diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0d762ad8421d511e99523d0f071e3622244b80a1..24ba11c3392434378e62b4599f211061a577b3cd 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -5,6 +5,7 @@ variables:
   RELEASE_IMAGE_NAME: "$CI_REGISTRY_IMAGE/releases/$TERRAFORM_VERSION"
   TF_ADDRESS: "$CI_API_V4_URL/projects/$CI_PROJECT_ID/terraform/state/$CI_PIPELINE_IID-$STATE_NAME"
   TFPLANTOOL_VERSION: "v0.1.0"
+  BASE: "node:alpine"
 
 .versions:
   parallel:
@@ -46,7 +47,7 @@ build:
     - .versions
   stage: build
   script:
-    - docker image build --tag "$BUILD_IMAGE_NAME" --build-arg BASE=$TERRAFORM_BASE --build-arg TFPLANTOOL=$TFPLANTOOL_VERSION .
+    - docker image build --tag "$BUILD_IMAGE_NAME" --build-arg BASE=$BASE --build-arg TERRAFORM_BASE=$TERRAFORM_BASE --build-arg TFPLANTOOL=$TFPLANTOOL_VERSION .
     - docker image push "$BUILD_IMAGE_NAME"
 
 .test:
@@ -55,6 +56,7 @@ build:
     - terraform version
     - gitlab-terraform version
     - jq --version
+    - cdktf --version
     - cd tests
   cache:
     key: "$TERRAFORM_VERSION-$CI_COMMIT_REF_SLUG"
diff --git a/Dockerfile b/Dockerfile
index b45e5ba974d8b316639cacb05025c77ea8547e4a..6135381c96c6924b2ca9fb34b7acb3851089a834 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,25 +1,36 @@
 ARG BASE
+ARG TERRAFORM_BASE
 
 FROM golang:1.14 AS tfplantool
 
 ARG BASE
+ARG TERRAFORM_BASE
 ARG TFPLANTOOL
 
 WORKDIR /tfplantool
 
 RUN git clone --branch $TFPLANTOOL --depth 1 https://gitlab.com/mattkasa/tfplantool.git .
-RUN sed -i -e "/github\.com\/hashicorp\/terraform/s/ v.*\$/ v$(echo "$BASE" | sed -e "s/^.*://")/" go.mod
+RUN sed -i -e "/github\.com\/hashicorp\/terraform/s/ v.*\$/ v$(echo "$TERRAFORM_BASE" | sed -e "s/^.*://")/" go.mod
 RUN go get -d -v ./...
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o tfplantool .
 
+FROM $TERRAFORM_BASE AS terraform
+
+ARG BASE
+
 FROM $BASE
 
-RUN apk add --no-cache jq
+RUN apk add --no-cache ca-certificates jq
 
+COPY --from=terraform /bin/terraform /bin/terraform
 COPY --from=tfplantool /tfplantool/tfplantool /usr/bin/tfplantool
 
 COPY src/bin/gitlab-terraform.sh /usr/bin/gitlab-terraform
 RUN chmod +x /usr/bin/gitlab-terraform
 
-# Override ENTRYPOINT since hashicorp/terraform uses `terraform`
-ENTRYPOINT []
+RUN npm install -g cdktf-cli && npm cache clean --force
+
+COPY src/bin/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/src/bin/entrypoint.sh b/src/bin/entrypoint.sh
new file mode 100644
index 0000000000000000000000000000000000000000..2ab89001da4a91327b6c8bfc54a75b11435cfcd5
--- /dev/null
+++ b/src/bin/entrypoint.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -e
+
+# If TF_USERNAME is unset then default to GITLAB_USER_LOGIN
+export TF_USERNAME="${TF_USERNAME:-${GITLAB_USER_LOGIN}}"
+
+# If TF_PASSWORD is unset then default to gitlab-ci-token/CI_JOB_TOKEN
+if [ -z "${TF_PASSWORD}" ]; then
+  export TF_USERNAME="gitlab-ci-token"
+  export TF_PASSWORD="${CI_JOB_TOKEN}"
+fi
+
+# If TF_ADDRESS is unset but TF_STATE_NAME is provided, then default to GitLab backend in current project
+if [ -n "${TF_STATE_NAME}" ]; then
+  export TF_ADDRESS="${TF_ADDRESS:-${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${TF_STATE_NAME}}"
+fi
+
+# Set variables for the HTTP backend to default to TF_* values
+export TF_HTTP_ADDRESS="${TF_HTTP_ADDRESS:-${TF_ADDRESS}}"
+export TF_HTTP_LOCK_ADDRESS="${TF_HTTP_LOCK_ADDRESS:-${TF_ADDRESS}/lock}"
+export TF_HTTP_LOCK_METHOD="${TF_HTTP_LOCK_METHOD:-POST}"
+export TF_HTTP_UNLOCK_ADDRESS="${TF_HTTP_UNLOCK_ADDRESS:-${TF_ADDRESS}/lock}"
+export TF_HTTP_UNLOCK_METHOD="${TF_HTTP_UNLOCK_METHOD:-DELETE}"
+export TF_HTTP_USERNAME="${TF_HTTP_USERNAME:-${TF_USERNAME}}"
+export TF_HTTP_PASSWORD="${TF_HTTP_PASSWORD:-${TF_PASSWORD}}"
+export TF_HTTP_RETRY_WAIT_MIN="${TF_HTTP_RETRY_WAIT_MIN:-5}"
+
+exec "$@"
diff --git a/src/bin/gitlab-terraform.sh b/src/bin/gitlab-terraform.sh
index c637ec0cf5e2a2568dc0e0401e96016b1b4cbcb3..4cdba2273e97aab8944f76b5475cec5f6eecaf71 100755
--- a/src/bin/gitlab-terraform.sh
+++ b/src/bin/gitlab-terraform.sh
@@ -21,30 +21,6 @@ JQ_PLAN='
   }
 '
 
-# If TF_USERNAME is unset then default to GITLAB_USER_LOGIN
-TF_USERNAME="${TF_USERNAME:-${GITLAB_USER_LOGIN}}"
-
-# If TF_PASSWORD is unset then default to gitlab-ci-token/CI_JOB_TOKEN
-if [ -z "${TF_PASSWORD}" ]; then
-  TF_USERNAME="gitlab-ci-token"
-  TF_PASSWORD="${CI_JOB_TOKEN}"
-fi
-
-# If TF_ADDRESS is unset but TF_STATE_NAME is provided, then default to GitLab backend in current project
-if [ -n "${TF_STATE_NAME}" ]; then
-  TF_ADDRESS="${TF_ADDRESS:-${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${TF_STATE_NAME}}"
-fi
-
-# Set variables for the HTTP backend to default to TF_* values
-export TF_HTTP_ADDRESS="${TF_HTTP_ADDRESS:-${TF_ADDRESS}}"
-export TF_HTTP_LOCK_ADDRESS="${TF_HTTP_LOCK_ADDRESS:-${TF_ADDRESS}/lock}"
-export TF_HTTP_LOCK_METHOD="${TF_HTTP_LOCK_METHOD:-POST}"
-export TF_HTTP_UNLOCK_ADDRESS="${TF_HTTP_UNLOCK_ADDRESS:-${TF_ADDRESS}/lock}"
-export TF_HTTP_UNLOCK_METHOD="${TF_HTTP_UNLOCK_METHOD:-DELETE}"
-export TF_HTTP_USERNAME="${TF_HTTP_USERNAME:-${TF_USERNAME}}"
-export TF_HTTP_PASSWORD="${TF_HTTP_PASSWORD:-${TF_PASSWORD}}"
-export TF_HTTP_RETRY_WAIT_MIN="${TF_HTTP_RETRY_WAIT_MIN:-5}"
-
 apply() {
   if ! terraform_is_at_least 0.13.2; then
     tfplantool -f "${plan_cache}" backend set -k password -v "${TF_PASSWORD}"