm/main.tf
new file mode 100644
index 0000000..ef647cf
--- /dev/null
+++ b/modules/microsite-v2-with-existing-realm/main.tf
@@ -0,0 +1,69 @@
+/*
+title: microsite-v2-with-existing-realm
+desc: Deploys a v2 (signed cookie) microsite with CICD and connects to an existing realm
+depends: static-site-signed-cookie-with-cicd, keycloak-client
+*/
+
+terraform {
+ backend "s3" {}
+}
+
+provider "aws" {
+ region = var.aws_region
+}
+
+module "keycloak_client" {
+ source = "../keycloak-client/"
+
+ realm_name = var.realm_name
+ client_name = replace("${var.sitename_prefix}-${var.domain_root}", ".", "-")
+ redirect_uri = "${var.login_service_url}/process"
+ include_groups_claim = false
+}
+
+module "static_site" {
+ source = "../static-site-signed-cookie-with-cicd/"
+
+ aws_region = var.aws_region
+
+ sitename_prefix = var.sitename_prefix
+ domain_root = var.domain_root
+ access_log_bucket = var.access_log_bucket
+ access_log_prefix = var.access_log_prefix
+ fix_non_specific_paths = var.fix_non_specific_paths
+ custom_404_path = var.custom_404_path
+ cipher_suite = var.cipher_suite
+
+ gh_username = var.gh_username
+ gh_secret_sm_param_name = var.gh_secret_sm_param_name
+ gh_token_sm_param_name = var.gh_token_sm_param_name
+ gh_repo = var.gh_repo
+ gh_branch = var.gh_branch
+ encrypt_buckets = var.encrypt_buckets
+ allow_root = var.allow_root
+ build_image = var.build_image
+ build_compute_type = var.build_compute_type
+ build_role_policies = var.build_role_policies
+ build_environment = var.build_environment
+ secure_build_environment = var.secure_build_environment
+ certificate_arn = var.certificate_arn
+ alternative_dns_names = var.alternative_dns_names
+ codestar_connection_arn = var.codestar_connection_arn
+
+ send_notifications = var.send_notifications
+ sns_topic_for_notifications = var.sns_topic_for_notifications
+
+ oidc_host = var.keycloak_host
+ oidc_realm = var.realm_name
+ oidc_client_id = replace("${var.sitename_prefix}-${var.domain_root}", ".", "-")
+ oidc_client_secret = module.keycloak_client.client_secret
+ cookie_duration = var.cookie_max_age
+ config_table = var.config_table
+ login_service_url = var.login_service_url
+
+ origin_access_log_bucket = var.origin_access_log_bucket
+ origin_access_log_prefix = var.origin_access_log_prefix
+
+ pipeline_access_log_bucket = var.pipeline_access_log_bucket
+ pipeline_access_log_prefix = var.pipeline_access_log_prefix
+}
\ No newline at end of file
diff --git a/modules/microsite-v2-with-existing-realm/outputs.tf b/modules/microsite-v2-with-existing-realm/outputs.tf
new file mode 100644
index 0000000..408da9c
--- /dev/null
+++ b/modules/microsite-v2-with-existing-realm/outputs.tf
@@ -0,0 +1,3 @@
+output "webhook_url" {
+ value = var.codestar_connection_arn != "" ? "" : module.static_site.webhook_url
+}
\ No newline at end of file
diff --git a/modules/microsite-v2-with-existing-realm/variables.tf b/modules/microsite-v2-with-existing-realm/variables.tf
new file mode 100644
index 0000000..cb6ae05
--- /dev/null
+++ b/modules/microsite-v2-with-existing-realm/variables.tf
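Review bot: `deploy_at_apex` and `exclude_from_env` are declared in the accompanying variables.tf but never passed into `module "static_site"`, so a caller who sets them gets neither the behaviour nor an error; either forward them (`deploy_at_apex = var.deploy_at_apex`, `exclude_from_env = var.exclude_from_env`) if the child module accepts them, or drop the declarations. The expression `replace("${var.sitename_prefix}-${var.domain_root}", ".", "-")` is written twice, once for `client_name` in the keycloak_client module and once for `oidc_client_id` here; a `locals { client_id = replace(...) }` block would keep the registered client and the id the site presents in agreement by construction. Note that with an empty `sitename_prefix`, which the variable's description allows, that expression yields a value with a leading hyphen — presumably acceptable to Keycloak, but worth confirming. `oidc_client_secret = module.keycloak_client.client_secret` carries a credential between modules; confirm the keycloak-client output and the receiving variable in static-site-signed-cookie-with-cicd are declared `sensitive = true` so the value is redacted from plan output.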
@@ -0,0 +1,214 @@
+variable "aws_region" {
+ description = "region where provisioning should happen"
+ type = string
+}
+
+variable "sitename_prefix" {
+ description = "prefix of site name e.g. for www.example.com this would be www, can be empty if deploy_at_apex is true"
+ type = string
+ default = ""
+}
+
+variable "deploy_at_apex" {
+ type = bool
+ description = "Deploy site at the domain_root apex, defaults to false"
+ default = false
+}
+
+variable "domain_root" {
+ description = "domain root for site e.g. example.com. This must be available in Route53."
+ type = string
+}
+
+variable "access_log_bucket" {
+ description = "S3 bucket where access logs will be placed"
+ type = string
+ default = ""
+}
+
+variable "access_log_prefix" {
+ description = "prefix used for any access logs written to S3"
+ type = string
+ default = ""
+}
+
+variable "gh_username" {
+ description = "GitHub username used to access your site source code repo"
+ type = string
+}
+
+variable "gh_secret_sm_param_name" {
+ description = "name of SSM parameter where GitHub webhook secret is stored"
+ type = string
+ default = ""
+}
+
+variable "gh_token_sm_param_name" {
+ description = "name of SSM parameter where the GitHub Oauth token is stored"
+ type = string
+ default = ""
+}
+
+variable "gh_repo" {
+ description = "name of repo containing site source and buildspec.yml file"
+ type = string
+}
+
+variable "gh_branch" {
+ default = "master"
+ description = "branch of git repo to use for changes"
+ type = string
+}
+
+variable "keycloak_host" {
+ type = string
+ description = "name of keycloak host"
+}
+
+variable "encrypt_buckets" {
+ type = bool
+ default = false
+ description = "encrypt buckets with default AWS keys"
+}
+
+variable "allow_root" {
+ type = bool
+ default = false
+ description = "allow build process to become root (sudo)"
+}
+
+variable "send_notifications" {
+ type = bool
+ default = false
+ description = "should pipeline notifications be sent"
+}
+
+variable "sns_topic_for_notifications" {
+ type = string
+ description = "arn for sns topic to send notifications to"
+ default = ""
+}
+
+variable "build_image" {
+ type = string
+ default = "aws/codebuild/standard:7.0"
+ description = "what build image should be used to run the build job"
+}
+
+variable "fix_non_specific_paths" {
+ type = bool
+ default = false
+ description = "should we apply a lambda@edge function on origin requests to fix paths which are missing the expected root object?"
+}
+
+variable "custom_404_path" {
+ type = string
+ default = "none"
+ description = "what path should we use for a custom 404 (not found) error page"
+}
+
+variable "origin_access_log_bucket" {
+ type = string
+ default = ""
+ description = "bucket to be used for access logging on the origin s3 bucket"
+}
+
+variable "origin_access_log_prefix" {
+ type = string
+ default = ""
+ description = "prefix to use for access logs where that is enabled"
+}
+
+variable "pipeline_access_log_bucket" {
+ type = string
+ default = ""
+ description = "bucket to be used for access logging on the origin s3 bucket"
+}
+
+variable "pipeline_access_log_prefix" {
+ type = string
+ default = ""
+ description = "prefix to use for access logs where that is enabled"
+}
+
+variable "cookie_max_age" {
+ type = string
+ default = "3600"
+ description = "number of seconds cookies will live for, default is 1 hour"
+}
+
+variable "build_role_policies" {
+ description = "list of ARNs of policies to attach to the build role"
+ default = []
+ type = list(string)
+}
+
+variable "build_environment" {
+ description = "non secret build environment variables"
+ default = []
+ type = list(object({
+ name = string,
+ value = string
+ }))
+}
+
+variable "secure_build_environment" {
+ description = "secret build environment variables"
+ default = []
+ type = list(object({
+ name = string,
+ value = string,
+ type = string
+ }))
+}
+
+variable "build_compute_type" {
+ type = string
+ default = "BUILD_GENERAL1_SMALL"
+ description = "compute type for the build job"
+}
+
+variable "certificate_arn" {
+ type = string
+ default = ""
+ description = "arn of a certificate, if this is specified the module will not create a certificate"
+}
+
+variable "alternative_dns_names" {
+ type = list(string)
+ default = []
+ description = "list of additional names the cloudfront distribution"
+}
+
+variable "realm_name" {
+ description = "What name should be used for the keycloak realm"
+ type = string
+}
+
+variable "exclude_from_env" {
+ type = list(string)
+ default = []
+ description = "List of environment variables to exclude from the build"
+}
+
+variable "cipher_suite" {
+ type = string
+ description = "Cipher suite to use on the cloudfront site"
+ default = "TLSv1.2_2018"
+}
+
+variable "login_service_url" {
+ type = string
+ description = "URL for the login service"
+}
+
+variable "config_table" {
+ type = string
+ description = "name of the DynamoDB table where site config is stored"
+}
+
+variable "codestar_connection_arn" {
+ type = string
+ description = "ARN for the codestar connection to use to access github"
+ default = ""
+}
\ No newline at end of file
diff --git a/modules/static-site-signed-cookie-with-cicd/outputs.tf b/modules/static-site-signed-cookie-with-cicd/outputs.tf
new file mode 100644
index 0000000..408da9c
--- /dev/null
+++ b/modules/static-site-signed-cookie-with-cicd/outputs.tf
@@ -0,0 +1,3 @@
+output "webhook_url" {
+ value = var.codestar_connection_arn != "" ? "" : module.static_site.webhook_url
+}
\ No newline at end of file
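Review bot: The `pipeline_access_log_bucket` description is a copy of the one on `origin_access_log_bucket` ("bucket to be used for access logging on the origin s3 bucket") and should describe the pipeline artifact bucket instead, and `alternative_dns_names` is missing a word: `description = "list of additional names for the cloudfront distribution"`. `cipher_suite` defaults to `TLSv1.2_2018`, which still admits older cipher suites; CloudFront's `TLSv1.2_2021` security policy is the current recommendation, so consider making that the default unless a known client-compatibility need requires the older one, and say so in the description. `cookie_max_age` is typed `string` although its description says it holds a number of seconds; `type = number` would let Terraform reject non-numeric input at plan time, provided the child module's `cookie_duration` variable accepts a number. `deploy_at_apex` and `exclude_from_env` are declared here but, from the main.tf hunk in this commit, never forwarded to the child module.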
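Review bot: This outputs.tf sits inside the static-site-signed-cookie-with-cicd module yet its `value` references `module.static_site.webhook_url`, a child module named `static_site` that this module would have to declare itself; the file is byte-identical (blob 408da9c) to modules/microsite-v2-with-existing-realm/outputs.tf, whose main.tf does declare such a module, so this looks like a copy placed in the wrong directory. If this module has no `module "static_site"` block, or already exposes a `webhook_url` output elsewhere (the microsite main.tf in this commit reads one), `terraform validate` should fail on it. The output here should reference whatever resource in this module actually owns the webhook URL, or the file should be removed; the `var.codestar_connection_arn` guard also presumes that variable exists in this module, which is not visible from the diff.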