diff --git a/.golangci.yaml b/.golangci.yaml index 30c26f6..0274ffb 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -12,6 +12,7 @@ linters: - lll - cyclop - funlen + - maintidx formatters: # Enable specific formatter. # Default: [] (uses standard Go formatting) diff --git a/README.md b/README.md index d66b260..dec5c97 100644 --- a/README.md +++ b/README.md @@ -15,13 +15,19 @@ aws secretsmanager create-secret --name my-github-pat --secret-string ## Deployment -Deploy the stack with SAM and provide the secret name and any additional runner -labels as parameters: +Deploy the stack with SAM and provide the secret name, AMI, subnet, security groups and +EC2 key pair used for the runner. You may also specify additional runner labels: ```bash sam deploy \ - --parameter-overrides GitHubPATSecretName=my-github-pat ExtraRunnerLabels="gpu" + --parameter-overrides GitHubPATSecretName=my-github-pat \ + ExtraRunnerLabels="gpu" \ + ImageId=ami-0123456789abcdef0 \ + SubnetId=subnet-12345678 \ + SecurityGroupIds=sg-12345678 \ + KeyName=my-key ``` The `ExtraRunnerLabels` parameter is optional. When supplied, the labels are -added to the default runner labels. +added to the default runner labels. All other parameters are required and must +be specified for your environment. diff --git a/main.go b/main.go index 73bd6d9..f7af115 100644 --- a/main.go +++ b/main.go 
@@ -91,6 +91,36 @@ func handler(request events.APIGatewayProxyRequest) (events.APIGatewayProxyRespo extraLabels = "," + extraLabels } + subnetID := os.Getenv("SUBNET_ID") + if subnetID == "" { + slog.Error("SUBNET_ID env var not set") + + return events.APIGatewayProxyResponse{StatusCode: http.StatusInternalServerError}, errors.New("subnet id missing") + } + + sgIDs := os.Getenv("SECURITY_GROUP_IDS") + if sgIDs == "" { + slog.Error("SECURITY_GROUP_IDS env var not set") + + return events.APIGatewayProxyResponse{StatusCode: http.StatusInternalServerError}, errors.New("security groups missing") + } + + securityGroups := strings.Split(sgIDs, ",") + + keyName := os.Getenv("KEY_NAME") + if keyName == "" { + slog.Error("KEY_NAME env var not set") + + return events.APIGatewayProxyResponse{StatusCode: http.StatusInternalServerError}, errors.New("key name missing") + } + + imageID := os.Getenv("IMAGE_ID") + if imageID == "" { + slog.Error("IMAGE_ID env var not set") + + return events.APIGatewayProxyResponse{StatusCode: http.StatusInternalServerError}, errors.New("image id missing") + } + tags := []types.Tag{ { Key: aws.String("GitHub Workflow Job Event ID"), 
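Review bot: `strings.Split(sgIDs, ",")` hands every fragment on as a security group ID, so a value such as `sg-a, sg-b` or one with a trailing comma produces an entry with a leading space or an empty string, and the non-empty check on `sgIDs` does not catch it. Splitting with `securityGroups := strings.FieldsFunc(sgIDs, func(r rune) bool { return r == ',' || r == ' ' })` and then rejecting `len(securityGroups) == 0` would fail such input here with the other configuration checks, instead of (presumably) at the later instance launch. The four env-var checks are near-identical and this commit also enables `maintidx`; a small helper that returns a required variable or an error would keep handler shorter. handler starts and ends outside this hunk.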
@@ -142,19 +172,19 @@ func handler(request events.APIGatewayProxyRequest) (events.APIGatewayProxyRespo MinCount: aws.Int32(1), MaxCount: aws.Int32(1), EbsOptimized: aws.Bool(true), - ImageId: aws.String("ami-0c0c88099397fccb4"), + ImageId: aws.String(imageID), InstanceInitiatedShutdownBehavior: types.ShutdownBehaviorTerminate, InstanceType: instanceType, NetworkInterfaces: []types.InstanceNetworkInterfaceSpecification{ { AssociatePublicIpAddress: aws.Bool(true), - SubnetId: aws.String("subnet-0eb6da43c6f0ef528"), + SubnetId: aws.String(subnetID), DeleteOnTermination: aws.Bool(true), DeviceIndex: aws.Int32(0), - Groups: []string{"sg-0f185b577cb2b2802"}, + Groups: securityGroups, }, }, - KeyName: aws.String("terraform-20220125192645402400000001"), + KeyName: aws.String(keyName), Monitoring: &types.RunInstancesMonitoringEnabled{Enabled: aws.Bool(true)}, TagSpecifications: []types.TagSpecification{ { diff --git a/template.yaml b/template.yaml index 401b094..b1b0d1a 100644 --- a/template.yaml +++ b/template.yaml @@ -9,6 +9,18 @@ Parameters: Type: String Default: "" Description: Additional comma separated labels for the runner + ImageId: + Type: String + Description: AMI ID for the runner instances + SubnetId: + Type: String + Description: Subnet ID for the runner instances + SecurityGroupIds: + Type: String + Description: Comma separated security group IDs for the runner + KeyName: + Type: String + Description: EC2 key pair name for the runner # More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst Globals: @@ -38,6 +50,10 @@ Resources: Variables: GITHUB_PAT_SECRET_NAME: !Ref GitHubPATSecretName EXTRA_RUNNER_LABELS: !Ref ExtraRunnerLabels + IMAGE_ID: !Ref ImageId + SUBNET_ID: !Ref SubnetId + SECURITY_GROUP_IDS: !Ref SecurityGroupIds + KEY_NAME: !Ref KeyName Policies: - Statement: - Sid: RunInstances
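Review bot: `KeyName: aws.String(keyName)`, combined with the required `KEY_NAME` check added earlier in handler, makes an SSH key pair mandatory on every runner. The unchanged `AssociatePublicIpAddress: aws.Bool(true)` gives each instance a public address, so whether a runner is reachable over SSH now depends entirely on the operator-supplied security groups. The spec sets `InstanceInitiatedShutdownBehavior: types.ShutdownBehaviorTerminate`, which suggests short-lived runners; if so, consider treating the key as optional and leaving `KeyName` nil when the variable is empty. The README could also state that the chosen security groups should not allow inbound SSH from the internet. The struct literal and handler continue outside this hunk.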
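Review bot: The four new parameters in template.yaml are declared as plain `Type: String`, so a mistyped or non-existent ID is only discovered when the function tries to launch an instance. CloudFormation's AWS-specific parameter types (`AWS::EC2::Image::Id`, `AWS::EC2::Subnet::Id`, `AWS::EC2::KeyPair::KeyName` and `List<AWS::EC2::SecurityGroup::Id>`) are validated against the account at deploy time. With the list type, the environment variable in the second hunk would become `SECURITY_GROUP_IDS: !Join [",", !Ref SecurityGroupIds]`, which also guarantees the comma-separated form the handler splits on.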