diff --git a/Documentation/variables/config.md b/Documentation/variables/config.md
index 4bb7240779..f5fd42f91a 100644
--- a/Documentation/variables/config.md
+++ b/Documentation/variables/config.md
@@ -30,6 +30,7 @@ This document gives an overview of variables used in all platforms of the Tecton
 | tectonic_etcd_client_cert_path | (optional) The path of the file containing the client certificate for TLS communication with etcd.<br><br>Note: This works only when used in conjunction with an external etcd cluster. If set, the variables `tectonic_etcd_servers`, `tectonic_etcd_ca_cert_path`, and `tectonic_etcd_client_key_path` must also be set. | string | `/dev/null` |
 | tectonic_etcd_client_key_path | (optional) The path of the file containing the client key for TLS communication with etcd.<br><br>Note: This works only when used in conjunction with an external etcd cluster. If set, the variables `tectonic_etcd_servers`, `tectonic_etcd_ca_cert_path`, and `tectonic_etcd_client_cert_path` must also be set. | string | `/dev/null` |
 | tectonic_etcd_count | The number of etcd nodes to be created. If set to zero, the count of etcd nodes will be determined automatically.<br><br>Note: This is not supported on bare metal. | string | `0` |
+| tectonic_etcd_scheme | (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints. | string | `https` |
 | tectonic_etcd_servers | (optional) List of external etcd v3 servers to connect with (hostnames/IPs only). Needs to be set if using an external etcd cluster.<br><br>Example: `["etcd1", "etcd2", "etcd3"]` | list | `<list>` |
 | tectonic_etcd_tls_enabled | (optional) If set to `true`, TLS secure communication for self-provisioned etcd. will be used.<br><br>Note: If `tectonic_experimental` is set to `true` this variable has no effect, because the experimental self-hosted etcd always uses TLS. | string | `true` |
 | tectonic_image_re | (internal) Regular expression used to extract repo and tag components | string | `/^([^/]+/[^/]+/[^/]+):(.*)$/` |
diff --git a/config.tf b/config.tf
index eb8704630f..a10df2bbbe 100644
--- a/config.tf
+++ b/config.tf
@@ -184,6 +184,15 @@ EOF
   default = []
 }
 
+variable "tectonic_etcd_scheme" {
+  type    = "string"
+  default = "https"
+
+  description = <<EOF
+(optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+EOF
+}
+
 variable "tectonic_etcd_tls_enabled" {
   default = true
 
diff --git a/examples/terraform.tfvars.aws b/examples/terraform.tfvars.aws
index 4231e08551..a82aa3cf63 100644
--- a/examples/terraform.tfvars.aws
+++ b/examples/terraform.tfvars.aws
@@ -257,6 +257,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 
diff --git a/examples/terraform.tfvars.azure b/examples/terraform.tfvars.azure
index 3d629416cd..1f52e9b572 100644
--- a/examples/terraform.tfvars.azure
+++ b/examples/terraform.tfvars.azure
@@ -226,6 +226,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 
diff --git a/examples/terraform.tfvars.gcp b/examples/terraform.tfvars.gcp
index 0c7d066f2c..8d38c2b70a 100644
--- a/examples/terraform.tfvars.gcp
+++ b/examples/terraform.tfvars.gcp
@@ -109,6 +109,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 
diff --git a/examples/terraform.tfvars.metal b/examples/terraform.tfvars.metal
index 73f38ab109..56ec404ac1 100644
--- a/examples/terraform.tfvars.metal
+++ b/examples/terraform.tfvars.metal
@@ -109,6 +109,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 
diff --git a/examples/terraform.tfvars.openstack-neutron b/examples/terraform.tfvars.openstack-neutron
index 47ba5887e9..9dffcb23b5 100644
--- a/examples/terraform.tfvars.openstack-neutron
+++ b/examples/terraform.tfvars.openstack-neutron
@@ -109,6 +109,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 
diff --git a/examples/terraform.tfvars.vmware b/examples/terraform.tfvars.vmware
index a488eb96cc..56576de620 100644
--- a/examples/terraform.tfvars.vmware
+++ b/examples/terraform.tfvars.vmware
@@ -109,6 +109,9 @@ tectonic_container_linux_version = "latest"
 // Note: This is not supported on bare metal.
 tectonic_etcd_count = "0"
 
+// (optional) Can be either "http" or "https". When set, this scheme will be used for all provided etcd endpoints.
+// tectonic_etcd_scheme = "https"
+
 // (optional) List of external etcd v3 servers to connect with (hostnames/IPs only).
 // Needs to be set if using an external etcd cluster.
 // 
diff --git a/modules/aws/etcd/variables.tf b/modules/aws/etcd/variables.tf
index d244685530..546cb71eba 100644
--- a/modules/aws/etcd/variables.tf
+++ b/modules/aws/etcd/variables.tf
@@ -79,6 +79,11 @@ variable "dns_enabled" {
   default     = "false"
 }
 
+variable "etcd_scheme" {
+  type    = "string"
+  default = "https"
+}
+
 variable "tls_enabled" {
   default = false
 }
diff --git a/modules/bootkube/assets.tf b/modules/bootkube/assets.tf
index 7b311e11d6..81bdf92d93 100644
--- a/modules/bootkube/assets.tf
+++ b/modules/bootkube/assets.tf
@@ -13,14 +13,13 @@ resource "template_dir" "bootkube" {
     # Choose the etcd endpoints to use.
     # 1. If self-hosted etcd is enabled, then use
     # var.etcd_service_ip.
-    # 2. Else if no etcd TLS certificates are provided, i.e. we bootstrap etcd
-    # nodes ourselves (using http), then use insecure http var.etcd_endpoints.
-    # 3. Else (if etcd TLS certific are provided), then use the secure https
+    # 2. Else if var.tectonic_etcd_scheme is http? Then use that scheme.
+    # 3. Else use the secure https
     # var.etcd_endpoints.
     etcd_servers = "${
       var.self_hosted_etcd != ""
         ? format("https://%s:2379", cidrhost(var.service_cidr, 15))
-        : var.etcd_ca_cert_pem == ""
+        : var.etcd_scheme == "http"
           ? join(",", formatlist("http://%s:2379", var.etcd_endpoints))
           : join(",", formatlist("https://%s:2379", var.etcd_endpoints))
       }"
@@ -81,14 +80,13 @@ resource "template_dir" "bootkube_bootstrap" {
     # Choose the etcd endpoints to use.
     # 1. If self-hosted etcd mode is enabled, then use
     # var.etcd_service_ip.
-    # 2. Else if no etcd TLS certificates are provided, i.e. we bootstrap etcd
-    # nodes ourselves (using http), then use insecure http var.etcd_endpoints.
-    # 3. Else (if etcd TLS certific are provided), then use the secure https
+    # 2. Else if var.tectonic_etcd_scheme is http? Then use that scheme.
+    # 3. Else use the secure https
     # var.etcd_endpoints.
     etcd_servers = "${
       var.self_hosted_etcd != ""
         ? format("https://%s:2379,https://127.0.0.1:12379", cidrhost(var.service_cidr, 15))
-        : var.etcd_ca_cert_pem == ""
+        : var.etcd_scheme == "http"
           ? join(",", formatlist("http://%s:2379", var.etcd_endpoints))
           : join(",", formatlist("https://%s:2379", var.etcd_endpoints))
       }"
diff --git a/modules/bootkube/variables.tf b/modules/bootkube/variables.tf
index 05589b832c..593eab58e7 100644
--- a/modules/bootkube/variables.tf
+++ b/modules/bootkube/variables.tf
@@ -63,6 +63,12 @@ variable "etcd_endpoints" {
   type        = "list"
 }
 
+variable "etcd_scheme" {
+  description = "scheme either http or https"
+  type        = "string"
+  default     = "https"
+}
+
 variable "etcd_peer_cert_pem" {
   type        = "string"
   description = "The etcd peer certificate in PEM format."
diff --git a/modules/gcp/etcd/variables.tf b/modules/gcp/etcd/variables.tf
index 78cdc1a51e..40d8a7ee4c 100644
--- a/modules/gcp/etcd/variables.tf
+++ b/modules/gcp/etcd/variables.tf
@@ -68,6 +68,11 @@ variable "tls_enabled" {
   default = false
 }
 
+variable "etcd_scheme" {
+  type    = "string"
+  default = "https"
+}
+
 variable "tls_ca_crt_pem" {
   default = ""
 }
diff --git a/modules/ignition/etcd.tf b/modules/ignition/etcd.tf
index 6ea1f4ac94..37fe6699c9 100644
--- a/modules/ignition/etcd.tf
+++ b/modules/ignition/etcd.tf
@@ -27,17 +27,17 @@ data "template_file" "etcd_names" {
 
 data "template_file" "advertise_client_urls" {
   count    = "${var.etcd_count}"
-  template = "${local.scheme}://${var.etcd_advertise_name_list[count.index]}:2379"
+  template = "${var.etcd_scheme}://${var.etcd_advertise_name_list[count.index]}:2379"
 }
 
 data "template_file" "initial_advertise_peer_urls" {
   count    = "${var.etcd_count}"
-  template = "${local.scheme}://${var.etcd_advertise_name_list[count.index]}:2380"
+  template = "${var.etcd_scheme}://${var.etcd_advertise_name_list[count.index]}:2380"
 }
 
 data "template_file" "initial_cluster" {
   count    = "${length(var.etcd_initial_cluster_list) > 0 ? var.etcd_count : 0}"
-  template = "${data.template_file.etcd_names.*.rendered[count.index]}=${local.scheme}://${local.etcd_initial_cluster_list[count.index]}:2380"
+  template = "${data.template_file.etcd_names.*.rendered[count.index]}=${var.etcd_scheme}://${local.etcd_initial_cluster_list[count.index]}:2380"
 }
 
 data "template_file" "etcd" {
@@ -53,7 +53,7 @@ data "template_file" "etcd" {
     metadata_deps               = "${var.use_metadata ? local.metadata_deps : ""}"
     metadata_env                = "${var.use_metadata ? local.metadata_env : ""}"
     name                        = "${data.template_file.etcd_names.*.rendered[count.index]}"
-    scheme                      = "${local.scheme}"
+    scheme                      = "${var.etcd_scheme}"
   }
 }
 
diff --git a/modules/ignition/variables.tf b/modules/ignition/variables.tf
index a377e75efc..be8a9080fd 100644
--- a/modules/ignition/variables.tf
+++ b/modules/ignition/variables.tf
@@ -83,6 +83,11 @@ variable "etcd_tls_enabled" {
   default = true
 }
 
+variable "etcd_scheme" {
+  type    = "string"
+  default = "https"
+}
+
 variable "etcd_advertise_name_list" {
   type    = "list"
   default = []
diff --git a/modules/vmware/etcd/variables.tf b/modules/vmware/etcd/variables.tf
index 18f889bc13..03aceca06a 100644
--- a/modules/vmware/etcd/variables.tf
+++ b/modules/vmware/etcd/variables.tf
@@ -123,6 +123,11 @@ variable "tls_peer_crt_pem" {
   default = ""
 }
 
+variable "etcd_scheme" {
+  default = "https"
+  type    = "string"
+}
+
 variable "ign_etcd_dropin_id_list" {
   type = "list"
 }
diff --git a/platforms/aws/main.tf b/platforms/aws/main.tf
index 724612e44e..3b716610a5 100644
--- a/platforms/aws/main.tf
+++ b/platforms/aws/main.tf
@@ -71,6 +71,7 @@ module "etcd" {
   dns_enabled             = "${var.tectonic_self_hosted_etcd == "" && length(compact(var.tectonic_etcd_servers)) == 0}"
   dns_zone_id             = "${var.tectonic_aws_private_endpoints ? data.null_data_source.zones.inputs["private"] : data.null_data_source.zones.inputs["public"]}"
   ec2_type                = "${var.tectonic_aws_etcd_ec2_type}"
+  etcd_scheme             = "${var.tectonic_etcd_scheme}"
   external_endpoints      = "${compact(var.tectonic_etcd_servers)}"
   extra_tags              = "${var.tectonic_aws_extra_tags}"
   instance_count          = "${length(data.template_file.etcd_hostname_list.*.id)}"
@@ -97,6 +98,7 @@ module "ignition_masters" {
   etcd_advertise_name_list  = "${data.template_file.etcd_hostname_list.*.rendered}"
   etcd_count                = "${length(data.template_file.etcd_hostname_list.*.id)}"
   etcd_initial_cluster_list = "${data.template_file.etcd_hostname_list.*.rendered}"
+  etcd_scheme               = "${var.tectonic_etcd_scheme}"
   etcd_tls_enabled          = "${var.tectonic_etcd_tls_enabled}"
   image_re                  = "${var.tectonic_image_re}"
   kube_dns_service_ip       = "${module.bootkube.kube_dns_service_ip}"
diff --git a/platforms/azure/main.tf b/platforms/azure/main.tf
index 4db5d282fc..b0a95fec79 100644
--- a/platforms/azure/main.tf
+++ b/platforms/azure/main.tf
@@ -118,6 +118,7 @@ module "ignition_masters" {
   etcd_advertise_name_list  = "${data.template_file.etcd_advertise_name_list.*.rendered}"
   etcd_count                = "${local.etcd_count}"
   etcd_initial_cluster_list = "${data.template_file.etcd_hostname_list.*.rendered}"
+  etcd_scheme               = "${var.tectonic_etcd_scheme}"
   etcd_tls_enabled          = "${var.tectonic_etcd_tls_enabled}"
   image_re                  = "${var.tectonic_image_re}"
   kube_dns_service_ip       = "${module.bootkube.kube_dns_service_ip}"
diff --git a/platforms/gcp/main.tf b/platforms/gcp/main.tf
index 447788fdb0..59b6d3f915 100644
--- a/platforms/gcp/main.tf
+++ b/platforms/gcp/main.tf
@@ -61,6 +61,8 @@ module "etcd" {
   master_subnetwork_name = "${module.network.master_subnetwork_name}"
   external_endpoints     = ["${compact(var.tectonic_etcd_servers)}"]
 
+  etcd_scheme = "${var.tectonic_etcd_scheme}"
+
   tls_enabled             = "${var.tectonic_etcd_tls_enabled}"
   tls_ca_crt_pem          = "${module.etcd_certs.etcd_ca_crt_pem}"
   tls_server_crt_pem      = "${module.etcd_certs.etcd_server_crt_pem}"
@@ -148,6 +150,7 @@ module "ignition_masters" {
   etcd_advertise_name_list  = "${data.template_file.etcd_hostname_list.*.rendered}"
   etcd_count                = "${length(data.template_file.etcd_hostname_list.*.id)}"
   etcd_initial_cluster_list = "${data.template_file.etcd_hostname_list.*.rendered}"
+  etcd_scheme               = "${var.tectonic_etcd_scheme}"
   etcd_tls_enabled          = "${var.tectonic_etcd_tls_enabled}"
 }
 
diff --git a/platforms/metal/tectonic.tf b/platforms/metal/tectonic.tf
index d134c2c5ed..d976f7a181 100644
--- a/platforms/metal/tectonic.tf
+++ b/platforms/metal/tectonic.tf
@@ -82,6 +82,7 @@ module "bootkube" {
       : join(",", var.tectonic_etcd_servers)
     )}"
 
+  etcd_scheme               = "${var.tectonic_etcd_scheme}"
   etcd_backup_size          = "${var.tectonic_etcd_backup_size}"
   etcd_backup_storage_class = "${var.tectonic_etcd_backup_storage_class}"
   self_hosted_etcd          = "${var.tectonic_self_hosted_etcd}"
diff --git a/platforms/vmware/main.tf b/platforms/vmware/main.tf
index 1a64726209..a4444c79b3 100644
--- a/platforms/vmware/main.tf
+++ b/platforms/vmware/main.tf
@@ -7,6 +7,7 @@ module "etcd" {
   container_image    = "${var.tectonic_container_images["etcd"]}"
   base_domain        = "${var.tectonic_base_domain}"
   external_endpoints = ["${compact(var.tectonic_etcd_servers)}"]
+  etcd_scheme        = "${var.tectonic_etcd_scheme}"
 
   tls_ca_crt_pem     = "${module.etcd_certs.etcd_ca_crt_pem}"
   tls_server_crt_pem = "${module.etcd_certs.etcd_server_crt_pem}"
@@ -48,6 +49,7 @@ module "ignition_masters" {
   cluster_name             = "${var.tectonic_cluster_name}"
   container_images         = "${var.tectonic_container_images}"
   etcd_advertise_name_list = "${data.template_file.etcd_hostname_list.*.rendered}"
+  etcd_scheme              = "${var.tectonic_etcd_scheme}"
   image_re                 = "${var.tectonic_image_re}"
   kube_dns_service_ip      = "${module.bootkube.kube_dns_service_ip}"
   kubelet_cni_bin_dir      = "${var.tectonic_networking == "calico" || var.tectonic_networking == "canal" ? "/var/lib/cni/bin" : "" }"
