diff --git a/share/wildduck/scimgateway.tf b/share/wildduck/scimgateway.tf
new file mode 100644
index 0000000..0cefb26
--- /dev/null
+++ b/share/wildduck/scimgateway.tf
@@ -0,0 +1,95 @@
+locals {
+ scimgateway-labels = merge(local.common-labels, {
+ "app.kubernetes.io/component" = "scimgateway"
+ })
+}
+
+resource "kubectl_manifest" "scimgateway_deploy" {
+ yaml_body = <<-EOF
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: "${var.instance}-scimgateway"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.scimgateway-labels)}
+ spec:
+ replicas: 1
+ selector:
+ matchLabels: ${jsonencode(local.scimgateway-labels)}
+ template:
+ metadata:
+ labels: ${jsonencode(local.scimgateway-labels)}
+ spec:
+ securityContext:
+ fsGroup: 1000
+ containers:
+ - name: scimgateway
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ image: "${var.images.scimgateway.registry}/${var.images.scimgateway.repository}:${var.images.scimgateway.tag}"
+ imagePullPolicy: "${var.images.scimgateway.pullPolicy}"
+ ports:
+ - name: http
+ containerPort: 8000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthcheck
+ port: http
+ scheme: HTTP
+ readinessProbe:
+ httpGet:
+ path: /healthcheck
+ port: http
+ scheme: HTTP
+ resources:
+ {}
+ env:
+ - name: "LOG_LEVEL"
+ value: "info"
+ - name: "PORT"
+ value: "8000"
+ - name: "WILDDUCK_DOMAIN"
+ value: "${var.domain-name}"
+ - name: "WILDDUCK_API"
+ value: "${var.instance}-wildduck-api.${var.namespace}.svc"
+ - name: WILDDUCK_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: "${var.instance}"
+ key: authentik
+ - name: WILDDUCK_INITIAL_PASSWD
+ valueFrom:
+ secretKeyRef:
+ name: "${var.instance}"
+ key: default
+ - name: OID_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: "${var.instance}"
+ key: access
+ EOF
+}
+resource "kubectl_manifest" "scimgateway_service" {
+ yaml_body = <<-EOF
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: "${var.instance}-scimgateway"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.scimgateway-labels)}
+ spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector: ${jsonencode(local.scimgateway-labels)}
+ EOF
+}
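Review bot: The container `securityContext` in the `scimgateway_deploy` manifest sets no `allowPrivilegeEscalation` value and no seccomp profile, so despite dropping all capabilities and running non-root the pod would be rejected by a namespace enforcing the Pod Security Standards "restricted" profile. Adding `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` next to `runAsNonRoot: true` closes that gap. The container already holds three credentials (`WILDDUCK_TOKEN`, `WILDDUCK_INITIAL_PASSWD`, `OID_TOKEN`), and the pod spec leaves the service-account token mounted by default. If the gateway never calls the Kubernetes API, `automountServiceAccountToken: false` in the pod `spec` removes one credential a compromised gateway could reuse. Separately, `resources: {}` sets neither requests nor limits, so a misbehaving gateway is unbounded on its node; explicit values would be safer.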